Introduction to Memory Forensics with Volatility 3

Published 2022-02-22
Volatility is a very powerful memory forensics tool. It extracts information from memory images (memory dumps) of Windows, macOS, and Linux systems, and a large community writes third-party plugins for it. You definitely want to include memory acquisition and analysis in your investigations, and Volatility should be in your forensic toolkit.

Today we show how to use Volatility 3 from installation to basic commands. When analyzing memory, basic tasks include listing processes, checking network connections, extracting files, and conducting a basic Windows Registry analysis. We cover each of these tasks. After you understand the Volatility 3 command structure and extract some basic information, advanced memory analysis just builds on those concepts.

Thank you to our Members and Patrons, but especially to our Investigators, TheRantingGeek, Roman, and Alexis Brignoni! Thank you so much!

Memory analysis is becoming easier with Volatility 3, and it is an excellent source of action-related evidence. If you are not already routinely including memory acquisitions in your investigations, I strongly recommend you do. The amount of information available that will never be written to disk is well worth the extra effort.

00:00 Introduction to Volatility 3
00:27 Install Volatility 3 on Windows
04:49 Volatility first run check
05:49 Find the path of your target memory image
06:09 Get RAM image info with windows.info
07:35 Listing installed plugins
09:07 Get process list from RAM with windows.pslist
12:09 Filter Volatility output with PowerShell Select-String
13:55 Find process handles with windows.handles
16:52 Dump a specific file from RAM with windows.dumpfiles
19:26 Dump all files related to a PID
20:12 Check executable run options with windows.cmdline
21:49 Find active network connections with windows.netstat
23:49 Find local user password hash with windows.hashdump
24:43 Analyze user actions with windows.registry.userassist
27:09 Find and dump Registry hives from RAM with windows.registry.hivelist
28:39 Analyze a specific Registry key from RAM with windows.registry.printkey
30:18 Intro to Volatility 3 review
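The pslist and Select-String steps above filter Volatility's process listing by eye. As an added example (not code from the video or from the Volatility project), the script below does the same job programmatically: it reads windows.pslist rows, rebuilds parent/child links and flags what an analyst checks first: a parent that is no longer in the list, a core Windows process with the wrong parent, duplicate singletons such as a second lsass.exe, exited processes still linked in the list, and image names one character away from a system process. It assumes Volatility 3's JSON renderer (`-r json`) emits a list of objects keyed by column name with an optional `__children` list, and the embedded rows are a constructed sample, not data from the practice image. The expected-parent table is an assumed Windows 10 baseline.

```python
"""Flag process anomalies in Volatility 3 windows.pslist output.

Added example, not code from the video or the Volatility project. Assumes
`vol.py -r json windows.pslist` prints a JSON list of objects keyed by column
name (PID, PPID, ImageFileName, ExitTime, ...), optionally nested under
"__children"; confirm the key names against your own build's output.
"""
import json
import subprocess
import sys

# Assumed Windows 10 baseline: which parent each core process should have.
EXPECTED_PARENT = {
    "smss.exe": {"system", "smss.exe"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}  # one instance expected

# Constructed sample rows (subset of columns), not data from a real image.
SAMPLE_PSLIST = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None},
    {"PID": 312, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": None},
    {"PID": 404, "PPID": 396, "ImageFileName": "csrss.exe", "ExitTime": None},
    {"PID": 472, "PPID": 396, "ImageFileName": "wininit.exe", "ExitTime": None},
    {"PID": 560, "PPID": 472, "ImageFileName": "services.exe", "ExitTime": None},
    {"PID": 584, "PPID": 472, "ImageFileName": "lsass.exe", "ExitTime": None},
    {"PID": 700, "PPID": 560, "ImageFileName": "svchost.exe", "ExitTime": None},
    {"PID": 3120, "PPID": 3040, "ImageFileName": "explorer.exe", "ExitTime": None},
    {"PID": 2984, "PPID": 3120, "ImageFileName": "svchost.exe", "ExitTime": None},
    {"PID": 4120, "PPID": 3120, "ImageFileName": "svch0st.exe", "ExitTime": None},
    {"PID": 5000, "PPID": 3120, "ImageFileName": "notepad.exe",
     "ExitTime": "2021-04-30 12:07:00"},
]


def run_pslist(vol_py, image):
    """Run Volatility 3 with the JSON renderer and parse its stdout."""
    cmd = [sys.executable, vol_py, "-f", image, "-r", "json", "windows.pslist"]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def flatten(rows):
    """Yield every row, descending into nested "__children" if present."""
    for row in rows:
        yield row
        yield from flatten(row.get("__children") or [])


def one_char_off(a, b):
    """True if a and b have equal length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def analyze(rows):
    """Return (kind, pid, name, detail) findings sorted by PID."""
    procs = {r["PID"]: r for r in flatten(rows)}
    names = {pid: r["ImageFileName"].lower() for pid, r in procs.items()}
    counts = {}
    for name in names.values():
        counts[name] = counts.get(name, 0) + 1
    findings = []
    for pid, r in procs.items():
        name, ppid = names[pid], r["PPID"]
        parent = names.get(ppid)
        if r.get("ExitTime"):
            findings.append(("exited", pid, name, f"exited {r['ExitTime']} but still in list"))
        if parent is None and ppid != 0:
            # Normal for csrss/wininit (their smss.exe parent exits) and for
            # explorer.exe (userinit.exe exits); worth a second look elsewhere.
            findings.append(("orphan", pid, name, f"parent PID {ppid} not in list"))
        elif name in EXPECTED_PARENT and parent not in EXPECTED_PARENT[name]:
            findings.append(("bad-parent", pid, name, f"parent is {parent} (PID {ppid})"))
        if name in SINGLETONS and counts[name] > 1:
            findings.append(("duplicate", pid, name, f"{counts[name]} instances"))
        if name not in EXPECTED_PARENT:
            for known in EXPECTED_PARENT:
                if one_char_off(name, known):
                    findings.append(("lookalike", pid, name, f"one edit from {known}"))
    return sorted(findings, key=lambda f: (f[1], f[0]))


def main(argv):
    rows = run_pslist(argv[1], argv[2]) if len(argv) == 3 else SAMPLE_PSLIST
    for kind, pid, name, detail in analyze(rows):
        print(f"{kind:<10} {pid:>6}  {name:<16} {detail}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the findings for the constructed sample (the svchost.exe launched by explorer.exe, the svch0st.exe lookalike, the exited notepad.exe, and the three expected orphans), or pass the path to vol.py and the image (hypothetical names, e.g. `python pslist_triage.py C:\tools\volatility3\vol.py C:\cases\memory.raw`) to run Volatility first. Orphans are reported rather than hidden because the same pattern that is normal for csrss.exe is exactly what a process whose parent has been unlinked looks like; the decision belongs to the analyst.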

🚀 Full Digital Forensic Courses → learn.dfir.science/

Links:
* Python: python.org/ (get version 3)
* Git for Windows: gitforwindows.org/
* Microsoft C++ Build Tools: visualstudio.microsoft.com/visual-cpp-build-tools/
* Python Snappy: www.lfd.uci.edu/~gohlke/pythonlibs/#python-snappy
* Volatility 3: github.com/volatilityfoundation/volatility3
* Practice memory image: archive.org/details/Africa-DFIRCTF-2021-WK02

Volatility Community: www.volatilityfoundation.org/

Related books:
* The Art of Memory Forensics (amzn.to/33DTt9b)

#volatility #forensic #memory #analysis
Get more Digital Forensic Science
πŸ‘ Subscribe β†’ bit.ly/2Ij9Ojc
❀️ YT Member β†’ bit.ly/DFIRSciMember
❀️ Patreon β†’ www.patreon.com/dfirscience

πŸ•ΈοΈ Blog β†’ DFIR.Science/
πŸ€– Code β†’ github.com/DFIRScience
🐦 Follow β†’ www.twitter.com/DFIRScience
πŸ“° DFIR Newsletter β†’ bit.ly/DFIRNews

Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are

All Comments (21)
  • Just started learning memory forensics with "The Art of Memory Forensics" and wanted a nice little video to supplement my learning. So glad you're here 🤗 thanks a lot
  • @frooogle99
    Thank you! This video has been the best resource so far!! Much appreciate it man! 😊
  • @MrBitviper
    awesome tutorial. this is very informative and easy to understand thank you so much for this
  • @djnikx1
    πŸ‘Excellent presentation. Thank you!
  • @fianvar
    Thanks a lot. This explanation is very useful.
  • @yastazik1982
    Very informative with great tips thanks 🙏🏻
  • @zerocool4580
    Excellent Video and thank you. The only thing I would add is, when I was trying to point Volatility to the .raw memory file I was receiving errors for permissions and so on. I then placed the .raw file in the same folder as the Volatility3 and it finally worked. Just in case others run into this issue.
  • @nemzyxt
    Awesome, new sub here, thanks a lot
  • Hi thanks for the video. I would like to know what to do if the translation requirement and symbol table requirement are not fulfilled while listing installed plugins?
  • @alfonzo7822
    I just wrote a massive post then lost it.. my pc then subsequently my network got compromised back in June. Clean install did nothing. Microsoft, HP and bitdefender say that since all virus scans are clear and system has been reinstalled that it's fine. It's taken me literally months to get to the point where I have a good idea what is going on but still can't resolve it. Have seen boot files on wireshark from specific ips, my winRE is empty so concluded it must be a pxe boot. Sure enough managed to locate relevant files. However need more info to be able to work out safe removal as so far anything I do hasn't worked. Ran a massive memory dump and tried to use volatility but yeh couldn't get it going properly. However this vid has helped a lot and fingers crossed I'll find the treasure :) thanks a lot for uploading this!
  • Can you make a follow up on the issues setting up when you are installing Microsoft tools? Maybe show us what we actually need?
  • @nk8681
    Thanks for this informative but extremely important video for those who need to get started. There is a request: can you make a video on Network Artifacts for Linux Memory Forensics? I will be grateful to you. Thanks in advance.