When you start analyzing a Linux memory dump using volatility, the first problem you may need to face is choosing the correct memory profile.
Category: Volatility
How to analyze a VMware memory image with Volatility
A very brief post, just a reminder about a very useful volatility feature.
How to retrieve user’s passwords from a Windows memory dump using Volatility
About Volatility i have written a lot of tutorials, now let’s try to use this information in a real context extracting the password hashes from a windows memory dump, in 4 simple steps. 1. Identify the memory profile First, we need to identify the correct profile of the system: root@Lucille:~# volatility imageinfo -f test.elf Volatility […]
Volatility, my own cheatsheet (Part 8): Filesystem
With this part, we ended the series dedicated to Volatility: the last ‘episode’ is focused on file system. If you want to read the other parts, take a look to this index: Image Identification Processes and DLLs Process Memory Kernel Memory and Objects Networking Windows Registry Analyze and convert crash dumps and hibernation files Filesystem And […]
Volatility, my own cheatsheet (Part 7): Analyze and convert crash dumps and hibernation files
Volatility supports memory dumps in several different formats, to ensure the highest compatibility with different acquisition tools. You can analyze hibernation files, crash dumps, virtualbox core dumps, etc in the same way as any raw memory dump and Volatility will detect the underlying file format and apply the appropriate address space. You can also convert […]