Volatility for analysing volatile memory

Volatility and how we use it

What is it?
Volatility is a free, open-source memory forensics framework from The Volatility Foundation (http://www.volatilityfoundation.org). It is written in Python, and every analysis task is a plugin that runs against a memory dump (a RAM capture) to recover the volatile state of the machine at the moment of capture: processes, network connections, loaded modules and so on.

When would it be used?
Volatility is used frequently in analysing RAM captures, typically during incident response or malware analysis, where what was running and connected at capture time is the evidence.

What can it do?
All sorts: from listing the processes that were running (pslist, pstree) to showing open network connections (netscan on Vista and later, connections and sockets on XP) and hunting for injected or hidden code in process memory (malfind).

How do I use it?
Note: this post is based on the standalone (single executable) build of Volatility 2 on a Windows machine.
Before any other plugin will work you need the profile of the machine the image was taken from (its Windows version and architecture), not of the machine you are analysing on. Volatility can suggest one with the imageinfo plugin. In a command prompt, in the directory containing the Volatility executable, run: *Volatility executable* -f *path to file* imageinfo

note: the executable is not on the PATH by default, so either run it from its own directory (as here) or give its full path
-f gives the path of the memory image file
imageinfo is the plugin being run

here is an example:

imageinfo lists a few suggested profiles; the first one is usually the right choice. It is only a guess based on scanning the image for the kernel debugger block, though, so if a later plugin returns nothing or obvious garbage, try the next profile in the list or run the kdbgscan plugin to narrow it down.

The basic outline of the commands
in the directory of volatility:
*Volatility executable* -f *path to file* --profile=*profile given* *plugin*
(no space after the equals sign in --profile=)

below is an example


So, using the pstree plugin, I was able to see the processes running at the time in a tree view. This view makes it easy to see the parent process ID (PPID) of each running process, so we can see that explorer.exe ran xrytray.exe.
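The same parent/child lookup can be done over saved pstree text rather than by eye, which matters once a listing runs to hundreds of processes. The function below is an added example, not code from the original post or from Volatility itself. It is a POSIX shell function around awk, and it is fed a short constructed pstree listing in Volatility 2's column layout (tree dots, offset:name, Pid, PPid, Thds, Hnds, Time); the process names, PIDs and offsets in the sample are made up for illustration, and a real listing is assumed to have been saved from a pstree run as described above.

```shell
#!/bin/sh
# Added example, not code from the original post or from Volatility itself.
# Resolves "which process started X?" from saved Volatility 2 pstree output.
# pstree layout: [tree dots] 0x<EPROCESS offset>:<name> Pid PPid Thds Hnds Time

# Constructed sample of pstree output (made-up processes, PIDs and offsets).
# explorer.exe's parent (pid 1660) is deliberately absent: userinit.exe exits
# after starting the shell, so its entry is normally gone by capture time.
sample_pstree() {
    cat <<'EOF'
Volatility Foundation Volatility Framework 2.6
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x8a2ec5e8:System                                      4      0     55    232 1970-01-01 00:00:00 UTC+0000
. 0x8a0c6020:smss.exe                                 368      4      3     21 2023-05-01 09:30:54 UTC+0000
.. 0x8a01a8b8:csrss.exe                               584    368     11    378 2023-05-01 09:30:56 UTC+0000
.. 0x89f9b020:winlogon.exe                            608    368     19    521 2023-05-01 09:30:57 UTC+0000
... 0x89f7c530:services.exe                           652    608     16    262 2023-05-01 09:30:58 UTC+0000
.... 0x89f38b48:svchost.exe                           844    652     20    207 2023-05-01 09:31:00 UTC+0000
 0x89e4d3c8:explorer.exe                             1712   1660     13    341 2023-05-01 09:31:10 UTC+0000
. 0x89d20d88:cmd.exe                                 1804   1712      1     29 2023-05-01 09:35:02 UTC+0000
.. 0x89c77b00:notepad.exe                            1840   1804      1     40 2023-05-01 09:35:08 UTC+0000
EOF
}

# parent_of NAME: read pstree output on stdin and print, for every process
# called NAME, which process (by pid) started it. Prints "unknown" as the
# parent name when the PPid is not in the listing, i.e. the parent had
# already exited by capture time.
parent_of() {
    awk -v target="$1" '
        /^[ .]*0x[0-9a-fA-F]+:/ {
            sub(/^[ .]*0x[0-9a-fA-F]+:/, "")   # strip tree dots and the _EPROCESS offset
            name[$2] = $1                       # pid -> process name
            ppid[$2] = $3                       # pid -> parent pid
            if ($1 == target) hits[++n] = $2
        }
        END {
            for (i = 1; i <= n; i++) {
                pid = hits[i]; p = ppid[pid]
                printf "%s (pid %s) <- %s (pid %s)\n", target, pid, (p in name) ? name[p] : "unknown", p
            }
        }'
}

# Stand-alone run: with no arguments, demonstrate on the constructed sample;
# otherwise look up the named process in a real listing on stdin,
# e.g.  sh parent_of.sh cmd.exe < pstree.txt
if [ $# -eq 0 ]; then
    sample_pstree | parent_of cmd.exe
    sample_pstree | parent_of explorer.exe
else
    parent_of "$1"
fi
```

A process whose parent shows as "unknown" is not automatically suspicious (explorer.exe's parent normally has exited), but a child of an unexpected parent is worth a closer look, and pstree alone will not tell you that the name was spoofed, so check the path with dlllist or cmdline as well.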

A list of commands can be found here.

Tip: you may want to look at a plugin's results later without re-running the command. Add " > nameoftextfile.txt" to the end of the command and the output goes into a text file in the directory you are working in instead of onto the screen (you can give a path to another directory, but I find it easier to keep everything in one place).
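The whole routine above (run imageinfo, take the first suggested profile, run the plugins you care about with --profile=, save each one's output with >) is easy to script so it is done the same way on every image. The script below is an added example, not from the original post or the Volatility project. It assumes a POSIX shell (Git Bash or WSL on the Windows machine described above, or any Linux box) rather than cmd, assumes the Volatility 2 standalone executable is named by the VOL environment variable (default `volatility`), and parses the "Suggested Profile(s)" line that Volatility 2's imageinfo prints; the imageinfo output embedded for the stand-alone demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Volatility project.
# Scripts the Volatility 2 routine from the post: imageinfo -> first suggested
# profile -> run each plugin with --profile= -> save each result to a text file.
#
# Assumptions (not stated on the page): VOL names the Volatility 2 executable
# (e.g. VOL=./volatility.exe under Git Bash or WSL), and the memory image path
# is the first argument.
VOL="${VOL:-volatility}"

# Constructed sample of what imageinfo prints, used only for the demo/tests.
sample_imageinfo() {
    cat <<'EOF'
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/host1/mem.raw)
EOF
}

# first_profile: read imageinfo output on stdin and print the first suggested
# profile (the one the post says to pick). Prints nothing when imageinfo found
# none ("No suggestion"), which is the cue to fall back to kdbgscan or to try
# the other entries in the list by hand.
first_profile() {
    awk -F': *' '/Suggested Profile\(s\)/ { split($2, p, /[ ,(]/); if (p[1] != "No") print p[1]; exit }'
}

# run_plugins IMAGE PROFILE PLUGIN...: run each plugin and write its output to
# <image name>.<plugin>.txt in the current directory (the "> file.txt" tip from
# the post, applied once per plugin). Anything Volatility writes to stderr
# (its INFO/debug messages) goes to a matching .err file.
run_plugins() {
    image="$1"; profile="$2"; shift 2
    base=$(basename "$image")
    for plugin in "$@"; do
        out="${base}.${plugin}.txt"
        printf 'running %s -> %s\n' "$plugin" "$out" >&2
        "$VOL" -f "$image" --profile="$profile" "$plugin" > "$out" 2> "${base}.${plugin}.err"
    done
}

main() {
    image="$1"; shift
    # Default triage set if no plugins are named: processes, tree, network,
    # injected code, clipboard (netscan is for Vista and later; use connections
    # and sockets instead on XP/2003).
    [ $# -gt 0 ] || set -- pslist pstree netscan malfind clipboard
    profile=$("$VOL" -f "$image" imageinfo | first_profile)
    if [ -z "$profile" ]; then
        echo "imageinfo suggested no profile; try: $VOL -f $image kdbgscan" >&2
        exit 1
    fi
    echo "using profile $profile" >&2
    run_plugins "$image" "$profile" "$@"
}

if [ $# -eq 0 ]; then
    # No image given: show the parser on the constructed sample, then usage.
    printf 'demo: first suggested profile is %s\n' "$(sample_imageinfo | first_profile)"
    echo "usage: VOL=<volatility exe> $0 <memory image> [plugin ...]" >&2
else
    main "$@"
fi
```

Run it as `VOL=./volatility.exe sh triage.sh C:/cases/mem.raw` (Git Bash path style) and you get one .txt per plugin named after the image. If a plugin's .txt is empty while its .err is not, the profile is the first thing to suspect: re-run with the next entry from imageinfo's list.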

Test your knowledge
Using this link, download and analyse a memory image:

Can you find the running processes, open connections, clipboard data and more?
note: refer to the command reference mentioned earlier for the plugin names and their options.

