Working with Volatility

Volatility has a basic syntax with individual commands. The first portion of the command is the memory image that is under analysis. Second is the profile of the memory image. OSes each have their own specific methods of memory addressing. The profile points Volatility to the specific areas of memory in which to find the appropriate data. Third, the command syntax will have a plugin that dictates the information the responder would like Volatility to access. Here is an example of Volatility command syntax:

dfir@Desktop-SFARF6G~$ volatility -f memoryimage.mem --profile=Win7SP1x64 plugin

There are several other options available, such as restricting a plugin to a specific PID or writing the results to a text file. Information on the various plugins is available on the Volatility GitHub page at https://github.com/volatilityfoundation/volatility/wiki/Command-Reference.

The Volatility section will work with the Cridex memory image discussed earlier. While this is a known infected image, it will provide a known context for understanding the data that can be obtained with Volatility. In this case, for ease of use, the memory image was renamed cridex_laptop.mem in the following examples.
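As an added example (not from the book), the following Python script drives the Volatility 2 command line in the order just described: it runs imageinfo to read the suggested profile, then runs a set of triage plugins against cridex_laptop.mem, writing each plugin's output to its own text file. The plugin list, the output directory name and the sample imageinfo output are assumptions constructed for the example.

```python
"""Drive Volatility 2 over a memory image: detect the profile with imageinfo,
then run a set of triage plugins and save each result to a text file."""
import re
import subprocess
from pathlib import Path

VOLATILITY = "volatility"          # command name as used in the chapter
IMAGE = "cridex_laptop.mem"        # image name used in the chapter
PLUGINS = ["pslist", "pstree", "psscan", "dlllist", "connscan"]  # assumed set

# Constructed sample of imageinfo output, in the format Volatility 2.x prints.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
"""


def suggested_profiles(imageinfo_output):
    """Return the profiles imageinfo suggests; the first one is the best guess."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not m:
        return []
    names = re.sub(r"\(Instantiated with .*?\)", "", m.group(1))
    return [p.strip() for p in names.split(",") if p.strip()]


def build_command(image, profile, plugin, pid=None, output_file=None):
    """Assemble argv in the chapter's order: image, profile, plugin, then options."""
    cmd = [VOLATILITY, "-f", image, f"--profile={profile}", plugin]
    if pid is not None:
        cmd += ["-p", str(pid)]              # limit the plugin to one process
    if output_file is not None:
        cmd.append(f"--output-file={output_file}")
    return cmd


def run_triage(image=IMAGE, outdir="vol_output"):
    """Detect the profile, run each plugin, and write <plugin>.txt under outdir."""
    info = subprocess.run([VOLATILITY, "-f", image, "imageinfo"],
                          capture_output=True, text=True, check=True).stdout
    profiles = suggested_profiles(info)
    if not profiles:
        raise RuntimeError("imageinfo suggested no profile; supply one manually")
    profile = profiles[0]
    Path(outdir).mkdir(exist_ok=True)
    for plugin in PLUGINS:
        out = Path(outdir) / f"{plugin}.txt"
        subprocess.run(build_command(image, profile, plugin, output_file=out),
                       check=False)          # keep going if one plugin fails
    return profile


if __name__ == "__main__":
    print("profile used:", run_triage())
```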