{"id":22804358,"url":"https://github.com/divinemonk/memory_forensics_with_volatility","last_synced_at":"2026-01-27T02:35:28.894Z","repository":{"id":204179099,"uuid":"711272314","full_name":"Divinemonk/memory_forensics_with_volatility","owner":"Divinemonk","description":"Memory Forensics with Volatility","archived":false,"fork":false,"pushed_at":"2023-10-28T18:31:52.000Z","size":17,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"m41n","last_synced_at":"2025-06-06T00:08:06.327Z","etag":null,"topics":["forensics","memory","memory-forensics","volatility"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Divinemonk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-10-28T18:19:16.000Z","updated_at":"2024-11-07T16:05:05.000Z","dependencies_parsed_at":null,"dependency_job_id":"31381007-293b-438d-a6b1-410e06c42974","html_url":"https://github.com/Divinemonk/memory_forensics_with_volatility","commit_stats":null,"previous_names":["divinemonk/memory_forensics"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/Divinemonk/memory_forensics_with_volatility","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Divinemonk%2Fmemory_forensics_with_volatility","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Divinemonk%2Fmemory_forensics_with_volatility/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Divinemonk%2Fmemory_forensics_with_volatility/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/repositories/Divinemonk%2Fmemory_forensics_with_volatility/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Divinemonk","download_url":"https://codeload.github.com/Divinemonk/memory_forensics_with_volatility/tar.gz/refs/heads/m41n","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Divinemonk%2Fmemory_forensics_with_volatility/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28796977,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T01:07:07.743Z","status":"online","status_checked_at":"2026-01-27T02:00:07.755Z","response_time":168,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forensics","memory","memory-forensics","volatility"],"created_at":"2024-12-12T10:07:58.422Z","updated_at":"2026-01-27T02:35:28.879Z","avatar_url":"https://github.com/Divinemonk.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Memory Forensics with Volatility\n\u003e https://www.volatilityfoundation.org/releases\n\n\u003cbr\u003e\n\n## Obtaining Memory Samples\n\n### Live machines\n- memory image extractor\n```\n FTK Imager\n Redline\n DumpIt.exe\n win32dd.exe / win64dd.exe (psexec)\n```\n- these tools will typically output a `.raw` file\n\n### Offline machines\n- windows:\n  - _windows hibernation file_ (`%SystemDrive%/hiberfil.sys`) stores compressed memory image from previous boot\n\n### Virtual machines\n- 
memory images\n```\n VMware - .vmem file\n Hyper-V - .bin file\n Parallels - .mem file\n VirtualBox - .sav file\n```\n- can be found on the data store of the corresponding hypervisor \u0026 can be copied without shutting the VM off\n- allows for virtually zero disturbance to the virtual machine, preserving its forensic integrity\n\n\u003cbr\u003e\n\u003chr\u003e\n\u003cbr\u003e\n\n## [Eg.] examine `.vmem` memory sample\n\u003e [download memory sample](https://github.com/Divinemonk/memory_forensics_with_volatility/releases/download/mem_sample/cridexmemdump.zip)\n\n\u003cbr\u003e\n\n### Basic commands \n\u003e tested using [volatility version 2.6 (linux standalone executable x64)](https://www.volatilityfoundation.org/26)\n\n|command|details|\n|---|---|\n|`volatility -f MEMORY_FILE.raw imageinfo`|Profiles determine how _volatility_ treats our memory image, since every version of Windows is a little bit different.|\n|`volatility -f MEMORY_FILE.raw --profile=PROFILE pslist`|Test the suggested profiles using the pslist command, validating our profile selection by the sheer number of returned results.|\n|`volatility -f MEMORY_FILE.raw --profile=PROFILE netscan`|View active network connections at the time of image creation.|\n|`volatility -f MEMORY_FILE.raw --profile=PROFILE psxview`|View intentionally hidden processes.|\n|`volatility -f MEMORY_FILE.raw --profile=PROFILE ldrmodules`|In addition to viewing hidden processes via psxview, we can also check this with a greater focus via the command 'ldrmodules'. Three columns will appear here in the middle: InLoad, InInit, InMem. If any of these are false, that module has likely been injected, which is a really bad thing. On a normal system the grep statement above should return no output.|\n|`volatility -f MEMORY_FILE.raw --profile=PROFILE apihooks`|View unexpected patches in the standard system DLLs. If we see an instance where Hooking module: \u003cunknown\u003e, that's really bad. This command will take a while to run; however, it will show you all of the extraneous code introduced by the malware.|\n|`volatility -f MEMORY_FILE.raw --profile=PROFILE malfind -D \u003cDestination Directory\u003e`|Injected code can be a huge issue and is highly indicative of very very bad things. With the `malfind` command, we can not only find this code, but also dump it to our specified directory.|\n|`volatility -f MEMORY_FILE.raw --profile=PROFILE dlllist`|List all of the DLLs in memory.|\n|`volatility -f MEMORY_FILE.raw --profile=PROFILE --pid=PID dlldump -D \u003cDestination Directory\u003e`|Dump the DLLs loaded in memory by one process, where PID is the process ID of the infected process.|\n\n\u003cbr\u003e\n\n### Post actions \n- we spotted \u0026 extracted malicious code from the infected process (done with basic forensics)\n- now upload the code to [VirusTotal](https://www.virustotal.com/gui/home/upload) or [Hybrid Analysis](https://www.hybrid-analysis.com/) to check for any previous matches against known malware\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdivinemonk%2Fmemory_forensics_with_volatility","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdivinemonk%2Fmemory_forensics_with_volatility","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdivinemonk%2Fmemory_forensics_with_volatility/lists"}