Documenting some common usages (plugins) of Volatility 3 for memory forensics.

Since it provides plugins for three common operating systems (Linux, Mac, and Windows), adjust the plugin prefix in each command to match the operating system of the given memory image.

# View process hierarchy
vol -f memory.dmp windows.pstree
 
# Search for file paths (Volatility 3 needs the fully qualified plugin name)
vol -f memory.dmp windows.filescan
 
# List network connections
vol -f memory.dmp windows.netscan
 
# Dump a file by its virtual address (taken from the filescan output)
vol -f memory.dmp windows.dumpfiles --virtaddr <address from filescan>
 
# Identify suspicious memory regions (injected code, RWX allocations)
vol -f MemoryDump.mem windows.malfind
 
# List process command lines
vol -f 192-Reveal.dmp windows.cmdline

To determine which processes were running when the image was acquired, use the pslist plugin, but pay attention to the CreateTime and ExitTime columns:

vol -f IMAGE.raw windows.pslist
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output
 
4       0       System  0x89c037f8      55      245     N/A     False   N/A     N/A     Disabled
368     4       smss.exe        0x89965020      3       19      N/A     False   2023-02-14 04:54:15.000000 UTC  N/A     Disabled
592     368     csrss.exe       0x89a98da0      11      321     0       False   2023-02-14 04:54:15.000000 UTC  N/A     Disabled
616     368     winlogon.exe    0x89a88da0      18      508     0       False   2023-02-14 04:54:15.000000 UTC  N/A     Disabled
660     616     services.exe    0x89938998      15      240     0       False   2023-02-14 04:54:15.000000 UTC  N/A     Disabled
672     616     lsass.exe       0x89aa0020      21      335     0       False   2023-02-14 04:54:15.000000 UTC  N/A     Disabled
832     660     VBoxService.exe 0x89aaa3d8      9       115     0       False   2023-02-14 04:54:15.000000 UTC  N/A     Disabled
880     660     svchost.exe     0x89aab590      21      295     0       False   2023-02-13 17:54:16.000000 UTC  N/A     Disabled
968     660     svchost.exe     0x89a9f6f8      10      244     0       False   2023-02-13 17:54:17.000000 UTC  N/A     Disabled
1060    660     svchost.exe     0x89730da0      51      1072    0       False   2023-02-13 17:54:17.000000 UTC  N/A     Disabled
1108    660     svchost.exe     0x897289a8      5       78      0       False   2023-02-13 17:54:17.000000 UTC  N/A     Disabled
1156    660     svchost.exe     0x899adda0      13      192     0       False   2023-02-13 17:54:17.000000 UTC  N/A     Disabled
1484    1440    explorer.exe    0x89733938      14      489     0       False   2023-02-13 17:54:18.000000 UTC  N/A     Disabled
1608    660     spoolsv.exe     0x897075d0      10      106     0       False   2023-02-13 17:54:18.000000 UTC  N/A     Disabled
480     1060    wscntfy.exe     0x89694388      1       28      0       False   2023-02-13 17:54:30.000000 UTC  N/A     Disabled
540     660     alg.exe 0x8969d2a0      5       102     0       False   2023-02-13 17:54:30.000000 UTC  N/A     Disabled
376     1484    VBoxTray.exe    0x89982da0      13      125     0       False   2023-02-13 17:54:30.000000 UTC  N/A     Disabled
636     1484    msmsgs.exe      0x8994a020      2       157     0       False   2023-02-13 17:54:30.000000 UTC  N/A     Disabled
1880    1484    taskmgr.exe     0x89a0b2f0      0       -       0       False   2023-02-13 18:25:15.000000 UTC  2023-02-13 18:26:21.000000 UTC  Disabled
964     1484    rootkit.exe     0x899dd740      0       -       0       False   2023-02-13 18:25:26.000000 UTC  2023-02-13 18:25:26.000000 UTC  Disabled
1960    964     cmd.exe 0x89a18da0      0       -       0       False   2023-02-13 18:25:26.000000 UTC  2023-02-13 18:25:26.000000 UTC  Disabled
528     1484    notepad.exe     0x896c5020      0       -       0       False   2023-02-13 18:26:55.000000 UTC  2023-02-13 18:27:46.000000 UTC  Disabled
1432    1484    notepad.exe     0x89a0d180      0       -       0       False   2023-02-13 18:28:25.000000 UTC  2023-02-13 18:28:40.000000 UTC  Disabled
1444    1484    notepad.exe     0x899e6da0      0       -       0       False   2023-02-13 18:28:42.000000 UTC  2023-02-13 18:28:47.000000 UTC  Disabled
276     1484    DumpIt.exe      0x89a0fda0      1       25      0       False   2023-02-13 18:29:08.000000 UTC  N/A     Disabled

The rows that carry an ExitTime (taskmgr.exe, rootkit.exe, cmd.exe, and the three notepad.exe entries) are processes that had already terminated before the image was acquired; the remaining rows, with ExitTime N/A, were still active.
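To make that distinction mechanically, here is an added Python example (not part of Volatility or of the commands above) that parses the tab-separated pslist table, separates processes that had exited before acquisition, and walks the PPID chain of a process such as cmd.exe back to its ancestors; the embedded sample is a constructed excerpt of the table above.

```python
"""Triage Volatility 3 windows.pslist output. Added example, not Volatility code;
SAMPLE is a constructed excerpt, tab-separated as vol3's text renderer prints it."""
from dataclasses import dataclass
from typing import Optional

SAMPLE = """Volatility 3 Framework 2.26.2
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0x89c037f8\t55\t245\tN/A\tFalse\tN/A\tN/A\tDisabled
660\t616\tservices.exe\t0x89938998\t15\t240\t0\tFalse\t2023-02-14 04:54:15.000000 UTC\tN/A\tDisabled
1484\t1440\texplorer.exe\t0x89733938\t14\t489\t0\tFalse\t2023-02-13 17:54:18.000000 UTC\tN/A\tDisabled
964\t1484\trootkit.exe\t0x899dd740\t0\t-\t0\tFalse\t2023-02-13 18:25:26.000000 UTC\t2023-02-13 18:25:26.000000 UTC\tDisabled
1960\t964\tcmd.exe\t0x89a18da0\t0\t-\t0\tFalse\t2023-02-13 18:25:26.000000 UTC\t2023-02-13 18:25:26.000000 UTC\tDisabled
276\t1484\tDumpIt.exe\t0x89a0fda0\t1\t25\t0\tFalse\t2023-02-13 18:29:08.000000 UTC\tN/A\tDisabled
"""

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    create: str
    exit: Optional[str]  # None when the process was still running at acquisition

def parse_pslist(text: str) -> dict:
    """Parse the table into {pid: Proc}, skipping banner, progress and header lines."""
    procs = {}
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 11 or not cols[0].isdigit():
            continue
        exit_time = None if cols[9] == "N/A" else cols[9]
        procs[int(cols[0])] = Proc(int(cols[0]), int(cols[1]), cols[2], cols[8], exit_time)
    return procs

def exited_before_capture(procs: dict) -> list:
    """Names of processes with an ExitTime: terminated before the image was taken."""
    return sorted(p.name for p in procs.values() if p.exit is not None)

def ancestry(procs: dict, pid: int) -> list:
    """Follow PPID links upward, stopping at an unknown parent or a PID loop."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain
```

Run it against real output by piping `vol -f IMAGE.raw windows.pslist` into a file and passing its contents to parse_pslist; the parent chain makes a shell spawned by an unexpected parent stand out at a glance.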

Better output

The raw output can be hard to read, especially since most vol results are very long. Therefore, use the highlighting features of grep, awk, and sed (the `|$` alternation in the grep pattern keeps every line in the output while colouring only the matches):

# Using grep
vol -f MemoryDump.mem windows.pstree | grep --color=always -E "(oneetx\.exe|$)"
 
# Using awk
vol -f MemoryDump.mem windows.pstree | awk '/oneetx\.exe/ {print "\033[43m" $0 "\033[0m"; next} {print}'
 
# Using sed
vol -f MemoryDump.mem windows.pstree | sed 's/.*oneetx\.exe.*/\x1b[41m&\x1b[0m/'