memory forensics volatility

In preparing for the provincial competition, I simply learned a tool. This article simply records the commands commonly used in memory forensics. All of them are Volatility 2 invocations: the image is passed with -f and the OS profile (found with imageinfo) with --profile.

volatility -f xp.raw imageinfo    // identify the OS type / profile of the memory image
volatility -f memory.raw --profile=Win7SP1x64 cmdscan    // scan for cmd.exe command history
volatility -f memory.raw --profile=Win7SP1x64 pslist
volatility -f memory.raw --profile=Win7SP1x64 pstree    // view process information
volatility -f memory.img --profile=Win2003SP1x86 dlllist
volatility -f memory.img --profile=Win2003SP1x86 ldrmodules
volatility -f memory.img --profile=Win2003SP1x86 malfind    // loaded DLL lists (dlllist, ldrmodules); malfind flags suspicious injected code regions
volatility -f memory.raw --profile=Win7SP1x64 hashdump    // username and password hash information
volatility -f memory.raw --profile=Win7SP1x64 printkey    // print a registry key
volatility -f memory.raw --profile=Win7SP1x64 hivelist
volatility -f memory.raw --profile=Win7SP1x64 hivedump -o 0xfffff8a001cce010    // -o takes the hive's virtual address as listed by hivelist
// view registry information
volatility -f memory.raw --profile=Win7SP1x64 netscan    // scan network connections
volatility -f memory.raw --profile=Win7SP1x64 svcscan    // view service running status
volatility -f memory.raw --profile=Win7SP1x64 envars    // view process environment variables
volatility -f memory.raw --profile=Win7SP1x64 filescan    // scan for cached file objects
volatility -f mem.vmem --profile=WinXPSP2x86 memdump -p 2012 -D ./
// after finding the PID with pslist, memdump -p exports that process's memory to the -D directory
volatility -f mem.raw --profile=Win7SP1x64 filescan | grep flag    // scan for files whose path contains flag
volatility -f mem.raw --profile=Win7SP1x64 dumpfiles -Q vol_address -D ./
// dump the file with dumpfiles, passing the physical offset (Offset(P) column of filescan) to -Q
volatility -f mem.raw --profile=Win7SP1x64 memdump -p 536 -D ./
Then read the dump directly with strings (-e l also picks up UTF-16LE strings): strings -e l 536.dmp | grep flag
volatility -f zy.raw --profile=WinXPSP2x86 iehistory    // get browser history
volatility --plugins=./volatility-master/volatility/plugins -f OtterCTF.vmem --profile=Win7SP1x64 mimikatz
// get the system password with the mimikatz plugin (loaded from the --plugins directory)
volatility --plugins=./volatility-master/volatility/plugins -f OtterCTF.vmem --profile=Win7SP1x64 pslist
// view the processes
volatility --plugins=./volatility-master/volatility/plugins -f OtterCTF.vmem --profile=Win7SP1x64 printkey -o hive_address
// print registry information from the hive at that address (taken from hivelist)
volatility --plugins=./volatility-master/volatility/plugins -f OtterCTF.vmem --profile=Win7SP1x64 printkey -o hive_address -K "ControlSet001\Control\ComputerName\ComputerName"
// print the computer hostname from the SYSTEM hive
strings xxx.vmem | grep Luar-3 -A 5 -B 5    // find data around Luar-3 in the xxx.vmem file (5 lines of context either side)
hexdump -C 708.dmp | grep "5a 0c 00" -A 3    // find the hexadecimal data in the dumped process memory
volatility -f mem.raw --profile=Win7SP1x64 clipboard    // view the information on the clipboard
volatility -f mem.raw --profile=Win7SP1x64 memdump -n chrome -D ./chromepes
// dump the memory of every process whose name matches chrome
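The filescan | grep flag step above leaves you with a physical offset that has to be copied into dumpfiles -Q by hand. The following added shell example (not from the original post) automates that hand-off: it parses Volatility 2 filescan output, prints the Offset(P) of every path matching a pattern, and builds the corresponding dumpfiles command. The image name, profile and the three filescan lines are constructed for illustration; on a real case, pipe a live filescan run into filescan_offsets instead of the sample.

```shell
#!/bin/sh
# Added example, not from the original post: turn Volatility 2 filescan output
# into dumpfiles -Q commands. Image, profile and sample lines are constructed.

IMG="mem.raw"             # constructed image name
PROFILE="Win7SP1x64"      # constructed profile

# Constructed sample of what `volatility ... filescan` prints: a header line,
# a dashed separator, then one line per _FILE_OBJECT with physical offset,
# pointer count, handle count, access mask and path.
SAMPLE_FILESCAN='Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0e2070     16      0 R--r-- \Device\HarddiskVolume1\Users\alice\Desktop\flag.txt
0x000000003e1a4f20      2      1 RW-rw- \Device\HarddiskVolume1\Windows\System32\config\SYSTEM
0x000000003e2c0b40      8      0 R--r-- \Device\HarddiskVolume1\Users\alice\Documents\flag_backup.docx'

# filescan_offsets PATTERN: read filescan output on stdin and print the
# physical offset of every file whose path matches PATTERN (case-insensitive
# awk regex). Only the offset is printed, so the output feeds -Q directly.
filescan_offsets() {
    awk -v pat="$1" '
        # skip the header and the dashed separator
        NR <= 2 { next }
        # field 5 onward is the path; rebuild it so paths with spaces survive
        {
            path = $5
            for (i = 6; i <= NF; i++) path = path " " $i
            if (tolower(path) ~ tolower(pat)) print $1
        }'
}

# dumpfiles_cmd OFFSET: print the dumpfiles invocation for one offset.
# -Q expects the physical offset from filescan, not a virtual address.
dumpfiles_cmd() {
    printf 'volatility -f %s --profile=%s dumpfiles -Q %s -D ./dumped\n' \
        "$IMG" "$PROFILE" "$1"
}

# match_count PATTERN: number of sample files matching PATTERN, useful for
# checking that a pattern is tight enough before dumping everything it hits.
match_count() {
    printf '%s\n' "$SAMPLE_FILESCAN" | filescan_offsets "$1" | wc -l | tr -d ' '
}

# Driver: print one dumpfiles command per file matching the pattern (default
# "flag"). For a live image replace the sample with:
#   volatility -f "$IMG" --profile="$PROFILE" filescan | filescan_offsets flag
main() {
    printf '%s\n' "$SAMPLE_FILESCAN" | filescan_offsets "${1:-flag}" |
    while read -r off; do
        dumpfiles_cmd "$off"
    done
}

main "$@"
```

Running it prints two dumpfiles commands (flag.txt and flag_backup.docx both match "flag", the SYSTEM hive does not). Paths are matched case-insensitively because NTFS paths in filescan output keep whatever case the process used when opening the file.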