Here we go:
As soon as you have the memory image, copy it on to your forensics machine and start analyzing it using Volatility.
1. Specify the --profile if needed
Processes
2. Run both of these modules:
- pslist
- psscan
OR
Run just this module:
- psxview
3. Run connscan - this will give you all the connections that are being attempted
4. Run sockscan - this will give you all the ports that are being used
5. Run procdump (or procexedump) - this will let you 'dump' the process (get an 'exe' for the process that you are after out of the memory image)
6. Run dlllist - this will give you a list of all the DLLs (analyzing DLL-injections)
7. Run malfind - this will find the suspicious sections of code for you. This module combines both 'pefile' and 'pydasm'. Very useful.
8. Run printkey - this will extract the registry keys for you, again, very helpful.
Virtual Memory
9. Run pslist - this will give you the process list, which you can use for finding virtual memory space for the desired processes
10. Run memdump - this will dump the memory of the process
11. Run driverscan - gives you all the drivers that are on the system memory
12. Run modules and modscan - gives you all modules and drivers loaded on to the system memory
13. Run consoles - gives you all the commands that have been used.
14. Run cmdscan - again, gives you all the commands, only without the output.
15. Run apihooks - run this to get a list of all in-line hooks in user and kernel mode.
16. Run vaddump - finally, this will give you an extraction of mem regions from the VAD tree.
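The sequence above, scripted, as an added example that is not part of the original post: it assumes Volatility 2's vol.py is on the PATH and takes the image path and an optional profile as arguments, runs the non-PID-specific modules in the post's order, saves each output, and then does the step-2 cross-check (what psxview does) by comparing pslist against psscan. The pslist/psscan text is constructed sample output, not from a real image.

```python
import re
import subprocess
import sys
# Plugins from the post, in the post's order. procdump, memdump and vaddump need a
# --pid and --dump-dir, so they are run separately once a suspicious PID is chosen.
TRIAGE_PLUGINS = ["pslist", "psscan", "psxview", "connscan", "sockscan", "dlllist",
                  "malfind", "driverscan", "modules", "modscan", "consoles",
                  "cmdscan", "apihooks"]
# Constructed sample output (not from a real image) in Volatility 2's table layout.
SAMPLE_PSLIST = """Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0x823c89c8 System                    4      0     53      240 ------      0 2012-07-22 02:42:31
0x82345a10 svchost.exe             672      4     19      433      0      0 2012-07-22 02:42:33
"""
SAMPLE_PSSCAN = """Offset(P)          Name                PID   PPID PDB        Time created
0x0000000002029ab8 System                4      0 0x00319000 2012-07-22 02:42:31 UTC+0000
0x0000000002045a10 svchost.exe         672      4 0x0a5c0340 2012-07-22 02:42:33 UTC+0000
0x0000000002118da0 lsass.exe          1076    672 0x0a5c0340 2012-07-22 02:42:35 UTC+0000
"""

def vol_cmd(image, profile, plugin, extra=()):
    """Build argv for one vol.py run; --profile is added only when given (step 1)."""
    cmd = ["vol.py", "-f", image]
    if profile:
        cmd.append("--profile=" + profile)
    return cmd + [plugin] + list(extra)

def parse_pids(output):
    """Map PID -> name from pslist/psscan text rows: '<offset> <name> <pid> ...'."""
    pids = {}
    for line in output.splitlines():
        m = re.match(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s", line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids

def hidden_processes(pslist_out, psscan_out):
    """PIDs psscan found by pool-tag scanning but pslist's linked list lacks: unlinked (DKOM) or just exited, so confirm with psxview."""
    listed, scanned = parse_pids(pslist_out), parse_pids(psscan_out)
    return {pid: name for pid, name in scanned.items() if pid not in listed}

if __name__ == "__main__":
    image, profile = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else None)
    outs = {}
    for plugin in TRIAGE_PLUGINS:
        outs[plugin] = subprocess.run(vol_cmd(image, profile, plugin), capture_output=True,
                                      text=True, check=True).stdout
        with open(plugin + ".txt", "w") as fh:  # keep each module's output for the report
            fh.write(outs[plugin])
    for pid, name in hidden_processes(outs["pslist"], outs["psscan"]).items():
        print("[!] %s (PID %d) in psscan but not in pslist" % (name, pid))
```

A PID reported here is the one to feed to procdump, memdump and vaddump in the later steps; psscan also returns exited processes, so check psxview before calling it hidden.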
This is the sequence that I always use for any memory analysis job and it works for me. There are other modules that come in handy from time to time, but that is mostly on an ad-hoc basis, as required.
Hope this helps you in your analysis tasks!