Friday, January 25, 2013

The Volatility Framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

The following video and command list are not created by me, I just copied them for the reference. Please credit to the video maker.

Commands list

./ –f zeus.vmem pslist

To list the processes of a system, use the pslist command.

./ –f zeus.vmem malfind

You can use it to find hidden or injected code/DLLs in user mode memory

./ –f zeus.vmem ldrmodules

To find out the hidden dll

./ –f zeus.vmem apihooks

To find API hooks in user mode or kernel mode

./ –f zeus.vmem idt

IDT (Interrupt Descriptor Table)

./ –f zeus.vmem gdt

Gdt (Global Descriptor Table)

./ –f zeus.vmem threads –L

The command gives you extensive details on threads

./ –f zeus.vmem callbacks

Callbacks for detecting Windows kernel use of these callbacks to monitor and/or react to events.

./ –f zeus.vmem driverirp

To print a driver's IRP Major Function table

./ –f zeus.vmem devicetree

Windows uses a layered driver architecture

./ –f zeus.vmem psxview

This plugin helps you detect hidden processes.

Source : - Volatility Wiki

That's all! See you.