Memory Forensics Cheat Sheet v2.0
POCKET REFERENCE GUIDE
SANS Institute, by Chad Tilbury
http://computer-forensics.sans.org
http://forensicmethods.com

Purpose
This cheat sheet supports the SANS FOR508 Advanced Forensics and Incident Response and SANS FOR526 Memory Analysis courses. It is not intended to be an exhaustive resource for Volatility™ or other highlighted tools. Volatility™ is a trademark of Verizon. The SANS Institute is not sponsored or approved by, or affiliated with, Verizon.

Remember to open the command prompt as Administrator.

winpmem
  -o Output file location
  -p <path to pagefile.sys> Include page file
  -e Extract raw image from AFF4 file
  -l Load driver for live memory analysis
C:\> winpmem_<version>.exe -o F:\mem.aff4
C:\> winpmem_<version>.exe F:\mem.aff4 -e PhysicalMemory -o F:\mem.raw

DumpIt
  /f Output file location
  /s <value> Hash function to use
  /t <addr> Send to remote host (set up listener with /l)
C:\> DumpIt.exe /f F:\mem.raw /s 1

timeliner
The timeliner plugin parses time-stamped objects found in memory images. Output is sorted by:
  ➢ Process creation time
  ➢ Thread creation time
  ➢ Driver compile time
  ➢ DLL / EXE compile time
  ➢ Network socket creation time
  ➢ Memory resident registry key last write time
  ➢ Memory resident event log entry creation time
  --output-file Optional file to write output
  --output=body Bodyfile format (also text, xlsx)
  --type=Registry Extract registry key last write times
# vol.py -f mem.img timeliner --output-file out.body --output=body --profile=Win10x64
--profile=Win2016x64_14393
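The bodyfile that timeliner writes with --output=body is a pipe-delimited record per object (MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime, epoch seconds), and the usual next step is to sort it and pivot on a suspicious time. The parser below is an added example, not part of the cheat sheet or of Volatility; the sample lines are constructed to look like timeliner output and do not come from a real image.

```python
"""Sort Volatility 2 timeliner --output=body lines and pivot on a time of interest."""
from datetime import datetime, timezone

# Constructed sample of timeliner bodyfile output (not from a real memory image).
# Columns: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|[PROCESS] explorer.exe PID: 1324/PPID: 1296/POffset: 0x0e12b9b0|0|---------------|0|0|0|1380114000|1380114000|1380114000|1380114000
0|[PROCESS] svchost.exe PID: 2044/PPID: 1324/POffset: 0x0e5c1a10|0|---------------|0|0|0|1380117650|1380117650|1380117650|1380117650
0|[NETWORK CONNECTION] 10.0.0.5:49182 -> 203.0.113.7:4444 TCPv4 svchost.exe PID: 2044|0|---------------|0|0|0|1380117655|1380117655|1380117655|1380117655
0|[REGISTRY] HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|0|---------------|0|0|0|1380117660|1380117660|1380117660|1380117660
0|[DLL] svchost.exe PID: 2044 ntdll.dll (compile time)|0|---------------|0|0|0|1247534580|1247534580|1247534580|1247534580
"""


def parse_bodyfile(text):
    """Return a list of (epoch, name) sorted by time.

    timeliner normally writes the same value into all four timestamp columns,
    so identical stamps collapse to one event; a record carrying distinct
    atime/mtime/ctime/crtime values yields one event per distinct stamp.
    Zero and empty columns mean "no timestamp" in bodyfile and are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError("unexpected bodyfile line: %r" % line)
        name = fields[1]
        stamps = {int(f) for f in fields[7:11] if f not in ("", "0")}
        for ts in sorted(stamps):
            events.append((ts, name))
    return sorted(events)


def build_timeline(text):
    """Render the sorted timeline as 'YYYY-MM-DD HH:MM:SS UTC  name' lines."""
    return ["%s UTC  %s" % (datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"), name)
            for ts, name in parse_bodyfile(text)]


def events_near(text, pivot_epoch, window_seconds=300):
    """Pivot on a known time (for example a suspicious process creation time)
    and return every event within +/- window_seconds of it."""
    lo, hi = pivot_epoch - window_seconds, pivot_epoch + window_seconds
    return [(ts, name) for ts, name in parse_bodyfile(text) if lo <= ts <= hi]


if __name__ == "__main__":
    for line in build_timeline(SAMPLE_BODY):
        print(line)
```

Old compile times (the ntdll.dll entry above) land years before the intrusion window, which is why pivoting with events_near is more useful than reading the whole sorted file from the top.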
Getting Started with Volatility™

Getting Help
# vol.py -h (show options and supported plugins)
# vol.py plugin -h (show plugin usage)
# vol.py --info (show available OS profiles)

Sample Command Line
# vol.py -f image --profile=profile plugin

Identify System Profile
imageinfo - Display memory image metadata
# vol.py -f mem.img imageinfo

Using Environment Variables
Set name of memory image (takes the place of -f):
# export VOLATILITY_LOCATION=file:///images/mem.img
Set profile type (takes the place of --profile=):
# export VOLATILITY_PROFILE=Win10x64_14393

Identify Rogue Processes

pslist - High level view of running processes
# vol.py pslist

psscan - Scan memory for EPROCESS blocks
# vol.py psscan

pstree - Display parent-process relationships
# vol.py pstree

Analyze Process DLLs and Handles

dlllist - List of loaded DLLs by process
  -p Operate only on specific PIDs
# vol.py dlllist -p 1022,868

getsids - Print process security identifiers
  -p Show information only for specific PIDs
# vol.py getsids -p 868

handles - List of open handles for each process
  -p Show information only for specific PIDs
  -t Display only handles of a certain type
     {Process, Thread, Key, Event, File, Mutant, Token, Port}
# vol.py handles -p 868 -t File,Key

Review Network Artifacts

netscan - Scan for TCP connections and sockets
# vol.py netscan
Note: Use connscan and sockscan for XP systems.

Look for Evidence of Code Injection

malfind - Find injected code and dump sections
  -p Show information only for specific PIDs
  -o Provide physical offset of single process to scan
  --dump-dir Directory to save suspicious memory sections
# vol.py malfind --dump-dir ./output_dir

ldrmodules - Detect unlinked DLLs
  -p Show information only for specific PIDs
  -v Verbose: show full paths from three DLL lists
# vol.py ldrmodules -p 868 -v

hollowfind - Detect process hollowing techniques
  -p Show information only for specific PIDs
  -D Directory to save suspicious memory sections
# vol.py hollowfind -D ./output_dir

Check for Signs of a Rootkit

psxview - Find hidden processes using cross-view
# vol.py psxview

modscan - Scan memory for loaded, unloaded, and unlinked drivers
# vol.py modscan

apihooks - Find API/DLL function hooks
  -p Show information only for specific processes (PIDs)
  -Q Only scan critical processes and DLLs
# vol.py apihooks

ssdt - Hooks in System Service Descriptor Table
# vol.py ssdt | egrep -v '(ntoskrnl|win32k)'

driverirp - Identify I/O Request Packet (IRP) hooks
  -r Analyze drivers matching REGEX name pattern
# vol.py driverirp -r tcpip

idt - Display Interrupt Descriptor Table
# vol.py idt

Extract Processes, Drivers, and Objects

dlldump - Extract DLLs from specific processes
  -p Dump DLLs only for specific PIDs
  -b Dump DLL using base offset
  -r Dump DLLs matching REGEX name
  --dump-dir Directory to save extracted files
# vol.py dlldump --dump-dir ./output -r metsrv

moddump - Extract kernel drivers
  -o Dump driver using offset address (from modscan)
  -r Dump drivers matching REGEX name
  --dump-dir Directory to save extracted files
# vol.py moddump --dump-dir ./output -r gaopdx

procdump - Dump process to executable sample
  -p Dump only specific PIDs
  -o Specify process by physical memory offset
  --dump-dir Directory to save extracted files
# vol.py procdump --dump-dir ./output -p 868

memdump - Extract every memory section into one file
  -p Dump memory sections from these PIDs
  --dump-dir Directory to save extracted files
# vol.py memdump --dump-dir ./output -p 868

filescan - Scan memory for FILE_OBJECT handles
# vol.py filescan

dumpfiles - Extract FILE_OBJECTs from memory
  -Q Dump using physical offset of FILE_OBJECT
  -r Extract using a REGEX (add -i for case insensitive)
  -n Add original file name to output name
  --dump-dir Directory to save extracted files
# vol.py dumpfiles -n -i -r \\.exe --dump-dir=./

svcscan - Scan for Windows Service record structures
  -v Show service DLL for svchost instances
# vol.py svcscan -v

cmdscan - Scan for COMMAND_HISTORY buffers
# vol.py cmdscan

consoles - Scan for CONSOLE_INFORMATION output
# vol.py consoles