The problem with Volatility, or rather the problem isn’t Volatility itself, it’s how lazy a person can be. You don’t need to install Volatility in a virtual machine (though it is highly recommended), but if you still don’t care, use Volix. Volix is an automatic setup for the Volatility Framework that can own memory dumps to an extreme level. – https://twitter.com/ro0ted/
So download the standalone .exe of Volatility here:
Click the Volatility Paths tab
And enter the path to where you downloaded the Volatility standalone .exe:
Click Miscellaneous, select a place for logs:
Download John the Ripper:
Click John and point to john.exe:
This window will pop up:
Enter the path to the image file you want to inspect; in this case I made a memory dump of this machine:
Click OK and this menu will appear:
There’s a ton of information you can extract with this program in conjunction with the Volatility Framework.
If you think your PC is infected, make a memory dump as shown in this tutorial:
How large the memory dump is for your machine determines how long this takes. In forensics you want it to take as much time as needed. After all, computer forensics is the science of analyzing data.
I decided to use a Dark Comet Memory Sample.
This is to show that if you don’t want to set up a VM or know any Volatility commands, you can still have fun in Windows.
Image info of the subject, DCM.raw:
Let’s say you don’t know which system this malware was meant to execute on. Well, Volatility runs with several profiles for Windows, Linux, and Mac.
When you are at this menu, after you upload your memory sample, click this:
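The two things the GUI is doing for you at this point are hashing the evidence file and picking a profile from the `imageinfo` output before running the real plugins. The script below is an added example (not Volix code and not from the post) that does the same thing by hand: it parses the "Suggested Profile(s)" line, prefers whichever profile Volatility actually instantiated, and builds the follow-up command lines, choosing XP-era network plugins (`connscan`, `sockets`) instead of `netscan` when the profile is pre-Vista. The `imageinfo` text is a constructed sample in the real plugin's layout, and the `.exe` path is a placeholder.

```python
"""Pick a Volatility 2 profile from `imageinfo` output and build the follow-up
commands. Added example, not Volix or Volatility code; the sample output and
the exe path below are constructed placeholders."""
import hashlib
import re

# Constructed sample of what `volatility.exe -f DCM.raw imageinfo` prints.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\\dumps\\DCM.raw)
                      PAE type : PAE
                           DTB : 0x319000L
          Number of Processors : 1
     Image Type (Service Pack) : 2
           Image date and time : 2014-05-12 17:31:02 UTC+0000
"""

# Placeholder path; point this at the standalone exe you downloaded.
VOL_EXE = r"C:\tools\volatility-standalone.exe"


def parse_imageinfo(text):
    """Pull the suggested profiles, the instantiated one and the image time out of imageinfo text."""
    info = {"profiles": [], "instantiated": None, "image_time": None}
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", text)
    if m:
        line = m.group(1).strip()
        inst = re.search(r"\(Instantiated with ([^)]+)\)", line)
        if inst:
            if inst.group(1) != "no profile":
                info["instantiated"] = inst.group(1)
            line = line[: inst.start()].strip()
        # imageinfo prints "No suggestion" when the KDBG scan finds nothing usable.
        if not line.startswith("No suggestion"):
            info["profiles"] = [p.strip() for p in line.split(",") if p.strip()]
    m = re.search(r"Image date and time\s*:\s*(.+)", text)
    if m:
        info["image_time"] = m.group(1).strip()
    return info


def choose_profile(info):
    """Prefer the profile Volatility instantiated; otherwise the first suggestion; None if none."""
    if info["instantiated"] and info["instantiated"] in info["profiles"]:
        return info["instantiated"]
    return info["profiles"][0] if info["profiles"] else None


def plugins_for(profile):
    """netscan only exists for Vista and later; XP/2003 use connscan and sockets."""
    base = ["pslist", "psscan", "malfind"]
    if profile.startswith(("WinXP", "Win2003")):
        return base + ["connscan", "sockets"]
    return base + ["netscan"]


def build_commands(vol_exe, image, profile):
    """Command lines in Volatility 2 syntax: -f <image> --profile=<profile> <plugin>."""
    return [f'"{vol_exe}" -f "{image}" --profile={profile} {p}' for p in plugins_for(profile)]


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Hash the dump before touching it so the evidence can be shown unchanged later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_plan(imageinfo_text, vol_exe, image):
    """Turn imageinfo output into the profile and the commands to run next."""
    info = parse_imageinfo(imageinfo_text)
    profile = choose_profile(info)
    if profile is None:
        return {"profile": None, "commands": [], "image_time": info["image_time"]}
    return {"profile": profile,
            "commands": build_commands(vol_exe, image, profile),
            "image_time": info["image_time"]}


if __name__ == "__main__":
    plan = triage_plan(SAMPLE_IMAGEINFO, VOL_EXE, "DCM.raw")
    print("profile:", plan["profile"], "| image time:", plan["image_time"])
    for cmd in plan["commands"]:
        print(cmd)
```

Run the hash before anything else and write it into the log folder you chose under Miscellaneous; a second hash after the analysis proves nothing in the chain touched the dump. If `triage_plan` comes back with no profile, the KDBG scan failed and you fall back to `kdbgscan` or a manually chosen profile rather than guessing.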
You really just have to play around with it yourself.
I am usually against automatic tools, but I am more against malware.
With this you can reverse the intruder to the fullest extent.
Thanks for reading and supporting.
If you liked this tutorial,
Check out my last tutorial for the VM setup using Volatility on the Linux distro REMnux, and watch how I owned the infamous ZeuS bot and extracted it out of an infected process here:
REMnux: Volatility Framework ~ Memory Forensics
Volatility Analyzing the ZeuS Bot Part 2
Meet Volatility Frameworks automatic cousin: Volix +