Category: Volatility

Cybersecurity, Dfir, Forensics, Volatility

Volatility, my own cheatsheet (Part 6): Windows Registry

Volatility can carve Windows registry data out of a memory image. (Other articles about Volatility: https://www.andreafortuna.org/category/volatility) hivescan: to find the physical addresses of CMHIVEs (registry hives) in memory, use the hivescan command. For more information, see "Enumerating Registry Hives" (moyix.blogspot.it): the Windows registry can be an important forensic resource, and Harlan Carvey has written extensively on various aspects of… This […]

Cybersecurity, Dfir, Forensics, Volatility

Volatility, my own cheatsheet (Part 5): Networking

This time we look at network connections, which are valuable material during the analysis phase. connections: to view the TCP connections that were active at the time of the memory acquisition, use the connections command. This walks the singly-linked list of connection structures pointed to by a non-exported symbol in the tcpip.sys module. This command is […]

Cybersecurity, Dfir, Forensics, Volatility

Volatility, my own cheatsheet (Part 4): Kernel Memory and Objects

Let's go a little deeper into the system and look for kernel modules in the memory dump. modules: to view the list of kernel drivers loaded on the system, use the modules command. This walks the doubly-linked list of LDR_DATA_TABLE_ENTRY structures pointed to by PsLoadedModuleList. Similar to the pslist command, this relies on […]

Cybersecurity, Dfir, Forensics, Volatility

Volatility, my own cheatsheet (Part 2): Processes and DLLs

Once the correct profile has been identified, we can start analyzing the processes in memory and, when the dump comes from a Windows system, the loaded DLLs. pslist: to list the processes of a system, use the pslist command. This walks the doubly-linked list pointed to by PsActiveProcessHead and shows the offset, process name, process ID, the parent process […]
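Both the pslist excerpt above and the modules excerpt (Part 4) describe plugins that walk a kernel linked list, and a rootkit that unlinks an entry from that list hides it from the walk. The practitioner's check is a cross-view comparison against the pool-scanning plugin (psscan for processes, modscan for modules), which carves objects out of physical memory instead of following the list. The script below is an added example and is not code from the original posts or from the Volatility project: it parses two constructed text tables laid out like Volatility 2's pslist and psscan output (the rows are made up, and the parser relies only on the leading offset/name/PID/PPID columns and on any timestamps in the remainder of the line) and reports what psscan sees that pslist does not, separating entries with an exit time (processes that simply terminated before acquisition) from entries without one (candidates for DKOM hiding that deserve a closer look).

```python
"""Cross-view check: pslist (list walk) versus psscan (pool scan) in Volatility 2 output.

Added example; the sample tables below are constructed for this demo and are not
from a real memory image. Only the first four columns (offset, name, PID, PPID) and
the timestamps found later on each row are used, so minor column-width differences
between profiles do not matter.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed rows in the shape of `vol.py pslist` (virtual offsets).
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x82298700 winlogon.exe            608    368     23      519      0      0 2010-10-29 17:08:54 UTC+0000
0x81e2ab28 explorer.exe           1724   1696     13      326      0      0 2010-10-29 17:09:01 UTC+0000
"""

# Constructed rows in the shape of `vol.py psscan` (physical offsets). PID 1260 has no
# exit time and is missing from pslist: a hiding candidate. PID 2332 has an exit time:
# it terminated before the acquisition and was carved from freed pool.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x00000000022f1020 smss.exe            368      4 0x0a4a0000 2010-10-29 17:08:53 UTC+0000
0x0000000002298700 winlogon.exe        608    368 0x0a6e0000 2010-10-29 17:08:54 UTC+0000
0x0000000001e2ab28 explorer.exe       1724   1696 0x0b420000 2010-10-29 17:09:01 UTC+0000
0x0000000001f9ec00 lsass.exe          1260    608 0x0c100000 2010-10-29 17:10:12 UTC+0000
0x0000000001cc2da0 cmd.exe            2332   1724 0x0d5c0000 2010-10-29 17:11:40 UTC+0000 2010-10-29 17:12:03 UTC+0000
"""

# A data row starts with a hex offset followed by name, PID and PPID; the rest is free-form.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b(.*)$")
# Volatility 2 prints timestamps as "YYYY-MM-DD HH:MM:SS UTC+0000".
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


@dataclass(frozen=True)
class Proc:
    offset: int
    name: str
    pid: int
    ppid: int
    created: Optional[str]
    exited: Optional[str]


def parse_table(text: str) -> Dict[Tuple[int, str], Proc]:
    """Parse a pslist/psscan-style table into {(pid, name): Proc}.

    Keying on (pid, name) rather than offset lets the virtual-offset (pslist) and
    physical-offset (psscan) views be compared directly.
    """
    procs: Dict[Tuple[int, str], Proc] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        stamps = TS_RE.findall(m.group(5))
        proc = Proc(
            offset=int(m.group(1), 16),
            name=m.group(2),
            pid=int(m.group(3)),
            ppid=int(m.group(4)),
            created=stamps[0] if stamps else None,
            exited=stamps[1] if len(stamps) > 1 else None,
        )
        procs[(proc.pid, proc.name)] = proc
    return procs


def cross_view(list_text: str, scan_text: str) -> Dict[str, List[Proc]]:
    """Diff the list-walking view against the pool-scanning view.

    hidden:     in psscan only, with no exit time (possible DKOM unlinking)
    terminated: in psscan only, with an exit time (process ended before acquisition)
    unscanned:  in pslist only (scanner missed it, e.g. overwritten pool header)
    """
    listed = parse_table(list_text)
    scanned = parse_table(scan_text)
    only_scanned = [p for k, p in scanned.items() if k not in listed]
    only_listed = [p for k, p in listed.items() if k not in scanned]
    by_pid = lambda p: p.pid
    return {
        "hidden": sorted((p for p in only_scanned if p.exited is None), key=by_pid),
        "terminated": sorted((p for p in only_scanned if p.exited is not None), key=by_pid),
        "unscanned": sorted(only_listed, key=by_pid),
    }


if __name__ == "__main__":
    report = cross_view(PSLIST_OUTPUT, PSSCAN_OUTPUT)
    for label, procs in report.items():
        print(f"{label}:")
        for p in procs:
            print(f"  pid={p.pid:<6} ppid={p.ppid:<6} {p.name:<16} phys/virt=0x{p.offset:x} exited={p.exited}")
```

Run it against real output by replacing the two constants with the captured text of `vol.py -f <image> --profile=<profile> pslist` and `... psscan`; the same (pid, name) keying works for modules versus modscan once the regex is adjusted to that table's columns. A non-empty "hidden" list is not proof of a rootkit on its own (a process created in the instant between the two list walks, or a carving false positive, can land there too), so confirm each hit with psxview or by inspecting the EPROCESS at the reported physical offset.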