Memory Forensics and Analysis
Forensics
Manipulate FAT filesystems in order to explore, extract, repair, recover and forensically analyse them
Analyse Docker: analysis & hacking tools
A tool for exploring each layer in a docker image
Tools to improve Google Cloud Platform environments
Find Cryptographic Keys in Memory in Linux
Tools:
DFF
Sleuthkit
Encase
X-Ways
Memory Analysis Tools
Volatility (Windows/Linux/Mac)
Mandiant Redline (Windows)
VolaFox (Mac OS / BSD)
Memory Analysis Info
The Art of Memory Forensics Book
Remote Memory Acquisition Tool
Volatility
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
Show Options and Supported plugins
vol.py -h
Show plugin usage
vol.py <plugin> -h
Identify System Profile
vol.py -f mem.img imageinfo
Identify Rogue Process
vol.py pslist -f mem.img
Scan memory for EPROCESS Blocks
vol.py psscan -f mem.img
Display parent-process relationships
vol.py pstree -f mem.img
Look for Evidence of Code Injection
vol.py malfind --dump-dir ./output_dir
ldrmodules
vol.py ldrmodules -p 868 -v
Check for Signs of a Rootkit
Find Hidden processes using cross-view
vol.py psxview
Scan Memory for loaded, unloaded and Unlinked drivers
vol.py modscan
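The cross-view check above works by comparing what the linked EPROCESS list (pslist) reports against what a pool-tag scan (psscan) finds. The following is an added example, not part of the original cheat sheet, that automates that comparison over saved plugin output; the sample pslist/psscan text is constructed here to illustrate the formats, and the PIDs in it are not from a real image.

```python
import re

# One data row of Volatility 2 pslist/psscan output: offset, name, PID, PPID, ...
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")
# psscan prints a second timestamp ("Time exited") for processes that have terminated.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

def parse_rows(output):
    """Map PID -> (name, number of timestamps) for every data row in plugin output."""
    rows = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[int(m.group("pid"))] = (m.group("name"), len(TS_RE.findall(line)))
    return rows

def cross_view(pslist_out, psscan_out):
    """Compare the linked-list view (pslist) with the pool-scan view (psscan)."""
    listed, scanned = parse_rows(pslist_out), parse_rows(psscan_out)
    hidden, terminated = set(), set()
    for pid, (_name, ts_count) in scanned.items():
        if pid in listed:
            continue
        if ts_count >= 2:
            terminated.add(pid)  # exit time present: stale EPROCESS, expected noise
        else:
            hidden.add(pid)  # found by scanning but unlinked from the active list
    return {"hidden": hidden, "terminated": terminated,
            "listed_only": set(listed) - set(scanned)}

# Constructed sample output (not from a real image); PID 868 is unlinked, 2412 has exited.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     58      379 ------      0
0x822f1020 smss.exe                348      4      3       21 ------      0 2010-08-11 06:06:53 UTC+0000
0x81e3ada0 explorer.exe           1464   1444     14      471      0      0 2010-08-11 06:09:41 UTC+0000
"""
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x00000000022f1020 smss.exe            348      4 0x0a6c1000 2010-08-11 06:06:53 UTC+0000
0x0000000001e3ada0 explorer.exe       1464   1444 0x0b1dd000 2010-08-11 06:09:41 UTC+0000
0x0000000001f2c3a8 svchost.exe         868    676 0x0c4a2000 2010-08-11 06:10:02 UTC+0000
0x0000000002010b40 cmd.exe            2412   1464 0x0d2e1000 2010-08-11 06:12:10 UTC+0000 2010-08-11 06:12:45 UTC+0000
"""

if __name__ == "__main__":
    for label, pids in cross_view(PSLIST, PSSCAN).items():
        print(f"{label}: {sorted(pids)}")
```

A PID in "hidden" is a process the pool scan found that no longer sits on the active process list and has no exit time, which is the pattern a DKOM-style unlink produces; confirm it with psxview before drawing conclusions.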
Find API/DLL Function hooks
vol.py apihooks
vol.py apihooks -p 868 (Specific PID)
vol.py apihooks -Q (Only Critical Processes)
Hooks in System Service Descriptor Table
vol.py ssdt | grep -Ev '(ntoskrnl|win32k)'
Display Interrupt Descriptor Table
vol.py idt
#Identify I/O Request Packet (IRP) hooks
vol.py driverirp -r tcpip
Analyze Process DLLs and Handles
List of loaded dlls by process
vol.py dlllist -p 4,868
Print process security identifiers
vol.py getsids -p 868
List of open handles for each process
Scan memory for FILE_OBJECT handles
vol.py filescan
Scan for Windows Service Information
vol.py svcscan
Dump Suspicious Processes and Drivers
Extract DLLs from Specific Processes (dlldump)
Extract kernel drivers
moddump
#Dump process to executable sample
#Dump every memory section into a file
Review Network Artifacts
[XP] List of open TCP connections
vol.py connections
[XP] ID TCP connections, including closed
vol.py connscan
[XP] Print listening sockets (any protocol)
vol.py sockets
[XP] ID sockets, including closed/unlinked
vol.py sockscan
[Win7] Scan for connections and sockets
vol.py netscan
Memory Acquisition
Windows Operating Systems
- Win32dd (x86)
- Win64dd (x64)
c:\> win32dd.exe /f E:\memory.img
MemoryDD.bat
c:\> MemoryDD.bat --output E:\
Converting Hibernation Files and Crash Dumps
Memory Artifact Timelining
The Volatility Timeliner plugin parses time-stamped objects found in memory images. Output is sorted by:
- Process creation time
- Thread creation time
- Driver compile time
- DLL / EXE compile time
- Network socket creation time
- Memory resident registry key last write time
- Memory resident event log entry creation time
timeliner
--output-file Optional file to write output (v2.1)
--output=body bodyfile format for mactime (v2.3)
vol.py -f mem.img timeliner --output-file out.csv --profile=Win7SP1x86
Registry Analysis Volatility Plugins
hivelist - Find and list available registry hives
vol.py hivelist
hivedump - Print all keys and subkeys in a hive
printkey - Output a registry key, subkeys, and values
userassist - Find and parse userassist key values
vol.py userassist
hashdump - Dump user NTLM and Lanman hashes
Dump KeePass
Find keepass proxy from
get password and database from memory: KeeThief