Volatility Memory Forensics Cheat Sheet, Cheat Sheet of Human Memory

Memory Acquisition, Alternate Memory Locations, Registry Analysis Plugins, Identify Rogue Processes, Check for Signs of a Rootkit

Typology: Cheat Sheet

2020/2021

Uploaded on 04/27/2021

agrata

This cheat sheet supports the SANS FOR508 Advanced Digital Forensics, Incident Response, and Threat Hunting & SANS FOR526 Memory Forensics In-Depth courses. It is not intended to be an exhaustive resource for Volatility™ or other highlighted tools. Volatility™ is a trademark of Verizon. The SANS Institute is not sponsored, approved by or affiliated with Verizon.

Purpose

Memory analysis is one of the most powerful tools available to forensic examiners. This guide hopes to simplify the overwhelming number of available options.

How To Use This Document

Analysis can generally be accomplished in six steps:
1. Identify Rogue Processes
2. Analyze Process DLLs and Handles
3. Review Network Artifacts
4. Look for Evidence of Code Injection
5. Check for Signs of a Rootkit
6. Extract Processes, Drivers, and Objects

We outline the most useful Volatility™ plugins supporting these six steps here.

Memory Artifact Timelining

The timeliner plugin parses time-stamped objects found in memory images. The timestamps it extracts include:
➢ Process creation time
➢ Thread creation time
➢ Driver compile time
➢ DLL / EXE compile time
➢ Network socket creation time
➢ Memory resident registry key last write time
➢ Memory resident event log entry creation time

timeliner
  --output-file <file>   Optional file to write output
  --output=body          Bodyfile format (also text, xlsx)
  --type=Registry        Extract registry key last write times

# vol.py -f mem.img timeliner --output-file out.body --output=body --profile=Win10x64
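The bodyfile that timeliner writes with --output=body is the mactime/TSK 3.x "body" format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times as Unix epoch seconds), so it can be reduced to the events around a pivot time without any extra tooling. The following script is an added example, not part of the SANS cheat sheet or of Volatility; the bodyfile lines embedded in it are constructed for illustration, not real case data, and the pivot (a suspicious outbound connection) is an assumption of the example.

```python
"""Filter Volatility 2 timeliner bodyfile output around a pivot time.

Added example, not from the SANS cheat sheet or the Volatility project.
Assumes the mactime/TSK 3.x body format written by
`vol.py ... timeliner --output=body`:
  MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
with all times as Unix epoch seconds (0 meaning "no timestamp").
"""
from datetime import datetime, timedelta, timezone

# Constructed sample bodyfile lines (not real case data). Only the name
# (description) and the four timestamp fields are used here.
SAMPLE_BODY = """\
0|[PROCESS] explorer.exe PID: 1204/PPID: 1156/POffset: 0x0000000058b5e080|0|---------------|0|0|0|1616501000|1616501000|1616501000|1616501000
0|[PROCESS] svchost.exe PID: 4412/PPID: 640/POffset: 0x000000005a1c3b40|0|---------------|0|0|0|1616504620|1616504620|1616504620|1616504620
0|[NETWORK CONNECTION] 192.168.1.20:49812 -> 203.0.113.7:443 svchost.exe/4412|0|---------------|0|0|0|1616504633|1616504633|1616504633|1616504633
0|[REGISTRY] \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|0|---------------|0|0|0|1616504640|1616504640|1616504640|1616504640
0|[PROCESS] notepad.exe PID: 5100/PPID: 1204/POffset: 0x0000000059aa7080|0|---------------|0|0|0|1616590000|1616590000|1616590000|1616590000
"""


def parse_bodyfile(text):
    """Return a chronologically sorted list of (UTC datetime, description).

    Each of the four time fields becomes its own event, de-duplicated, so a
    record whose atime/mtime/ctime/crtime are identical (as timeliner emits)
    appears once, while a record with differing times appears once per time.
    Malformed lines and zero/non-numeric timestamps are skipped, not fatal.
    """
    events = set()
    for raw in text.splitlines():
        fields = raw.split("|")
        if len(fields) != 11:
            continue
        description = fields[1]
        for field in fields[7:11]:
            try:
                epoch = int(field)
            except ValueError:
                continue
            if epoch <= 0:
                continue
            stamp = datetime.fromtimestamp(epoch, tz=timezone.utc)
            events.add((stamp, description))
    return sorted(events)


def events_near(events, pivot_epoch, window_seconds=300):
    """Keep events within +/- window_seconds of the pivot, oldest first."""
    pivot = datetime.fromtimestamp(pivot_epoch, tz=timezone.utc)
    window = timedelta(seconds=window_seconds)
    return [(ts, desc) for ts, desc in events if abs(ts - pivot) <= window]


def format_timeline(events):
    """Render events as 'YYYY-MM-DD HH:MM:SSZ  description' lines."""
    return [f"{ts:%Y-%m-%d %H:%M:%S}Z  {desc}" for ts, desc in events]


if __name__ == "__main__":
    timeline = parse_bodyfile(SAMPLE_BODY)
    # Pivot on the suspicious connection and show what happened around it.
    for line in format_timeline(events_near(timeline, 1616504633)):
        print(line)
```

On a real case, read the bodyfile produced by the timeliner command above instead of SAMPLE_BODY; the same functions apply, and widening window_seconds trades noise for context.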
Further information is provided for:
➢ Memory Acquisition
➢ Alternate Memory Locations
➢ Converting Hibernation Files and Crash Dumps
➢ Memory Artifact Timelining
➢ Registry Analysis Plugins

Memory Forensics Cheat Sheet v2.0 - POCKET REFERENCE GUIDE by C. Tilbury

Memory Acquisition

Remember to open the command prompt as Administrator.

winpmem
  -o <file>                   Output file location
  -p <path to pagefile.sys>   Include page file
  -e <stream>                 Extract raw image from AFF4 file
  -l                          Load driver for live memory analysis

C:\> winpmem_<version>.exe -o F:\mem.aff4
C:\> winpmem_<version>.exe F:\mem.aff4 -e PhysicalMemory -o mem.raw

DumpIt
  /f <file>    Output file location
  /s <value>   Hash function to use
  /t <addr>    Send to remote host (set up listener with /l)

C:\> DumpIt.exe /f F:\mem.raw /s 1

Alternate Memory Locations

Hibernation File      Compressed RAM image; also available in Volume Shadow Copies
                      %SystemDrive%\hiberfil.sys
Page and Swap Files   %SystemDrive%\pagefile.sys
                      %SystemDrive%\swapfile.sys (Win8+ / 2012+)
Memory Dump           %WINDIR%\MEMORY.DMP

Converting Hibernation Files and Crash Dumps

imagecopy - Convert alternate memory sources to raw
  -f          Name of source file
  -O          Output file name
  --profile   Source OS from imageinfo

# vol.py imagecopy -f hiberfil.sys -O hiber.raw --profile=Win7SP1x64
# vol.py imagecopy -f MEMORY.DMP -O crashdump.raw --profile=Win2016x64_14393

Registry Analysis Plugins

The examples below omit -f and --profile for brevity. Supply them on every command, or set them once with the VOLATILITY_LOCATION (e.g. file:///path/to/mem.img) and VOLATILITY_PROFILE environment variables.

hivelist - Find and list available registry hives
# vol.py hivelist

hivedump - Print all keys and subkeys in a hive
  -o   Offset of registry hive to dump (virtual offset)
# vol.py hivedump -o 0xe1a14b60

printkey - Output a registry key, subkeys, and values
  -K "Registry key path"
# vol.py printkey -K "Microsoft\Windows\CurrentVersion\Run"

dumpregistry - Extract all available registry hives
  -o           Extract using virtual offset of registry hive
  --dump-dir   Directory to save extracted files
# vol.py dumpregistry --dump-dir ./output

userassist - Find and parse userassist key values
# vol.py userassist

hashdump - Dump user NTLM and Lanman hashes
# vol.py hashdump

autoruns - Map ASEPs to running processes (community plugin, not shipped with core Volatility)
  -v   Show everything
# vol.py autoruns -v
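Running the six steps from "How To Use This Document" plus the registry plugins above by hand means repeating the same -f/--profile arguments twenty-odd times and keeping track of where each plugin's output went. The driver below is an added example, not part of the SANS cheat sheet or of Volatility: it assumes Volatility 2 is installed as vol.py on the PATH, that the profile was already chosen with imageinfo or kdbgscan, and that the output directory is writable. The mapping of plugins to steps is this script's own choice of standard Volatility 2 plugins; adjust it for the OS under analysis (netscan only supports Vista/2008 and later).

```python
"""Drive the six-step Volatility 2 triage, one output file per plugin.

Added example, not from the SANS cheat sheet or the Volatility project.
Assumes Volatility 2 is installed as `vol.py` and that the profile was
already selected with imageinfo/kdbgscan. The step-to-plugin mapping is
this script's own selection of standard Volatility 2 plugins.
"""
import os
import subprocess
import sys

# (step directory name, plugins run for that step), in cheat-sheet order.
TRIAGE_STEPS = [
    ("1_rogue_processes", ["pslist", "psscan", "pstree", "psxview", "cmdline"]),
    ("2_dlls_and_handles", ["dlllist", "handles", "getsids", "mutantscan"]),
    ("3_network_artifacts", ["netscan"]),  # Vista+/2008+; XP/2003 use connscan, sockets
    ("4_code_injection", ["malfind", "ldrmodules"]),
    ("5_rootkit", ["ssdt", "driverscan", "modscan", "apihooks"]),
    ("6_extract_objects", ["procdump", "moddump", "dumpregistry"]),
]

# Plugins that write files and therefore need --dump-dir.
DUMP_PLUGINS = {"procdump", "moddump", "dumpregistry"}


def build_command(image, profile, plugin, outdir):
    """Return the argv for one plugin; dump plugins get their own directory."""
    argv = ["vol.py", "-f", image, f"--profile={profile}", plugin]
    if plugin in DUMP_PLUGINS:
        argv += ["--dump-dir", os.path.join(outdir, plugin)]
    return argv


def plan(image, profile, outdir):
    """Return [(step, plugin, argv, output_path)] without executing anything.

    Useful to review or log exactly what will be run against the evidence.
    """
    jobs = []
    for step, plugins in TRIAGE_STEPS:
        for plugin in plugins:
            argv = build_command(image, profile, plugin, outdir)
            out = os.path.join(outdir, step, f"{plugin}.txt")
            jobs.append((step, plugin, argv, out))
    return jobs


def run_triage(image, profile, outdir, runner=subprocess.run):
    """Execute the plan, saving each plugin's stdout; return {plugin: rc}.

    A failing plugin (wrong profile, unsupported OS) is recorded with its
    stderr in a .err file and the run continues, so one bad step does not
    cost the rest of the triage. `runner` is injectable for dry runs.
    """
    results = {}
    for step, plugin, argv, out in plan(image, profile, outdir):
        os.makedirs(os.path.dirname(out), exist_ok=True)
        if plugin in DUMP_PLUGINS:
            os.makedirs(os.path.join(outdir, plugin), exist_ok=True)
        proc = runner(argv, capture_output=True, text=True)
        with open(out, "w") as fh:
            fh.write(proc.stdout)
        if proc.returncode != 0:
            with open(out + ".err", "w") as fh:
                fh.write(proc.stderr)
        results[plugin] = proc.returncode
    return results


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: triage.py <image> <profile> <outdir>")
    try:
        codes = run_triage(sys.argv[1], sys.argv[2], sys.argv[3])
    except FileNotFoundError:
        sys.exit("vol.py not found on PATH")
    failed = [p for p, rc in codes.items() if rc != 0]
    print("triage complete; failed plugins:", ", ".join(failed) or "none")
```

Run it as `python triage.py mem.img Win10x64 ./triage_out`; the per-step directories then map one-to-one onto the six steps, and the dumpregistry output feeds offline hive tools in the same way as the manual command above.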