Questions tagged [volatility]
Volatility is a memory forensics framework for analysing memory dumps (RAM images, hibernation files, VM snapshots) and extracting valuable information from them: running and hidden processes, network connections, loaded modules, injected code, and registry or file data.
23 questions
2 votes, 1 answer, 354 views
Examining linux memory dump with signs of compromise in yarascan
I have captured a memory dump of a recent Ubuntu 22.04 kernel, 6.2.0-39-generic.
I captured the image with LiME and analyzed it with volatility3.
I did a yarascan against all known rules and found a suspicious ...
1 vote, 1 answer, 174 views
Can malware detect memory dumping?
Morning, I recently needed to check for malware on my PC by dumping the memory and searching for unwanted processes which could be malware. My question is: is it possible for malware to detect ...
1 vote, 0 answers, 243 views
Get file from the linux_volshell from volatility
I am analyzing a memory image and trying to recover a file that an attacker used to exploit the drupalgeddon2 vulnerability. I discovered that the process with PID 11046 executes the request with the file h38x.php (...
2 votes, 0 answers, 1k views
How to recover a file with volatility from a linux profile [closed]
I'm trying to recover files from a .mem file with volatility. The mem file is from a Linux machine. I have already loaded the profile and it works fine. I have discovered that the drupalgeddon2 ...
0 votes, 1 answer, 4k views
Volatility: AutoMagic Symbol Table error
I am trying to analyze the .vmem file from HoneyNet challenge 3: Banking Troubles (HoneyNet) using volatility3. But I can't seem to get past this error:
PS C:\Users\<user>\Desktop\HoneyNet\...
2 votes, 2 answers, 525 views
How to extract a .bat file with volatility
I am experimenting with the volatility2 tool.
I have created a memory dump of a Windows 7 machine where I had a batch script file on the desktop of the machine.
I used the mftparser command as:
...
2 votes, 1 answer, 408 views
Are TPM PCRs volatile, non-volatile, or both?
Do PCRs (Platform Configuration Registers) on TPMs (Trusted Platform Modules) retain their data on reboot?
I'm trying to find out if all (or some) of the PCRs on a TPM are volatile (will lose their ...
0 votes, 1 answer, 2k views
Is there a way to get Windows login password hint from SAM hive with volatility?
We know that every user in Windows has a password hint. This password hint is stored in the SAM hive, more specifically in the SAM\Domains\Account\Users path. Is there a way to extract this password ...
1 vote, 1 answer, 7k views
How to identify hidden processes with volatility using psxview?
I was learning volatility and in this room on TryHackMe they used psxview to find the hidden processes.
The assignment was,
It's fairly common for malware to attempt to hide itself and the
process ...
0 votes, 1 answer, 210 views
How to detect fileless kernel compromise in linux
Is there a way to detect fileless kernel compromise in Linux?
The only way to analyze this kind of attack is with Volatility. Volatility is a very good product, but not often updated, especially with ...
1 vote, 0 answers, 526 views
Finding NonPagedPool Start and End Address using volatility
I am exploiting the BlueKeep vulnerability in Windows Server 2008 R2 using the Metasploit framework. When I run the exploit windows/rdp/cve_2019_0708_bluekeep_rce, it ends in a BSOD on the server and then the server ...
0 votes, 1 answer, 1k views
How to build Linux Volatility Profiles With the Compiled Kernel
I'm familiar with creating Linux memory profiles as stated here. However, this assumes that I have access to the live system, which often is not the case.
I heard there is a way to build the ...
1 vote, 0 answers, 3k views
Why does Volatility fail on windows 10 dumps and what other tools can I use? [closed]
So I am trying to extract data from a full memory dump (made with either DumpIt or a BSOD). WinDBG manages to extract some information from it, but Volatility is silent:
PS F:\> C:\Python27\python....
1 vote, 0 answers, 4k views
Volatility: Issue with analyzing Windows 10 and Server 2016 systems
I have been trying to use Volatility 2.6 to analyze memory dumps generated by DumpIt. I am experiencing an issue analyzing the memory dumps (all 4 GB in size) of two Windows 10 64 bit boxes (build ...
0 votes, 1 answer, 190 views
Is there any difference between the hiberfil.sys file and a RAM dump made with 3rd party software for Volatility.py?
I was wondering how I could give some advice to one of my friends when attempting to analyze a live Windows machine which was infected with malware.
As far as I know, hibernation saves RAM memory ...
0 votes, 0 answers, 1k views
Volatility: Dumping memory associated with a particular process
I'm trying to figure out how I can dump the memory associated with a process. So far, I've managed to identify the PIDs of the processes I'm interested in (along with their offset). However, I can't ...
3 votes, 1 answer, 315 views
Volatility.exe suggests two profiles for an XP memory dump. Which one should I use?
Volatility suggests two profiles for an XP memory dump. Which one should I use for further investigation? I am a beginner with Volatility.
4 votes, 1 answer, 4k views
Volatility Forensics with Large dumps
Today I was tasked with the analysis of a .vmem file of a Windows RDS of one of our customers due to some "strange" connections coming from native Windows processes.
The extracted .vmem file has a size ...
2 votes, 0 answers, 1k views
Extract Outlook email attachments from memory
Does anyone know if there is a way to extract Outlook emails with attachments from memory? What I have tried is to use volatility to dump PST files from memory and then use libpff to recover the ...
1 vote, 0 answers, 196 views
Volatility Plug-ins to investigate packed exe files
I am using volatility for malware analysis. I have a process in my memory image that is packed by malware using the UPX packer. The malfind plugin doesn't show injected code for it either.
How can I use ...
4 votes, 1 answer, 1k views
Create memory dump from the windows commandline
I was following this blog post to dump the memory of a windows host. Sadly this method does not work on Windows Server 2012 because the memory drivers that come with mdd aren't signed and this is ...
3 votes, 1 answer, 1k views
Can a rootkit hide processes from "Volatility" or other memory forensics tools?
I know that a rootkit can hide processes from the OS by fooling around in userspace. But can a rootkit also modify a process's metadata in a way that it won't even be recognized by a RAM forensic ...
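The psxview question earlier on this page and this one come down to the same cross-view idea, so here is one added example covering both. It is not code from any of the posts or from the Volatility project. It builds a constructed miniature "memory image" in which process records sit in a circular doubly-linked list, unlinks one record the way a DKOM (direct kernel object manipulation) rootkit does, and then compares a walk of the list (what pslist does) with a tag scan over the raw bytes (what psscan does). The 32-byte record layout, the 4-byte tag, the offsets and the sample process names are all invented for the demonstration; real _EPROCESS objects are far larger and the Volatility scanners check more than a tag match.

```python
"""
Cross-view detection of a DKOM-hidden process.

Added example, not code from the posts on this page or from the Volatility
project. The record layout, tag, offsets and process names are constructed
for the demonstration only.
"""
import struct

TAG = b"Proc"                  # constructed marker standing in for a pool tag
REC_FMT = "<4sIII16s"          # tag, pid, flink, blink, name (32 bytes total)
REC_SIZE = struct.calcsize(REC_FMT)
IMAGE_SIZE = 4096
LIST_HEAD = 0x40               # (flink, blink) list head, like PsActiveProcessHead
ENTRY_OFF = 8                  # offset of the (flink, blink) pair inside a record

# Constructed sample process table: (pid, name)
SAMPLE_PROCS = [(4, b"System"), (420, b"csrss.exe"),
                (1337, b"evil.exe"), (2048, b"explorer.exe")]


def build_image(procs, hidden_pid=None):
    """Write `procs` into a zeroed image, link them into a circular doubly-linked
    list anchored at LIST_HEAD and, if hidden_pid is given, unlink that record
    the way a DKOM rootkit does: the neighbours are rewired, the record's bytes
    stay exactly where they were."""
    img = bytearray(IMAGE_SIZE)
    offsets = [0x100 + i * 0x80 for i in range(len(procs))]   # spaced-out records
    nodes = [LIST_HEAD] + offsets        # node 0 is the head, the rest are records
    n = len(nodes)

    def entry(i):                        # address of node i's (flink, blink) pair
        return LIST_HEAD if i == 0 else nodes[i] + ENTRY_OFF

    struct.pack_into("<II", img, LIST_HEAD, entry(1 % n), entry((n - 1) % n))
    for j, off in enumerate(offsets):
        i = j + 1
        pid, name = procs[j]
        struct.pack_into(REC_FMT, img, off, TAG, pid,
                         entry((i + 1) % n), entry((i - 1) % n),
                         name.ljust(16, b"\0"))

    if hidden_pid is not None:
        victim = offsets[[p for p, _ in procs].index(hidden_pid)] + ENTRY_OFF
        flink, blink = struct.unpack_from("<II", img, victim)
        struct.pack_into("<I", img, blink, flink)        # prev.flink = victim.flink
        struct.pack_into("<I", img, flink + 4, blink)    # next.blink = victim.blink
        struct.pack_into("<II", img, victim, victim, victim)  # victim points at itself
    return bytes(img)


def pslist(img):
    """List walk: follow flink from the head until it wraps around (what pslist does).
    An unlinked record is simply never reached."""
    found = []
    seen = set()
    cur = struct.unpack_from("<I", img, LIST_HEAD)[0]
    while cur != LIST_HEAD and cur not in seen:
        seen.add(cur)
        _, pid, flink, _, name = struct.unpack_from(REC_FMT, img, cur - ENTRY_OFF)
        found.append((pid, name.rstrip(b"\0").decode()))
        cur = flink
    return found


def psscan(img):
    """Carving: ignore the list and pick up every record whose bytes start with the
    tag and whose pointers fall inside the image (what psscan does, with far fewer
    sanity checks than the real plugin)."""
    found = []
    pos = img.find(TAG)
    while pos != -1 and pos + REC_SIZE <= len(img):
        _, pid, flink, blink, name = struct.unpack_from(REC_FMT, img, pos)
        if flink < len(img) and blink < len(img):
            found.append((pid, name.rstrip(b"\0").decode()))
        pos = img.find(TAG, pos + 1)
    return found


def cross_view(img):
    """psxview-style comparison: records the scan finds but the list walk does not."""
    listed = {pid for pid, _ in pslist(img)}
    scanned = {pid: name for pid, name in psscan(img)}
    return sorted((pid, name) for pid, name in scanned.items() if pid not in listed)


if __name__ == "__main__":
    print("clean image, hidden:   ", cross_view(build_image(SAMPLE_PROCS)))
    print("infected image, hidden:", cross_view(build_image(SAMPLE_PROCS, hidden_pid=1337)))
```

The hidden record vanishes from the walk but not from the scan, which is exactly the discrepancy psxview reports in Volatility 2 and what comparing windows.pslist with windows.psscan shows in Volatility 3. The caveat for the rootkit question: this catches unlinking only. A rootkit that also damages the pool tag or the object-header fields the scanner validates, or that keeps its process in memory the scan does not cover, is why psxview adds further views (thread scan, the csrss handle table, session and desktop thread lists); a process missing from several independent views at once is far harder to explain away than one missing from the linked list alone.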
5 votes, 1 answer, 15k views
Convert raw memory dump into a format recognized by volatility
I dumped the RAM of a Windows 7 PC using LiveKd, which basically worked. The memory was dumped, but then the conversion of the binary dump into "summary format" failed. When I then tried to read the file ...