/r/memoryforensics
Memory Forensics is an ever growing field. With the emergence of malware that can avoid writing to disk, the need for memory forensics tools and education is growing.
Vote based on the quality of the content. Submissions linking to PDF files should denote "[PDF]" in the title. Irrelevant submissions will be pruned in an effort towards tidiness.
I'm new to forensic stuff; in fact this is my very first attempt with such a tool. Whenever I attempt a memory dump, it crashes the computer. I'm trying to use dumpit.exe by moonsols.
I have been running image.info on a memdump for over 30 minutes and it hasn't moved since.
Hi, I've been dabbling with volatility 3 recently and learning along the way. I stumbled across 2 plugins that interested me, drivermodule and driverirp. I was able to extract information from the image using these plugins, but I'm not sure what to do with the data. Looking online, most people only cover the basics of volatility and basic memory forensics techniques, but none had a tutorial for the driver plugins. The good thing is volatility extracts the memory addresses of each driver listed in memory; it also briefly gives an idea of how each driver behaves, such as IRPs and so on. My question is: where do I find better resources that explain in detail how to work with that type of data (for example, how would I go about removing hidden drivers)? I also checked the volatility 3 documentation, but again they only briefly explain how the program works and how to set it up properly.
I am working on a file carving tool for memory dumps of RAM. I am able to successfully carve files which have a definite header and footer and which are contiguous.
But how can I carve files which are non-contiguous? Essentially how can I locate the next fragment(s)?
I have noticed that profiles do not exist in volatility 3, but I am trying to figure out why and how, and am planning to write a blog on it to help people. Is it because it's automatic? It is surprising that I haven't been able to find this information anywhere.
Any help would be amazing!
Hi all,
I'm taking a course where I need to perform memory analysis using Volatility 3.
When trying to install Volatility 3 on my Kali machine (as the course uses a Kali machine), using this guide https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/
I get the following error when I try to run Volatility 3:
Volatility 3 Framework 2.4.1
Traceback (most recent call last):
File "/home/jakob/.local/bin/vol", line 8, in <module>
sys.exit(main())
File "/home/jakob/.local/lib/python3.10/site-packages/volatility3/cli/__init__.py", line 797, in main
CommandLine().run()
File "/home/jakob/.local/lib/python3.10/site-packages/volatility3/cli/__init__.py", line 293, in run
failures = framework.import_files(
File "/home/jakob/.local/lib/python3.10/site-packages/volatility3/framework/__init__.py", line 152, in import_files
failures += import_file(
File "/home/jakob/.local/lib/python3.10/site-packages/volatility3/framework/__init__.py", line 184, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
File "<frozen importlib._bootstrap_external>", line 883, in exec_module
File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
File "/home/jakob/.local/lib/python3.10/site-packages/volatility3/framework/plugins/windows/hashdump.py", line 10, in <module>
from Crypto.Cipher import AES, ARC4, DES
File "/usr/local/lib/python3.10/dist-packages/Crypto/Cipher/ARC4.py", line 119, in <module>
key_size = xrange(1,256+1)
NameError: name 'xrange' is not defined. Did you mean: 'range'?
Can anyone tell me what's wrong?
Hi,
Does the volatility 2.6 repo have more features than the standalone install? I've started using volatility 2.6 for a college project and standalone works fine for my current requirements, but I want to avoid any gotchas further down the line.
In a nutshell, I'm asking: at this point in time, what is the difference between the standalone and repo versions?
Thanks,
Hey All,
I've just begun learning about memory forensics and am trying to see if it's possible to use Volatility 2 to find local variables.
For background, I've got a script that creates a symmetric encryption key which is used to encrypt a text file. I created a memory dump. Using WinDbg I was able to find the encryption key in the memory dump.
I'm wondering if there is a similar way of extracting this information with Volatility?
Does this happen to anyone else? How do I fix it?
I know that for macOS 10, osxpmem can be used to capture the memory. Has anyone had any success with macOS 12 with it?
Good morning,
It’s time for a new 13Cubed episode! This one covers a tool that I truly believe is revolutionary. Imagine being able to "mount" memory as if it were a disk image. With a single command, MemProcFS will create a virtual file system representing the processes, file handles, registry, $MFT, and more. The tool can be executed against a memory dump, or run against memory on a live system. This is a game changer for memory forensics!
Episode:
https://www.youtube.com/watch?v=hjWVUrf7Obk
Episode Guide:
https://www.13cubed.com/episodes/
13Cubed YouTube Channel:
https://www.youtube.com/13cubed
13Cubed Patreon (Help support the channel and get early access to content and other perks!):
Hello, is there any way to make a memory dump by hardware? I know there is Inception, but I'd like to know if there is another way. Inception would be good, but it only works with specific hardware profiles like Thunderbolt, FireWire and so on.
So I have a Linux dump which I'm hoping to analyze using Volatility 3.
However, it appears I need to import or create a symbol table for the particular kernel of that distribution. My question is: how do I identify which kernel this is, and how would I go about getting hold of it, so that I can use dwarf2json and import the symbols into Volatility 3?
When running banners.Banners the output I get is:
$ ./vol.py -f ~/Downloads/memdump4.dmp banners.Banners
Volatility 3 Framework 2.2.0
Progress: 100.00 PDB scanning finished
Offset Banner
0xbc000e0 Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)
0xc2b81ac Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)
0xf88d8f8 Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)
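The banner lines above already name the kernel: the release (4.9.0-6-amd64) and, after the word "Debian", the source package version (4.9.82-1+deb9u3). The parser below is an added example, not part of the post or of Volatility; it reads a banners.Banners table, groups identical banners (several hits at different offsets are normal for one kernel, while two different banners would mean the dump holds more than one kernel image) and derives what to fetch. The debug-package name linux-image-<release>-dbg and the vmlinux path under /usr/lib/debug/boot/ follow Debian's layout and are assumptions here; Volatility 3 then selects the ISF JSON produced by dwarf2json by matching this exact banner string.

```python
import re

# Copied from the banners.Banners output in the post above (two of the three identical rows).
SAMPLE_OUTPUT = """Offset Banner
0xbc000e0 Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)
0xc2b81ac Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)
"""

BANNER_RE = re.compile(
    r"^Linux version (?P<release>\S+) \((?P<builder>[^)]*)\) "
    r"\((?P<compiler>.*)\) (?P<build>#.*?) \((?P<date>[^)]*)\)$"
)


def parse_banner(banner):
    """Split one linux_banner string into its fields; None if it is not a Linux banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["compiler"] = fields["compiler"].strip()
    # Debian kernels carry the source package version after "Debian" in the build string.
    deb = re.search(r"\bDebian (\S+)", fields["build"])
    fields["debian_version"] = deb.group(1) if deb else None
    return fields


def kernels_in_output(text):
    """Return {banner: [offsets]} for the rows of a banners.Banners table; the header line is skipped."""
    seen = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].startswith("0x"):
            continue
        seen.setdefault(parts[1].strip(), []).append(int(parts[0], 16))
    return seen


def symbol_sources(text):
    """One entry per distinct kernel: what to fetch so dwarf2json can build the ISF.
    Package name and vmlinux path assume Debian's linux-image-<release>-dbg layout."""
    out = []
    for banner, offsets in kernels_in_output(text).items():
        f = parse_banner(banner)
        if f is None:
            continue
        out.append({
            "release": f["release"],
            "package": f"linux-image-{f['release']}-dbg",
            "version": f["debian_version"],
            "vmlinux": f"/usr/lib/debug/boot/vmlinux-{f['release']}",
            "hits": len(offsets),
        })
    return out
```

If symbol_sources() returns more than one entry, resolve which kernel was actually running before building symbols, since each banner needs its own ISF file.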
Volatility 2 does not have a profile beyond build 19041 yet, and Volatility 3 lacks advanced plugins when it comes to malware analysis.
How do you analyze a memory acquisition from Windows 10 build 19044?
I'm trying to write a script that will scan through a Linux memory capture and find processes in memory. However, I haven't been able to locate any signature bytes for the Linux task_struct in the same way EProcess blocks have a nice structure header in Windows. Can anyone point me in the right direction?
Good afternoon all,
I am attempting to run Volatility 3 in a closed-off network and am having errors when attempting to convert the Windows symbol file with pdbconv.py.
When I run it, it immediately errors out with the following: "The module volatility3 could not be found"
Which doesn't make sense.... Is there a specific plugin we need to add on top of installing Volatility?
Any help would be appreciated on what we should do, thank you!
Is there a way to find out the last login time on a windows machine using volatility 3?
I seem to not know how to get Volatility 3 to display cmd command line history.
It seems like consoles was used in volatility 2 but that option doesn't appear to be present in 3.
I know there is windows.cmdline.CmdLine but that just lists process command line arguments. Not command line history.
Any help would be greatly appreciated.
Hi All,
I'm trying to use Volatility as part of a script I'm building.
Currently I keep getting this error:
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : The requested file doesn't exist
I'm on Kali Linux and I use the standalone version from the Volatility main website.
If I'm not using it within a script, it works well but as soon as I try to use volatility within a script it gives me this error.
This is what I'm using in my script:
./volatility_2.6_lin64_standalone -f $file imageinfo
I tried a few things to solve this but nothing helped.
Is it possible that because I have 2 versions (vol.py & standalone) installed, it messes it up?
I'm fairly new to volatility so I would love for some assistance here.
I’m using the volatility_2.6_win64_standalone application for this. I’m trying to find malware in a memory dump. To find hidden and injected code, I used the malfind switch. My command was: (Filepath>volatility_2.6_win64_standalone.exe -f imagename.img --profile=Win2003SP0x86 malfind). It gave me a list of processes. I copied its output into a .txt file. How can I figure out which one of these processes caused malware to show up in the memory?
I'm trying to read about memory forensics using volatility. Can someone explain to me what an offset address in memory is and how it is different from a physical and a virtual address?
Hi to all. There is a new player in town. They are called Trufflepig Forensics, and their software is Trufflepig Nexus. Has anybody had the chance to try their software already?
I am wondering if they offer any special features other than the ones which Volatility has already! I know they are not open source, but I still want to know if there is anything that they are doing differently.
Let me know.
Hello Community,
There is one Cridex (XP) memory sample available on GitHub and many tutorials to find evidence with Volatility.
But this is an old OS and old malware.
Does anyone have some samples to share?
Hello, does anyone know where I can search for the list of legitimate kernel drivers in Win10? Or where to search for a Win10 dump to extract the list of the legitimate kernel drivers?
How do you add 3rd party volatility plugins without having to specify the --plugins= argument each time? I want the plug-in to be available by default with the others.
Hey all, I'm a hiring manager directly recruiting (with the mods' permission) for a senior DFIR position. I've hired people I've met from reddit before and have references.
The position is full time remote but we have offices in NYC and Ireland if you prefer being onsite. The first paragraph of the job description is a little corny but intended to convey we're looking for someone with enough experience to manage the full incident lifecycle not just use Autopsy/volatility on an image. https://www.ciphertechs.com/careers/senior-dfir
You can DM me here if interested. Thanks!
https://i.ibb.co/KmcLVtY/0508210031.jpg
Hey y'all, I know what I've got^^^^ There's a bitcoin on there, one of the first for sure.
I dismantled this HDD for fun in 2008 I think, but kept it for idk why besides I'm a dumb nerd. A friend gave our LAN party group some bitcoin one day in like 2007. It's the actual physical character string of the bitcoin saved in a WinXP Notepad file. Anyways, I lost what I backed it up onto and lost the bitcoin. Didn't think anything of it until I moved recently and found this in a box. It's been in the dark of a dry box for years, prone to temperature swings and the such of protected outdoor storage.
...What might be the chances of data recovery? And how the hell would I go about doing it?
TLDR: Bitcoin address on them shiny hard disks in the link, might it still be recoverable? Thanks y'all 💙💙😘