memory forensics volatility

In preparing for the provincial competition, I simply learned a tool. This article simply records the commands commonly used in memory forensics.

vol.py -f xp.raw imageinfo //Identify the OS and the suggested --profile of the image; run this first
vol.py -f memory.raw --profile=Win7SP1x64 cmdscan //Recover cmd.exe command history
vol.py -f memory.raw --profile=Win7SP1x64 pslist //List processes from the active process list
vol.py -f memory.raw --profile=Win7SP1x64 pstree //Show the same processes as a parent/child tree
vol.py -f memory.img --profile=Win2003SP1x86 dlllist //List the DLLs loaded by each process
vol.py -f memory.img --profile=Win2003SP1x86 ldrmodules //Cross-check the loader lists to spot unlinked (hidden) DLLs
vol.py -f memory.img --profile=Win2003SP1x86 malfind //Find injected code and suspicious executable memory regions
vol.py -f memory.raw --profile=Win7SP1x64 hashdump //Dump local account password hashes from the SAM hive
vol.py -f memory.raw --profile=Win7SP1x64 printkey //Print a registry key and its values (-K "path" selects the key)
vol.py -f memory.raw --profile=Win7SP1x64 hivelist //List the registry hives with their virtual addresses
vol.py -f memory.raw --profile=Win7SP1x64 hivedump -o 0xfffff8a001cce010 //Dump every key of one hive; -o is the hive's virtual address taken from hivelist
vol.py -f memory.raw --profile=Win7SP1x64 netscan //Scan for network connections and listening sockets
vol.py -f memory.raw --profile=Win7SP1x64 svcscan //List services and their running state
vol.py -f memory.raw --profile=Win7SP1x64 envars //Show each process's environment variables
vol.py -f memory.raw --profile=Win7SP1x64 filescan //Scan for cached file objects
vol.py -f mem.vmem --profile=WinXPSP2x86 memdump -p 2012 -D ./ //Dump the memory of one process; take the PID from pslist, -D is the output directory
vol.py -f mem.raw --profile=Win7SP1x64 filescan | grep flag //Look for a file whose name contains "flag" in the file object scan
vol.py -f mem.raw --profile=Win7SP1x64 dumpfiles -Q <offset from filescan> -D ./ //Extract that file; -Q is the physical offset shown by filescan
vol.py -f mem.raw --profile=Win7SP1x64 memdump -p 536 -D ./ //Dump process 536, then search the dump directly:
strings -e l 536.dmp | grep flag //-e l also decodes UTF-16LE strings, which Windows uses widely
vol.py -f zy.raw --profile=WinXPSP2x86 iehistory //Recover Internet Explorer browsing history
vol.py --plugins=./volatility-master/volatility/plugins -f OtterCTF.vmem --profile=Win7SP1x64 mimikatz //Extract cached credentials with the mimikatz community plugin; --plugins points at the plugin directory
vol.py --plugins=./volatility-master/volatility/plugins -f OtterCTF.vmem --profile=Win7SP1x64 pslist //List processes
vol.py --plugins=./volatility-master/volatility/plugins -f OtterCTF.vmem --profile=Win7SP1x64 printkey -o <hive offset> //Print a key from one hive; -o is the hive's virtual address from hivelist
vol.py --plugins=./volatility-master/volatility/plugins -f OtterCTF.vmem --profile=Win7SP1x64 printkey -o <hive offset> -K "ControlSet001\Control\ComputerName\ComputerName" //Read the computer hostname from the SYSTEM hive
strings xxx.vmem | grep Luar-3 -A 5 -B 5 //Find "Luar-3" in the raw image, with 5 lines of context before and after
hexdump -C 708.dmp | grep "5a 0c 00" -A 3 //Search the dumped process memory for a byte pattern, with 3 lines after each hit
vol.py -f mem.raw --profile=Win7SP1x64 clipboard //Show the clipboard contents
vol.py -f mem.raw --profile=Win7SP1x64 memdump -n chrome -D ./chromepes //Dump every process whose name matches "chrome" into ./chromepes
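As an added example (not part of the original post), a small shell wrapper that ties the commands above together: it picks the first profile suggested by imageinfo, runs a fixed first-pass set of plugins into one output directory, and dumps one process and searches it with the corrected strings form. It assumes vol.py (Volatility 2) and binutils strings are on PATH; the plugin list, including psscan for comparison against pslist, is my choice.

```shell
#!/usr/bin/env bash
# Added triage wrapper for the Volatility 2 commands in this post (not the post's own code).
# Assumes vol.py and binutils `strings` are on PATH.
set -euo pipefail

# Read `imageinfo` output on stdin and print the first suggested profile,
# e.g. "Win7SP1x64" from "Suggested Profile(s) : Win7SP1x64, Win7SP0x64, ...".
# Prints nothing when no such line exists.
first_profile() {
    sed -n '/Suggested Profile(s)/{s/.*Profile(s) *: *\([^, ]*\).*/\1/p;q;}'
}

# Run the usual first-pass plugins, one output file each, so results can be
# compared later (e.g. pslist vs psscan to spot processes unlinked from the list).
triage() {
    image="$1"; profile="$2"; outdir="$3"
    mkdir -p "$outdir"
    for plugin in pslist psscan pstree dlllist ldrmodules malfind netscan svcscan cmdscan clipboard hivelist; do
        if ! vol.py -f "$image" --profile="$profile" "$plugin" > "$outdir/$plugin.txt" 2> "$outdir/$plugin.err"; then
            echo "warning: $plugin failed, see $outdir/$plugin.err" >&2
        fi
    done
}

# Dump one process by PID and grep its memory for a pattern in both ASCII and
# UTF-16LE strings (`strings -e l` is the correct form of the post's `-e -l`).
dump_and_grep() {
    image="$1"; profile="$2"; pid="$3"; pattern="$4"; outdir="$5"
    vol.py -f "$image" --profile="$profile" memdump -p "$pid" -D "$outdir" > /dev/null
    { strings -a "$outdir/$pid.dmp"; strings -a -e l "$outdir/$pid.dmp"; } | grep -i -- "$pattern" || true
}

# Usage: ./triage.sh <image> [pid pattern]
if [ -n "${1:-}" ]; then
    image="$1"
    info=$(vol.py -f "$image" imageinfo)           # capture first, then parse
    profile=$(printf '%s\n' "$info" | first_profile)
    echo "profile: $profile"
    triage "$image" "$profile" "./triage_$(basename "$image")"
    if [ -n "${3:-}" ]; then
        dump_and_grep "$image" "$profile" "$2" "$3" "./triage_$(basename "$image")"
    fi
fi
```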