Analyzing KD Live Memory Dump with Volatility
May 1, 2024
Step 1: Identify the Memory Image
NB: these commands are for Volatility version 2.
Ensure you have the memory dump file ready, either in raw format or in the specific format written by the capture tool (for a KD live dump, the kernel debugger's dump format).
Step 2: Determine the Profile
Use the following command to identify the appropriate profile for the memory dump:
volatility -f [dumpfile] imageinfo
This command suggests the most likely profile(s) for the memory dump; pass the chosen one as --profile=[profile] to every command that follows.
Step 3: Basic Commands for Analysis
Once the profile is identified, utilize the following commands to begin your analysis:
List Running Processes:
volatility -f [dumpfile] --profile=[profile] pslist
Check Active Network Connections:
volatility -f [dumpfile] --profile=[profile] netscan
View Open Files:
volatility -f [dumpfile] --profile=[profile] filescan
Dump Process Memory:
volatility -f [dumpfile] --profile=[profile] memdump -p [pid] -D [output_directory]
Extract Registry Keys:
volatility -f [dumpfile] --profile=[profile] printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
Step 4: Advanced Analysis
For more detailed investigation, consider these commands:
Check for Hidden Processes:
volatility -f [dumpfile] --profile=[profile] psxview
Analyze Loaded DLLs:
volatility -f [dumpfile] --profile=[profile] dlllist -p [pid]
Search for Rootkits:
volatility -f [dumpfile] --profile=[profile] malfind
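psxview compares several independent ways of enumerating processes (the EPROCESS linked list behind pslist, pool-tag scanning behind psscan, thread and handle tables, csrss handles, session and desktop structures), so a process that is missing from pslist but present in the other columns is the classic sign of DKOM unlinking. The following Python is an added example, not code from the original post or from the Volatility project: it parses psxview's table output and reports processes whose visibility is inconsistent. The sample output, the process names, the PIDs and the EXPECTED_GAPS table of columns that are legitimately False for System, smss.exe and csrss.exe are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Column order of the boolean views in Volatility 2's psxview table.
VIEWS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# Constructed sample of `volatility -f [dumpfile] --profile=[profile] psxview` output.
# evil.exe is the constructed "unlinked" process; notepad.exe is a terminated process
# still resident in pool memory (it has an ExitTime), which is not hidden.
SAMPLE_PSXVIEW = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x0000000002c0c1b0 System                    4 True   True   True     True   False False   False
0x000000001e2a2460 smss.exe                228 True   True   True     True   False False   False
0x000000001f0e9d40 csrss.exe               300 True   True   True     True   False True    True
0x000000001f98c030 explorer.exe           1244 True   True   True     True   True  True    True
0x000000001fa1b8e0 evil.exe               2040 False  True   True     True   True  True    True
0x000000001fb22a70 notepad.exe            2316 True   True   False    False  False False   False    2024-05-01 10:12:33 UTC+0000
"""

# Assumed baseline: columns that are normally False for these processes on a healthy
# system (they have no csrss handle, session or desktop entry; csrss does not list itself).
EXPECTED_GAPS = {
    "System": {"csrss", "session", "deskthrd"},
    "smss.exe": {"csrss", "session", "deskthrd"},
    "csrss.exe": {"csrss"},
}


@dataclass
class PsxEntry:
    offset: str
    name: str
    pid: int
    views: Dict[str, bool]
    exit_time: str = ""


def parse_psxview(text: str) -> List[PsxEntry]:
    """Parse psxview table rows; banner, header and separator lines are skipped."""
    entries: List[PsxEntry] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not re.fullmatch(r"0x[0-9a-fA-F]+", tokens[0]):
            continue
        # The PID is the first all-digit token after the offset; the name may contain spaces.
        pid_idx = next(i for i, t in enumerate(tokens) if i > 0 and t.isdigit())
        name = " ".join(tokens[1:pid_idx])
        flags = tokens[pid_idx + 1 : pid_idx + 1 + len(VIEWS)]
        if len(flags) != len(VIEWS):
            raise ValueError(f"malformed psxview row: {line!r}")
        views = {v: (f == "True") for v, f in zip(VIEWS, flags)}
        exit_time = " ".join(tokens[pid_idx + 1 + len(VIEWS):])
        entries.append(PsxEntry(tokens[0], name, int(tokens[pid_idx]), views, exit_time))
    return entries


def find_hidden(entries: List[PsxEntry]) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, name, missing_views) for live processes absent from pslist but seen elsewhere."""
    findings = []
    for e in entries:
        if e.exit_time:
            continue  # terminated process lingering in pool memory, not DKOM
        missing = {v for v, seen in e.views.items() if not seen} - EXPECTED_GAPS.get(e.name, set())
        other_views_see_it = any(e.views[v] for v in VIEWS if v != "pslist")
        if "pslist" in missing and other_views_see_it:
            findings.append((e.pid, e.name, sorted(missing)))
    return findings


if __name__ == "__main__":
    for pid, name, missing in find_hidden(parse_psxview(SAMPLE_PSXVIEW)):
        print(f"PID {pid} ({name}) is absent from: {', '.join(missing)}")
```

In practice, pipe the real psxview output into parse_psxview and then confirm any hit with dlllist, handles and malfind against that PID; a process missing from pslist alone is a strong lead, but the baseline in EXPECTED_GAPS should be tuned to the Windows version of the image.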
Step 5: Extract Artifacts
Extract various artifacts for forensic analysis:
Dump Registry for Offline Analysis:
volatility -f [dumpfile] --profile=[profile] hivelist
volatility -f [dumpfile] --profile=[profile] dumpregistry -H [hive_address] -D [output_directory]
Recover Passwords:
volatility -f [dumpfile] --profile=[profile] hashdump
Replace [dumpfile], [profile], [pid], [hive_address], and [output_directory] with the actual values for your case; hivelist supplies the virtual hive addresses that dumpregistry -H expects.