Volitility Notes

Below are some notes on using Volitility I have for researching/discovering malware in memory. This most likely won’t apply to anyone other then me for at the moment. I’m currently in the process of automating most of these tasks when investigations are needed.

find operating system: imageinfo
display process listings: pslist
display the process tree: pstree
display actively running processes: psxview
display active network connections: connections- xp/2003 only
display previously closed connections: connscan - xp/2003 only
display previous network connections: netscan - 7/vista/2008
dump potentially malicious processes: malfind --dump-dir "directory" | to submit processes to virustotal run a hash
determine file handles still in memory: filescan
display registry key values: printkey -K "key file"
display available mutexes: mutantscan

Registry Keys to investigate

run = printkey -K "Software\Microsoft\Windows\Currentversion\Run"
internet zones = printkey -K "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"

printkey -K "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"
"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

I started working on a srcript to automate these finding, if your interested in testing or reviewing the code please find it here.

comments powered by Disqus