Volatility2 core commands

There are a number of core commands within Volatility and a lot of them are covered by Andrea Fortuna in his blog. For those interested, I highly recommend his book "The little handbook of Windows Memory Analysis" (not an affiliate link).

The following is a short list of basic commands to get you up and running with Volatility. More commands will be covered later.

Using the Win7SP1x64_23418 profile identified previously, we can run the following command to list the plugins (commands) available to us. $mem is set to the path of our memory image.

$ python vol.py -f $mem --profile=Win7SP1x64_23418 -h

Depending on the size of your memory dump file, these commands can sometimes take a long time to return results. It's wise (as with any analysis) to identify your objectives. If you're starting fresh and don't have any investigative avenues, then running these core commands will help you identify any potentially foreign connections or malicious processes.

netscan

netscan scans for network-related artifacts, up to Windows 10. You'll see IPv4 and IPv6 addresses, local address (with port), remote address (with port), state, PID (process ID), connection owner, and created time.

$ python vol.py -f $mem --profile=Win7SP1x64_23418 netscan

0x13d73d730        TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        1160     svchost.exe
0x13d73d730        TCPv6    :::3389                        :::0                 LISTENING        1160     svchost.exe
0x13f2e5010        TCPv4    192.168.10.146:54284           13.107.21.200:443    CLOSED           -1
0x13f304280        TCPv4    192.168.10.146:54283           13.107.21.200:443    CLOSED           -1
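A responder rarely reads netscan output by eye on a busy host; the usual first pass is to parse it and pull out listeners and connections to non-private addresses. The script below is an added example (not part of the original post) that does that over the four rows shown above plus one constructed UDP row, included only to exercise the branch where netscan prints "*:*" as the foreign address and leaves the State column blank. The "Created" column is absent from the rows above, so the parser treats everything after the PID as optional.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the four TCP rows from the netscan output above, plus
# one UDP row (PID 1332) written in the same layout that is NOT from the page.
SAMPLE_NETSCAN = """\
0x13d73d730        TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        1160     svchost.exe
0x13d73d730        TCPv6    :::3389                        :::0                 LISTENING        1160     svchost.exe
0x13f2e5010        TCPv4    192.168.10.146:54284           13.107.21.200:443    CLOSED           -1
0x13f304280        TCPv4    192.168.10.146:54283           13.107.21.200:443    CLOSED           -1
0x13d7a2c10        UDPv4    0.0.0.0:3702                   *:*                                   1332     svchost.exe    2020-04-20 22:44:39 UTC+0000
"""

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


@dataclass
class Socket:
    offset: str
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    owner: Optional[str]


def parse_netscan(text):
    """Parse netscan rows into Socket records; banner and header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("0x"):
            continue
        offset, proto, local, remote = fields[:4]
        # UDP endpoints have no State column, so the PID sits one field to the left.
        if proto.startswith("UDP"):
            state, rest = "", fields[4:]
        else:
            state, rest = fields[4], fields[5:]
        pid = int(rest[0])
        # The owner is printed only when the socket still maps to a process object;
        # anything after it is the Created timestamp (absent in the rows above).
        owner = rest[1] if len(rest) > 1 and not DATE_RE.match(rest[1]) else None
        sockets.append(Socket(offset, proto, local, remote, state, pid, owner))
    return sockets


def remote_scope(endpoint):
    """Classify a foreign endpoint as 'none' (wildcard/unspecified), 'private' or 'public'."""
    ip, _, _ = endpoint.rpartition(":")   # IPv6 contains colons, so split on the last one
    if ip in ("*", ""):
        return "none"
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:               # 0.0.0.0 or :: means "not connected"
        return "none"
    return "private" if addr.is_private else "public"


def triage(text):
    """Return (listeners, external): the two lists worth reviewing first."""
    listeners, external = [], []
    for s in parse_netscan(text):
        if s.state == "LISTENING":
            listeners.append((s.proto, s.local, s.pid, s.owner))
        elif remote_scope(s.remote) == "public":
            # PID -1 means the owning process is gone; the socket object outlived it.
            external.append((s.remote, s.state, s.pid, s.owner))
    return listeners, external


if __name__ == "__main__":
    listeners, external = triage(SAMPLE_NETSCAN)
    for item in listeners:
        print("listening:", item)
    for item in external:
        print("external :", item)
```

On the sample this reports RDP (3389) listening under svchost.exe PID 1160 and two closed connections to 13.107.21.200:443 with no surviving owner; the next step would be to match the PIDs against pslist rather than trust the owner column alone.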

pslist

pslist generates a list of the processes running on the system. It shows the offset, process name, PID (process ID), PPID (parent process ID), thread and handle counts, session, Wow64 flag, as well as process start and exit time.

$ python vol.py -f $mem --profile=Win7SP1x64_23418 pslist

Volatility Foundation Volatility Framework 2.6.1
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8030e57b00 System                    4      0    108      572 ------      0 2020-04-20 22:44:37 UTC+0000
0xfffffa8032005aa0 smss.exe                280      4      2       30 ------      0 2020-04-20 22:44:37 UTC+0000
0xfffffa8032f05b00 csrss.exe               364    352      9      532      0      0 2020-04-20 22:44:38 UTC+0000
0xfffffa803254d580 wininit.exe             408    352      3       76      0      0 2020-04-20 22:44:38 UTC+0000
0xfffffa8032a29350 csrss.exe               440    416     11      534      1      0 2020-04-20 22:44:38 UTC+0000
0xfffffa803317e8e0 services.exe            472    408      7      241      0      0 2020-04-20 22:44:38 UTC+0000
0xfffffa8033197060 winlogon.exe            508    416      5      117      1      0 2020-04-20 22:44:38 UTC+0000
0xfffffa80331a7b00 lsass.exe               536    408      7      648      0      0 2020-04-20 22:44:38 UTC+0000
0xfffffa80331adb00 lsm.exe                 544    408     10      211      0      0 2020-04-20 22:44:38 UTC+0000
0xfffffa8033227b00 svchost.exe             660    472     11      378      0      0 2020-04-20 22:44:38 UTC+0000
0xfffffa803325c060 vmacthlp.exe            728    472      3       66      0      0 2020-04-20 22:44:38 UTC+0000
0xfffffa8033266060 svchost.exe             772    472     10      336      0      0 2020-04-20 22:44:39 UTC+0000
0xfffffa80332b0b00 svchost.exe             860    472     21      514      0      0 2020-04-20 22:44:39 UTC+0000
0xfffffa80332fa5f0 svchost.exe             936    472     20      460      0      0 2020-04-20 22:44:39 UTC+0000
0xfffffa80333379b0 svchost.exe             980    472     15      655      0      0 2020-04-20 22:44:39 UTC+0000
0xfffffa803333db00 svchost.exe             112    472     44     1260      0      0 2020-04-20 22:44:39 UTC+0000
0xfffffa8033424860 svchost.exe            1160    472     21      668      0      0 2020-04-20 22:44:39 UTC+0000
0xfffffa803343eb00 spoolsv.exe            1304    472     13      287      0      0 2020-04-20 22:44:39 UTC+0000
0xfffffa80334d8b00 svchost.exe            1332    472     19      346      0      0 2020-04-20 22:44:39 UTC+0000
0xfffffa803357c5f0 svchost.exe            1444    472     10      146      0      0 2020-04-20 22:44:39 UTC+0000
0xfffffa80335e7720 VGAuthService.         1520    472      3       86      0      0 2020-04-20 22:44:39 UTC+0000
0xfffffa803364a060 vmtoolsd.exe           1576    472     10      289      0      0 2020-04-20 22:44:39 UTC+0000
0xfffffa80335edb00 wlms.exe               1636    472      4       46      0      0 2020-04-20 22:44:39 UTC+0000
0xfffffa8033735060 sppsvc.exe             1952    472      4      170      0      0 2020-04-20 22:44:40 UTC+0000
0xfffffa803362c060 svchost.exe            2032    472      6      105      0      0 2020-04-20 22:44:40 UTC+0000
0xfffffa803376e060 svchost.exe            1080    472      7      101      0      0 2020-04-20 22:44:40 UTC+0000
0xfffffa803379eb00 WmiPrvSE.exe           2108    660     12      221      0      0 2020-04-20 22:44:40 UTC+0000
0xfffffa80338145f0 dllhost.exe            2216    472     13      195      0      0 2020-04-20 22:44:40 UTC+0000
0xfffffa803386db00 msdtc.exe              2324    472     12      148      0      0 2020-04-20 22:44:40 UTC+0000
0xfffffa803365b060 svchost.exe            2944    472      9      136      0      0 2020-04-20 22:46:40 UTC+0000
0xfffffa80310b3b00 svchost.exe             360    472     13      361      0      0 2020-04-20 22:46:40 UTC+0000
0xfffffa8031090060 SearchIndexer.         2580    472     13      694      0      0 2020-04-20 22:46:41 UTC+0000
0xfffffa80316f9060 taskhost.exe           1396    472     10      223      1      0 2020-04-20 23:16:53 UTC+0000
0xfffffa8031ea9940 dwm.exe                2852    936      3       82      1      0 2020-04-20 23:16:53 UTC+0000
0xfffffa80317ff060 explorer.exe           2672   2148     31     1018      1      0 2020-04-20 23:16:53 UTC+0000
0xfffffa803140c5f0 WerFault.exe           2164   2508      5      133      1      0 2020-04-20 23:16:54 UTC+0000
0xfffffa8031e80b00 vmtoolsd.exe           2928   2672      9      178      1      0 2020-04-20 23:16:54 UTC+0000
0xfffffa80324e1940 audiodg.exe            1728    860      5      136      0      0 2020-04-20 23:16:54 UTC+0000
0xfffffa803165eb00 slack.exe              2208   2412     28      553      1      0 2020-04-20 23:16:54 UTC+0000
0xfffffa8031ed3710 slack.exe              2728   2208      9      213      1      0 2020-04-20 23:16:59 UTC+0000
0xfffffa8031471b00 slack.exe              1172   2208      7      135      1      0 2020-04-20 23:17:00 UTC+0000
0xfffffa8031688b00 slack.exe              2812   2208     15      325      1      0 2020-04-20 23:17:00 UTC+0000
0xfffffa80338cdb00 slack.exe              2848   2208     14      276      1      0 2020-04-20 23:17:00 UTC+0000
0xfffffa803177bb00 WINWORD.EXE            3180   2672     15      698      1      0 2020-04-20 23:17:06 UTC+0000
0xfffffa8031e2c2c0 chrome.exe             3384   2672     30     1039      1      0 2020-04-20 23:17:07 UTC+0000
0xfffffa8032429060 chrome.exe             3392   3384      7       95      1      0 2020-04-20 23:17:07 UTC+0000
0xfffffa803258cb00 wuauclt.exe            3464    112      3       94      1      0 2020-04-20 23:17:08 UTC+0000
0xfffffa80324ca5c0 chrome.exe             3492   3384      2       56      1      0 2020-04-20 23:17:09 UTC+0000
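The value of the PPID column is that core Windows processes have well-known parents, so a system binary with the wrong parent stands out. The following is an added example (not part of the original post) that parses a subset of the pslist rows above and checks each known process against the parent expected on Windows 7. One svchost.exe row (PID 4100, parented by explorer.exe) is constructed and not from the page; it is there only so the check has something to flag. The expected-parent table is the author's assumption about a default Windows 7 install, not something pslist itself reports.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: rows copied from the pslist output above, plus a
# constructed svchost.exe (PID 4100) under explorer.exe that is NOT on the page.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6.1
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8030e57b00 System                    4      0    108      572 ------      0 2020-04-20 22:44:37 UTC+0000
0xfffffa8032005aa0 smss.exe                280      4      2       30 ------      0 2020-04-20 22:44:37 UTC+0000
0xfffffa8032f05b00 csrss.exe               364    352      9      532      0      0 2020-04-20 22:44:38 UTC+0000
0xfffffa803254d580 wininit.exe             408    352      3       76      0      0 2020-04-20 22:44:38 UTC+0000
0xfffffa803317e8e0 services.exe            472    408      7      241      0      0 2020-04-20 22:44:38 UTC+0000
0xfffffa8033197060 winlogon.exe            508    416      5      117      1      0 2020-04-20 22:44:38 UTC+0000
0xfffffa80331a7b00 lsass.exe               536    408      7      648      0      0 2020-04-20 22:44:38 UTC+0000
0xfffffa8033227b00 svchost.exe             660    472     11      378      0      0 2020-04-20 22:44:38 UTC+0000
0xfffffa80317ff060 explorer.exe           2672   2148     31     1018      1      0 2020-04-20 23:16:53 UTC+0000
0xfffffa803177bb00 WINWORD.EXE            3180   2672     15      698      1      0 2020-04-20 23:17:06 UTC+0000
0xfffffa8031000000 svchost.exe            4100   2672      5       60      1      0 2020-04-20 23:20:00 UTC+0000
"""

# Names may contain spaces, so the row is matched from the right-hand numeric columns.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>\S+)\s+(?P<wow64>\d+)\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \S+ \S+)(?:\s+(?P<exit>\d{4}-\d{2}-\d{2} \S+ \S+))?\s*$"
)

# Assumption: expected parent for core processes on a default Windows 7 system.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "lsm.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "spoolsv.exe": "services.exe",
    "taskhost.exe": "services.exe",
}
# Processes that should have exactly one running instance.
SINGLETONS = {"System", "wininit.exe", "services.exe", "lsass.exe", "lsm.exe"}


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    session: str
    start: str
    exit: str


def parse_pslist(text):
    """Parse pslist rows; banner, header and separator lines do not match ROW_RE."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs.append(Proc(m["name"], int(m["pid"]), int(m["ppid"]),
                              m["sess"], m["start"], m["exit"] or ""))
    return procs


def check_parents(procs):
    """Return human-readable findings for parent/child and instance-count anomalies."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name)
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            # smss.exe spawns csrss/wininit/winlogon and then exits, so a missing
            # parent is normal for those three and only notable elsewhere.
            if expected != "smss.exe":
                findings.append(f"{p.name} ({p.pid}): parent PID {p.ppid} not in process list")
        elif parent.name != expected:
            findings.append(f"{p.name} ({p.pid}): parent is {parent.name} ({parent.pid}), expected {expected}")
    running = Counter(p.name for p in procs if p.name in SINGLETONS and not p.exit)
    for name, n in running.items():
        if n > 1:
            findings.append(f"{name}: {n} running instances, expected 1")
    return findings


if __name__ == "__main__":
    for finding in check_parents(parse_pslist(SAMPLE_PSLIST)):
        print(finding)
```

Against the sample the only finding is the constructed svchost.exe under explorer.exe; the real rows are all consistent with a normal boot, including csrss.exe and wininit.exe whose parent (352) has already exited.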

pstree -v

pstree shows the same process list, but as a tree, which can be easier to follow/visualise. pstree also supports verbose listings (-v), which show the full path of the executable, the arguments passed when it was started, and some other technical information.

$ python vol.py -f $mem --profile=Win7SP1x64_23418 pstree -v

Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa803254d580:wininit.exe                       408    352      3     76 2020-04-20 22:44:38 UTC+0000
    audit: \Device\HarddiskVolume1\Windows\System32\wininit.exe
    cmd: wininit.exe
    path: C:\Windows\system32\wininit.exe
. 0xfffffa80331a7b00:lsass.exe                        536    408      7    648 2020-04-20 22:44:38 UTC+0000
     audit: \Device\HarddiskVolume1\Windows\System32\lsass.exe
     cmd: C:\Windows\system32\lsass.exe
     path: C:\Windows\system32\lsass.exe
. 0xfffffa80331adb00:lsm.exe                          544    408     10    211 2020-04-20 22:44:38 UTC+0000
     audit: \Device\HarddiskVolume1\Windows\System32\lsm.exe
     cmd: C:\Windows\system32\lsm.exe
     path: C:\Windows\system32\lsm.exe
. 0xfffffa803317e8e0:services.exe                     472    408      7    241 2020-04-20 22:44:38 UTC+0000
     audit: \Device\HarddiskVolume1\Windows\System32\services.exe
     cmd: C:\Windows\system32\services.exe
     path: C:\Windows\system32\services.exe
.. 0xfffffa803365b060:svchost.exe                    2944    472      9    136 2020-04-20 22:46:40 UTC+0000
      audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
      cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
      path: C:\Windows\system32\svchost.exe
.. 0xfffffa8033424860:svchost.exe                    1160    472     21    668 2020-04-20 22:44:39 UTC+0000
      audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
      cmd: C:\Windows\system32\svchost.exe -k NetworkService
      path: C:\Windows\system32\svchost.exe
.. 0xfffffa8033227b00:svchost.exe                     660    472     11    378 2020-04-20 22:44:38 UTC+0000
      audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
      path: C:\Windows\system32\svchost.exe
... 0xfffffa803379eb00:WmiPrvSE.exe                  2108    660     12    221 2020-04-20 22:44:40 UTC+0000
       audit: \Device\HarddiskVolume1\Windows\System32\wbem\WmiPrvSE.exe
       cmd: C:\Windows\system32\wbem\wmiprvse.exe
       path: C:\Windows\system32\wbem\wmiprvse.exe
... 0xfffffa80333d6060:WmiPrvSE.exe                  3440    660     13    332 2020-04-20 23:17:13 UTC+0000
       audit: \Device\HarddiskVolume1\Windows\System32\wbem\WmiPrvSE.exe
       cmd: C:\Windows\system32\wbem\wmiprvse.exe
       path: C:\Windows\system32\wbem\wmiprvse.exe
.. 0xfffffa8033266060:svchost.exe                     772    472     10    336 2020-04-20 22:44:39 UTC+0000
      audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
      cmd: C:\Windows\system32\svchost.exe -k RPCSS
      path: C:\Windows\system32\svchost.exe
.. 0xfffffa803325c060:vmacthlp.exe                    728    472      3     66 2020-04-20 22:44:38 UTC+0000
      audit: \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmacthlp.exe
      cmd: "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
      path: C:\Program Files\VMware\VMware Tools\vmacthlp.exe
.. 0xfffffa803333db00:svchost.exe                     112    472     44   1260 2020-04-20 22:44:39 UTC+0000
      audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
      cmd: C:\Windows\system32\svchost.exe -k netsvcs
      path: C:\Windows\system32\svchost.exe
... 0xfffffa803258cb00:wuauclt.exe                   3464    112      3     94 2020-04-20 23:17:08 UTC+0000
       audit: \Device\HarddiskVolume1\Windows\System32\wuauclt.exe
       cmd: "C:\Windows\system32\wuauclt.exe"
       path: C:\Windows\system32\wuauclt.exe
.. 0xfffffa803357c5f0:svchost.exe                    1444    472     10    146 2020-04-20 22:44:39 UTC+0000
      audit: \Device\HarddiskVolume1\Windows\System32\svchost.exe
      cmd: C:\Windows\System32\svchost.exe -k utcsvc
      path: C:\Windows\System32\svchost.exe
.. 0xfffffa803364a060:vmtoolsd.exe                   1576    472     10    289 2020-04-20 22:44:39 UTC+0000
      audit: \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmtoolsd.exe
      cmd: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
      path: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
.. 0xfffffa8031090060:SearchIndexer.                 2580    472     13    694 2020-04-20 22:46:41 UTC+0000
. 0xfffffa8031ac2b00:FTK Imager.exe                  4332   2672     12    421 2020-04-20 23:19:17 UTC+0000
     audit: \Device\HarddiskVolume1\Users\Warren\Downloads\Imager_Lite_3.1.1\FTK Imager.exe
     cmd: "C:\Users\Warren\Downloads\Imager_Lite_3.1.1\FTK Imager.exe"
     path: C:\Users\Warren\Downloads\Imager_Lite_3.1.1\FTK Imager.exe
. 0xfffffa8031e2c2c0:chrome.exe                      3384   2672     30   1039 2020-04-20 23:17:07 UTC+0000
     audit: \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe
     cmd: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
     path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
.. 0xfffffa8032429060:chrome.exe                     3392   3384      7     95 2020-04-20 23:17:07 UTC+0000
      audit: \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe
      cmd:
      path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
.. 0xfffffa8032150b00:chrome.exe                     4484   3384     16    184 2020-04-20 23:24:22 UTC+0000
      audit: \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe
.. 0xfffffa8033234a80:chrome.exe                     3596   3384      9    211 2020-04-20 23:17:09 UTC+0000
      audit: \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1180,5807443729157421817,599969772842496716,131072 --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --mojo-platform-channel-handle=1188 --ignored=" --type=renderer " /prefetch:2
      path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
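The three verbose lines come from different places: audit is the image name the kernel recorded at process creation, while cmd and path are read from the process's own PEB, which is user-mode memory. Comparing them, and checking where the image lives, is a cheap triage step. The script below is an added example (not part of the original post) that parses a subset of the pstree -v output above and reports images outside the Windows and Program Files directories, audit/PEB path disagreements, and processes whose command line was not recovered. The svchost.exe entry with PID 4100 is constructed and not from the page; it exists only to show a mismatch firing. Mapping \Device\HarddiskVolume1 to C: is an assumption about this image.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: entries copied from the pstree -v output above, plus a
# constructed svchost.exe (PID 4100) whose audit path disagrees with its PEB path.
SAMPLE_PSTREE = r"""
 0xfffffa803254d580:wininit.exe                       408    352      3     76 2020-04-20 22:44:38 UTC+0000
    audit: \Device\HarddiskVolume1\Windows\System32\wininit.exe
    cmd: wininit.exe
    path: C:\Windows\system32\wininit.exe
. 0xfffffa80331a7b00:lsass.exe                        536    408      7    648 2020-04-20 22:44:38 UTC+0000
     audit: \Device\HarddiskVolume1\Windows\System32\lsass.exe
     cmd: C:\Windows\system32\lsass.exe
     path: C:\Windows\system32\lsass.exe
. 0xfffffa8031ac2b00:FTK Imager.exe                  4332   2672     12    421 2020-04-20 23:19:17 UTC+0000
     audit: \Device\HarddiskVolume1\Users\Warren\Downloads\Imager_Lite_3.1.1\FTK Imager.exe
     cmd: "C:\Users\Warren\Downloads\Imager_Lite_3.1.1\FTK Imager.exe"
     path: C:\Users\Warren\Downloads\Imager_Lite_3.1.1\FTK Imager.exe
. 0xfffffa8031e2c2c0:chrome.exe                      3384   2672     30   1039 2020-04-20 23:17:07 UTC+0000
     audit: \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe
     cmd: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
     path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
.. 0xfffffa8032429060:chrome.exe                     3392   3384      7     95 2020-04-20 23:17:07 UTC+0000
      audit: \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe
      cmd:
      path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
.. 0xfffffa8032150b00:chrome.exe                     4484   3384     16    184 2020-04-20 23:24:22 UTC+0000
      audit: \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe
.. 0xfffffa8031000000:svchost.exe                    4100   2672      5     60 2020-04-20 23:20:00 UTC+0000
      audit: \Device\HarddiskVolume1\Users\Warren\AppData\Local\Temp\svchost.exe
      cmd: C:\Windows\system32\svchost.exe -k netsvcs
      path: C:\Windows\system32\svchost.exe
"""

# A process line: optional depth dots, offset:name, then pid ppid thds hnds and a timestamp.
PROC_RE = re.compile(
    r"^\.*\s*(?P<offset>0x[0-9a-f]+):(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+\d+\s+\S+ \S+ \S+\s*$"
)
ATTR_RE = re.compile(r"^\s+(?P<key>audit|cmd|path):\s*(?P<value>.*)$")

# Directories an unprivileged user cannot normally write to (assumption: default ACLs).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    audit: Optional[str] = None   # kernel-recorded image name (SeAuditProcessCreationInfo)
    cmd: Optional[str] = None     # PEB ProcessParameters.CommandLine
    path: Optional[str] = None    # PEB ProcessParameters.ImagePathName


def parse_pstree_verbose(text):
    """Attach each indented audit/cmd/path line to the process line that precedes it."""
    procs, current = [], None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = Proc(m["name"], int(m["pid"]), int(m["ppid"]))
            procs.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            setattr(current, m["key"], m["value"].strip())
    return procs


def normalize(path):
    """Lower-case, unquote and map the NT volume path onto a drive letter (assumed C:)."""
    path = path.strip().strip('"').lower()
    return re.sub(r"^\\device\\harddiskvolume1\\", r"c:\\", path)


def review(procs):
    """Return (pid, kind, detail) findings: no_image, untrusted_dir, path_mismatch, no_cmdline."""
    findings = []
    for p in procs:
        image = normalize(p.audit or p.path or "")
        if not image:
            findings.append((p.pid, "no_image", p.name))
            continue
        if not image.startswith(TRUSTED_DIRS):
            findings.append((p.pid, "untrusted_dir", image))
        if p.audit and p.path and normalize(p.audit) != normalize(p.path):
            findings.append((p.pid, "path_mismatch", f"{normalize(p.audit)} != {normalize(p.path)}"))
        if not p.cmd:
            findings.append((p.pid, "no_cmdline", p.name))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in review(parse_pstree_verbose(SAMPLE_PSTREE)):
        print(f"{pid:>6} {kind:<14} {detail}")
```

On the sample, FTK Imager.exe is reported only because it runs from a Downloads folder (expected here, since it was used to take the image), the two chrome.exe children are reported for a missing command line, and the constructed svchost.exe trips both the location and the mismatch check. The audit path is the one to trust when the two disagree, because it is recorded by the kernel rather than read from memory the process itself controls.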

getsids

getsids identifies security identifiers (SIDs) associated with executed processes. This will enable you to find processes running as certain users and entities (such as service accounts).

$ python vol.py -f $mem --profile=Win7SP1x64_23418 getsids

WINWORD.EXE (3180): S-1-5-21-4288132831-552422005-3632184702-1000 (Warren)
WINWORD.EXE (3180): S-1-5-21-4288132831-552422005-3632184702-513 (Domain Users)
WINWORD.EXE (3180): S-1-1-0 (Everyone)
WINWORD.EXE (3180): S-1-5-114 (Local Account (Member of Administrators))
WINWORD.EXE (3180): S-1-5-32-544 (Administrators)
WINWORD.EXE (3180): S-1-5-32-545 (Users)
WINWORD.EXE (3180): S-1-5-4 (Interactive)
WINWORD.EXE (3180): S-1-2-1 (Console Logon (Users who are logged onto the physical console))
WINWORD.EXE (3180): S-1-5-11 (Authenticated Users)
WINWORD.EXE (3180): S-1-5-15 (This Organization)
WINWORD.EXE (3180): S-1-5-113 (Local Account)
WINWORD.EXE (3180): S-1-5-5-0-691206 (Logon Session)
WINWORD.EXE (3180): S-1-2-0 (Local (Users with the ability to log in locally))
WINWORD.EXE (3180): S-1-5-64-10 (NTLM Authentication)
WINWORD.EXE (3180): S-1-16-12288 (High Mandatory Level)
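Reading a getsids block means decoding the SID structure: the first S-1-5-21-... entry is the token's user, its trailing RID says whether that is a built-in or a created account, S-1-5-32-544 is the local Administrators group, and S-1-16-... is the integrity level. The script below is an added example (not part of the original post) that summarises that per process and lists the ones running elevated. The two lsass.exe lines are constructed and not from the page; they show how a service-account token (S-1-5-18, SYSTEM) is summarised. The integrity-level and well-known-SID tables are standard Windows values, not something the page states.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample input: the WINWORD.EXE lines from the getsids output above,
# plus two constructed lsass.exe lines that are NOT from the page.
SAMPLE_GETSIDS = """\
WINWORD.EXE (3180): S-1-5-21-4288132831-552422005-3632184702-1000 (Warren)
WINWORD.EXE (3180): S-1-5-21-4288132831-552422005-3632184702-513 (Domain Users)
WINWORD.EXE (3180): S-1-1-0 (Everyone)
WINWORD.EXE (3180): S-1-5-114 (Local Account (Member of Administrators))
WINWORD.EXE (3180): S-1-5-32-544 (Administrators)
WINWORD.EXE (3180): S-1-5-32-545 (Users)
WINWORD.EXE (3180): S-1-5-4 (Interactive)
WINWORD.EXE (3180): S-1-5-11 (Authenticated Users)
WINWORD.EXE (3180): S-1-5-113 (Local Account)
WINWORD.EXE (3180): S-1-5-5-0-691206 (Logon Session)
WINWORD.EXE (3180): S-1-5-64-10 (NTLM Authentication)
WINWORD.EXE (3180): S-1-16-12288 (High Mandatory Level)
lsass.exe (536): S-1-5-18 (Local System)
lsass.exe (536): S-1-16-16384 (System Mandatory Level)
"""

LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<pid>\d+)\): (?P<sid>S-1-[\d-]+)(?: \((?P<label>.*)\))?$")

# Mandatory integrity levels, keyed by the RID of the S-1-16-<rid> SID.
INTEGRITY = {0: "Untrusted", 4096: "Low", 8192: "Medium", 8448: "Medium Plus",
             12288: "High", 16384: "System", 20480: "Protected"}
SERVICE_ACCOUNTS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
ADMINISTRATORS = "S-1-5-32-544"


@dataclass
class TokenSummary:
    name: str
    pid: int
    user: Optional[str] = None       # account the user SID resolves to
    rid: Optional[int] = None        # relative id: 500 = built-in Administrator, >=1000 = created
    admin: bool = False              # Administrators group present in the token
    integrity: Optional[str] = None  # mandatory integrity level


def summarize(text) -> Dict[int, TokenSummary]:
    """Fold getsids lines into one TokenSummary per PID."""
    tokens: Dict[int, TokenSummary] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid = int(m["pid"])
        t = tokens.setdefault(pid, TokenSummary(m["name"], pid))
        sid, label = m["sid"], m["label"] or ""
        if sid.startswith("S-1-5-21-") and t.user is None:
            # getsids prints the token's user SID before its group SIDs, so the
            # first machine/domain SID is the account; later ones are groups.
            t.user, t.rid = label, int(sid.rsplit("-", 1)[1])
        elif sid in SERVICE_ACCOUNTS:
            t.user = SERVICE_ACCOUNTS[sid]
        elif sid == ADMINISTRATORS:
            t.admin = True
        elif sid.startswith("S-1-16-"):
            level = int(sid.rsplit("-", 1)[1])
            t.integrity = INTEGRITY.get(level, f"unknown({level})")
    return tokens


def elevated(tokens):
    """Tokens holding Administrators at High or System integrity. With UAC on, an
    administrator's ordinary processes still list S-1-5-32-544 but at Medium
    integrity, because the group is deny-only in the filtered token."""
    return sorted(t.pid for t in tokens.values() if t.admin and t.integrity in ("High", "System"))


if __name__ == "__main__":
    tokens = summarize(SAMPLE_GETSIDS)
    for t in tokens.values():
        print(f"{t.name} ({t.pid}): user={t.user} rid={t.rid} admin={t.admin} integrity={t.integrity}")
    print("elevated:", elevated(tokens))
```

For the page's output this says WINWORD.EXE (3180) runs as Warren (RID 1000, a created account) with the Administrators group at High integrity, i.e. elevated; an Office process running elevated is unusual enough on a workstation to be worth noting in the timeline.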

hashdump

You may be required to identify a password belonging to a certain account. Use the hashdump command to dump the credential hashes either stored on, or cached on, the system.

$ python vol.py -f $mem --profile=Win7SP1x64_23418 hashdump
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Warren:1000:aad3b435b51404eeaad3b435b51404ee:2aa81fb8c8cdfd8f420f7f94615036b0:::
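Two things are worth reading off a hashdump line before anything else: whether the LM field is the well-known hash of an empty string (meaning no LM hash is stored, the expected state on Windows 7), and whether the NT field is the NT hash of an empty string (meaning the account has no password set). The script below is an added example (not part of the original post) that parses the pwdump-style output above and reports both. The two constants are the standard empty-string LM and NT hashes. hashdump alone does not say whether an account is enabled, so a blank built-in Administrator or Guest, as here, is consistent with the Windows 7 default of both being disabled and should be confirmed elsewhere.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Well-known hashes of the empty string: LM (no LM hash stored) and NT (no password set).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample input: the hashdump output shown above, including the banner line.
SAMPLE_HASHDUMP = """\
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Warren:1000:aad3b435b51404eeaad3b435b51404ee:2aa81fb8c8cdfd8f420f7f94615036b0:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def builtin(self) -> bool:
        # RIDs below 1000 are built-in accounts (500 Administrator, 501 Guest),
        # even if the account has been renamed.
        return self.rid < 1000

    @property
    def lm_stored(self) -> bool:
        return self.lm.lower() != EMPTY_LM

    @property
    def blank_password(self) -> bool:
        return self.nt.lower() == EMPTY_NT


def parse_hashdump(text) -> List[Account]:
    """Parse user:rid:lmhash:nthash::: lines; anything else (banner, blanks) is skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2], parts[3]
        if len(lm) != 32 or len(nt) != 32:
            continue   # malformed row rather than a hash pair
        accounts.append(Account(parts[0], int(parts[1]), lm, nt))
    return accounts


def review(text) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs a responder should note from the dump."""
    findings = []
    for a in parse_hashdump(text):
        kind = "built-in" if a.builtin else "created"
        if a.blank_password:
            findings.append((a.user, f"{kind} account (RID {a.rid}) has no password set"))
        if a.lm_stored:
            findings.append((a.user, f"{kind} account (RID {a.rid}) still stores an LM hash"))
    return findings


if __name__ == "__main__":
    for user, finding in review(SAMPLE_HASHDUMP):
        print(f"{user}: {finding}")
```

On the sample this reports Administrator and Guest as having no password set and Warren as a created account with a password and no LM hash, which is what a default Windows 7 workstation with one user looks like.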
