Volatility2 core commands
There are a number of core commands (plugins) within Volatility, and many of them are covered by Andrea Fortuna on his blog. For those interested, I highly recommend his book "The little handbook of Windows Memory Analysis" (not an affiliate link).
The following is a short list of basic commands to get you up and running with Volatility. More commands will be covered later.
Using the Win7SP1x64_23418 profile identified previously, the following command prints Volatility's global options followed by the list of plugins supported by that profile. $mem is set to the path of our memory image.
$ python vol.py -f $mem --profile=Win7SP1x64_23418 -h
Depending on the size of the memory image, these commands can take a long time to return results. As with any analysis, decide what you are looking for before you start. If you have no leads yet, running these core commands is the quickest way to surface unexpected network connections and suspicious processes.
netscan
netscan pool-scans the image for network artifacts (TCP endpoints and listeners, UDP endpoints) and applies to Vista/2008 and later, Windows 10 included; for XP and 2003 use connections, connscan, sockets and sockscan instead. Each row gives the physical offset, protocol (TCPv4/TCPv6/UDPv4/UDPv6), local address and port, foreign address and port, state (TCP only), PID (process ID), owning process name and creation time. Because it carves pool allocations rather than walking a live list, it also returns closed and already-freed connections, which is useful history; an owner of -1 means Volatility could not resolve the owning process, usually because it has already exited, as with the two CLOSED rows to 13.107.21.200:443 below. The listing is trimmed.
$ python vol.py -f $mem --profile=Win7SP1x64_23418 netscan
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x13d73d730 TCPv4 0.0.0.0:3389 0.0.0.0:0 LISTENING 1160 svchost.exe
0x13d73d730 TCPv6 :::3389 :::0 LISTENING 1160 svchost.exe
0x13f2e5010 TCPv4 192.168.10.146:54284 13.107.21.200:443 CLOSED -1
0x13f304280 TCPv4 192.168.10.146:54283 13.107.21.200:443 CLOSED -1
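Once a netscan listing has been saved to a file it is quick to triage mechanically. The script below is an added example for this page, not code from the original post or from Volatility. It parses the rows above (embedded as sample input), classifies each foreign address with Python's ipaddress module, and reports wildcard listeners and connections to routable addresses together with the owning process. It assumes the whitespace-separated column order netscan prints (offset, protocol, local, foreign, state for TCP rows only, PID, owner, created).

```python
"""Triage a Volatility 2 netscan listing.

Added example, not part of the original page or of Volatility. An owner of
-1 is what netscan prints when it cannot map the endpoint to a process,
usually because that process has already exited.
"""
import ipaddress
import re

# The four rows shown in the section (the parser skips anything that does
# not start with an offset, so the header row may be present or not).
NETSCAN_SAMPLE = """\
0x13d73d730 TCPv4 0.0.0.0:3389 0.0.0.0:0 LISTENING 1160 svchost.exe
0x13d73d730 TCPv6 :::3389 :::0 LISTENING 1160 svchost.exe
0x13f2e5010 TCPv4 192.168.10.146:54284 13.107.21.200:443 CLOSED -1
0x13f304280 TCPv4 192.168.10.146:54283 13.107.21.200:443 CLOSED -1
"""

CREATED = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC[+-]\d{4}$")


def _split_endpoint(ep):
    """'192.168.10.146:54284' -> ('192.168.10.146', '54284'); ':::3389' -> ('::', '3389')."""
    host, _, port = ep.rpartition(":")
    return host, port


def parse_netscan(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith("0x"):
            continue  # banner, header or blank line
        offset, proto, local, remote, *rest = parts
        state = ""
        if proto.upper().startswith("TCP"):  # UDP rows have no State column
            state, rest = rest[0], rest[1:]
        pid = int(rest[0])
        tail = " ".join(rest[1:])  # owner name (may contain spaces) + optional created time
        m = CREATED.search(tail)
        created = m.group(0) if m else ""
        owner = tail[: m.start()].strip() if m else tail.strip()
        lh, lp = _split_endpoint(local)
        rh, rp = _split_endpoint(remote)
        rows.append({"offset": offset, "proto": proto, "local_host": lh, "local_port": lp,
                     "remote_host": rh, "remote_port": rp, "state": state,
                     "pid": pid, "owner": owner, "created": created})
    return rows


def classify(host):
    """'external' for routable addresses, 'internal' for private/loopback/link-local, 'none' for wildcards."""
    if host in ("*", "0.0.0.0", "::"):
        return "none"
    ip = ipaddress.ip_address(host)
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"
    return "external"


def triage(rows):
    findings = []
    for r in rows:
        if r["state"] == "LISTENING" and r["local_host"] in ("0.0.0.0", "::"):
            findings.append(("listener", f"{r['proto']} port {r['local_port']} open on all interfaces, "
                                         f"owner {r['owner'] or '?'} (pid {r['pid']})"))
        if classify(r["remote_host"]) == "external":
            who = r["owner"] or "unresolved (pid -1: owning process has probably exited)"
            findings.append(("external", f"{r['local_host']}:{r['local_port']} -> "
                                         f"{r['remote_host']}:{r['remote_port']} "
                                         f"{r['state'] or r['proto']}, owner {who}"))
    return findings


def external_hosts(rows):
    """Distinct routable foreign addresses, the list you take to threat intel / proxy logs."""
    return sorted({r["remote_host"] for r in rows if classify(r["remote_host"]) == "external"})


if __name__ == "__main__":
    rows = parse_netscan(NETSCAN_SAMPLE)
    for kind, detail in triage(rows):
        print(f"[{kind}] {detail}")
    print("external hosts:", external_hosts(rows))
```

On the rows above this reports the RDP listener (port 3389, svchost.exe 1160, which pstree -v below shows is the NetworkService group) and two closed HTTPS connections to 13.107.21.200 whose owner can no longer be resolved. The parser has no Volatility dependency, so it works on any saved netscan output.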
pslist
pslist walks the kernel's active process list (the doubly linked list of _EPROCESS structures headed by PsActiveProcessHead) and prints, for each process, its virtual offset, name (truncated to 15 characters, hence "VGAuthService." and "SearchIndexer." below), PID (process ID), PPID (parent process ID), thread count, handle count, session ID, whether it is a 32-bit process running under WoW64, and its start and exit times. Because it follows the linked list, a process that has been unlinked from it (DKOM) will not appear; cross-check with psscan, which carves _EPROCESS objects from memory, or psxview, which compares several sources at once.
$ python vol.py -f $mem --profile=Win7SP1x64_23418 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8030e57b00 System 4 0 108 572 ------ 0 2020-04-20 22:44:37 UTC+0000
0xfffffa8032005aa0 smss.exe 280 4 2 30 ------ 0 2020-04-20 22:44:37 UTC+0000
0xfffffa8032f05b00 csrss.exe 364 352 9 532 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa803254d580 wininit.exe 408 352 3 76 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa8032a29350 csrss.exe 440 416 11 534 1 0 2020-04-20 22:44:38 UTC+0000
0xfffffa803317e8e0 services.exe 472 408 7 241 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa8033197060 winlogon.exe 508 416 5 117 1 0 2020-04-20 22:44:38 UTC+0000
0xfffffa80331a7b00 lsass.exe 536 408 7 648 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa80331adb00 lsm.exe 544 408 10 211 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa8033227b00 svchost.exe 660 472 11 378 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa803325c060 vmacthlp.exe 728 472 3 66 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa8033266060 svchost.exe 772 472 10 336 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa80332b0b00 svchost.exe 860 472 21 514 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa80332fa5f0 svchost.exe 936 472 20 460 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa80333379b0 svchost.exe 980 472 15 655 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa803333db00 svchost.exe 112 472 44 1260 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa8033424860 svchost.exe 1160 472 21 668 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa803343eb00 spoolsv.exe 1304 472 13 287 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa80334d8b00 svchost.exe 1332 472 19 346 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa803357c5f0 svchost.exe 1444 472 10 146 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa80335e7720 VGAuthService. 1520 472 3 86 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa803364a060 vmtoolsd.exe 1576 472 10 289 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa80335edb00 wlms.exe 1636 472 4 46 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa8033735060 sppsvc.exe 1952 472 4 170 0 0 2020-04-20 22:44:40 UTC+0000
0xfffffa803362c060 svchost.exe 2032 472 6 105 0 0 2020-04-20 22:44:40 UTC+0000
0xfffffa803376e060 svchost.exe 1080 472 7 101 0 0 2020-04-20 22:44:40 UTC+0000
0xfffffa803379eb00 WmiPrvSE.exe 2108 660 12 221 0 0 2020-04-20 22:44:40 UTC+0000
0xfffffa80338145f0 dllhost.exe 2216 472 13 195 0 0 2020-04-20 22:44:40 UTC+0000
0xfffffa803386db00 msdtc.exe 2324 472 12 148 0 0 2020-04-20 22:44:40 UTC+0000
0xfffffa803365b060 svchost.exe 2944 472 9 136 0 0 2020-04-20 22:46:40 UTC+0000
0xfffffa80310b3b00 svchost.exe 360 472 13 361 0 0 2020-04-20 22:46:40 UTC+0000
0xfffffa8031090060 SearchIndexer. 2580 472 13 694 0 0 2020-04-20 22:46:41 UTC+0000
0xfffffa80316f9060 taskhost.exe 1396 472 10 223 1 0 2020-04-20 23:16:53 UTC+0000
0xfffffa8031ea9940 dwm.exe 2852 936 3 82 1 0 2020-04-20 23:16:53 UTC+0000
0xfffffa80317ff060 explorer.exe 2672 2148 31 1018 1 0 2020-04-20 23:16:53 UTC+0000
0xfffffa803140c5f0 WerFault.exe 2164 2508 5 133 1 0 2020-04-20 23:16:54 UTC+0000
0xfffffa8031e80b00 vmtoolsd.exe 2928 2672 9 178 1 0 2020-04-20 23:16:54 UTC+0000
0xfffffa80324e1940 audiodg.exe 1728 860 5 136 0 0 2020-04-20 23:16:54 UTC+0000
0xfffffa803165eb00 slack.exe 2208 2412 28 553 1 0 2020-04-20 23:16:54 UTC+0000
0xfffffa8031ed3710 slack.exe 2728 2208 9 213 1 0 2020-04-20 23:16:59 UTC+0000
0xfffffa8031471b00 slack.exe 1172 2208 7 135 1 0 2020-04-20 23:17:00 UTC+0000
0xfffffa8031688b00 slack.exe 2812 2208 15 325 1 0 2020-04-20 23:17:00 UTC+0000
0xfffffa80338cdb00 slack.exe 2848 2208 14 276 1 0 2020-04-20 23:17:00 UTC+0000
0xfffffa803177bb00 WINWORD.EXE 3180 2672 15 698 1 0 2020-04-20 23:17:06 UTC+0000
0xfffffa8031e2c2c0 chrome.exe 3384 2672 30 1039 1 0 2020-04-20 23:17:07 UTC+0000
0xfffffa8032429060 chrome.exe 3392 3384 7 95 1 0 2020-04-20 23:17:07 UTC+0000
0xfffffa803258cb00 wuauclt.exe 3464 112 3 94 1 0 2020-04-20 23:17:08 UTC+0000
0xfffffa80324ca5c0 chrome.exe 3492 3384 2 56 1 0 2020-04-20 23:17:09 UTC+0000
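On a long listing it is easy to miss a single svchost.exe with the wrong parent, so the lineage rules are worth applying mechanically. The following script is an added example, not part of the original page or of Volatility. It parses pslist output (rows from the listing above are embedded as sample input, together with two constructed rogue rows, PIDs 6666 and 6667, that are not in the image) and applies a few Windows 7 rules: services.exe, lsass.exe and lsm.exe are children of wininit.exe, every svchost.exe is a child of services.exe and runs in session 0, and exactly one wininit.exe/services.exe/lsass.exe/lsm.exe is running. Parents missing from the list (smss.exe for csrss/wininit/winlogon, userinit.exe for explorer.exe) are normal on Windows 7 because those parents exit after spawning their children, so they are reported separately rather than as anomalies.

```python
"""Parent/child sanity checks over a Volatility 2 pslist listing.

Added example, not part of the original page or of Volatility. Names are the
15-character _EPROCESS ImageFileName that pslist prints, compared
case-insensitively.
"""
import re
from collections import Counter

# Rows copied from the section's pslist output (trimmed).
PSLIST_PAGE = """\
0xfffffa8030e57b00 System 4 0 108 572 ------ 0 2020-04-20 22:44:37 UTC+0000
0xfffffa8032005aa0 smss.exe 280 4 2 30 ------ 0 2020-04-20 22:44:37 UTC+0000
0xfffffa8032f05b00 csrss.exe 364 352 9 532 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa803254d580 wininit.exe 408 352 3 76 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa803317e8e0 services.exe 472 408 7 241 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa80331a7b00 lsass.exe 536 408 7 648 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa80331adb00 lsm.exe 544 408 10 211 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa8033227b00 svchost.exe 660 472 11 378 0 0 2020-04-20 22:44:38 UTC+0000
0xfffffa80332fa5f0 svchost.exe 936 472 20 460 0 0 2020-04-20 22:44:39 UTC+0000
0xfffffa8031ea9940 dwm.exe 2852 936 3 82 1 0 2020-04-20 23:16:53 UTC+0000
0xfffffa80317ff060 explorer.exe 2672 2148 31 1018 1 0 2020-04-20 23:16:53 UTC+0000
0xfffffa803177bb00 WINWORD.EXE 3180 2672 15 698 1 0 2020-04-20 23:17:06 UTC+0000
0xfffffa8031e2c2c0 chrome.exe 3384 2672 30 1039 1 0 2020-04-20 23:17:07 UTC+0000
"""

# Constructed rows (NOT from the page) that break the rules: a svchost.exe
# spawned by explorer.exe in session 1, and a second lsass.exe.
PSLIST_CONSTRUCTED = """\
0xfffffa80dead0001 svchost.exe 6666 2672 4 80 1 0 2020-04-20 23:30:00 UTC+0000
0xfffffa80dead0002 lsass.exe 6667 2672 2 40 1 0 2020-04-20 23:30:05 UTC+0000
"""

ROW = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<thds>\S+)\s+(?P<hnds>\S+)\s+(?P<sess>\S+)\s+(?P<wow64>\d)"
    r"\s+(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC[+-]\d{4})"
    r"(?:\s+(?P<exit>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC[+-]\d{4}))?\s*$"
)

# Windows 7 lineage: the only acceptable parent names for these processes.
EXPECTED_PARENT = {
    "smss.exe": {"system"}, "csrss.exe": {"smss.exe"}, "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"}, "services.exe": {"wininit.exe"}, "lsass.exe": {"wininit.exe"},
    "lsm.exe": {"wininit.exe"}, "svchost.exe": {"services.exe"}, "spoolsv.exe": {"services.exe"},
    "taskhost.exe": {"services.exe"}, "dwm.exe": {"svchost.exe"},
}
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe", "lsm.exe"}  # one running copy each
SESSION_ZERO_ONLY = {"svchost.exe"}  # service hosts do not belong in an interactive session


def parse_pslist(text):
    """PID -> row dict; banner, header and rule lines are skipped because they do not match ROW."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["pid"], p["ppid"] = int(p["pid"]), int(p["ppid"])
        procs[p["pid"]] = p
    return procs


def parents_missing(procs):
    """PIDs whose parent is not in the list: parent exited (normal for smss/userinit) or is hidden."""
    return sorted(pid for pid, p in procs.items() if p["ppid"] != 0 and p["ppid"] not in procs)


def check_lineage(procs):
    findings = []
    running = [p for p in procs.values() if not p["exit"]]
    counts = Counter(p["name"].lower() for p in running)
    for name in sorted(SINGLETONS):
        if counts[name] > 1:
            findings.append(f"{counts[name]} running copies of {name}; expected exactly one")
    for p in running:
        name = p["name"].lower()
        if name == "system" and p["pid"] != 4:
            findings.append(f"System has pid {p['pid']}; expected 4")
        parent = procs.get(p["ppid"])  # only judge the parent when it is still in the list
        if parent is not None and name in EXPECTED_PARENT \
                and parent["name"].lower() not in EXPECTED_PARENT[name]:
            findings.append(f"{p['name']} (pid {p['pid']}) parented by {parent['name']} "
                            f"(pid {parent['pid']}); expected {' or '.join(sorted(EXPECTED_PARENT[name]))}")
        if name in SESSION_ZERO_ONLY and p["sess"] not in ("0", "------"):
            findings.append(f"{p['name']} (pid {p['pid']}) runs in session {p['sess']}; expected session 0")
    return findings


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_PAGE + PSLIST_CONSTRUCTED)
    print("parents not in list:", parents_missing(procs))
    for finding in check_lineage(procs):
        print("!!", finding)
```

A rule failure is a lead, not a verdict: confirm it with pstree -v, dlllist and malfind before drawing a conclusion, and remember that pslist itself can be lied to by DKOM, so run the same checks over psscan output as well.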
pstree -v
pstree prints the same process list indented as a parent/child tree, which is much easier to read for lineage. With -v it adds three lines per process: audit: is the image path recorded in the kernel _EPROCESS (SeAuditProcessCreationInfo); cmd: is the command line read from the process's PEB; path: is the image path from the PEB. The audit value is kernel-side, while cmd and path live in user-mode memory that the process itself controls, so an audit path that disagrees with the PEB path, or a command line that does not fit the image, deserves a closer look. Where the PEB was paged out or unavailable in the dump, cmd and path are simply absent (see SearchIndexer. and one of the chrome.exe children below).
$ python vol.py -f $mem --profile=Win7SP1x64_23418 pstree -v
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa803254d580:wininit.exe 408 352 3 76 2020-04-20 22:44:38 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\wininit.exe
cmd: wininit.exe
path: C:\Windows\system32\wininit.exe
. 0xfffffa80331a7b00:lsass.exe 536 408 7 648 2020-04-20 22:44:38 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\lsass.exe
cmd: C:\Windows\system32\lsass.exe
path: C:\Windows\system32\lsass.exe
. 0xfffffa80331adb00:lsm.exe 544 408 10 211 2020-04-20 22:44:38 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\lsm.exe
cmd: C:\Windows\system32\lsm.exe
path: C:\Windows\system32\lsm.exe
. 0xfffffa803317e8e0:services.exe 472 408 7 241 2020-04-20 22:44:38 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\services.exe
cmd: C:\Windows\system32\services.exe
path: C:\Windows\system32\services.exe
.. 0xfffffa803365b060:svchost.exe 2944 472 9 136 2020-04-20 22:46:40 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
path: C:\Windows\system32\svchost.exe
.. 0xfffffa8033424860:svchost.exe 1160 472 21 668 2020-04-20 22:44:39 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
cmd: C:\Windows\system32\svchost.exe -k NetworkService
path: C:\Windows\system32\svchost.exe
.. 0xfffffa8033227b00:svchost.exe 660 472 11 378 2020-04-20 22:44:38 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
path: C:\Windows\system32\svchost.exe
... 0xfffffa803379eb00:WmiPrvSE.exe 2108 660 12 221 2020-04-20 22:44:40 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\wbem\WmiPrvSE.exe
cmd: C:\Windows\system32\wbem\wmiprvse.exe
path: C:\Windows\system32\wbem\wmiprvse.exe
... 0xfffffa80333d6060:WmiPrvSE.exe 3440 660 13 332 2020-04-20 23:17:13 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\wbem\WmiPrvSE.exe
cmd: C:\Windows\system32\wbem\wmiprvse.exe
path: C:\Windows\system32\wbem\wmiprvse.exe
.. 0xfffffa8033266060:svchost.exe 772 472 10 336 2020-04-20 22:44:39 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
cmd: C:\Windows\system32\svchost.exe -k RPCSS
path: C:\Windows\system32\svchost.exe
.. 0xfffffa803325c060:vmacthlp.exe 728 472 3 66 2020-04-20 22:44:38 UTC+0000
audit: \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmacthlp.exe
cmd: "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
path: C:\Program Files\VMware\VMware Tools\vmacthlp.exe
.. 0xfffffa803333db00:svchost.exe 112 472 44 1260 2020-04-20 22:44:39 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
cmd: C:\Windows\system32\svchost.exe -k netsvcs
path: C:\Windows\system32\svchost.exe
... 0xfffffa803258cb00:wuauclt.exe 3464 112 3 94 2020-04-20 23:17:08 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\wuauclt.exe
cmd: "C:\Windows\system32\wuauclt.exe"
path: C:\Windows\system32\wuauclt.exe
.. 0xfffffa803357c5f0:svchost.exe 1444 472 10 146 2020-04-20 22:44:39 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
cmd: C:\Windows\System32\svchost.exe -k utcsvc
path: C:\Windows\System32\svchost.exe
.. 0xfffffa803364a060:vmtoolsd.exe 1576 472 10 289 2020-04-20 22:44:39 UTC+0000
audit: \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmtoolsd.exe
cmd: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
path: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
.. 0xfffffa8031090060:SearchIndexer. 2580 472 13 694 2020-04-20 22:46:41 UTC+0000
. 0xfffffa8031ac2b00:FTK Imager.exe 4332 2672 12 421 2020-04-20 23:19:17 UTC+0000
audit: \Device\HarddiskVolume1\Users\Warren\Downloads\Imager_Lite_3.1.1\FTK Imager.exe
cmd: "C:\Users\Warren\Downloads\Imager_Lite_3.1.1\FTK Imager.exe"
path: C:\Users\Warren\Downloads\Imager_Lite_3.1.1\FTK Imager.exe
. 0xfffffa8031e2c2c0:chrome.exe 3384 2672 30 1039 2020-04-20 23:17:07 UTC+0000
audit: \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe
cmd: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
.. 0xfffffa8032429060:chrome.exe 3392 3384 7 95 2020-04-20 23:17:07 UTC+0000
audit: \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe
cmd:
path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
.. 0xfffffa8032150b00:chrome.exe 4484 3384 16 184 2020-04-20 23:24:22 UTC+0000
audit: \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe
.. 0xfffffa8033234a80:chrome.exe 3596 3384 9 211 2020-04-20 23:17:09 UTC+0000
audit: \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe
cmd: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1180,5807443729157421817,599969772842496716,131072 --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --mojo-platform-channel-handle=1188 --ignored=" --type=renderer " /prefetch:2
path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
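The audit/path pair is worth comparing mechanically rather than by eye. Below is an added example, not part of the original page or of Volatility, that parses pstree -v output (entries from the listing above, plus one constructed svchost.exe entry, PID 6666, that is not in the image and whose PEB path disagrees with the kernel-recorded path). It strips the \Device\HarddiskVolumeN\ and C:\ prefixes before comparing, because the listing does not say which volume maps to which drive letter, and also reports processes with no PEB-derived lines, an empty command line, or an image under a user-writable directory. The last rule fires on FTK Imager.exe running from Downloads, which is the analyst's own acquisition tool: every hit is a lead to explain, not a verdict.

```python
"""Consistency checks over a Volatility 2 `pstree -v` listing.

Added example, not part of the original page or of Volatility. The audit:
line comes from the kernel _EPROCESS; cmd: and path: come from the PEB in
the process's own address space.
"""
import re

# Entries copied from the section, plus one constructed entry (pid 6666,
# offset 0xfffffa80dead0001) that is NOT in the image: its PEB claims
# system32 while the kernel recorded a Temp directory.
PSTREE_SAMPLE = r"""
0xfffffa803254d580:wininit.exe 408 352 3 76 2020-04-20 22:44:38 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\wininit.exe
cmd: wininit.exe
path: C:\Windows\system32\wininit.exe
.. 0xfffffa8033424860:svchost.exe 1160 472 21 668 2020-04-20 22:44:39 UTC+0000
audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
cmd: C:\Windows\system32\svchost.exe -k NetworkService
path: C:\Windows\system32\svchost.exe
.. 0xfffffa8031090060:SearchIndexer. 2580 472 13 694 2020-04-20 22:46:41 UTC+0000
. 0xfffffa8031ac2b00:FTK Imager.exe 4332 2672 12 421 2020-04-20 23:19:17 UTC+0000
audit: \Device\HarddiskVolume1\Users\Warren\Downloads\Imager_Lite_3.1.1\FTK Imager.exe
cmd: "C:\Users\Warren\Downloads\Imager_Lite_3.1.1\FTK Imager.exe"
path: C:\Users\Warren\Downloads\Imager_Lite_3.1.1\FTK Imager.exe
.. 0xfffffa8032429060:chrome.exe 3392 3384 7 95 2020-04-20 23:17:07 UTC+0000
audit: \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe
cmd:
path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
.. 0xfffffa80dead0001:svchost.exe 6666 472 4 80 2020-04-20 23:30:00 UTC+0000
audit: \Device\HarddiskVolume1\Users\Warren\AppData\Local\Temp\svchost.exe
cmd: C:\Windows\system32\svchost.exe -k netsvcs
path: C:\Windows\system32\svchost.exe
"""

HEADER = re.compile(
    r"^(?P<dots>\.*)\s*(?P<offset>0x[0-9a-f]+):(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+\S+\s+\S+\s+\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC[+-]\d{4}\s*$"
)
DETAIL = re.compile(r"^\s*(?P<key>audit|cmd|path):\s?(?P<val>.*?)\s*$")
DEVICE_PREFIX = re.compile(r"^\\device\\harddiskvolume\d+\\")
DRIVE_PREFIX = re.compile(r"^(\\\?\?\\)?[a-z]:\\")  # 'C:\' or '\??\C:\'
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def parse_pstree_v(text):
    """List of process dicts in listing order; audit/cmd/path keys exist only if printed."""
    procs = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            procs.append({"name": m.group("name"), "pid": int(m.group("pid")),
                          "ppid": int(m.group("ppid")), "depth": len(m.group("dots"))})
            continue
        m = DETAIL.match(line)
        if m and procs:
            procs[-1][m.group("key")] = m.group("val")
    return procs


def _relative(p):
    """Lower-case path with the volume (\\Device\\HarddiskVolumeN\\) or drive (C:\\) prefix removed."""
    return DRIVE_PREFIX.sub("", DEVICE_PREFIX.sub("", p.lower()))


def check(procs):
    findings = []
    for p in procs:
        audit, cmd, path = p.get("audit"), p.get("cmd"), p.get("path")
        tag = f"{p['name']} (pid {p['pid']})"
        if audit is None and path is None:
            findings.append((p["pid"], "no-detail", f"{tag}: no audit/cmd/path lines; fields not readable in the dump"))
            continue
        if path is None:
            findings.append((p["pid"], "no-peb", f"{tag}: audit present but PEB (cmd/path) unreadable"))
        elif audit is not None and _relative(audit) != _relative(path):
            findings.append((p["pid"], "path-mismatch", f"{tag}: kernel says {audit}, PEB says {path}"))
        if cmd == "":
            findings.append((p["pid"], "no-cmdline", f"{tag}: empty command line in PEB"))
        image = audit if audit is not None else path  # prefer the kernel-side value
        if any(marker in image.lower() for marker in USER_WRITABLE):
            findings.append((p["pid"], "user-writable", f"{tag}: image runs from {image}"))
        base = image.lower().rsplit("\\", 1)[-1]
        if not base.startswith(p["name"].lower()):  # pstree name is the 15-char truncated name
            findings.append((p["pid"], "name-mismatch", f"{tag}: image file is {base}"))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in check(parse_pstree_v(PSTREE_SAMPLE)):
        print(f"[{kind}] {detail}")
```

Note the order of checks: the constructed svchost.exe passes the lineage test (its parent is services.exe, PID 472) and is only caught because the kernel-recorded image path points at a Temp directory. Run the two checks together rather than trusting either alone.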
getsids
getsids lists the security identifiers (SIDs) in each process's primary token: the user SID first, then the group SIDs, with the integrity level (S-1-16-x) last. Use it to find processes running as SYSTEM, as a service account, or with Administrators in their token, and to compare integrity levels across processes. The output below is trimmed to WINWORD.EXE (PID 3180); filter with -p 3180 rather than scrolling the full listing. Here Word runs as the local user Warren (RID 1000), whose token carries S-1-5-32-544 (Administrators) and S-1-16-12288 (High Mandatory Level), i.e. a full administrative token. If UAC were filtering the token you would expect a user-launched Office process at Medium (S-1-16-8192), so either UAC is off on this machine or Word was started elevated; either way it is a detail to confirm.
$ python vol.py -f $mem --profile=Win7SP1x64_23418 getsids
WINWORD.EXE (3180): S-1-5-21-4288132831-552422005-3632184702-1000 (Warren)
WINWORD.EXE (3180): S-1-5-21-4288132831-552422005-3632184702-513 (Domain Users)
WINWORD.EXE (3180): S-1-1-0 (Everyone)
WINWORD.EXE (3180): S-1-5-114 (Local Account (Member of Administrators))
WINWORD.EXE (3180): S-1-5-32-544 (Administrators)
WINWORD.EXE (3180): S-1-5-32-545 (Users)
WINWORD.EXE (3180): S-1-5-4 (Interactive)
WINWORD.EXE (3180): S-1-2-1 (Console Logon (Users who are logged onto the physical console))
WINWORD.EXE (3180): S-1-5-11 (Authenticated Users)
WINWORD.EXE (3180): S-1-5-15 (This Organization)
WINWORD.EXE (3180): S-1-5-113 (Local Account)
WINWORD.EXE (3180): S-1-5-5-0-691206 (Logon Session)
WINWORD.EXE (3180): S-1-2-0 (Local (Users with the ability to log in locally))
WINWORD.EXE (3180): S-1-5-64-10 (NTLM Authentication)
WINWORD.EXE (3180): S-1-16-12288 (High Mandatory Level)
hashdump
You may need the password hashes for a local account. hashdump locates the SYSTEM and SAM registry hives in memory, derives the boot key from SYSTEM and uses it to decrypt the local account hashes from SAM, printing them in pwdump format: username:RID:LM hash:NT hash:::. It does not return cached domain logons or LSA secrets; those come from the cachedump and lsadump plugins respectively. Two values in the output are worth recognising on sight: aad3b435b51404eeaad3b435b51404ee in the LM field is the LM hash of an empty string (LM storage is disabled, the default since Vista), and 31d6cfe0d16ae931b73c59d7e0c089c0 in the NT field is the NT hash of an empty password. Below, Administrator and Guest have blank passwords (on a default Windows 7 install both accounts are disabled, so check their status before treating that as a usable credential), while Warren's NT hash is something to crack offline (hashcat -m 1000) or, if the engagement allows, use directly in a pass-the-hash attack.
$ python vol.py -f $mem --profile=Win7SP1x64_23418 hashdump
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Warren:1000:aad3b435b51404eeaad3b435b51404ee:2aa81fb8c8cdfd8f420f7f94615036b0:::