Learning Volatility: TryHackMe

[Task1]: Installing

wget http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip
unzip volatility_2.6_lin64_standalone.zip
sudo cp volatility_2.6_lin64_standalone/volatility_2.6_lin64_standalone /usr/local/bin/volatility
sudo chmod +xr /usr/local/bin/volatility

[Task2]: Obtaining memory samples

(#1) What memory format is the most common?

(#2) What file contains a compressed memory image?

(#3) How about if we wanted to perform memory forensics on a VMware-based virtual machine?

[Task3]: Examining Our Patient

(#1) Viewing profiles

volatility -f cridex.vmem imageinfo

(#2) Guessing the profile

volatility -f cridex.vmem --profile=WinXPSP2x86 pslist

(#3) Finding PIDs using the “pslist” plugin

volatility -f cridex.vmem --profile=WinXPSP2x86 pslist

(#4) Viewing active network connections

(#5) Viewing hidden processes

volatility -f cridex.vmem --profile=WinXPSP2x86 psxview

(#6) Viewing hidden DLLs

volatility -f cridex.vmem --profile=WinXPSP2x86 ldrmodules
volatility -f cridex.vmem --profile=WinXPSP2x86 ldrmodules | grep "False"
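The grep "False" filter above also matches each process's own executable, which is normally absent from the InInit list. The following triage filter is an added example, not part of the original write-up or of Volatility; the function names and sample rows are constructed, and it assumes the Volatility 2 column order Pid, Process, Base, InLoad, InInit, InMem, MappedPath.

```bash
# Constructed sample rows in Volatility 2 ldrmodules layout (not from cridex.vmem).
sample_ldrmodules() {
  cat <<'EOF'
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
    1000 example.exe          0x01000000 True   False  True  \WINDOWS\example.exe
    1000 example.exe          0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
    1000 example.exe          0x00a40000 False  False  False 
    1000 example.exe          0x00d00000 False  False  False \WINDOWS\Fonts\vgasys.fon
    1000 example.exe          0x10000000 False  False  True  \Documents and Settings\user\sample.dll
EOF
}

# Reads ldrmodules output on stdin, prints: reason, pid, process, base, path.
# Assumes process names contain no spaces (hypothetical helper, not a plugin).
triage_ldrmodules() {
  awk '
    # Data rows: numeric PID in field 1, hex base address in field 3.
    $1 ~ /^[0-9]+$/ && $3 ~ /^0x[0-9a-fA-F]+$/ {
      proc = tolower($2); load = $4; init = $5; mem = $6
      # MappedPath may contain spaces, so rebuild it from field 7 onward.
      path = ""
      for (i = 7; i <= NF; i++) path = path (i > 7 ? " " : "") $i
      if (load == "True" && init == "True" && mem == "True") next
      # Last path component, lower-cased, to compare with the process name.
      n = split(path, parts, /\\/)
      leaf = tolower(parts[n])
      if (path == "")
        reason = "NO_MAPPED_PATH"        # region has no backing file name
      else if (load == "True" && init == "False" && mem == "True" && index(leaf, proc) == 1)
        next                             # main executable is never in the InInit list
      else if (load == "False" && init == "False" && mem == "False")
        reason = "UNLINKED_ALL_LISTS"    # can be a data mapping such as a font: check path
      else
        reason = "PARTIALLY_UNLINKED"    # missing from one or two of the PEB lists
      printf "%s\t%s\t%s\t%s\t%s\n", reason, $1, $2, $3, (path == "" ? "-" : path)
    }'
}

# Offline demo on the sample; on a real image, pipe the ldrmodules command in instead.
sample_ldrmodules | triage_ldrmodules
```

Rows tagged NO_MAPPED_PATH or PARTIALLY_UNLINKED are the ones to compare against the malfind and dlllist output for the same PID and base address.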

(#7) Viewing unexpected API hooks

volatility -f cridex.vmem --profile=WinXPSP2x86 apihooks

(#8) Dumping malicious code

volatility -f cridex.vmem --profile=WinXPSP2x86 malfind -D /tmp/test

(#9) Viewing all DLLs loaded into memory

volatility -f cridex.vmem --profile=WinXPSP2x86 dlllist

[Task4]: Post Actions

(#1) Uploading the memory dumps to VirusTotal
