2.4 Edition

Development build and wiki:
github.com/volatilityfoundation

Download a stable release:
volatilityfoundation.org

Read the book:
artofmemoryforensics.com

Development Team Blog:
http://volatility-labs.blogspot.com

(Official) Training Contact:
voltraining@memoryanalysis.net

Follow: @volatility
Learn: www.memoryanalysis.net


Basic Usage

Typical command components:
# vol.py -f [image] --profile=[profile] [plugin]

Display profiles, address spaces, plugins:
# vol.py --info

Display global command-line options:
# vol.py --help

Display plugin-specific arguments:
# vol.py [plugin] --help

Load plugins from an external directory:
# vol.py --plugins=[path] [plugin]

Specify a DTB or KDBG address:
# vol.py --dtb=[addr] --kdbg=[addr]

Specify an output file:
# vol.py --output-file=[file]


Image Identification

Get profile suggestions (OS and architecture):
imageinfo

Find and parse the debugger data block:
kdbgscan


Processes Listings

Basic active process listing:
pslist

Scan for hidden or terminated processes:
psscan

Cross reference processes with various lists:
psxview

Show processes in parent/child tree:
pstree


Process Information

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Display DLLs:
dlllist

Show command line arguments:
cmdline

Display details on VAD allocations:
vadinfo [--addr]

Dump allocations to individual files:
vaddump --dump-dir=PATH [--base]

Dump all valid pages to a single file:
memdump --dump-dir=PATH

Display open handles:
handles
    -t/--object-type=TYPE   Mutant, File, Key, etc…
    -s/--silent             Hide unnamed handles

Display privileges:
privs
    -r/--regex=REGEX   Regex privilege name
    -s/--silent        Explicitly enabled only

Display SIDs:
getsids

Display environment variables:
envars


PE File Extraction

Specify -D/--dump-dir to any of these plugins to identify your desired output directory.

Dump a kernel module:
moddump
    -r/--regex=REGEX   Regex module name
    -b/--base=BASE     Module base address

Dump a process:
procdump
    -m/--memory   Include memory slack

Dump DLLs in process memory:
dlldump
    -r/--regex=REGEX   Regex module name
    -b/--base=BASE     Module base address


Injected Code

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Find and extract injected code blocks:
malfind
    -D/--dump-dir=PATH   Dump findings here

Cross-reference DLLs with memory mapped files:
ldrmodules

Scan a block of code in process or kernel memory for imported APIs:
impscan
    -p/--pid=PID     Process ID
    -b/--base=BASE   Base address to scan
    -s/--size=SIZE   Size to scan from start of base


Logs / Histories

Recover event logs (XP/2003):
evtlogs
    -S/--save-evt        Save raw event logs
    -D/--dump-dir=PATH   Write to this directory

Recover command history:
cmdscan and consoles

Recover IE cache/Internet history:
iehistory

Show running services:
svcscan
    -v/--verbose   Show ServiceDll from registry


Networking Information

Active info (XP/2003):
connections and sockets

Scan for residual info (XP/2003):
connscan and sockscan

Network info for Vista, 2008, and 7:
netscan


Kernel Memory

Display loaded kernel modules:
modules

Scan for hidden or residual modules:
modscan

Display recently unloaded modules:
unloadedmodules

Display timers and associated DPCs:
timers

Display kernel callbacks, notification routines:
callbacks

Audit the SSDT:
ssdt
    -v/--verbose   Check for inline API hooks

Audit the IDT and GDT:
idt (x86 only)
gdt (x86 only)

Audit driver dispatch (IRP) tables:
driverirp
    -r/--regex=REGEX   Regex driver name

Display device tree (find stacked drivers):
devicetree

Print kernel pool tag usage stats:
pooltracker
    -t/--tags=TAGS      List of tags to analyze
    -T/--tagfile=FILE   pooltag.txt for labels

Copyright © 2014 The Volatility Foundation
Kernel Objects

Scan for driver objects:
driverscan

Scan for mutexes:
mutantscan
    -s/--silent   Hide unnamed mutants

Scan for used/historical file objects:
filescan

Scan for symbolic link objects (shows drive mappings):
symlinkscan


Registry

Display cached hives:
hivelist

Print a key's values and data:
printkey
    -o/--hive_offset=OFFSET   Hive address (virtual)
    -K/--key=KEY              Key path

Dump userassist data:
userassist

Dump shellbags information:
shellbags

Dump the shimcache:
shimcache


Timelines

To create a timeline, create output in body file format. Combine the data and run sleuthkit's mactime to create a CSV file.

timeliner --output=body > time.txt
shellbags --output=body >> time.txt
mftparser --output=body >> time.txt

mactime -b [time.txt] [-d] > csv.txt


Volshell

List processes:
>>> ps()

Switch contexts by pid, offset, or name:
>>> cc(pid = 3028)
>>> cc(offset = 0x3eb31340, physical=True)
>>> cc(name = "explorer.exe")

Acquire a process address space after using cc:
>>> process_space = proc().get_process_address_space()

Disassemble data in an address space:
>>> dis(address, length, space)

Dump bytes, dwords or qwords:
>>> db(address, length, space)
>>> dd(address, length, space)
>>> dq(address, length, space)

Display a type/structure:
>>> dt("_EPROCESS", recursive = True)

Display a type/structure instance:
>>> dt("_EPROCESS", 0x820c92a0)

Create an object in kernel space:
>>> thread = obj.Object("_ETHREAD", offset = 0x820c92a0, vm = addrspace())


Dump Conversion

Create a raw memory dump from a hibernation, crash dump, firewire acquisition, virtualbox, vmware snapshot, hpak, or EWF file:
imagecopy -O/--output-image=FILE

Convert any of the aforementioned file types to a Windows crash dump compatible with Windbg:
raw2dmp -O/--output-image=FILE


API Hooks

Scan for API hooks:
apihooks
    -R/--skip-kernel    Don't check kernel modules
    -P/--skip-process   Don't check processes
    -Q/--quick          Scan faster


Yara Scanning

Scan for Yara signatures:
yarascan
    -p/--pid=PID            Process IDs to scan
    -K/--kernel             Scan kernel memory
    -Y/--yara-rules=RULES   String, regex, bytes, etc.
    -y/--yara-file=FILE     Yara rules file
    -W/--wide               Match Unicode strings
    -s/--size               Size of preview bytes


File System Resources

Scan for MFT records:
mftparser
    --output=body   Output body format
    -D/--dump-dir   Dump MFT-resident data

Extract cached files (registry hives, executables):
dumpfiles
    -D/--dump-dir=PATH   Output directory
    -r/--regex=REGEX     Regex filename

Parse USN journal records:
usnparser (github.com/tomspencer)


GUI Memory

Sessions (shows RDP logins):
sessions

Window stations (shows clipboard owners):
wndscan

Desktops (find ransomware):
deskscan

Display global and session atom tables:
atoms and atomscan

Dump the contents of the clipboard:
clipboard

Detect message hooks (keyloggers):
messagehooks

Take a screen shot from the memory dump:
screenshot --dump-dir=PATH

Display visible and hidden windows:
windows and wintree


Strings

Use GNU strings or Sysinternals strings.exe:
strings -a -td FILE > strings.txt
strings -a -td -el FILE >> strings.txt (Unicode)
strings.exe -q -o > strings.txt (Windows)

Translate the string addresses:
strings
    -s/--string-file=FILE   Input strings.txt file
    -S/--scan


Password Recovery

Dump LSA secrets:
lsadump

Dump cached domain hashes:
cachedump

Dump LM and NTLM hashes:
hashdump (x86 only)

Extract OpenVPN credentials:
openvpn (github.com/Phaeilo)

Extract RSA private keys and certificates:
dumpcerts
    -s/--ssl   Parse certificates with openssl


Disk Encryption

Recover cached TrueCrypt passphrases:
truecryptpassphrase

Triage TrueCrypt artifacts:
truecryptsummary

Extract TrueCrypt master keys:
truecryptmaster


Malware Specific

Dump Zeus/Citadel RC4 keys:
zeusscan and citadelscan

Find and decode Poison Ivy configs:
poisonivyconfig

Decode Java RAT config:
javaratscan (github.com/Rurik)
General Investigations

Dump the system's raw registry hive files:
dumpfiles -p 4 --regex='(config|ntuser)' --ignore-case --name -D ./

Create a Graphviz diagram of processes:
psscan --output=dot --output-file=graph.dot

Create a color coded diagram of process memory:
vadtree -p PID --output=dot --output-file=graph.dot

Translate an account SID to user name:
printkey -K "Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\[SID]" | grep ProfileImagePath

List run keys for HKLM and all users:
printkey -K "Microsoft\\Windows\\CurrentVersion\\Run"
printkey -K "Software\\Microsoft\\Windows\\CurrentVersion\\Run"

Find Unicode hostnames or URLs:
yarascan -Y "/(www|http).+\.(com|net|org)/" --wide [--kernel]

Find null-terminated ASCII dot quad IP addresses:
yarascan -Y "/([0-9]{1,3}\.){3}[0-9]{1,3}\x00/" --wide [--kernel]

Locate and extract the HOSTS file to local directory:
filescan | egrep hosts$ | awk '{print $1}'
0x0000000005e3c6d8
dumpfiles -Q 0x0000000005e3c6d8 --name -D ./

Extract the admin password hash:
hashdump | grep Administrator > admin.txt


Malicious Code

Check if a process has domain or enterprise admin:
getsids | egrep '(Domain|Enterprise)'

Identify processes with raw sockets:
handles -t File | grep "\\Device\\RawIp\\0"

Look for explicitly enabled debug privilege:
privs --silent --regex=debug

Identify alternate data streams:
mftparser | grep "DATA ADS"

Dump MFT-resident batch scripts:
mftparser -D output/
file output/* | grep "DOS batch file"

Determine what is spying on the clipboard:
wndscan | grep ClipViewer

Dump injected code and focus on executables:
malfind -D output/
file output/* | grep PE

Trace API hooks through memory:
apihooks -p PID --quick | grep 'Hook address'
0x1da654f
echo "dis(0x1da654f, length = 512)" | volshell -p PID

Scan for a specific mutex on the system:
mutantscan | grep [-i] [MUTANT NAME]

Dump injected DLL, fix image base + IDA import labels:
dlldump --base=ADDR -p PID -D ./ --fix --memory
impscan --base=ADDR -p PID --output=idc > labels.idc

Find binaries loaded from temporary directories:
envars -p PID | grep TEMP | awk '{print $5}'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
(then filter dlllist and modules output for the specified path)


User Activity

Detect remote mapped shares:
handles -t File | egrep "\\Device\\(LanmanRedirector|Mup)"

Files on Truecrypt volumes:
filescan | grep TrueCryptVolume

Extract ASCII and Unicode clipboard content:
clipboard | grep TEXT

Brute force search for command history:
yarascan -Y "/C:\\\\.+>/" --wide [--kernel]

Recently clicked applications and shortcuts:
userassist | grep REG_BINARY

Find prefetch files (recently executed programs):
mftparser | grep \.pf$ | awk '{print $NF}'


Kernel Memory

Identify hooked driver dispatch tables:
driverirp --regex=tcpip | grep IRP | egrep -vi '(tcpip|ntos)'

Look for hooked SSDT functions:
ssdt | egrep -vi '(ntos|win32k) '

Malicious kernel callbacks and timers:
callbacks | grep UNKNOWN (same with timers)

Locate hidden thread-based kernel rootkits:
threads -F OrphanThread | grep StartAddress


Speed Enhancements

Find and set the kernel DTB:
psscan | grep System | awk '{print $5}'
0x00319000 (Now use --dtb=0x00319000)

Find and set the KDBG on XP-7 and 32-bit 8:
kdbgscan | grep Offset | grep V | uniq
Offset (V) : 0xf80002803070 (add to --kdbg)

Find and set the KDBG on 64-bit 8 and 2012:
kdbgscan --profile=[PROFILE] | grep KdCopyDataBlock
KdCopyDataBlock (V) : 0xf80281ff5ea0 (add to --kdbg)


Volshell Scripting

Create a process ID lookup table:
by_pid = dict((p.UniqueProcessId, p) for p in getprocs())
parent_name = by_pid[PID].ImageFileName

Scan process memory and print a hex dump:
needles = ["abc123", "def456"]
for hit in proc().search_process_memory(needles):
    db(hit)

Extract a chunk of kernel memory to disk:
data = addrspace().zread(ADDR, SIZE)
with open("output.bin", "wb") as handle:
    handle.write(data)

Translate a kernel address and seek to it (raw dumps only):
echo "addrspace().vtop(0x98dfd9c8)" | volshell -f [MEMDUMP]
597989832
xxd -s 597989832 [MEMDUMP]

Kernel modules with embedded PE signatures:
signed = [mod for mod in getmods() if mod.sec_dir()]
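The yarascan one-liners under General Investigations and User Activity (Unicode hostnames or URLs, null-terminated dot-quad IP addresses, command-history prompts) depend on --wide to match UTF-16LE strings as well as ASCII ones. The added example below, which is not code from the cheat sheet or from Volatility, shows what that option buys: it runs the same three regexes over a constructed process-memory fragment in both encodings and maps each wide hit back to its byte offset even where the UTF-16 text is not 2-byte aligned. The sample bytes are constructed, and the cheat sheet's greedy `.+` is narrowed to `[^\x00]+` here (an assumption of this example) so a hit stops at the string terminator; with the original `.+`, a match can extend past the first hostname to a later `.com` in the same scanned region, which is worth remembering when reading yarascan's preview bytes.

```python
import re

# Regexes from the cheat sheet's yarascan one-liners, with ".+" narrowed to
# "[^\x00]+" (assumption of this example) so a hit ends at the string terminator.
RULES = {
    "url": re.compile(r"(www|http)[^\x00]+\.(com|net|org)"),
    "ipv4": re.compile(r"([0-9]{1,3}\.){3}[0-9]{1,3}\x00"),
    "cmdhist": re.compile(r"C:\\[^\x00]+>"),
}

# Constructed process-memory fragment (not from a real dump): ASCII strings,
# three bytes of padding, then UTF-16LE text that starts at an odd offset.
SAMPLE_MEMORY = (
    b"\x00\x00user32.dll\x00"
    b"192.168.10.25\x00"
    b"C:\\Users\\admin>whoami\x00"
    b"http://www.example.com/login\x00"
    b"\x90\x41\x90"
    + "http://www.example.net/update".encode("utf-16-le") + b"\x00\x00"
    + "C:\\Users\\admin>".encode("utf-16-le") + b"\x00\x00"
)


def _wide_views(buf):
    """Yield (parity, text) for both 2-byte alignments. Each char in text is
    exactly one little-endian 16-bit unit, so char index i maps back to byte
    offset parity + 2*i; lone surrogates are kept, nothing is really decoded."""
    for parity in (0, 1):
        units = range(parity, len(buf) - 1, 2)
        yield parity, "".join(chr(buf[i] | (buf[i + 1] << 8)) for i in units)


def scan(buf, rules=RULES, wide=True):
    """Return sorted (offset, encoding, rule, text) hits, in the spirit of
    yarascan's hit list. encoding is "ascii" or "wide" (UTF-16LE, what --wide adds)."""
    hits = []
    ascii_text = buf.decode("latin-1")  # 1:1 byte-to-char mapping keeps offsets exact
    for name, rx in rules.items():
        for m in rx.finditer(ascii_text):
            hits.append((m.start(), "ascii", name, m.group().rstrip("\x00")))
    if wide:
        for parity, text in _wide_views(buf):
            for name, rx in rules.items():
                for m in rx.finditer(text):
                    hits.append((parity + 2 * m.start(), "wide", name,
                                 m.group().rstrip("\x00")))
    return sorted(hits)


if __name__ == "__main__":
    for offset, encoding, rule, text in scan(SAMPLE_MEMORY):
        print(f"0x{offset:08x} {encoding:5s} {rule:8s} {text!r}")
```

Without wide=True the two UTF-16LE strings are invisible to the scanner, which is exactly the gap --wide closes; the cmdhist pattern also illustrates why --kernel is optional on the cheat sheet: console prompts live in process memory, so scanning kernel space for them mostly adds noise. On a real dump the buffer would be read in chunks with a small overlap so a string straddling a chunk boundary is not missed.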
Linux Commands

Processes Listings

Basic active process listing:
linux_pslist

List processes and threads:
linux_pidhashtable

Cross reference processes with various lists:
linux_psxview

Show processes in parent/child tree:
linux_pstree


Process Information

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Display shared libraries:
linux_library_list

List threads:
linux_threads

Show command line arguments:
linux_psaux

Display details on memory ranges:
linux_proc_maps

Dump allocations to individual files:
linux_dump_map
    -D/--dump-dir=PATH
    --vma=ADDR   Range to dump

Display open handles:
linux_lsof

Display environment variables:
linux_psenv and linux_bash_env


ELF File Extraction

Specify -D/--dump-dir to any of these plugins to identify your desired output directory.

Dump a kernel module:
linux_moddump
    -r/--regex=REGEX   Regex module name
    -b/--base=BASE     Module base address

Dump a process:
linux_procdump

Dump shared libraries in process memory:
linux_librarydump
    -r/--regex=REGEX   Regex module name
    -b/--base=BASE     Module base address


Injected Code

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Find and extract injected code blocks:
linux_malfind

Cross-reference shared libraries with memory-mapped files:
linux_ldrmodules

Check for process hollowing:
linux_process_hollow
    -b/--base   Base address of ELF file in memory
    -P/--path   Path of known good file on disk


Command History

Recover command history:
linux_bash

Recover executed binaries:
linux_bash_hash


Networking Information

Active info:
linux_netstat

Interface information:
linux_ifconfig

Raw sockets:
linux_list_raw

Routing cache:
linux_route_cache
    -R/--resolve   DNS resolve destination IPs

Netfilter entries:
linux_netfilter

ARP cache:
linux_arp


Kernel Memory

Display loaded kernel modules:
linux_lsmod

Check for system call hooks:
linux_check_syscall

Check for network stack hooks:
linux_check_afinfo

Check for credential copying:
linux_check_creds

Check for file operations hooking:
linux_check_fop

Check for inline kernel hooks:
linux_check_inline_kernel

Check for hidden modules:
linux_check_modules
linux_hidden_modules

Check for TTY hooks:
linux_check_tty

Check for malicious keyboard callbacks:
linux_keyboard_notifiers

Print the kernel debug buffer:
linux_dmesg

Audit the IDT:
linux_idt (x86 only)


Userland API Hooks

Scan for API hooks:
linux_apihooks
    -a/--all   Check hooked PLT entries

Scan for GOT/PLT hooks:
linux_plthook
    -a/--all      List all PLT entries
    -i/--ignore   Libraries to ignore in processing


Yara Scanning

Scan for Yara signatures:
linux_yarascan
    -p/--pid=PID            Process IDs to scan
    -K/--kernel             Scan kernel memory
    -Y/--yara-rules=RULES   String, regex, bytes, etc.
    -y/--yara-file=FILE     Yara rules file
    -W/--wide               Match Unicode strings
    -s/--size               Size of preview bytes


File System Resources

List mount points:
linux_mount

Enumerate files:
linux_enumerate_files

Extract cached files:
linux_find_file
    -F/--find=FILE     Path of file to find
    -i/--inode=INODE   Address of inode to dump
    -L/--listfiles     Lists files in cache
    -O/--outputfile    File path to write


Disk Encryption

Recover cached Truecrypt passphrases:
linux_truecryptpassphrase


Strings

Translate extracted strings:
linux_strings
    -s/--string-file=FILE   Input strings.txt file
Mac OS X Commands

Processes Listings

Basic active process listing:
mac_pslist

List PID hash table:
mac_pid_hash_table

List tasks:
mac_tasks

Cross reference processes with various lists:
mac_psxview

Show processes in parent/child tree:
mac_pstree


Process Information

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Display shared libraries:
mac_dyld_maps

Show command line arguments:
mac_psaux

Display details on memory ranges:
mac_proc_maps

Dump allocations to individual files:
mac_dump_map
    -D/--dump-dir=PATH
    --map_address=ADDR

Display open handles:
mac_lsof

Display environment variables:
mac_psenv and mac_bash_env

Display login sessions:
mac_list_sessions


Mach-O File Extraction

Specify -D/--dump-dir to any of these plugins to identify your desired output directory.

Dump a kernel module:
mac_moddump
    -r/--regex=REGEX   Regex module name
    -b/--base=BASE     Module base address

Dump a process:
mac_procdump

Dump shared libraries in process memory:
mac_librarydump
    -b/--base=BASE   Module base address


Injected Code

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Find and extract injected code blocks:
mac_malfind

Cross-reference shared libraries with memory-mapped files:
mac_ldrmodules


Command History

Recover command history:
mac_bash

Recover executed binaries:
mac_bash_hash


Networking Information

Active info:
mac_netstat

Active info from network stack:
mac_network_conns

Interface information:
mac_ifconfig

ARP cache:
mac_arp

Route table:
mac_route

Socket filters:
mac_socket_filters

IP filters:
mac_ip_filters


Kernel Memory

Display loaded kernel modules:
mac_lsmod

Check for kernel API hooks:
mac_apihooks_kernel

Check for system call hooks:
mac_check_syscalls

Check for shadow system call table:
mac_check_syscall_shadow

Check sysctl handlers:
mac_check_sysctl

Check the trap table:
mac_check_trap_table

Check the mig table:
mac_check_mig_table

Check for file operations hooking:
mac_check_fop

Check for inline kernel hooks:
mac_check_inline_kernel

Check for hidden modules:
mac_lsmod_iokit
mac_lsmod_kext_map

Check for TrustedBSD hooks:
mac_trustedbsd

Print the kernel debug buffer:
mac_dmesg


API Hooks

Scan for API hooks:
mac_apihooks
    -R/--skip-kernel    Don't check kernel modules
    -P/--skip-process   Don't check processes
    -Q/--quick          Scan faster

Check for process hollowing:
mac_process_hollow
    -b/--base   Base address of ELF file in memory
    -P/--path   Path of known good file on disk

Scan for GOT/PLT hooks:
mac_plthook
    -a/--all      List all PLT entries
    -i/--ignore   Libraries to ignore in processing


Yara Scanning

Scan for Yara signatures:
mac_yarascan
    -p/--pid=PID            Process IDs to scan
    -K/--kernel             Scan kernel memory
    -Y/--yara-rules=RULES   String, regex, bytes, etc.
    -y/--yara-file=FILE     Yara rules file
    -W/--wide               Match Unicode strings
    -s/--size               Size of preview bytes


Disk Encryption

Recover possible Keychain keys:
mac_keychaindump


File System Resources

List mount points:
mac_mount

List cached files and their vnode addresses:
mac_list_files

Extract cached files:
mac_dump_file
    -q/--file_offset   Offset of vnode to dump
    -O/--outputfile    File path to write


Strings

Translate extracted strings:
mac_strings
    -s/--string-file=FILE   Input strings.txt file


User Activity

Recover Adium messages, including OTR chat:
mac_adium

Recover Calendar entries:
mac_calendar

Recover contacts:
mac_contacts