
Questions tagged [volatility]

Volatility is a memory forensics framework that provides functionality to analyse memory dumps and to extract valuable information from them.

2 votes
1 answer
354 views

Examining linux memory dump with signs of compromise in yarascan

I have captured a memory dump of a recent Ubuntu 22.04 kernel, 6.2.0-39-generic. Captured the image with LiME and analyzed it with volatility3. Did a yarascan against all known rules and found a suspicious ...
Zzgooloo
1 vote
1 answer
174 views

Can malware detect memory dumping?

Morning, I recently had need to check for malware on my PC by dumping the memory and searching for unwanted processes which could be malware. My question is, is it possible for malware to detect ...
Hopkins • 13
1 vote
0 answers
243 views

Get file from the linux_volshell from volatility

I am analyzing a mem and trying to recover a file that an attacker used to exploit the drupalgeddon2 vulnerability. I discovered that the process with pid 11046 executes the request with the file h38x.php (...
P00 • 43
2 votes
0 answers
1k views

How to recover a file with volatility from a linux profile [closed]

I'm trying to recover files from a .mem file with volatility. The mem file is from a Linux machine. I have already loaded the profile and it works fine. I have discovered that the drupalgeddon2 ...
P00 • 43
0 votes
1 answer
4k views

Volatility: AutoMagic Symbol Table error

I am trying to analyze the .vmem file from HoneyNet challenge 3: Banking Troubles (HoneyNet) using volatility3. But I can't seem to get past this error: PS C:\Users\<user>\Desktop\HoneyNet\...
Varghese George
2 votes
2 answers
525 views

How to extract a .bat file with volatility

I am experimenting with the volatility2 tool. I have created a memory dump of a Windows 7 machine where I had a batch script file on the desktop of the machine. I used the mftparser command as: ...
bd55 • 23
2 votes
1 answer
408 views

Are TPM PCRs volatile, non-volatile, or both?

Do PCRs (Platform Configuration Registers) on TPMs (Trusted Platform Modules) retain their data on reboot? I'm trying to find out if all (or some) of the PCRs on a TPM are volatile (will lose their ...
Michael Altfield
0 votes
1 answer
2k views

Is there a way to get Windows login password hint from SAM hive with volatility?

We know that every user in Windows has a password hint. This password hint is stored in the SAM hive, more specifically in the SAM\Domains\Account\Users path. Is there a way to extract this password ...
bd55 • 23
1 vote
1 answer
7k views

How to identify hidden processes with volatility using psxview?

I was learning volatility and in this room in tryhackme they used psxview to find the hidden processes. The assignment was, It's fairly common for malware to attempt to hide itself and the process ...
randomSapien
0 votes
1 answer
210 views

How to detect fileless kernel compromise in linux

Is there a way to detect fileless kernel compromise in Linux? The only way to analyze this kind of attack is with Volatility. Volatility is a very good product, but not often updated, especially with ...
Lews • 105
1 vote
0 answers
526 views

Finding NonPagedPool Start and End Address using volatility

I am exploiting the bluekeep vulnerability in Windows Server 2008 R2 using the Metasploit framework. When I run the exploit windows/rdp/cve_2019_0708_bluekeep_rce, it ends in a BSOD on the server and then the server ...
aneela • 201
0 votes
1 answer
1k views

How to build Linux Volatility Profiles With the Compiled Kernel

I'm familiar with creating Linux memory profiles as stated here. However, this assumes that I have access to the live system, which oftentimes is not the case. I heard there is a way to build the ...
user148614
1 vote
0 answers
3k views

Why does Volatility fail on windows 10 dumps and what other tools can I use? [closed]

So I am trying to extract data from a full memory dump (made with either DumpIt or a BSOD). WinDBG manages to extract some information from it, but Volatility is silent: PS F:\> C:\Python27\python....
Adalcar • 111
1 vote
0 answers
4k views

Volatility: Issue with analyzing Windows 10 and Server 2016 systems

I have been trying to use Volatility 2.6 to analyze memory dumps generated by DumpIt. I am experiencing an issue analyzing the memory dumps (all 4 GB in size) of two Windows 10 64-bit boxes (build ...
synthesis • 155
0 votes
1 answer
190 views

Is there any difference between the hiberfil.sys file and a RAM dump made with 3rd party software for Volatility.py?

I was wondering how I could give some advice to one of my friends when attempting to analyze a live Windows machine which was infected with malware. As far as I know, hibernation saves RAM memory ...
RedS • 74
0 votes
0 answers
1k views

Volatility: Dumping memory associated with a particular process

I'm trying to figure out how I can dump the memory associated with a process. So far, I've managed to identify the PIDs of the processes I'm interested in (along with their offset). However, I can't ...
F_Infinity2
3 votes
1 answer
315 views

Volatility.exe suggests two profiles for an XP memory dump. Which one should I use?

Volatility suggests two profiles for an XP memory dump. Which one should I use for further investigation? I am a beginner with Volatility.
PEO • 33
4 votes
1 answer
4k views

Volatility forensics with large dumps

Today I was tasked with the analysis of a .vmem file of a Windows RDS of one of our customers due to some "strange" connections coming from native Windows processes. The extracted .vmem file has a size ...
Nomad • 2,419
2 votes
0 answers
1k views

Extract Outlook email attachments from memory

Does anyone know if there is a way to extract Outlook emails with attachments from memory? What I have tried is to use volatility to dump PST files from memory and then use libpff to recover the ...
Yang Yu • 449
1 vote
0 answers
196 views

Volatility Plug-ins to investigate packed exe files

I am using volatility for malware analysis. I have got a process in my memory image that is packed by malware using the UPX packer. The malfind plugin doesn't show injected code for it either. How can I use ...
ayesha • 11
4 votes
1 answer
1k views

Create a memory dump from the Windows command line

I was following this blog post to dump the memory of a Windows host. Sadly this method does not work on Windows Server 2012 because the memory drivers that come with mdd aren't signed and this is ...
davidb • 4,343
3 votes
1 answer
1k views

Can a rootkit hide processes from "Volatility" or other memory forensics tools?

I know that a rootkit can hide processes from the OS by fooling around in userspace. But can a rootkit also modify a process's metadata in a way that it won't even be recognized by a RAM forensic ...
davidb • 4,343
5 votes
1 answer
15k views

Convert a raw memory dump into a format recognized by Volatility

I dumped the RAM of a Windows 7 PC using LiveKd, which basically worked. The memory was dumped, but then the conversion of the binary dump into "summary format" failed. When I then tried to read the file ...
davidb • 4,343