Try   HackMD

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Volatility Foundation

Volatility CheatSheet - Windows memdump

OS Information

imageinfo

Volatility 2

vol.py -f "filename" imageinfo
vol.py -f "filename" kdbgscan

Volatility 3

vol3 -f "filename" windows.info

Process Information

process list

Volatility 2

vol.py -f "filename" ‑‑profile <profile> pslist
vol.py -f "filename" ‑‑profile <profile> psscan
vol.py -f "filename" ‑‑profile <profile> pstree
vol.py -f "filename" ‑‑profile <profile> psxview

Volatility 3

vol3 -f "filename"  windows.pslist
vol3 -f "filename"  windows.psscan
vol3 -f "filename"  windows.pstree

procdump

Volatility 2

vol.py -f "filename" ‑‑profile <profile> procdump -p <PID> ‑‑dump-dir="output/dir"

Volatility 3

vol3 -f "filename" -o "output/dir" windows.dumpfiles ‑‑pid <PID>

memdump

Volatility 2

vol.py -f "filename" ‑‑profile <profile> memdump -p <PID> ‑‑dump-dir="output/dir"

Volatility 3

vol3 -f "filename" -o "output/dir" windows.memmap ‑‑dump ‑‑pid <PID>

handles

Volatility 2

vol.py -f "filename" ‑‑profile <profile> handles -p <PID>

Volatility 3

vol3 -f "filename" windows.handles ‑‑pid <PID>

dlls

Volatility 2

vol.py -f "filename" ‑‑profile <profile> dlllist -p <PID>

Volatility 3

vol3 -f "filename" windows.dlllist ‑‑pid <PID>

cmdline

Volatility 2

vol.py -f "filename" ‑‑profile <profile> netscan
vol.py -f "filename" ‑‑profile <profile> netstat

XP/2003 SPECIFIC

vol.py -f "filename" ‑‑profile <profile> connscan
vol.py -f "filename" ‑‑profile <profile> connections
vol.py -f "filename" ‑‑profile <profile> sockscan
vol.py -f "filename" ‑‑profile <profile> sockets

Volatility 3

vol3 -f "filename" windows.netscan
vol3 -f "filename" windows.netstat

Network Information

netscan

Volatility 2

vol.py -f "filename" ‑‑profile <profile> dlllist -p <PID>

Volatility 3

vol3 -f "filename" windows.dlllist ‑‑pid <PID>

Registry

hivelist

Volatility 2

vol.py -f "filename" ‑‑profile <profile> hivescan
vol.py -f "filename" ‑‑profile <profile> hivelist

Volatility 3

vol3 -f "filename" windows.registry.hivescan
vol3 -f "filename" windows.registry.hivelist

printkey

Volatility 2

vol.py -f "filename" ‑‑profile <profile> printkey
vol.py -f "filename" ‑‑profile <profile> printkey -K “Software\Microsoft\Windows\CurrentVersion”

Volatility 3

vol3 -f "filename" windows.registry.printkey
vol3 -f "filename" windows.registry.printkey ‑‑key “Software\Microsoft\Windows\CurrentVersion”

hivedump

Volatility 2

vol.py -f "filename" ‑‑profile <profile> hivedump -o <offset>

Volatility 3

Files

filescan

Volatility 2

vol.py -f "filename" ‑‑profile <profile> filescan

Volatility 3

vol3 -f "filename" windows.filescan

filedump

Volatility 2

vol.py -f "filename" ‑‑profile <profile> dumpfiles ‑‑dump-dir="output/dir"
vol.py -f "filename" ‑‑profile <profile> dumpfiles ‑‑dump-dir="output/dir" -Q <offset>
vol.py -f "filename" ‑‑profile <profile> dumpfiles ‑‑dump-dir="output/dir" -p <PID>

Volatility 3

vol3 -f -o "output/dir"  "filename" windows.dumpfiles
vol3 -f -o "output/dir"  "filename" windows.dumpfiles ‑‑virtaddr <offset>
vol3 -f -o "output/dir"  "filename" windows.dumpfiles ‑‑physaddr <offset>

Sources

tags: Volatility CheatSheet Forensic
Last changed by 
TuX-
1
16026

Read more

Space Heroes CTF 2023 | Writeup

Space Heroes CTF 2023 Awesome crypto / Rick Sanchez Algorithm In and out morty a 20 second adventure C = 9763756615749453697711832780290994218209540404092892743938023440562066399337084806157794233931635560977303517688862942257802526956879788034993931726625296410536964617856623732243706473693892876612392958249751369450647924807557768944650776039737608599803384984393221357912052309688764443108728369555676864557154290341642297847267177703428571478156111473165047499325994426058207523594208311563026561922495973859252628019530188566290941667031627386907620019898570109210940914849323148182914949910332546487694304519512036993844651268173759652768515378113523432311285558813699594606327838489283405761035709838557940909309 n = 25886873815836479531102333881328256781823746377127140122698729076485535125711666889354560018621629598913480717734088432525491694576333336789245603514248141818159233105461757115009985693551920113198731562587185893937220809465123357884500614412967739550998756643760039322502299417470414994227318221114452157902944737622386655242568227060393806757218477070728859359570853449231546318892600962043047963934362830601068072327572283570635649379318478675132647932890596210095121862798891396418206480147312633875596896359215713337014482857089996281525920299938916154923799963866283612072794046640286442045137533183412128422223 e = 3412227947038934182478852627564512970725877639428828744897413324202816073614248101081376540697482845313507125163089428254245096018283445899452858022211718628390653483026409446914537083191082941622293729786517851124468666633780447090080209520381218492938112166177839174421554838099214223129604698311531540363994640048732628930103674878115331383263452987483186144997440066159073515630319057855626746004248806849195662788941903776396118558065192757367266853647652706247900976106843337363721026272734784391404675859060134421742669727121306927682580867089725963848606261214171291213498225968719857795306299660931604391979 Author:SolarDebris

Apr 24, 2023
BucketCTF 2023 | Writeup

BucketCTF 2023 Awesome BucketCTF 2023 Play with the TCP1P team. MISC / Transmission The United States space force was one day containing routine tests on intergalactic light when they captured a random beam of light. Senior General Hexy Pictora believes this beam of light may actually be a new communication method used by aliens. Analyze the image to find out of any secrets are present.

Apr 12, 2023
Cyber Apocalypse 2023 - The Cursed Mission | Writeup

Cyber Apocalypse 2023 - The Cursed Mission Writeup Awesome Cyber Apocalypse 2023 Reversing / Hunting License STOP! Adventurer, have you got an up to date relic hunting license? If you don&apos;t, you&apos;ll need to take the exam again before you&apos;ll be allowed passage into the spacelanes! rev_hunting_license.zip

Mar 25, 2023
SpringForwardCTF 2023 | Forensics & Writeup

SpringForwardCTF 2023 Forensics Writeup Awesome SpringForwardCTF 2023 Forensics/No Expectation of Privacy We&apos;ve been monitoring data coming and going from around campus. Might be worth looking into it to see if anything weird stands out. Could be that&apos;s how whoever is behind the weird stuff on campus is communicating? We&apos;re looking for something from someone named RB.

Mar 14, 2023
Read more from TuX-
Published on HackMD