
Cheat sheet on memory forensics using various tools such as volatility.


cyb3rmik3/DFIR-Notes


Memory Dump Procedures

Volatility cheat sheet

| Command | Description |
| --- | --- |
| `python vol.py -f mem.dmp imageinfo` | imageinfo helps you get more information about the memory dump, including the suggested OS profile |
| `python vol.py -f mem.dmp --profile=prof` | specify the OS profile to Volatility (e.g. `--profile=WinXPSP2x86`) |
| `python vol.py -f mem.dmp --profile=prof pslist` | list the processes that were running, using the pslist plugin |
| `python vol.py -f mem.dmp --profile=prof pstree` | display the processes together with their parent processes |
| `python vol.py -f mem.dmp --profile=prof psxview` | find processes that are trying to hide themselves while running on the computer |
| `python vol.py -f mem.dmp --profile=prof connscan` | scanner for TCP connections |
| `python vol.py -f mem.dmp --profile=prof sockets` | print a list of open sockets |
| `python vol.py -f mem.dmp --profile=prof netscan` | scan a Vista (or later) image for connections and sockets |

Notes

  • mem.dmp = filename.filetype
  • prof = profile name as defined by imageinfo
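The commands above are usually run in the same order on every dump: imageinfo first, then the process plugins with the suggested profile, then the network plugins that match the Windows version. The script below is an added example, not part of the DFIR-Notes repo, that chains them into one triage pass. It assumes Volatility 2 is invoked through the `VOL` variable (defaulting to `python vol.py` as in the cheat sheet) and that the dump is a Windows image; the `suggested_profile`, `network_plugins` and `triage_dump` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the DFIR-Notes repo): a triage wrapper that chains the
# Volatility 2 commands from the cheat sheet. Assumes vol.py is reachable via
# $VOL (assumption) and that the dump is a Windows image.
VOL="${VOL:-python vol.py}"

# Pull the first entry of the "Suggested Profile(s)" line out of imageinfo text
# read from stdin. A trailing "(Instantiated with ...)" note is dropped.
suggested_profile() {
    sed -n 's/^[[:space:]]*Suggested Profile(s)[[:space:]]*:[[:space:]]*//p' |
        sed 's/,.*//; s/[[:space:]]*(.*//' |
        head -n 1
}

# netscan only understands Vista-and-later images; XP and 2003 dumps need
# connscan plus sockets instead, so pick the plugins from the profile name.
network_plugins() {
    case "$1" in
        WinXP*|Win2003*) echo "connscan sockets" ;;
        *)               echo "netscan" ;;
    esac
}

# Run imageinfo, then the process and network plugins against a dump, writing
# each plugin's output to <outdir>/<plugin>.txt so the results can be reviewed
# and kept as evidence.
triage_dump() {
    dump="$1"
    outdir="${2:-triage_$(basename "$dump")}"
    mkdir -p "$outdir"
    $VOL -f "$dump" imageinfo > "$outdir/imageinfo.txt"
    profile="$(suggested_profile < "$outdir/imageinfo.txt")"
    if [ -z "$profile" ]; then
        echo "imageinfo suggested no profile; set --profile manually" >&2
        return 1
    fi
    echo "using profile $profile"
    for plugin in pslist pstree psxview $(network_plugins "$profile"); do
        $VOL -f "$dump" --profile="$profile" "$plugin" > "$outdir/$plugin.txt"
    done
}

# Usage: sh triage.sh mem.dmp [outdir]
if [ $# -gt 0 ]; then
    triage_dump "$@"
fi
```

Pass the dump as the first argument; the profile is taken from the first suggestion imageinfo prints, so check `imageinfo.txt` and re-run the plugins with a different `--profile` if the plugin output looks wrong (empty pslist, garbage pstree), which is the usual sign of a mismatched profile.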

Memory Forensics References

Volatility GitHub
