Uncategorized

• Use volatility 2 & 3 with docker

• Volatility 2 - Volatility2 framework
• AutoVolatility - Run several volatility plugins at the same time

Profiles

• Linux profiles (Debian, Ubuntu, Fedora, Almalinux, RockyLinux)
• MacOS & Linux profiles

Plugins

• BitLocker 1 - Plugin that retrieves the Full Volume Encryption Key (FVEK) in memory
• BitLocker 2 - Plugin finds and extracts Full Volume Encryption Key (FVEK) from memory dumps and/or hibernation files
• BitLocker 3 - Volatility plugin to extract BitLocker Full Volume Encryption Keys (FVEK)
• Doppelfind - Process Doppelganging - plugin to detect Process Doppelganging
• apt17scan - Plugin for Detecting APT17 malware
• cobaltstrikescan - Plugin for Detecting Cobalt Strike Beacon
• redleavesscan - Plugin for Detecting RedLeaves Malware
• MalConfScan - Plugin extracts configuration data of known malware
• AutoRuns - Finding persistence points (also called "Auto-Start Extensibility Points", or ASEPs) is a recurring task of any investigation potentially involving malware.
• Volatility Explorer - This program functions similarly to Process Explorer/Hacker, but additionally it allows the user access to a Memory Dump
• zbotscan - Zeusbot plugin
• browserhooks - Plugin to detect various types of hooks as performed by banking Trojans
• OpenVPN credentials extractor - Plugin that can extract credentials from the memory of an OpenVPN process
• HollowFind - Plugin to detect different types of process hollowing techniques used in the wild to bypass, confuse, deflect and divert the forensic analysis techniques
• FileVault2 - Plugin which attempts to extract Apple FileVault 2 Volume Master Keys.
• dnscache - Plugin to extract the Windows DNS Resolver Cache.
• ACPI rootkit scan - Plugin to detect ACPI rootkits
• Psinfo - plugin which collects the process related information from the VAD (Virtual Address Descriptor) and PEB (Process Enivornment Block) and displays the collected information and suspicious memory regions for all the processes running on the system
• Other plugins 1
• impfuzzy - Plugin for comparing the impfuzzy and imphash. This plugin can be used to scan malware in memory image.
• uninstallinfo - Dumps `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` from memory
• Prefetch - scan memory for prefetch files and dump filename and timestamps
• idxparser - scan memory Java IDX files and extract details
• firefoxhistory - firefoxhistory, firefoxcookies, and firefoxdownloads plugins to extract the following firefox history data: moz_places, moz_cookies, and moz_downloads
• chromehistory - chromehistory, chromevisits, chromesearchterms, chromedownloads, chromedownloadchains, and chromecookies plugins to extract Chrome SQLite artifacts
• sqlite_help - supporting functions SQLite used in Firefox and Chrome plugins
• trustrecords - extract Office TrustRecords registry key information
• ssdeepscan - like yarascan, but searches for pages matching an ssdeep hash
• malfinddeep - whitelist code found by malfind based on an ssdeep hash
• apihooksdeep - whitelist code found by apihooks based on an ssdeep hash
• LastPass - Read browser memory space and attempt to recover any resident artefact's.
• USBSTOR - Scans registries for values relating to USB devices plugged in to the system.
• zeusscan1 - Zeusbot 1 plugin
• zeusscan2 - Zeusbot 2 plugin
• dyrescan - Dyre is a banking malware discovered in middle of 2014
• mimikatz - Mimikatz plugin
• DLLInjectionDetection - DLLInjectionDetection
• ProcInjectionsFind - plugin runs against malware-infected memory images or memory of live VMs and examines each memory region of all running processes to conclude if it is the result of process injection.
• Malfofind - Find indications of process hollowing/RunPE injections
• malprocfind - Finds malicious processes based on discrepancies from observed, normal behavior and properties
• SchTasks - Scans for and parses potential Scheduled Task (.JOB) files

Books

• The Art of Memory Forensics - Detectiong malware and threats in Windows, Linux, and Mac memory

Books

• Volatility 3
• Generate an ISF file for Volatitlity3
• Symbol Tables
• How to Use Volatility 3 Offline
• Volatility3 Linux ISF Server

Symbol

• Linux symbols (Debian, Ubuntu, Almalinux, RockyLinux, MacOS)
• Windows Symbol Tables - Japan CERT

Plugins

• pypykatz - pypykatz plugin for volatility3 framework
• Autoruns - Finding persistence points (also called "Auto-Start Extensibility Points", or ASEPs) is a recurring task of any investigation potentially involving malware. (Port of tomchop's autoruns plugin for Volatility 3)
• rootkit - plugins that detect advanced rootkit hooking methods.
• CheckSpoof - A useful and old technique analysts use for detecting anomalous activity is identifying parent-child relationships. Today attackers can change the Parent PID (PPID) quite
• volatility-docker - A suite of Volatility 3 plugins for memory forensics of Docker containers
• eBPF programs & rootkit detection - Detects loaded eBPF programs and indicates for each if they are suspected as an eBPF rootkit
• Others plugin 1
• Others plugin 2
• Inodes - The plugin is a pushed verion of the lsof plugin extracting inode metadata information from each files.
• Prefetch - The plugin is scanning, extracting and parsing Windows Prefetch files from Windows XP to Windows 11.
• impfuzzy - Plugin for comparing the impfuzzy and imphash. This plugin can be used to scan malware in memory image.
• AnyDesk - The plugin is scanning, extracting and parsing Windows AnyDesk trace files.
• cobaltstrike - Scans process memory for each process to identify CobaltStrike config and prints the config elements
• Password Managers - Extracts cached passwords from browser process memory. Supports: **Lastpass**
• Rich Header - Prints the XOR Key and Rich Header Hash for all process executables.
• ZoneID3 - Scans memory for ZoneIdentifier 3 ADS streams assocaited with files downloaded from the internet
• apisearch - This plugin helps identifying pointers to APIs (functions defined in loaded DLLs). It does that by iterating over all loaded DLLs, enumerating their exports and searching for any pointers to the exported functions.
• imgmalfind - This plugin reveals modifications to mapped image files.
• CryptoScan - To find coin's address with regex
• Stelte Syslog - Sending Volatility output to a syslog server
• Stelte Evtx - Provides the capability to extract evtx entries from physical memory of Windows systems
• Sheffer Shaked Docker - forensics of Docker containers.
• MountInfo - Previous Volatility file system analysis capabilities did not fully enumerate information related to containers, which left much work on part of the analyst. This plugin closes that gap by replicating the per-process mount information as exported in the /proc/<pid>/mountinfo file on live systems.
• Hyper-V - Hyper-V memory plugin for volatility
• rootkit - plugins that detect advanced rootkit hooking methods.
• OpenSSH Session Key Recovery - Recover the OpenSSH session keys used to encrypt/ decrypt SSH traffic.
• Keepass Plugin - Allows an investigator to recover the plaintext password from a memory sample
• ApiHash - Scans for API hashes used as arguments to functions in memory regions that wouldn’t typically have executable code. It then attempts to resolve the hashes leveraging a publicly available hash database
• evtxlog Plugin - Plugin to extract the extractable EVTX files and spit it out to console (very verbose, immediately pipe it to a file to ease investigation)
• check_tracepoints Plugin - Plugins to help detecting Linux Rootkits
• eBPF suite - bpf_listmaps Plugin - Enumerates the list of BPF maps that are currently loaded into the kernel. It simulates the functionality of the map subcommand of bpftool.
• Alternate Data Stream Scanning Plugin - Scans for MFT entries looking for alternate data streams that may be cached in memory
• Windows Import Address Table Plugin - The Import Address Table (IAT) plugin reconstructs the IAT from process-executable images in Windows memory samples.
• eBPF suite - bpf_listprocs Plugin - Displays a list of processes that hold BPF objects via a file descriptor.
• sticky Plugin - Plugin to extract the content for Sticky Notes on both Win10 and Win7 (Note: not always working, depends on whether the machine cached the sticky note file or not)
• bpf_graph Plugin - Helps visualize the state of the BPF subsystem as a graph
• eBPF suite - bpf_listlinks Plugin - Displays the list of all BPF links in the memory sample
• eBPF suite - bpf_listprogs Plugin - Displays a list of the BPF programs that are currently loaded into the kernel. It simulates the functionality of the prog subcommand of bpftool.
• eBPF suite - bpf_lsm Plugin - Attempts to enumerate each LSM hook with attached BPF programs
• eBPF suite - bpf_netdev Plugin

GUI

• Volatility Explorer - This program functions similarly to Process Explorer/Hacker, but additionally it allows the user access to a Memory Dump
• Orochi - The Volatility Collaborative GUI
• VolWeb - A centralized and enhanced memory analysis platform

New capabilities

• Remote Analysis on Cloud Object-Storage
• Modern Windows Hibernation File Analysis

GUI

• 2022 Volatility Plugin Contest
• 2021 Volatility Plugin Contest
• 2020 Volatility Plugin Contest
• 2019 Volatility Plugin & Analysis Contests
• 2018 Volatility Plugin & Analysis Contests
• 2017 Volatility Plugin Contest
• 2016 Volatility Plugin Contest
• 2015 Volatility Plugin Contest
• 2014 Volatility Plugin Contest
• 2013 Volatility Plugin Contest
• 2023 Volatility Plugin Contest