Questions tagged [volatility]

Volatility is a memory forensics framework that provides functionality to analyse memory dumps and to extract valuable information from them.

16 questions
5 votes, 1 answer

Convert raw memory dump into a format recognized by volatility

I dumped the RAM of a Windows 7 PC using LiveKd, which basically worked. The memory was dumped, but then the conversion of the binary dump into "summary format" failed. When I then tried to read the file using Volatility, it tells me there is no suitable…
davidb
4 votes, 1 answer

Volatility Forensics with Large dumps

Today I was tasked with the analysis of a .vmem file of a Windows RDS of one of our customers, due to some "strange" connections coming from native Windows processes. The extracted .vmem file has a size of 20GB. Requesting the imageinfo with…
Nomad
4 votes, 1 answer

Create memory dump from the Windows command line

I was following this blog post to dump the memory of a Windows host. Sadly, this method does not work on Windows Server 2012 because the memory drivers that come with mdd aren't signed, and this is required in newer Windows versions. Is there a known…
davidb
3 votes, 1 answer

Volatility.exe suggests two profiles for XP memory dump. Which one should I use?

Volatility suggests two profiles for an XP memory dump. Which one should I use for further investigation? I am a beginner with Volatility.
PEO
3 votes, 1 answer

Can a rootkit hide processes from "Volatility" or other memory forensics tools?

I know that a rootkit can hide processes from the OS by fooling around in userspace. But can a rootkit also modify a process's metadata in a way that it won't even be recognized by a RAM forensics tool like Volatility? I'm asking this because even…
davidb
2 votes, 0 answers

Extract Outlook email attachments from memory

Does anyone know if there is a way to extract Outlook emails with attachments from memory? What I have tried is to use volatility to dump PST files from memory and then use libpff to recover the attachments from PST files, but for some reason,…
Yang Yu
1 vote, 0 answers

Finding NonPagedPool start and end address using Volatility

I am exploiting the BlueKeep vulnerability in Windows Server 2008 R2 using the Metasploit Framework. When I run the exploit windows/rdp/cve_2019_0708_bluekeep_rce, it ends in a BSOD on the server and then the server restarts. I searched on the internet and found that I…
aneela
1 vote, 0 answers

Why does Volatility fail on Windows 10 dumps and what other tools can I use?

So I am trying to extract data from a full memory dump (made with either DumpIt or a BSOD). WinDbg manages to extract some information from it, but Volatility is silent: PS F:\> C:\Python27\python.exe C:\Python27\Scripts\vol.py -v -f…
Adalcar
1 vote, 0 answers

Volatility: Issue with analyzing Windows 10 and Server 2016 systems

I have been trying to use Volatility 2.6 to analyze memory dumps generated by DumpIt. I am experiencing an issue analyzing the memory dumps (all 4 GB in size) of two Windows 10 64-bit boxes (build numbers 18362.1 and 18362.476) and a Windows Server…
synthesis
1 vote, 0 answers

Volatility plugins to investigate packed exe files

I am using Volatility for malware analysis. I have got a process in my memory image that is packed by malware using the UPX packer. The malfind plugin doesn't show injected code for it either. How can I use a Volatility plugin, i.e. volshell, to investigate…
ayesha
0 votes, 0 answers

Is there a way to get the Windows login password hint from the SAM hive with Volatility?

We know that every user in Windows has a password hint. This password hint is stored in the SAM hive, more specifically under the SAM\Domains\Account\Users path. Is there a way to extract this password hint of a user with Volatility if we have a memory…
bd55
0 votes, 1 answer

How to identify hidden processes with Volatility using psxview?

I was learning Volatility, and in this room on TryHackMe they used psxview to find the hidden processes. The assignment was: It's fairly common for malware to attempt to hide itself and the process associated with it. That being said, we can view…
0 votes, 1 answer

How to detect fileless kernel compromise in Linux

Is there a way to detect fileless kernel compromise in Linux? The only way to analyze this kind of attack is with Volatility. Volatility is a very good product, but not often updated, especially for modern kernels (obviously because kernel change…
Lews
0 votes, 1 answer

How to build Linux Volatility profiles with the compiled kernel

I'm familiar with creating Linux memory profiles as stated here. However, this assumes that I have access to the live system, which is often not the case. I heard there is a way to build the profile from the compiled Linux kernel, but I…
user148614
0 votes, 1 answer

Is there any difference between the hiberfil.sys file and a RAM dump made with third-party software for Volatility.py?

I was wondering how I could give some advice to one of my friends when attempting to analyze a live Windows machine that was infected with malware. As far as I know, hibernation saves the RAM contents and compresses them into the hiberfil.sys file.…
RedS