Forensics with Volatility
Command | Description |
---|---|
`$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 psscan` | Scan physical memory for process objects; finds terminated and unlinked (hidden) processes that `pslist` misses |
`$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 psxview` | Cross-reference process listings to find hidden processes (a hidden process shows `False` in the `pslist` column but `True` in `psscan`) |
`$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 envars -p 123` | List the environment variables of the process with PID 123 |
`$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 connscan` | View network connections (scans for connection objects, so closed connections may appear too) |
`$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 malfind -D ./dump` | Find injected code in all processes and dump the suspicious memory regions to `./dump` |
`$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 malfind -p 123 -D ./dump` | Dump injected code from the process with PID 123 |
`$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 dlllist` | Get a list of all DLLs loaded by each process |
`$ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 hivelist` | Get a list of all registry hives |
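The `psxview` row above is the one most often read by hand: a process that is `False` under `pslist` but `True` under `psscan` has been unlinked from the active process list, while a `False`/`True` row that also carries an `ExitTime` is just a terminated process whose `_EPROCESS` has not been overwritten yet. The script below, an added example that is not part of the original cheat-sheet and not Volatility's own code, parses `psxview` output in the Volatility 2 column layout, separates those two cases, and returns the PIDs worth passing to `malfind -p`. The sample output is constructed for this example; its offsets, names and PIDs are made up and do not come from `coreflood.vmem`.

```python
"""Triage Volatility 2 psxview output: hidden vs. terminated processes."""

from typing import Dict, List, Optional

# Constructed sample in the psxview column layout (not real coreflood.vmem output).
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x0a2c6da0 svchost.exe             984 True   True   True     True   True  True    True
0x0a0d7b40 explorer.exe           1412 True   True   True     True   True  True    True
0x0a1e3020 hidden.exe             1668 False  True   True     True   True  True    True
0x09f9a7e8 notepad.exe            2012 False  True   False    False  False False   False    2008-08-11 12:30:05 UTC+0000
0x0a3b1c40 System                    4 True   True   True     True   False False   False
"""

# Boolean columns in the order psxview prints them.
SOURCES = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]


def parse_psxview(text: str) -> List[Dict]:
    """Turn psxview text into dicts: offset, name, pid, per-source flags, exit_time."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # header and separator lines
        fields = line.split()
        offset, name, pid = fields[0], fields[1], int(fields[2])
        flags = {src: fields[3 + i] == "True" for i, src in enumerate(SOURCES)}
        # Anything after the seven flag columns is the ExitTime (may be absent).
        exit_time: Optional[str] = " ".join(fields[3 + len(SOURCES):]) or None
        rows.append({"offset": offset, "name": name, "pid": pid,
                     "flags": flags, "exit_time": exit_time})
    return rows


def classify(row: Dict) -> str:
    """'hidden' = unlinked from pslist but still a live object; 'terminated' = has ExitTime."""
    f = row["flags"]
    if row["exit_time"] is not None:
        return "terminated"
    if f["psscan"] and not f["pslist"]:
        return "hidden"
    return "visible"


def hidden_pids(text: str) -> List[int]:
    """PIDs to feed into `malfind -p` / `dlllist -p` for closer inspection."""
    return [r["pid"] for r in parse_psxview(text) if classify(r) == "hidden"]


def report(text: str) -> List[str]:
    """One line per process that is not plainly visible."""
    lines = []
    for r in parse_psxview(text):
        verdict = classify(r)
        if verdict != "visible":
            lines.append(f"{r['pid']:>6} {r['name']:<20} {verdict} at {r['offset']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PSXVIEW):
        print(line)
    print("candidate PIDs for malfind -p:", hidden_pids(SAMPLE_PSXVIEW))
```

Note that `System` (PID 4) legitimately shows `False` under `csrss`, `session` and `deskthrd`, which is why the check keys on the `pslist`/`psscan` pair rather than on any `False` in the row.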