List of essential Volatility commands

Volatility is an open-source memory forensics framework which I use for memory analysis. Given a memory dump, Volatility can be extended with numerous plugins to trace processes, dump process memory, list active network connections, recover browser history, analyse command-line history or recover clipboard contents as well.

Here are the essential commands I use often in CTFs.

  1. Imageinfo
     volatility -f Win7mem.raw imageinfo

  2. Processes
     volatility -f Win7mem.raw --profile=Win7SP1x64 pslist
     volatility -f Win7mem.raw --profile=Win7SP1x64 pstree
     volatility -f Win7mem.raw --profile=Win7SP1x64 psxview

  3. cmd
     volatility -f Win7mem.raw --profile=Win7SP1x64 cmdscan
     volatility -f Win7mem.raw --profile=Win7SP1x64 consoles
     volatility -f Win7mem.raw --profile=Win7SP1x64 cmdline

  4. Clipboard
     volatility -f Win7mem.raw --profile=Win7SP1x64 clipboard

  5. Dumps
     volatility -f Win7mem.raw --profile=Win7SP1x64 procdump -p 1976 --dump-dir ./dumps # Process executable
     volatility -f Win7mem.raw --profile=Win7SP1x64 memdump -p 1976 --dump-dir ./dumps # Process addressable memory

     Next, run strings and grep for the required keyword on the .dmp files.

  6. Dump files
     volatility -f Win7mem.raw --profile=Win7SP1x64 dumpfiles -D dumps -r evt$ -i -S dumps/summary.txt # -r flag is regex, evt$ for files ending with evt


Usage in CTFs

I’ll also list my solutions to one of the CTFs I’ve participated in, Vulncon 2020. The challenges simulate an event where malware was sent as an email attachment to the victim. Some time after the attachment was downloaded, the computer crashed. We are provided a memory dump taken before the crash.

Challenge 1: Find the last website visited by the victim along with timestamp

Use the chromehistory plugin (a third-party plugin, loaded with --plugins).

volatility --plugins=volatility-plugins --profile=Win7SP1x64 -f dump.raw chromehistory

Flag : vulncon{gamblingsites.org-12-12-2020}

Challenge 2: Find the device id of attached USB stick

Use the usbstor plugin.

volatility --plugins=kevthehermit-volatility_plugins/ -f dump.raw --profile=Win7SP1x64 usbstor

Flag : vulncon{68b70eb8-f3fd-5099-907d-4e542601b2c7}

Challenge 3: Find the email id from which the mail was sent

It can be observed that the email client used is Mailspring, so we analyse the memory of the Mailspring process. The PID of Mailspring is 2596.

volatility -f dump.raw --profile=Win7SP1x64 memdump -p 2596 --dump-dir ./memdumps
strings memdumps/2596.dmp | grep mail | grep ":)" | less

Flag : vulncon{sarojchaudhary581@gmail.com}
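The "strings + grep" step from section 5 and the Mailspring search in Challenge 3, as an added Python example that is not part of the original post: it mirrors `strings -a -el | grep -E` over a .dmp written by memdump, scanning both ASCII and UTF-16LE runs (Windows process memory holds many of the latter, which plain `strings` skips without -el) and reporting the offset of each match. The sample bytes and email addresses are constructed, not taken from the CTF dump.

```python
import re
from pathlib import Path

# Minimum printable-run length, the same default GNU strings uses.
MIN_LEN = 4
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE runs: printable byte followed by NUL, repeated; `strings -el` equivalent.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Pattern for the Challenge 3 style search (an email address).
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_strings(data: bytes):
    """Yield (offset, text, bytes_per_char) for ASCII and UTF-16LE printable runs."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii"), 1
    for m in UTF16_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16le"), 2


def grep_dump(data: bytes, pattern: re.Pattern):
    """Return sorted unique (byte_offset, match) pairs for pattern hits in the dump."""
    hits = set()
    for start, text, width in extract_strings(data):
        for m in pattern.finditer(text):
            # Report the offset of the match itself, not just of the enclosing run.
            hits.add((start + width * m.start(), m.group()))
    return sorted(hits)


def grep_dump_dir(dump_dir, pattern: re.Pattern, glob="*.dmp"):
    """Run grep_dump over every .dmp in a memdump/procdump output directory."""
    return {p.name: grep_dump(p.read_bytes(), pattern)
            for p in sorted(Path(dump_dir).glob(glob))}


# Constructed sample: a fake slice of process memory with an ASCII header line
# and a UTF-16LE line, separated by binary junk (not real dump contents).
SAMPLE_DMP = (
    b"\x00\x00MZ\x90\x00"
    + b"From: analyst@example.org :)\x00" + b"\xff" * 8
    + "To: victim@example.net".encode("utf-16le")
    + b"\x00\x00\x01\x02ab\x00"
)

if __name__ == "__main__":
    for off, hit in grep_dump(SAMPLE_DMP, EMAIL):
        print(f"{off:#010x}  {hit}")
```

Point `grep_dump_dir("memdumps", EMAIL)` at the directory memdump wrote to in order to search every process dump at once.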
