{"id":61,"date":"2018-01-13T16:09:46","date_gmt":"2018-01-13T16:09:46","guid":{"rendered":"http:\/\/malwrforensics.com\/en\/?p=61"},"modified":"2024-01-09T21:29:27","modified_gmt":"2024-01-09T21:29:27","slug":"forensics-with-volatility","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2018\/01\/13\/forensics-with-volatility\/","title":{"rendered":"Forensics with Volatility"},"content":{"rendered":"\n<figure class=\"wp-block-table\"><table><thead><tr><th>Command<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><br>$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 psscan<\/td><td>Check for hidden processes (would show as False in pslist or psscan)<\/td><\/tr><tr><td>$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 psxview<\/td><td>Check for hidden processes (would show as False in pslist or psscan)<\/td><\/tr><tr><td>$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 envars -p 123<\/td><td>Check for hidden processes (would show as False in pslist or psscan)<\/td><\/tr><tr><td>$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 connscan<\/td><td>View active network connections<\/td><\/tr><tr><td>$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 malfind -D .\/dump<\/td><td>Dump all procs with injected code<\/td><\/tr><tr><td>$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 malfind -p 123 -D .\/dump<\/td><td>Dump injected code in process with PID 960<\/td><\/tr><tr><td>$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 dlllist<\/td><td>Get a list of all dlls loaded by each process<\/td><\/tr><tr><td>$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 hivelist<\/td><td>Get a list of all reg hives<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Command Description $.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 psscan Check for hidden processes (would show as False in pslist or psscan) $.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 psxview Check for hidden processes (would show as False in pslist or psscan) $.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 envars -p 123 Check for hidden processes (would show as False in pslist or psscan) $.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[14,13,18,17,4],"class_list":["post-61","post","type-post","status-publish","format-standard","hentry","category-security","tag-artefacts","tag-forensics","tag-malware","tag-volatility","tag-windows"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[]}},"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},"post_excerpt_stackable_v2":"<p>CommandDescription$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 psscanCheck for hidden processes (would show as False in pslist or psscan)$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 psxviewCheck for hidden processes (would show as False in pslist or psscan)$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 envars -p 123Check for hidden processes (would show as False in pslist or psscan)$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 connscanView active network connections$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 malfind -D .\/dumpDump all procs with injected code$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 malfind -p 123 -D .\/dumpDump injected code in process with PID 960$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 dlllistGet a list of all dlls loaded by each process$.\/volatility &#8211;filename=.\/coreflood.vmem &#8211;profile=WinXPSP2x86 hivelistGet a list of all reg hives<\/p>\n","category_list_v2":"<a href=\"https:\/\/malwrforensics.com\/en\/category\/security\/\" rel=\"category tag\">Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/61","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/comments?post=61"}],"version-history":[{"count":2,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/61\/revisions"}],"predecessor-version":[{"id":825,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/61\/revisions\/825"}],"wp:attachment":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/media?parent=61"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/categories?post=61"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/tags?post=61"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}