Forensics with Volatility
| Command | Description |
|---|---|
| $ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 psscan | Scan memory for process structures, including terminated or unlinked (hidden) processes that pslist would miss |
| $ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 psxview | Check for hidden processes (would show as False in the pslist or psscan column) |
| $ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 envars -p 123 | List the environment variables of the process with PID 123 |
| $ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 connscan | View active network connections |
| $ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 malfind -D ./dump | Dump all processes with injected code to ./dump |
| $ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 malfind -p 123 -D ./dump | Dump injected code from the process with PID 123 to ./dump |
| $ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 dlllist | Get a list of all DLLs loaded by each process |
| $ ./volatility --filename=./coreflood.vmem --profile=WinXPSP2x86 hivelist | Get a list of all registry hives |
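The psxview row above relies on reading the True/False columns by eye. As an added example (not part of this cheat sheet or of Volatility itself), the following Python parses psxview's tabular output and flags processes missing from pslist or psscan, while skipping rows that carry an ExitTime, since terminated processes legitimately show False there. The sample output is constructed, not taken from coreflood.vmem.

```python
import re

# Constructed sample of Volatility 2 psxview output (not from a real image).
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x01a4f020 svchost.exe            1068 True   True   True     True   True  True    True
0x01abe5a8 unlinked.exe            123 False  False  True     True   True  True    True
0x01b2c7c0 notepad.exe             960 False  True   False    False  False False   False    2023-01-01 10:00:00 UTC+0000
"""

# The seven process-enumeration sources psxview cross-references.
COLUMNS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# offset, name, PID, seven True/False flags, optional ExitTime
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)\s+"
    r"((?:True|False)(?:\s+(?:True|False)){6})"
    r"(?:\s+(\S.*))?$"
)


def parse_psxview(text):
    """Turn psxview output into a list of dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        flags = dict(zip(COLUMNS, (tok == "True" for tok in m.group(4).split())))
        rows.append({"offset": m.group(1), "name": m.group(2).strip(),
                     "pid": int(m.group(3)), "flags": flags, "exit_time": m.group(5)})
    return rows


def find_hidden(rows):
    """Return (pid, name, missing_sources) for live processes absent from pslist or psscan."""
    hits = []
    for r in rows:
        if r["exit_time"]:          # terminated process: False in pslist is expected
            continue
        missing = [c for c in ("pslist", "psscan") if not r["flags"][c]]
        if missing:
            hits.append((r["pid"], r["name"], missing))
    return hits


if __name__ == "__main__":
    for pid, name, missing in find_hidden(parse_psxview(SAMPLE_PSXVIEW)):
        print(f"PID {pid} ({name}) not seen by: {', '.join(missing)}")
```

The System and smss.exe processes normally show False in the csrss and session columns, so only the pslist and psscan columns are treated as hiding indicators here.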