❑ Volatility is a forensic tool for analyzing dumped memory.
❑ Features
❍ It is a widely used memory forensics platform.
❍ It supports various platforms.
❑ How to install (Windows) : Download it from the Volatility Foundation.
❑ How to install (Ubuntu) : $ sudo apt-get install volatility
❑ How to use : $ volatility -f [Dump file] --profile=[System profile] [Plugin]
* Check the Volatility documentation for details.
| Plugin | Description |
|--------|-------------|
| imageinfo | Print information about the dump file, including the suggested system profile. |
| psscan | Scan memory for process structures. Result: start time, exit time, and terminated, hidden or unlinked processes. |
| userassist | Print the list of programs executed by the user, taken from the UserAssist registry keys. |
| dlllist | Print the list of DLLs loaded by each process. |
| timeliner | Print a timeline of the events (process, file and registry activity) found in the dump. |
| consoles | Print the commands entered in console windows and their output. |
| netscan | Print network connection and socket information, similar to netstat. |
| mftparser | Scan for and parse MFT entries (file names and timestamps) recovered from memory. |
| hivelist | Print the virtual memory addresses and paths of the registry hives. |
| envars | Print the environment variables of each process. |
| dlldump | Extract the DLLs of the process with [PID number] and save them to [Directory path]. e.g. dlldump --pid [PID number] --dump-dir [Directory path] |
| hashdump | Print the password hashes of the local system accounts. |
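As an added example (not part of the original page), the cross-check implied by the psscan row: entries that psscan finds but pslist does not are either terminated processes (they carry an exit time) or candidates for hidden/unlinked processes. Both listings below are constructed in Volatility 2 output format and are not from a real dump.

```python
import re

# Constructed sample in Volatility 2 `psscan` format (not real dump data).
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000007e5ea030 svchost.exe        1204    496 0x3f4e0260 2012-04-05 19:29:14 UTC+0000
0x000000007e6f2b30 cmd.exe            2404   1816 0x3f4e0340 2012-04-05 19:30:01 UTC+0000   2012-04-05 19:31:12 UTC+0000
0x000000007e77c020 explorer.exe       1816   1788 0x3f4e0180 2012-04-05 19:29:20 UTC+0000
0x000000007e4a1d40 rundll32.exe       3280   1816 0x3f4e0500 2012-04-05 19:32:40 UTC+0000
"""

# Constructed sample in `pslist` format for the same fictional dump.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x7e5ea030 svchost.exe            1204    496     12      310      0      0 2012-04-05 19:29:14 UTC+0000
0x7e77c020 explorer.exe           1816   1788     30      900      1      0 2012-04-05 19:29:20 UTC+0000
"""

ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s", re.I)
# A second timestamp at the end of the line is the exit time.
EXITED = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+)\s*$")

def parse_processes(text):
    """Return {pid: {"name", "ppid", "exited"}} from a psscan or pslist listing."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and separator lines
        name, pid, ppid = m.group(1), int(m.group(2)), int(m.group(3))
        ex = EXITED.search(line)
        procs[pid] = {"name": name, "ppid": ppid, "exited": ex.group(1) if ex else None}
    return procs

def classify(psscan_text, pslist_text):
    """Split psscan-only PIDs into terminated (exit time set) and hidden/unlinked candidates."""
    scanned, listed = parse_processes(psscan_text), parse_processes(pslist_text)
    result = {"terminated": [], "hidden": []}
    for pid, info in scanned.items():
        if pid in listed:
            continue  # visible in the linked process list, nothing unusual
        result["terminated" if info["exited"] else "hidden"].append((pid, info["name"]))
    return result

if __name__ == "__main__":
    for kind, procs in classify(PSSCAN_OUTPUT, PSLIST_OUTPUT).items():
        for pid, name in procs:
            print(f"{kind:10s} pid={pid:<5d} {name}")
```

A "hidden" candidate still needs confirmation (for example with dlllist or the process's parent and start time), since psscan can also pick up stale pool memory.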
