Volatility: An Open Source Memory Forensic Tool

Basic Volatility commands, with a brief explanation of each.

First, we will break down the command and explain each plugin sub-command separately.

  1. "volatility": This is the main command of the Volatility Framework, an open-source memory forensics tool used to analyse volatile memory dumps.

  2. "-f cridex.vmem": The -f argument specifies the memory sample file (here, downloaded from GitHub). It is the name of the input file to be analysed and examined.

  • volatility -f cridex.vmem imageinfo

imageinfo: shows high-level information about the memory dump and displays details such as the suggested profile, operating system, service pack, image creation date, number of processors, etc.

  • volatility -f cridex.vmem pslist

pslist: prints the list of processes that were running, excluding hidden and unlinked processes, by walking the EPROCESS linked list.

  • volatility -f cridex.vmem psscan

psscan: can help us find processes that were previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit.
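The practical use of running pslist and psscan together is to diff them: anything psscan finds that pslist does not is either a terminated process or one that has been unlinked from the EPROCESS list. The following is an added example, not part of the original post; it parses constructed Volatility 2 text output (the rows, PIDs and the name unlinked.exe are made up, not real cridex.vmem results) and separates the two cases by whether a "Time exited" value is present.

```python
import re

# Constructed sample pslist output in Volatility 2 column format (not real cridex.vmem data).
PSLIST_OUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x82169020 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
0x81e7bda0 reader_sl.exe          1640   1484      5       39      0      0 2012-07-22 02:42:36 UTC+0000
"""

# Constructed sample psscan output: two extra rows, one exited and one with no exit time (unlinked).
PSSCAN_OUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x0000000002169020 explorer.exe       1484   1464 0x079400c0 2012-07-22 02:42:36 UTC+0000
0x0000000001e7bda0 reader_sl.exe      1640   1484 0x079404c0 2012-07-22 02:42:36 UTC+0000
0x0000000001f3a020 svchost.exe        1080    644 0x07940400 2012-07-22 02:42:34 UTC+0000   2012-07-22 02:45:01 UTC+0000
0x00000000020b6020 unlinked.exe       2100    644 0x07940520 2012-07-22 02:43:10 UTC+0000
"""

# A data row starts with a hex offset, then name, PID, PPID; header/separator lines do not match.
ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)", re.I)
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def parse_processes(output):
    """Return {pid: name} from pslist or psscan text output."""
    procs = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def compare_process_lists(pslist_out, psscan_out):
    """Split psscan-only PIDs into (terminated, hidden) dicts of {pid: name}.

    A psscan row carrying two timestamps (created and exited) is a terminated
    process; a row with no exit time that pslist never saw is unlinked/hidden.
    """
    linked = parse_processes(pslist_out)
    exited = {int(ROW.match(l).group(2)) for l in psscan_out.splitlines()
              if ROW.match(l) and len(TIMESTAMP.findall(l)) == 2}
    terminated, hidden = {}, {}
    for pid, name in parse_processes(psscan_out).items():
        if pid not in linked:
            (terminated if pid in exited else hidden)[pid] = name
    return terminated, hidden
```

On a real image the same comparison is run over the saved output of the two plugins; a PID in the "hidden" set with no exit time is the case worth dumping and inspecting further.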

  • volatility -f cridex.vmem netscan

This sub-command finds TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners. It distinguishes between IPv4 and IPv6, prints the local and remote IP (if applicable), the local and remote port (if applicable), the time when the connection was established, and the current state (for TCP connections only). The output is similar to that of the netstat command.

  • volatility -f cridex.vmem connscan

This networking sub-command helps find information about active connections as well as previous connections that have since been terminated.

  • volatility -f cridex.vmem filescan

filescan is a pool scanner for file objects. It finds open files even if a rootkit is hiding the files on disk, and even if the rootkit has hooked API functions to hide the open handles on a live system. The output shows the physical offset of the FILE_OBJECT, the file name, the number of pointers to the object, the number of handles to the object, and the effective permissions granted to the object.

  • volatility -f cridex.vmem hivelist

The hivelist sub-command locates the virtual addresses of the registry hives in memory and the full paths to the corresponding hive files on disk.

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files on disk.

  • volatility -f cridex.vmem printkey

The printkey sub-command displays the subkeys, values, data, and data types contained within a specified registry key. By default, it searches all hives and prints the key information (if found) for the requested key.

  • volatility -f cridex.vmem malfind

The malfind sub-command lets us find hidden and injected code in process memory.


Written by

Saurav Chapagain

I am a Cybersecurity and Cloud Support Professional with over 9 years of experience in securing IT infrastructure, managing cloud environments, and ensuring compliance with industry standards. My expertise spans security operations, incident response, vulnerability management, and cloud infrastructure management across AWS and Azure platforms. Throughout my career, I've successfully: reduced unauthorized access attempts by 40% through IAM best practices and security hardening; improved incident response times by 30% by implementing automated SIEM alert triaging systems; conducted security audits and vulnerability assessments to ensure compliance with HIPAA, HITRUST, and SOC 2 standards; and managed hybrid cloud environments, optimizing security policies and reducing attack surfaces by 50%. I hold two Post Graduate Certificates in Cloud Architecture & Administration (Seneca Polytechnic) and Cybersecurity (Canadore College), along with certifications such as ISC2 Cybersecurity, CompTIA Security+, and Red Hat Certified System Administrator (RHCSA). My technical skills include expertise in tools like Microsoft Sentinel, Splunk, Palo Alto, and scripting with PowerShell and Bash. I am passionate about leveraging my skills to protect organizations from cyber threats and ensure the integrity of their systems and data. I thrive in collaborative environments, working with cross-functional teams to deliver secure and reliable IT solutions. Let's connect and discuss how I can contribute to your organization's IT operation and cybersecurity goals!