📒
cybersecurity notes
  • Welcome
  • Memory Forensics
    • Resources
    • autovol
    • Memory Forensics - 13cubed
      • Intro to Memory Forensics
      • Windows Memory Analysis
      • Windows Process Genealogy
      • Pulling threads
      • Persistence in Memory
      • Memory Forensics Baselines
      • Extracting Prefetch
      • Shellbag forensics
    • Challenges
      • BTLO
        • Memory Analysis - Ransomware
      • Memlabs
        • Lab 1 - Beginner's Luck
    • Analysis
      • Stuxnet
      • Zeusbot
      • Darkcomet RAT
      • ZeroAccess Rootkit
  • Linux
    • Linux commands
  • Malware Analysis
    • Triaging
    • Malware Analysis - 13cubed
    • gdb
  • Networking
    • CCNA notes
      • Network devices
      • Interfaces and cables
      • OSI model & TCP-IP suite
      • Intro to CLI
      • Ethernet LAN switching (1)
      • Ethernet LAN switching (2)
      • IPv4 addressing (1)
      • IPv4 addressing (2)
      • Switch Interfaces
      • IPv4 Header
      • Static routing
      • Life of a Packet
      • Subnetting (1)
      • Subnetting (2)
      • Subnetting (3)
      • VLAN (1)
      • VLAN (2)
      • VLAN (3)
      • DTP & VTP
      • Spanning Tree Protocol (1)
      • Spanning Tree Protocol (2)
      • RSTP
      • Etherchannel
      • Dynamic routing
      • RIP & EIGRP
      • OSPF (1)
      • Others (gdrive)
Powered by GitBook
On this page
  • Volatility
  • Installing Volatility
  • Using Volatility
  • Command reference
  • Add plugins
  • Additional info
  1. Memory Forensics

Analysis

write-ups for the Memory Analysis of various malwares

PreviousLab 1 - Beginner's LuckNextStuxnet

Last updated 1 year ago

Volatility

I'll be using Volatility 2 for analysis because many plugins were written in python2. Alternatively, this can be done with Volatility 3 with the exemption of running a few plugins.

Installing Volatility

Volatility 2 GitHub repo: 

$ git clone https://github.com/volatilityfoundation/volatility.git

Using Volatility

$ python2 [path-to-vol.py] -f [path-to-image] --profile=[profile] [plugin]

Command reference

Add plugins

  • Clone the plugin from their respective github repos.

  • Add the [plugin].py file into "volatility/plugins/" directory.

Additional info

  • I create separate folders for each of the memory images that I analyze.

  • Inside them, various folders are created to dump the output whenever required.

It is recommended to follow along the process and explore the process yourself.

LogoGitHub - volatilityfoundation/volatility: An advanced memory forensics frameworkGitHub
LogoCommand Reference · volatilityfoundation/volatility WikiGitHub