# Misc && Memory Forensics Common Commands

Tags: memory forensics, volatility

While preparing for the provincial competition I learned one tool. This article simply records the commands commonly used in memory forensics.

```shell
# Volatility 2 (vol.py). Profile names are case-sensitive (Win7SP1x64, not Win7SP1X64).
# First identify the OS of the image and the --profile to use for every later command
vol.py -f xp.raw imageinfo

# Scan for cmd.exe console command history
vol.py -f memory.raw --profile=Win7SP1x64 cmdscan

# Process information: pslist walks the active-process list, pstree shows parent/child relations
vol.py -f memory.raw --profile=Win7SP1x64 pslist
vol.py -f memory.raw --profile=Win7SP1x64 pstree

# Loaded DLLs per process (dlllist); ldrmodules cross-checks the three loader lists to expose unlinked/hidden modules
vol.py -f memory.img --profile=Win2003SP1x86 dlllist
vol.py -f memory.img --profile=Win2003SP1x86 ldrmodules
# malfind is not a DLL list: it flags injected/hidden code (private RWX regions, PE headers in unexpected places)
vol.py -f memory.img --profile=Win2003SP1x86 malfind

# Local account names and LM/NTLM password hashes from the SAM (hashes, not plaintext passwords)
vol.py -f memory.raw --profile=Win7SP1x64 hashdump

# Registry: list the hives and their virtual offsets, print a key, or dump a whole hive
vol.py -f memory.raw --profile=Win7SP1x64 hivelist
vol.py -f memory.raw --profile=Win7SP1x64 printkey
# -o takes the hive's virtual offset as shown by hivelist
vol.py -f memory.raw --profile=Win7SP1x64 hivedump -o 0xfffff8a001cce010

# Network connections and listening sockets
vol.py -f memory.raw --profile=Win7SP1x64 netscan

# Services and their running state
vol.py -f memory.raw --profile=Win7SP1x64 svcscan

# Process environment variables
vol.py -f memory.raw --profile=Win7SP1x64 envars

# Scan for FILE_OBJECTs (files cached/open in memory)
vol.py -f memory.raw --profile=Win7SP1x64 filescan

# Dump a process's addressable memory: take the PID from pslist, then memdump -p
vol.py -f mem.vmem --profile=WinXPSP2x86 memdump -p 2012 -D ./

# Look for a file by name, then dump it with dumpfiles -Q <physical offset from the filescan output>
vol.py -f mem.raw --profile=Win7SP1x64 filescan | grep flag
vol.py -f mem.raw --profile=Win7SP1x64 dumpfiles -Q <physical offset> -D ./

# Dump a process and grep its memory with strings.
# Windows stores most user-mode text as UTF-16LE, so run both a plain and a wide (-e l) pass
vol.py -f mem.raw --profile=Win7SP1x64 memdump -p 536 -D ./
strings 536.dmp | grep flag
strings -e l 536.dmp | grep flag

# Internet Explorer browsing history
vol.py -f zy.raw --profile=WinXPSP2x86 iehistory

# Community plugins are loaded with --plugins; mimikatz recovers credentials from lsass memory
vol.py --plugins=./volatility-master/volatility/plugins -f OtterCTF.vmem --profile=Win7SP1x64 mimikatz
vol.py --plugins=./volatility-master/volatility/plugins -f OtterCTF.vmem --profile=Win7SP1x64 pslist

# printkey with -o takes a hive virtual offset (from hivelist), not a process address; -K selects the key
vol.py --plugins=./volatility-master/volatility/plugins -f OtterCTF.vmem --profile=Win7SP1x64 -o <hive offset> printkey
# The hostname lives in the SYSTEM hive under this key
vol.py --plugins=./volatility-master/volatility/plugins -f OtterCTF.vmem --profile=Win7SP1x64 -o <SYSTEM hive offset> printkey -K "ControlSet001\Control\ComputerName\ComputerName"

# Search the raw image for a keyword with 5 lines of context on each side
strings xxx.vmem | grep Luar-3 -A 5 -B 5

# Search a dumped process for a byte pattern
hexdump -C 708.dmp | grep "5a 0c 00" -A 3

# Clipboard contents
vol.py -f mem.raw --profile=Win7SP1x64 clipboard

# Dump every process whose name matches the regex given to -n (here all chrome processes) into a directory
vol.py -f mem.raw --profile=Win7SP1x64 memdump -n chrome -D ./chromepes
```
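The `memdump` then `strings ... | grep flag` step above only works if the right string encoding is scanned: Windows user-mode code keeps most text as UTF-16LE, and a plain `strings` pass sees only one printable byte between nulls and drops it. The following Python is an added example, not part of the original post or of Volatility, that models what `strings` and `strings -e l` do over a constructed stand-in for a `.dmp` file (the buffer, the file path and the flag value are all made up) so you can see which pass finds what before running the real tool on a dump.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a slice of a memdump'ed process (e.g. 536.dmp):
# an ASCII path, some binary noise, and a flag stored the way Windows
# user-mode code normally stores text, as UTF-16LE. Not real dump data.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00"
    + b"C:\\Users\\otter\\Desktop\\notes.txt\x00"
    + bytes(range(0, 32))
    + "flag{utf16_needs_strings_dash_e_l}".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe" + b"short" + b"\x01\x02"
)

MIN_LEN = 4  # GNU strings' default minimum string length

# Plain `strings`: runs of printable 7-bit characters
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# `strings -e l`: 16-bit little-endian, i.e. each printable byte followed by 0x00
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def ascii_strings(buf: bytes) -> List[Tuple[int, str]]:
    """Model of `strings <file>`: (offset, text) for every ASCII run."""
    return [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(buf)]


def wide_strings(buf: bytes) -> List[Tuple[int, str]]:
    """Model of `strings -e l <file>`: (offset, text) for every UTF-16LE run."""
    return [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(buf)]


def grep(found: List[Tuple[int, str]], pattern: str) -> List[Tuple[int, str]]:
    """Model of `| grep <pattern>` over the extracted strings."""
    rx = re.compile(pattern)
    return [(off, s) for off, s in found if rx.search(s)]


def find_flag(buf: bytes, pattern: str = r"flag\{") -> dict:
    """Run both passes the way an analyst should, and report which one hit."""
    return {
        "ascii": grep(ascii_strings(buf), pattern),
        "wide": grep(wide_strings(buf), pattern),
    }


if __name__ == "__main__":
    for mode, hits in find_flag(SAMPLE_DUMP).items():
        print(f"{mode}: {hits}")
    # The ASCII pass finds the path and 'short' but not the flag;
    # the wide pass is the one that returns flag{...}.
```

On a real dump, the equivalent is simply `strings 536.dmp | grep flag` followed by `strings -e l 536.dmp | grep flag`; the offsets this model prints correspond to what `strings -t x` would report.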