Volatility Memory Forensics: Common Command Reference
Adjust the start of each command (the executable name) to match your Volatility version.
Find a file
volatility -f 19.mem --profile=Win7SP1x86_23418 filescan | grep "Information.xlsx"
List registry hives
volatility -f neicun.mem --profile=Win7SP1x64 hivelist
Query command-line history (cmdline)
volatility -f neicun.mem --profile=Win7SP1x64 cmdline | grep "jdk1.8.0"
View network communications
volatility -f neicun.mem --profile=Win7SP1x64 netscan
View system user names
volatility -f neicun.mem --profile=Win7SP1x64 printkey -K "SAM\Domains\Account\Users\Names"
View user password hashes
volatility -f neicun.mem --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a000300010
Export a file from memory
volatility -f neicun.mem --profile=Win7SP1x64 dumpfiles -Q 0x000000007e4e5070 -D /root/
View processes (pslist)
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 pslist > win7_sp1_x86_pslist.txt
View processes as a tree
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 pstree
View hidden processes
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 psxview
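psxview only lists which enumeration sources see each process; deciding what is actually hidden is left to the analyst. The following added example (not part of the original cheat sheet) parses the text psxview prints and flags processes that pslist misses while other sources still see them. The sample output is constructed to mimic the Volatility 2.6 column layout.

```python
"""Flag hidden processes in Volatility 2 psxview output (added example)."""
import re

# psxview columns after Offset(P), Name and PID, in the order they are printed.
SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

# Constructed sample mimicking `volatility ... psxview` output; not real evidence.
SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x3e25a030 svchost.exe             1012 True   True   True     True   True  True    True
0x3f1d5d40 System                     4 True   True   True     True   False False   False
0x3e4c0a18 updater.exe             2044 False  True   True     True   True  True    True
0x3e7b2b50 notepad.exe             3120 False  True   False    False  False False   False    2023-01-05 10:22:17 UTC+0000
"""

ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+"
    r"(?P<flags>(?:(?:True|False)\s+){6}(?:True|False))\s*(?P<exit>.*)$"
)


def parse_psxview(text):
    """Turn psxview text into dicts; banner, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        flags = m.group("flags").split()
        rows.append({
            "offset": m.group("offset"),
            "name": m.group("name"),
            "pid": int(m.group("pid")),
            "seen": {src: flag == "True" for src, flag in zip(SOURCES, flags)},
            "exited": bool(m.group("exit").strip()),  # non-empty ExitTime column
        })
    return rows


def hidden_processes(rows):
    """Return (pid, name, sources) for processes absent from pslist but present
    elsewhere and not exited. Unlinking from the EPROCESS list leaves exactly this
    pattern; a terminated process that survives only in pool scans is filtered out."""
    flagged = []
    for r in rows:
        others = [s for s in SOURCES[1:] if r["seen"][s]]
        if not r["seen"]["pslist"] and others and not r["exited"]:
            flagged.append((r["pid"], r["name"], others))
    return flagged
```

Volatility 2.6 also offers `psxview --apply-rules`, which marks known benign False entries (such as the System process having no csrss or session visibility) as "Okay"; feed that output through the same parser when you want fewer manual exceptions.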
View network connections (netscan), similar to the Windows command netstat -an
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 netscan > win7_sp1_x86_NetScan.txt
View Windows account password hashes (hashdump)
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 hashdump > win7_sp1_x86_hashdump.txt
View UserAssist program execution records
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 userassist > win7_sp1_x86_UserAssist.txt
View the SIDs of each process (including user names)
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 getsids > win7_sp1_x86_GetSID.txt
List the registry hives mounted by the Windows system
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 hivelist
Export registry hive data from memory (for further analysis in forensic software)
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 dumpregistry --dump-dir=K:\volatility
View IE browsing history from memory
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 iehistory > win7_sp1_x86_IE_History.txt
View program execution records (ShimCache)
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 shimcache > win7_sp1_x86_shimecache.txt
View the system service list and service status
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 svcscan > win7_sp1_x86_ServiceList.txt
Export timeline information (for chronological event analysis)
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 timeliner > win7_sp1_x86_TimeLineEvent.txt
View VAD information
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 vadinfo > win7_sp1_x86_VAD_info.txt
Run a YARA scan (yarascan)
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 yarascan > win7_sp1_x86_yarascan.txt
View clipboard contents
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 clipboard > win7_sp1_x86_Clipboard.txt
View the DLLs loaded by each process
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 dlllist > win7_sp1_x86_DllList.txt
View GDT information
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 gdt > win7_sp1_x86_GDT.txt
View socket connections
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 sockets > win7_sp1_x86_Sockets.txt (not supported on Win7SP1x86)
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 sockscan > win7_sp1_x86_SockScan.txt (not supported on Win7SP1x86)
View the SSDT
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 ssdt > win7_sp1_x86_SSDT.txt
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 eventhooks
View MFT records from memory
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 mftparser > win7_sp1_x86_MFT_Records.txt
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 mftparser --output-file=mftverbose.txt -D mftoutput
View disk MBR sector information
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 mbrparser > win7_sp1_x86_MBR_Sector.txt
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 servicediff > win7_sp1_x86_ServiceDiff.txt
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 hibinfo (not supported on Win7SP1x86)
View the list of opened folders (shellbags)
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 shellbags > win7_sp1_x86_shellbags.txt
View the system's last shutdown time
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 shutdowntime
Get domain cached credential hashes
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 cachedump
Get RSA private keys and SSL public keys
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 dumpcerts --dump-dir=K:\volatility
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 volshell
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 truecryptmaster
volatility_2.6_win64_standalone -f win7.vmem --profile=Win7SP1x86 truecryptpassphrase