Memory Forensics Cheat Sheet v3.0
POCKET REFERENCE GUIDE
SANS Institute, by Chad Tilbury
http://dfir.sans.org
http://sans.org/for508
© 2023 SANS Institute   Memory_FOR_CheatSheet_3.0

How To Use This Document
Memory analysis is one of the most powerful tools available to forensic examiners. This guide aims to document and simplify the overwhelming number of tools and available capabilities. Windows memory analysis can generally be split into six steps:
  1. Identify Rogue Processes
  2. Analyze Process Objects
  3. Review Network Artifacts
  4. Look for Evidence of Code Injection
  5. Audit Drivers and Rootkit Detection
  6. Dump Memory Objects of Interest
In this reference guide we outline the most useful MemProcFS and Volatility capabilities to support these six stages of memory forensics. Further information is provided for:
  - Memory Acquisition
  - Live Memory Scanning
  - Using Indicators of Compromise
  - Alternate Windows Memory Locations

Purpose
This reference supports the SANS Institute FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics course. It is not intended to be an exhaustive resource for MemProcFS, Volatility, or any other tools. Volatility is a trademark of the Volatility Foundation. The SANS Institute is not sponsored, approved by, or affiliated with the Volatility Foundation.

Memory Acquisition
Execute the command terminal as Administrator.

WinPmem
https://github.com/Velocidex/WinPmem
  -d   Output to <filename>
  -l   Load driver for live memory analysis
  winpmem_mini_x64_<version>.exe -d D:\mem.img   (64-bit)

Magnet DumpIt
https://for508.com/dumpit
  /OUTPUT       Image destination
  /TYPE         Memory output format (RAW | DMP)
  /NOCOMPRESS   Do not compress output when > 32GB
  DumpIt.exe /TYPE DMP /OUTPUT D:\mem.img

Alternate Windows Memory Locations
  Hibernation File (Compressed)   C:\hiberfil.sys
  Page and Swap Files             C:\pagefile.sys
                                  C:\swapfile.sys (Windows 8+ / Server 2012+)
  Crash Dump                      C:\Windows\MEMORY.DMP
In rare instances these locations can differ from the defaults (except hiberfil.sys).

Live Memory Scanning
Powerful capabilities exist to scan processes for anomalies on live systems. Useful for hunting and memory research. An Administrator command terminal is required.

Moneta
Memory scanning tool looking for dynamic/unknown code, suspicious PE image regions, and advanced indicators of compromise
https://github.com/forrest-orr/moneta
  -p         Process IDs to scan (* for all)
  -m ioc     Scan only suspicious memory regions (-m * for all)
  -d         Dump selected process memory to the local file system
  --filter   Limit scans to reduce false positives (* | unsigned-module | metadata-modules | clr-heap | clr-prvx | wow64-init)
  moneta64.exe -m ioc -p * --filter * -d

Hollows_Hunter
Identifies potential process implants, shellcode, hooks, and in-memory patches
https://github.com/hasherezade/hollows_hunter
  /pname   Scan specific processes by name
  /pid     Scan specific processes by PID
  /dnet    Set policy for skipping .NET processes
  /hooks   Detect code patches and inline hooks (noisy)
  /dir     Directory to save dumps and reporting
  hollows_hunter64.exe /pid 1290;454 /dir .\Output

Get-InjectedThreadEx
Find suspicious threads (and associated processes) indicative of code injection
https://github.com/jdu2600/Get-InjectedThreadEx
  Get-InjectedThreadEx.exe > .\output.txt

Getting Started with Volatility 3
Getting Help (Windows / Linux / Mac Memory Analysis)
https://github.com/volatilityfoundation/volatility3
  vol.py -h          (show options and supported plugins)
  vol.py plugin -h   (show plugin usage)
Sample Command Line
  vol.py -f mem.img plugin
Query Memory Image Metadata (OS Profile & SystemTime)
  vol.py -f mem.img windows.info.Info
Create and use a JSON Config File to Accelerate Processing
  vol.py --write-config -f mem.img windows.info.Info
  vol.py -c config.json -f mem.img plugin
Output and Format Options
These options must precede the plugin within the command line:
  -r <csv | pretty | json>   Output format
  -o folder                  Output folder for extracted items (useful with --dump)
Plugin-specific options must follow the plugin name:
  --pid PID1,PID2   Limit data to specific process IDs (most plugins)
Plugin names can be shortened if they still result in a unique match:
  vol.py -f mem.img -r csv windows.pslist --pid 4

MemProcFS (Windows Memory Analysis)
https://github.com/ufrisk/MemProcFS
  MemProcFS.exe [options] -device <memory image>
  -device:           Memory image (includes hibernation file support)
  -v:                Enable verbose auditing in console
  -pagefile0:        Specify pagefile.sys file (not required)
  -pagefile1:        Specify swapfile.sys file (not required)
  -mount:            Drive letter for analysis output (M: is default)
  -forensic [0-4]:   Start forensic scan of memory upon startup
      0 = not enabled (default value)
      1 = forensic mode with in-memory sqlite database
      2 = forensic mode with temp sqlite database deleted upon exit
      3 = forensic mode with temp sqlite database remaining upon exit
      4 = forensic mode with static named sqlite database (vmm.sqlite3)
Processes:
  Process Tree:               M:\sys\proc\proc.txt
  CSV (requires -forensic):   M:\forensic\csv\process.csv
Process Objects: objects are represented as files; use a simple copy/paste for "dumping".
  By PID:    M:\pid
  By Name:   M:\name
Network Artifacts:
  Text:                       M:\sys\net\netstat.txt
  CSV (requires -forensic):   M:\forensic\csv\net.csv
Code Injection and Anomaly Detection (requires -forensic):
  Text:   M:\forensic\findevil\findevil.txt
  CSV:    M:\forensic\csv\findevil.csv
Cached Files (requires -forensic):
  Extracted files in virtualized file system:   M:\forensic\files
  List of available cached files:               M:\forensic\csv\files.csv
Other Analysis Capabilities (most require -forensic):
  Virtualized Registry:          M:\registry
  MFT Virtualized File System:   M:\forensic\ntfs
  Drivers:                       M:\forensic\csv\drivers.csv
  Services:                      M:\forensic\csv\services.csv
  Scheduled Tasks:               M:\forensic\csv\tasks.csv
  Forensic Timeline:             M:\forensic\csv\timeline_all.csv

1. Identify Rogue Processes
pslist - High-level view of running processes
  --dump   Extract process executables
  vol.py -f mem.img windows.pslist.PsList
psscan - Deep scan of memory for EPROCESS blocks
  vol.py -f mem.img windows.psscan.PsScan
pstree - Display parent-process relationships
  --pid   Display a mini process tree for a single parent process
  vol.py -f mem.img windows.pstree.PsTree

2. Analyze Process Objects
dlllist - List of loaded DLLs by process
  --dump   Extract DLLs from the memory image
  vol.py -f mem.img windows.dlllist.DllList --pid 840
cmdline - Display process command lines from the PEB
  vol.py -f mem.img windows.cmdline.CmdLine
getsids - Print process security identifiers
  vol.py -f mem.img windows.getsids.GetSIDs
handles - List of open handles for each process
Pipe results to egrep to display only handles of a certain type:
  vol.py -f mem.img windows.handles.Handles --pid 840 | egrep 'File|Key|Mutant'

3. Review Network Artifacts
netstat - Display data from network tracking structures
  vol.py -f mem.img windows.netstat.NetStat
netscan - Deep scan for network connections and sockets
  --include-corrupt   Relax validation for more results
  vol.py -f mem.img windows.netscan.NetScan

4. Look for Evidence of Code Injection
malfind - Find suspicious RWX sections not mapped to disk
  --dump   Save suspicious memory sections to a folder
  vol.py -f mem.img -o tmp windows.malfind.Malfind --dump
ldrmodules - Detect unlinked DLLs
  vol.py -f mem.img windows.ldrmodules.LdrModules

5. Audit Drivers and Rootkit Detection
modules - View list of loaded kernel drivers
  --dump          Extract listed drivers
  --name driver   Info on the named driver (can be used with --dump)
  vol.py -f mem.img windows.modules.Modules --name ks.sys
modscan - Scan for loaded, unloaded, and unlinked drivers
  --dump   Extract all available drivers
  vol.py -f mem.img -o tmp windows.modscan.ModScan --dump
ssdt - Output the System Service Descriptor Table
  vol.py -f mem.img windows.ssdt.SSDT
driverirp - Print driver IRP (major function) tables
  vol.py -f mem.img windows.driverirp.DriverIrp

6. Dump Memory Objects of Interest
Many Volatility 3 plugins have a --dump option for extracting objects: pslist, psscan, dlllist, modules, modscan, malfind
  vol.py -f mem.img windows.pslist.PsList --pid 840 --dump
Extraction plugins also exist for other Windows memory objects:
  windows.memmap.Memmap
  windows.filescan.FileScan
  windows.dumpfiles.DumpFiles
  windows.mftscan.MFTScan
  windows.svcscan.SvcScan

Memory Analysis with YARA
Volatility 3 VadYaraScan
  --yara-file   Text file of YARA rules
  vol.py -f mem.img windows.vadyarascan --yara-file rules
MemProcFS YARA Integration
MemProcFS includes built-in YARA signatures from Elastic Security.
  Add to the command line:      -license-accept-elastic-license-2-0
  Built-in YARA hits:           M:\forensic\csv\findevil.csv
  Include custom signatures:    -forensic-yara-rules rules
  Custom YARA hits:             M:\forensic\yara
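The following script is an added example, not part of the SANS cheat sheet or of the Volatility project. It ties together two points made above: the Volatility 3 rule that global options (-r, -o, -f) precede the plugin name while plugin options follow it, and the "Identify Rogue Processes" step, where pslist (a walk of the kernel's linked process list) is compared against psscan (a carve of EPROCESS blocks from raw memory) so that unlinked processes stand out. It assumes vol.py is on PATH and that the rows returned by `-r json` for windows.pslist and windows.psscan carry the columns PID, PPID, ImageFileName, Offset(V) and ExitTime (check the column names with `-r pretty` on your Volatility version first). The parent-process baseline and all sample rows are constructed for the example; the `runner` hook lets the logic run without a memory image.

```python
"""Cross-view process audit over Volatility 3 JSON output (added example)."""
import json
import subprocess
from typing import Callable, Dict, List, Optional, Sequence

Row = Dict[str, object]

# Assumed baseline of parent images for core Windows processes (lower-cased);
# tune it to the Windows build you are examining.
EXPECTED_PARENT = {
    "smss.exe": {"system", "smss.exe"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}


def build_vol_cmd(image: str, plugin: str, plugin_args: Sequence[str] = (),
                  output: str = "json", out_dir: Optional[str] = None) -> List[str]:
    """Global options (-r, -o, -f) before the plugin; plugin options after it."""
    cmd = ["vol.py", "-r", output]
    if out_dir:
        cmd += ["-o", out_dir]
    return cmd + ["-f", image, plugin, *plugin_args]


def run_vol_json(image: str, plugin: str,
                 runner: Optional[Callable[[List[str]], str]] = None) -> List[Row]:
    """Run one plugin with -r json and return its rows; `runner` is injectable."""
    if runner is None:
        runner = lambda cmd: subprocess.run(cmd, check=True, capture_output=True,
                                            text=True).stdout
    return json.loads(runner(build_vol_cmd(image, plugin)))


def _key(row: Row):
    # Match on the EPROCESS virtual offset: PIDs get reused, offsets do not.
    return row.get("Offset(V)", row["PID"])


def find_hidden_processes(pslist_rows: List[Row], psscan_rows: List[Row]) -> List[Row]:
    """An EPROCESS that psscan carves but the pslist walk never reaches is either
    unlinked (DKOM-style hiding) or a terminated process whose block is not yet
    freed. Exited processes carry an ExitTime, so only live ones are reported."""
    listed = {_key(r) for r in pslist_rows}
    return [r for r in psscan_rows if _key(r) not in listed and not r.get("ExitTime")]


def parent_anomalies(pslist_rows: List[Row]) -> List[tuple]:
    """Flag core Windows processes whose parent does not match the baseline,
    e.g. an svchost.exe spawned by explorer.exe rather than services.exe."""
    procs = {int(r["PID"]): r for r in pslist_rows}
    findings = []
    for pid, row in procs.items():
        name = str(row["ImageFileName"]).lower()
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            continue
        parent = procs.get(int(row["PPID"]))
        if parent is None:
            # smss.exe instances exit after spawning csrss/wininit/winlogon, so an
            # absent parent is normal there; anywhere else it is worth a look.
            if "smss.exe" not in expected:
                findings.append((pid, name, f"parent PID {row['PPID']} not in pslist"))
            continue
        pname = str(parent["ImageFileName"]).lower()
        if pname not in expected:
            findings.append((pid, name, f"parent is {pname}, expected {sorted(expected)}"))
    return findings


def audit(image: str, runner=None) -> Dict[str, list]:
    """Run pslist and psscan against `image` and apply both checks."""
    pslist = run_vol_json(image, "windows.pslist.PsList", runner)
    psscan = run_vol_json(image, "windows.psscan.PsScan", runner)
    return {"hidden": find_hidden_processes(pslist, psscan),
            "parent_anomalies": parent_anomalies(pslist)}


# Constructed rows in the shape of Volatility 3 -r json output (not from a real image).
def _row(pid, ppid, name, off, exit_time=None):
    return {"PID": pid, "PPID": ppid, "ImageFileName": name, "Offset(V)": off,
            "ExitTime": exit_time}

SAMPLE_PSLIST = [
    _row(4, 0, "System", 0xffff9a0000c80040),
    _row(368, 4, "smss.exe", 0xffff9a0001a10080),
    _row(480, 368, "csrss.exe", 0xffff9a0001b20080),
    _row(556, 368, "wininit.exe", 0xffff9a0001c30080),
    _row(652, 556, "services.exe", 0xffff9a0001d40080),
    _row(660, 556, "lsass.exe", 0xffff9a0001e50080),
    _row(812, 652, "svchost.exe", 0xffff9a0002060080),
    _row(3500, 3400, "explorer.exe", 0xffff9a0004170080),
    _row(4120, 3500, "svchost.exe", 0xffff9a0005280080),        # wrong parent
]
SAMPLE_PSSCAN = SAMPLE_PSLIST + [
    _row(1337, 652, "hidden.exe", 0xffff9a0006390080),          # unlinked, live
    _row(2222, 3500, "notepad.exe", 0xffff9a00074a0080, "2023-04-01 10:00:00"),  # exited
]


def fake_runner(cmd: List[str]) -> str:
    """Stand-in for vol.py that serves the constructed rows."""
    return json.dumps(SAMPLE_PSSCAN if "windows.psscan.PsScan" in cmd else SAMPLE_PSLIST)


if __name__ == "__main__":
    for check, rows in audit("mem.img", fake_runner).items():
        print(check, rows)
```

Against a real image, call `audit("mem.img")` with no runner and vol.py is invoked as `vol.py -r json -f mem.img windows.pslist.PsList`; a hit in `hidden` is the cross-view result that pstree alone cannot show, and should be followed by dumping the process (step 6) and checking its VADs with malfind.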