Appearance
Volatility Cheat Sheet
Overview
Volatility is an advanced memory forensics framework written in Python that provides a comprehensive platform for extracting digital artifacts from volatile memory (RAM) samples. Developed by the Volatility Foundation, this powerful tool enables digital forensics investigators, incident responders, and malware analysts to analyze memory dumps from Windows, Linux, macOS, and Android systems. Volatility can extract a wide range of information including running processes, network connections, loaded modules, registry data, cached files, encryption keys, and evidence of malware activity. Its plugin-based architecture makes it highly extensible, allowing researchers to develop custom analysis modules for specific investigation needs.
⚠️ Legal Notice: Volatility should only be used for legitimate forensic analysis, incident response, and authorized security research. Ensure you have proper legal authority before analyzing memory dumps, and follow your organization's data handling and privacy policies.
Installation
Volatility 3 Installation (Recommended)
bash
# Install via pip (Python 3.6+)
pip3 install volatility3
# Install from GitHub (latest development version)
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt
python3 setup.py install
# Verify installation
vol -h
# Install additional dependencies
pip3 install yara-python pycryptodome capstone distorm3Volatility 2 Installation (Legacy)
bash
# Install Volatility 2 (Python 2.7)
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python2 setup.py install
# Install dependencies
pip2 install distorm3 yara-python pycrypto openpyxl ujson
# Verify installation
python2 vol.py -h
# Create alias for easier usage
echo 'alias vol2="python2 /path/to/volatility/vol.py"' >> ~/.bashrcDocker Installation
bash
# Pull Volatility Docker image
docker pull phocean/volatility
# Run Volatility in Docker
docker run --rm -v $(pwd):/dumps phocean/volatility -f /dumps/memory.dmp imageinfo
# Create alias for Docker usage
echo 'alias vol="docker run --rm -v $(pwd):/dumps phocean/volatility"' >> ~/.bashrc
source ~/.bashrc
# Run with specific memory dump
vol -f memory.dmp --profile=Win7SP1x64 pslistUbuntu/Debian Installation
bash
# Install from package repository
sudo apt update
sudo apt install volatility3-tools
# Install additional tools
sudo apt install python3-pip python3-dev build-essential
pip3 install volatility3
# Install legacy Volatility 2
sudo apt install volatility-tools
# Verify installations
vol -h
volatility -hWindows Installation
bash
# Download standalone executable from GitHub releases
# https://github.com/volatilityfoundation/volatility3/releases
# Or install via Python
pip install volatility3
# Install Python dependencies
pip install yara-python pycryptodome capstone distorm3
# Verify installation
vol.exe -hBasic Usage
Memory Dump Analysis Workflow
bash
# Step 1: Identify the operating system and version
vol -f memory.dmp windows.info
# Step 2: List running processes
vol -f memory.dmp windows.pslist
# Step 3: Analyze network connections
vol -f memory.dmp windows.netstat
# Step 4: Examine loaded modules
vol -f memory.dmp windows.modules
# Step 5: Check for malicious processes
vol -f memory.dmp windows.malfind
# Step 6: Extract suspicious files
vol -f memory.dmp windows.dumpfiles --pid 1234Volatility 2 Legacy Commands
bash
# Identify image information (Volatility 2)
vol2 -f memory.dmp imageinfo
# Use specific profile
vol2 -f memory.dmp --profile=Win7SP1x64 pslist
# List available plugins
vol2 --info
# Get plugin help
vol2 pslist -hBasic System Information
bash
# Get system information (Vol 3)
vol -f memory.dmp windows.info
# Get system information (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 imageinfo
# Check system uptime
vol -f memory.dmp windows.info | grep "System time"
# Get kernel information
vol -f memory.dmp windows.info | grep "Kernel"
# Check for hibernation file
vol -f memory.dmp windows.info | grep "hibernation"Process Analysis
Process Listing and Analysis
bash
# List all processes (Vol 3)
vol -f memory.dmp windows.pslist
# List processes with parent-child relationships
vol -f memory.dmp windows.pstree
# Show process command lines
vol -f memory.dmp windows.cmdline
# List processes with detailed information
vol -f memory.dmp windows.pslist --pid 1234
# Find hidden processes
vol -f memory.dmp windows.psxview
# Scan for process objects
vol -f memory.dmp windows.psscanProcess Memory Analysis
bash
# Dump process memory
vol -f memory.dmp windows.memmap --pid 1234 --dump
# Extract process executable
vol -f memory.dmp windows.procdump --pid 1234
# Analyze process handles
vol -f memory.dmp windows.handles --pid 1234
# Check process privileges
vol -f memory.dmp windows.privileges --pid 1234
# Examine process environment variables
vol -f memory.dmp windows.envars --pid 1234
# Analyze process VAD (Virtual Address Descriptor)
vol -f memory.dmp windows.vadinfo --pid 1234Malware Detection
bash
# Detect code injection
vol -f memory.dmp windows.malfind
# Scan for YARA rules
vol -f memory.dmp yarascan --yara-rules malware_rules.yar
# Check for API hooks
vol -f memory.dmp windows.apihooks
# Detect rootkits
vol -f memory.dmp windows.ssdt
# Find suspicious processes
vol -f memory.dmp windows.psxview | grep False
# Check for process hollowing
vol -f memory.dmp windows.hollowfindNetwork Analysis
Network Connections
bash
# List network connections (Vol 3)
vol -f memory.dmp windows.netstat
# List network connections (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 netscan
# Show listening sockets
vol -f memory.dmp windows.netstat | grep LISTEN
# Find connections by process
vol -f memory.dmp windows.netstat --pid 1234
# Analyze network artifacts
vol -f memory.dmp windows.netscan
# Extract network configuration
vol -f memory.dmp windows.netstat -vDNS and Network Artifacts
bash
# Extract DNS cache (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 dnscache
# Find network-related strings
vol -f memory.dmp windows.strings | grep -E "(http|ftp|smtp|dns)"
# Analyze browser artifacts
vol -f memory.dmp windows.iehistory
# Extract network configuration
vol -f memory.dmp windows.netstat --verboseFile System Analysis
File and Directory Analysis
bash
# List files (Vol 3)
vol -f memory.dmp windows.filescan
# List files (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 filescan
# Dump specific files
vol -f memory.dmp windows.dumpfiles --virtaddr 0x12345678
# Find files by name
vol -f memory.dmp windows.filescan | grep "malware.exe"
# Extract MFT records
vol -f memory.dmp windows.mftscan
# Analyze file handles
vol -f memory.dmp windows.handles --object-type FileRegistry Analysis
bash
# List registry hives
vol -f memory.dmp windows.registry.hivelist
# Print registry keys
vol -f memory.dmp windows.registry.printkey --key "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# Dump registry hive
vol -f memory.dmp windows.registry.hivescan --dump
# Extract user assist data
vol -f memory.dmp windows.registry.userassist
# Analyze registry artifacts
vol -f memory.dmp windows.registry.printkey --key "SYSTEM\\CurrentControlSet\\Services"
# Find registry keys by pattern
vol -f memory.dmp windows.registry.printkey --key "Software" --recurse | grep -i malwareAdvanced Analysis
Memory Strings Analysis
bash
# Extract ASCII strings
vol -f memory.dmp windows.strings
# Extract Unicode strings
vol -f memory.dmp windows.strings --strings-file strings.txt
# Search for specific patterns
vol -f memory.dmp windows.strings | grep -i "password"
# Extract strings from specific process
vol -f memory.dmp windows.strings --pid 1234
# Find URLs and domains
vol -f memory.dmp windows.strings | grep -E "(http|https|ftp)://[^\s]+"
# Search for email addresses
vol -f memory.dmp windows.strings | grep -E "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"Cryptographic Analysis
bash
# Find encryption keys
vol -f memory.dmp windows.truecryptpassphrase
# Extract cached credentials
vol -f memory.dmp windows.cachedump
# Find LSA secrets
vol -f memory.dmp windows.lsadump
# Extract password hashes
vol -f memory.dmp windows.hashdump
# Find BitLocker keys
vol -f memory.dmp windows.bitlocker
# Analyze cryptographic artifacts
vol -f memory.dmp yarascan --yara-rules crypto_rules.yarTimeline Analysis
bash
# Create timeline (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=body --output-file=timeline.body
# Convert to CSV format
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=csv --output-file=timeline.csv
# Analyze specific time range
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=body | grep "2023-12-01"
# Create Mactime timeline
mactime -b timeline.body -d > timeline.txt
# Filter timeline by activity type
grep "m.c" timeline.body > modified_files.txtAutomation Scripts
Comprehensive Memory Analysis
bash
#!/bin/bash
# Comprehensive memory analysis using Volatility
MEMORY_DUMP="$1"
OUTPUT_DIR="volatility_analysis_$(date +%Y%m%d_%H%M%S)"
VOLATILITY_CMD="vol"
if [ -z "$MEMORY_DUMP" ]; then
echo "Usage: $0 <memory_dump_file>"
echo "Example: $0 memory.dmp"
exit 1
fi
if [ ! -f "$MEMORY_DUMP" ]; then
echo "Error: Memory dump file not found: $MEMORY_DUMP"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
# Function to run Volatility command with error handling
run_vol_cmd() {
local plugin="$1"
local output_file="$2"
local additional_args="$3"
echo "[+] Running $plugin analysis..."
if [ -n "$additional_args" ]; then
$VOLATILITY_CMD -f "$MEMORY_DUMP" $plugin $additional_args > "$OUTPUT_DIR/$output_file" 2>&1
else
$VOLATILITY_CMD -f "$MEMORY_DUMP" $plugin > "$OUTPUT_DIR/$output_file" 2>&1
fi
if [ $? -eq 0 ]; then
echo " [+] $plugin analysis completed: $output_file"
return 0
else
echo " [-] $plugin analysis failed"
return 1
fi
}
# Function to analyze system information
analyze_system_info() {
echo "[+] Analyzing system information"
run_vol_cmd "windows.info" "system_info.txt"
# Extract key system information
if [ -f "$OUTPUT_DIR/system_info.txt" ]; then
grep -E "(Kernel|System time|NTBuildLab)" "$OUTPUT_DIR/system_info.txt" > "$OUTPUT_DIR/system_summary.txt"
fi
}
# Function to analyze processes
analyze_processes() {
echo "[+] Analyzing processes"
run_vol_cmd "windows.pslist" "process_list.txt"
run_vol_cmd "windows.pstree" "process_tree.txt"
run_vol_cmd "windows.cmdline" "command_lines.txt"
run_vol_cmd "windows.psxview" "hidden_processes.txt"
run_vol_cmd "windows.malfind" "malicious_code.txt"
# Extract suspicious processes
if [ -f "$OUTPUT_DIR/process_list.txt" ]; then
# Find processes with suspicious names
grep -iE "(cmd|powershell|wscript|cscript|rundll32|regsvr32)" "$OUTPUT_DIR/process_list.txt" > "$OUTPUT_DIR/suspicious_processes.txt"
# Find processes with no parent
awk '$3 == 0 && NR > 1 {print}' "$OUTPUT_DIR/process_list.txt" > "$OUTPUT_DIR/orphan_processes.txt"
fi
}
# Function to analyze network activity
analyze_network() {
echo "[+] Analyzing network activity"
run_vol_cmd "windows.netstat" "network_connections.txt"
# Extract external connections
if [ -f "$OUTPUT_DIR/network_connections.txt" ]; then
grep -vE "(127\.0\.0\.1|0\.0\.0\.0|::1)" "$OUTPUT_DIR/network_connections.txt" > "$OUTPUT_DIR/external_connections.txt"
# Extract unique remote IPs
awk '{print $3}' "$OUTPUT_DIR/external_connections.txt" | cut -d: -f1 | sort -u > "$OUTPUT_DIR/remote_ips.txt"
fi
}
# Function to analyze files
analyze_files() {
echo "[+] Analyzing files"
run_vol_cmd "windows.filescan" "file_list.txt"
# Find executable files
if [ -f "$OUTPUT_DIR/file_list.txt" ]; then
grep -iE "\.(exe|dll|sys|bat|cmd|ps1|vbs|js)$" "$OUTPUT_DIR/file_list.txt" > "$OUTPUT_DIR/executable_files.txt"
# Find files in temp directories
grep -iE "(temp|tmp|appdata)" "$OUTPUT_DIR/file_list.txt" > "$OUTPUT_DIR/temp_files.txt"
fi
}
# Function to analyze registry
analyze_registry() {
echo "[+] Analyzing registry"
run_vol_cmd "windows.registry.hivelist" "registry_hives.txt"
# Analyze common autostart locations
local autostart_keys=(
"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce"
)
for key in "${autostart_keys[@]}"; do
local safe_key=$(echo "$key" | tr '\\' '_')
run_vol_cmd "windows.registry.printkey" "registry_${safe_key}.txt" "--key \"$key\""
done
}
# Function to extract strings
extract_strings() {
echo "[+] Extracting strings"
run_vol_cmd "windows.strings" "all_strings.txt"
if [ -f "$OUTPUT_DIR/all_strings.txt" ]; then
# Extract URLs
grep -oE "(http|https|ftp)://[^\s]+" "$OUTPUT_DIR/all_strings.txt" | sort -u > "$OUTPUT_DIR/urls.txt"
# Extract email addresses
grep -oE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" "$OUTPUT_DIR/all_strings.txt" | sort -u > "$OUTPUT_DIR/email_addresses.txt"
# Extract IP addresses
grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" "$OUTPUT_DIR/all_strings.txt" | sort -u > "$OUTPUT_DIR/ip_addresses.txt"
# Extract potential passwords
grep -iE "(password|passwd|pwd|pass)" "$OUTPUT_DIR/all_strings.txt" > "$OUTPUT_DIR/potential_passwords.txt"
fi
}
# Function to perform YARA scanning
yara_scan() {
echo "[+] Performing YARA scanning"
# Create basic malware detection rules
cat > "$OUTPUT_DIR/basic_malware.yar" << 'EOF'
rule Suspicious_Strings {
strings:
$s1 = "cmd.exe" nocase
$s2 = "powershell" nocase
$s3 = "rundll32" nocase
$s4 = "regsvr32" nocase
$s5 = "wscript" nocase
$s6 = "cscript" nocase
condition:
any of them
}
rule Network_Indicators {
strings:
$n1 = "http://" nocase
$n2 = "https://" nocase
$n3 = "ftp://" nocase
$n4 = "tcp://" nocase
condition:
any of them
}
rule Crypto_Indicators {
strings:
$c1 = "AES" nocase
$c2 = "RSA" nocase
$c3 = "encrypt" nocase
$c4 = "decrypt" nocase
$c5 = "cipher" nocase
condition:
any of them
}
EOF
run_vol_cmd "yarascan" "yara_scan_results.txt" "--yara-rules $OUTPUT_DIR/basic_malware.yar"
}
# Function to generate analysis report
generate_report() {
echo "[+] Generating analysis report"
local report_file="$OUTPUT_DIR/analysis_report.html"
cat > "$report_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>Volatility Memory Analysis Report</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
.header { background-color: #f0f0f0; padding: 20px; border-radius: 5px; }
.section { margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; }
.warning { background-color: #fff3cd; border-color: #ffeaa7; }
.critical { background-color: #ffebee; border-color: #f44336; }
table { border-collapse: collapse; width: 100%; }
th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
th { background-color: #f2f2f2; }
pre { background-color: #f5f5f5; padding: 10px; border-radius: 3px; overflow-x: auto; }
.file-list { max-height: 300px; overflow-y: auto; }
</style>
</head>
<body>
<div class="header">
<h1>Volatility Memory Analysis Report</h1>
<p><strong>Memory Dump:</strong> $(basename "$MEMORY_DUMP")</p>
<p><strong>Analysis Date:</strong> $(date)</p>
<p><strong>Output Directory:</strong> $OUTPUT_DIR</p>
</div>
EOF
# Add system information
if [ -f "$OUTPUT_DIR/system_summary.txt" ]; then
cat >> "$report_file" << EOF
<div class="section">
<h2>System Information</h2>
<pre>$(cat "$OUTPUT_DIR/system_summary.txt")</pre>
</div>
EOF
fi
# Add suspicious processes
if [ -f "$OUTPUT_DIR/suspicious_processes.txt" ] && [ -s "$OUTPUT_DIR/suspicious_processes.txt" ]; then
cat >> "$report_file" << EOF
<div class="section warning">
<h2>⚠️ Suspicious Processes</h2>
<div class="file-list">
<pre>$(cat "$OUTPUT_DIR/suspicious_processes.txt")</pre>
</div>
</div>
EOF
fi
# Add network connections
if [ -f "$OUTPUT_DIR/external_connections.txt" ] && [ -s "$OUTPUT_DIR/external_connections.txt" ]; then
cat >> "$report_file" << EOF
<div class="section">
<h2>External Network Connections</h2>
<div class="file-list">
<pre>$(head -20 "$OUTPUT_DIR/external_connections.txt")</pre>
</div>
</div>
EOF
fi
# Add URLs found
if [ -f "$OUTPUT_DIR/urls.txt" ] && [ -s "$OUTPUT_DIR/urls.txt" ]; then
cat >> "$report_file" << EOF
<div class="section">
<h2>URLs Found</h2>
<div class="file-list">
<pre>$(head -20 "$OUTPUT_DIR/urls.txt")</pre>
</div>
</div>
EOF
fi
# Add file summary
cat >> "$report_file" << EOF
<div class="section">
<h2>Analysis Summary</h2>
<table>
<tr><th>Category</th><th>Count</th><th>File</th></tr>
<tr><td>Total Processes</td><td>$(wc -l < "$OUTPUT_DIR/process_list.txt" 2>/dev/null || echo 0)</td><td>process_list.txt</td></tr>
<tr><td>Suspicious Processes</td><td>$(wc -l < "$OUTPUT_DIR/suspicious_processes.txt" 2>/dev/null || echo 0)</td><td>suspicious_processes.txt</td></tr>
<tr><td>Network Connections</td><td>$(wc -l < "$OUTPUT_DIR/network_connections.txt" 2>/dev/null || echo 0)</td><td>network_connections.txt</td></tr>
<tr><td>External Connections</td><td>$(wc -l < "$OUTPUT_DIR/external_connections.txt" 2>/dev/null || echo 0)</td><td>external_connections.txt</td></tr>
<tr><td>Files Found</td><td>$(wc -l < "$OUTPUT_DIR/file_list.txt" 2>/dev/null || echo 0)</td><td>file_list.txt</td></tr>
<tr><td>URLs Found</td><td>$(wc -l < "$OUTPUT_DIR/urls.txt" 2>/dev/null || echo 0)</td><td>urls.txt</td></tr>
<tr><td>Email Addresses</td><td>$(wc -l < "$OUTPUT_DIR/email_addresses.txt" 2>/dev/null || echo 0)</td><td>email_addresses.txt</td></tr>
</table>
</div>
<div class="section">
<h2>Generated Files</h2>
<ul>
$(ls -1 "$OUTPUT_DIR"/*.txt "$OUTPUT_DIR"/*.yar 2>/dev/null | while read file; do echo " <li>$(basename "$file")</li>"; done)
</ul>
</div>
</body>
</html>
EOF
echo " [+] Analysis report generated: $report_file"
}
# Function to create investigation summary
create_summary() {
echo "[+] Creating investigation summary"
local summary_file="$OUTPUT_DIR/investigation_summary.txt"
cat > "$summary_file" << EOF
Volatility Memory Analysis Summary
=================================
Memory Dump: $(basename "$MEMORY_DUMP")
Analysis Date: $(date)
Output Directory: $OUTPUT_DIR
Key Findings:
============
System Information:
$(cat "$OUTPUT_DIR/system_summary.txt" 2>/dev/null || echo "Not available")
Process Analysis:
- Total processes: $(wc -l < "$OUTPUT_DIR/process_list.txt" 2>/dev/null || echo 0)
- Suspicious processes: $(wc -l < "$OUTPUT_DIR/suspicious_processes.txt" 2>/dev/null || echo 0)
- Orphan processes: $(wc -l < "$OUTPUT_DIR/orphan_processes.txt" 2>/dev/null || echo 0)
Network Analysis:
- Total connections: $(wc -l < "$OUTPUT_DIR/network_connections.txt" 2>/dev/null || echo 0)
- External connections: $(wc -l < "$OUTPUT_DIR/external_connections.txt" 2>/dev/null || echo 0)
- Unique remote IPs: $(wc -l < "$OUTPUT_DIR/remote_ips.txt" 2>/dev/null || echo 0)
File Analysis:
- Total files: $(wc -l < "$OUTPUT_DIR/file_list.txt" 2>/dev/null || echo 0)
- Executable files: $(wc -l < "$OUTPUT_DIR/executable_files.txt" 2>/dev/null || echo 0)
- Temp files: $(wc -l < "$OUTPUT_DIR/temp_files.txt" 2>/dev/null || echo 0)
String Analysis:
- URLs found: $(wc -l < "$OUTPUT_DIR/urls.txt" 2>/dev/null || echo 0)
- Email addresses: $(wc -l < "$OUTPUT_DIR/email_addresses.txt" 2>/dev/null || echo 0)
- IP addresses: $(wc -l < "$OUTPUT_DIR/ip_addresses.txt" 2>/dev/null || echo 0)
Recommendations:
===============
1. Review suspicious processes for malicious activity
2. Investigate external network connections
3. Analyze files in temporary directories
4. Check autostart registry entries
5. Correlate findings with system logs and network traffic
Next Steps:
==========
1. Extract and analyze suspicious executables
2. Perform deeper malware analysis if needed
3. Check for persistence mechanisms
4. Validate findings with additional tools
5. Document findings for incident response
Files Generated:
===============
$(ls -1 "$OUTPUT_DIR" | grep -v "\.html$" | sed 's/^/- /')
EOF
echo " [+] Investigation summary created: $summary_file"
}
# Main execution
echo "[+] Starting comprehensive memory analysis"
echo "[+] Memory dump: $MEMORY_DUMP"
echo "[+] Output directory: $OUTPUT_DIR"
# Check if Volatility is available
if ! command -v $VOLATILITY_CMD &> /dev/null; then
echo "[-] Volatility not found. Please install Volatility 3."
exit 1
fi
# Perform analysis
analyze_system_info
analyze_processes
analyze_network
analyze_files
analyze_registry
extract_strings
yara_scan
# Generate reports
generate_report
create_summary
echo "[+] Comprehensive memory analysis completed"
echo "[+] Results saved in: $OUTPUT_DIR"
echo "[+] Open $OUTPUT_DIR/analysis_report.html for detailed report"
echo "[+] Review $OUTPUT_DIR/investigation_summary.txt for key findings"Malware Analysis Automation
bash
#!/bin/bash
# Automated malware analysis using Volatility
MEMORY_DUMP="$1"
MALWARE_DIR="malware_analysis_$(date +%Y%m%d_%H%M%S)"
YARA_RULES_DIR="/opt/yara-rules"
if [ -z "$MEMORY_DUMP" ]; then
echo "Usage: $0 <memory_dump_file>"
exit 1
fi
mkdir -p "$MALWARE_DIR"
# Function to detect process injection
detect_injection() {
echo "[+] Detecting process injection"
vol -f "$MEMORY_DUMP" windows.malfind > "$MALWARE_DIR/malfind_results.txt"
# Extract injected code
if [ -s "$MALWARE_DIR/malfind_results.txt" ]; then
echo " [+] Potential code injection detected"
# Extract unique PIDs with injected code
awk '/Process:/ {print $2}' "$MALWARE_DIR/malfind_results.txt" | sort -u > "$MALWARE_DIR/injected_pids.txt"
# Dump memory for each injected process
while read pid; do
echo " [+] Dumping memory for PID $pid"
vol -f "$MEMORY_DUMP" windows.memmap --pid "$pid" --dump --output-dir "$MALWARE_DIR/dumps/"
done < "$MALWARE_DIR/injected_pids.txt"
fi
}
# Function to analyze suspicious processes
analyze_suspicious_processes() {
echo "[+] Analyzing suspicious processes"
# Get process list
vol -f "$MEMORY_DUMP" windows.pslist > "$MALWARE_DIR/process_list.txt"
# Find processes with suspicious characteristics
cat > "$MALWARE_DIR/suspicious_patterns.txt" << 'EOF'
# Suspicious process patterns
cmd.exe
powershell.exe
wscript.exe
cscript.exe
rundll32.exe
regsvr32.exe
mshta.exe
bitsadmin.exe
certutil.exe
schtasks.exe
EOF
# Search for suspicious processes
while read pattern; do
if [[ ! "$pattern" =~ ^# ]]; then
grep -i "$pattern" "$MALWARE_DIR/process_list.txt" >> "$MALWARE_DIR/suspicious_processes.txt"
fi
done < "$MALWARE_DIR/suspicious_patterns.txt"
# Analyze command lines for suspicious processes
if [ -s "$MALWARE_DIR/suspicious_processes.txt" ]; then
echo " [+] Found suspicious processes, analyzing command lines"
awk '{print $2}' "$MALWARE_DIR/suspicious_processes.txt" | while read pid; do
vol -f "$MEMORY_DUMP" windows.cmdline --pid "$pid" >> "$MALWARE_DIR/suspicious_cmdlines.txt"
done
fi
}
# Function to extract and analyze executables
extract_executables() {
echo "[+] Extracting suspicious executables"
# Get file list
vol -f "$MEMORY_DUMP" windows.filescan > "$MALWARE_DIR/file_list.txt"
# Find executable files in suspicious locations
grep -iE "(temp|tmp|appdata|programdata).*\.(exe|dll|sys)$" "$MALWARE_DIR/file_list.txt" > "$MALWARE_DIR/suspicious_files.txt"
# Extract suspicious files
if [ -s "$MALWARE_DIR/suspicious_files.txt" ]; then
echo " [+] Extracting suspicious files"
mkdir -p "$MALWARE_DIR/extracted_files"
while read line; do
local offset=$(echo "$line" | awk '{print $1}')
local filename=$(echo "$line" | awk '{print $NF}' | tr '\\' '_')
vol -f "$MEMORY_DUMP" windows.dumpfiles --virtaddr "$offset" --output-dir "$MALWARE_DIR/extracted_files/"
done < "$MALWARE_DIR/suspicious_files.txt"
fi
}
# Function to perform YARA scanning
perform_yara_scan() {
echo "[+] Performing YARA scanning"
# Create comprehensive malware detection rules
cat > "$MALWARE_DIR/malware_detection.yar" << 'EOF'
rule Suspicious_API_Calls {
strings:
$api1 = "VirtualAlloc" nocase
$api2 = "VirtualProtect" nocase
$api3 = "CreateRemoteThread" nocase
$api4 = "WriteProcessMemory" nocase
$api5 = "ReadProcessMemory" nocase
$api6 = "SetWindowsHookEx" nocase
$api7 = "GetProcAddress" nocase
$api8 = "LoadLibrary" nocase
condition:
3 of them
}
rule Network_Communication {
strings:
$net1 = "WinINet" nocase
$net2 = "URLDownloadToFile" nocase
$net3 = "InternetOpen" nocase
$net4 = "InternetConnect" nocase
$net5 = "HttpOpenRequest" nocase
$net6 = "send" nocase
$net7 = "recv" nocase
$net8 = "WSAStartup" nocase
condition:
2 of them
}
rule Persistence_Mechanisms {
strings:
$reg1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" nocase
$reg2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" nocase
$svc1 = "CreateService" nocase
$svc2 = "StartService" nocase
$task1 = "schtasks" nocase
$task2 = "at.exe" nocase
condition:
any of them
}
rule Evasion_Techniques {
strings:
$eva1 = "IsDebuggerPresent" nocase
$eva2 = "CheckRemoteDebuggerPresent" nocase
$eva3 = "OutputDebugString" nocase
$eva4 = "GetTickCount" nocase
$eva5 = "Sleep" nocase
$eva6 = "VirtualQuery" nocase
condition:
2 of them
}
rule Encryption_Indicators {
strings:
$cry1 = "CryptAcquireContext" nocase
$cry2 = "CryptCreateHash" nocase
$cry3 = "CryptEncrypt" nocase
$cry4 = "CryptDecrypt" nocase
$cry5 = "CryptGenKey" nocase
$cry6 = "AES" nocase
$cry7 = "RSA" nocase
$cry8 = "MD5" nocase
$cry9 = "SHA" nocase
condition:
2 of them
}
EOF
# Perform YARA scan
vol -f "$MEMORY_DUMP" yarascan --yara-rules "$MALWARE_DIR/malware_detection.yar" > "$MALWARE_DIR/yara_results.txt"
# Use external YARA rules if available
if [ -d "$YARA_RULES_DIR" ]; then
echo " [+] Scanning with external YARA rules"
find "$YARA_RULES_DIR" -name "*.yar" -o -name "*.yara" | while read rule_file; do
local rule_name=$(basename "$rule_file" .yar)
vol -f "$MEMORY_DUMP" yarascan --yara-rules "$rule_file" > "$MALWARE_DIR/yara_${rule_name}.txt"
done
fi
}
# Function to analyze network artifacts
analyze_network_artifacts() {
echo "[+] Analyzing network artifacts"
# Get network connections
vol -f "$MEMORY_DUMP" windows.netstat > "$MALWARE_DIR/network_connections.txt"
# Extract external IPs
grep -vE "(127\.0\.0\.1|0\.0\.0\.0|::1|192\.168\.|10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.)" "$MALWARE_DIR/network_connections.txt" > "$MALWARE_DIR/external_connections.txt"
# Extract unique remote IPs
awk '{print $3}' "$MALWARE_DIR/external_connections.txt" | cut -d: -f1 | sort -u > "$MALWARE_DIR/remote_ips.txt"
# Analyze remote IPs
if [ -s "$MALWARE_DIR/remote_ips.txt" ]; then
echo " [+] Analyzing remote IP addresses"
while read ip; do
echo "Analyzing IP: $ip" >> "$MALWARE_DIR/ip_analysis.txt"
# Perform reverse DNS lookup
local hostname=$(dig +short -x "$ip" 2>/dev/null | head -1)
echo " Hostname: ${hostname:-No PTR record}" >> "$MALWARE_DIR/ip_analysis.txt"
# Check if IP is in known malicious ranges (basic check)
if [[ "$ip" =~ ^(185\.159\.|91\.121\.|5\.196\.) ]]; then
echo " WARNING: IP in potentially suspicious range" >> "$MALWARE_DIR/ip_analysis.txt"
fi
echo "---" >> "$MALWARE_DIR/ip_analysis.txt"
done < "$MALWARE_DIR/remote_ips.txt"
fi
}
# Function to check for rootkit indicators
check_rootkit_indicators() {
echo "[+] Checking for rootkit indicators"
# Check SSDT hooks
vol -f "$MEMORY_DUMP" windows.ssdt > "$MALWARE_DIR/ssdt_hooks.txt" 2>/dev/null || echo "SSDT analysis not available"
# Check for hidden processes
vol -f "$MEMORY_DUMP" windows.psxview > "$MALWARE_DIR/hidden_processes.txt"
# Find processes that are hidden from certain detection methods
grep "False" "$MALWARE_DIR/hidden_processes.txt" > "$MALWARE_DIR/potentially_hidden.txt"
# Check for API hooks
vol -f "$MEMORY_DUMP" windows.apihooks > "$MALWARE_DIR/api_hooks.txt" 2>/dev/null || echo "API hooks analysis not available"
}
# Function to generate malware analysis report
generate_malware_report() {
echo "[+] Generating malware analysis report"
local report_file="$MALWARE_DIR/malware_analysis_report.html"
cat > "$report_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>Malware Analysis Report</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
.header { background-color: #f0f0f0; padding: 20px; border-radius: 5px; }
.section { margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; }
.critical { background-color: #ffebee; border-color: #f44336; }
.warning { background-color: #fff3cd; border-color: #ffeaa7; }
.info { background-color: #e3f2fd; border-color: #2196f3; }
table { border-collapse: collapse; width: 100%; }
th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
th { background-color: #f2f2f2; }
pre { background-color: #f5f5f5; padding: 10px; border-radius: 3px; overflow-x: auto; }
.file-list { max-height: 300px; overflow-y: auto; }
</style>
</head>
<body>
<div class="header">
<h1>🔍 Malware Analysis Report</h1>
<p><strong>Memory Dump:</strong> $(basename "$MEMORY_DUMP")</p>
<p><strong>Analysis Date:</strong> $(date)</p>
<p><strong>Analyst:</strong> Volatility Automated Analysis</p>
</div>
EOF
# Add executive summary
cat >> "$report_file" << EOF
<div class="section info">
<h2>📋 Executive Summary</h2>
<table>
<tr><th>Indicator</th><th>Count</th><th>Risk Level</th></tr>
<tr><td>Suspicious Processes</td><td>$(wc -l < "$MALWARE_DIR/suspicious_processes.txt" 2>/dev/null || echo 0)</td><td>$([ $(wc -l < "$MALWARE_DIR/suspicious_processes.txt" 2>/dev/null || echo 0) -gt 0 ] && echo "High" || echo "Low")</td></tr>
<tr><td>Code Injection Detected</td><td>$(grep -c "Process:" "$MALWARE_DIR/malfind_results.txt" 2>/dev/null || echo 0)</td><td>$([ $(grep -c "Process:" "$MALWARE_DIR/malfind_results.txt" 2>/dev/null || echo 0) -gt 0 ] && echo "Critical" || echo "Low")</td></tr>
<tr><td>External Connections</td><td>$(wc -l < "$MALWARE_DIR/external_connections.txt" 2>/dev/null || echo 0)</td><td>$([ $(wc -l < "$MALWARE_DIR/external_connections.txt" 2>/dev/null || echo 0) -gt 5 ] && echo "Medium" || echo "Low")</td></tr>
<tr><td>Hidden Processes</td><td>$(wc -l < "$MALWARE_DIR/potentially_hidden.txt" 2>/dev/null || echo 0)</td><td>$([ $(wc -l < "$MALWARE_DIR/potentially_hidden.txt" 2>/dev/null || echo 0) -gt 0 ] && echo "High" || echo "Low")</td></tr>
</table>
</div>
EOF
# Add code injection findings
if [ -s "$MALWARE_DIR/malfind_results.txt" ]; then
cat >> "$report_file" << EOF
<div class="section critical">
<h2>🚨 Code Injection Detected</h2>
<p>Potential code injection has been detected in the following processes:</p>
<div class="file-list">
<pre>$(head -50 "$MALWARE_DIR/malfind_results.txt")</pre>
</div>
</div>
EOF
fi
# Add suspicious processes
if [ -s "$MALWARE_DIR/suspicious_processes.txt" ]; then
cat >> "$report_file" << EOF
<div class="section warning">
<h2>⚠️ Suspicious Processes</h2>
<div class="file-list">
<pre>$(cat "$MALWARE_DIR/suspicious_processes.txt")</pre>
</div>
</div>
EOF
fi
# Add network analysis
if [ -s "$MALWARE_DIR/external_connections.txt" ]; then
cat >> "$report_file" << EOF
<div class="section warning">
<h2>🌐 External Network Connections</h2>
<div class="file-list">
<pre>$(head -20 "$MALWARE_DIR/external_connections.txt")</pre>
</div>
</div>
EOF
fi
# Add YARA results
if [ -s "$MALWARE_DIR/yara_results.txt" ]; then
cat >> "$report_file" << EOF
<div class="section info">
<h2>🔍 YARA Detection Results</h2>
<div class="file-list">
<pre>$(cat "$MALWARE_DIR/yara_results.txt")</pre>
</div>
</div>
EOF
fi
# Add recommendations
cat >> "$report_file" << EOF
<div class="section">
<h2>📝 Recommendations</h2>
<ol>
<li><strong>Immediate Actions:</strong>
<ul>
<li>Isolate affected systems from the network</li>
<li>Preserve memory dumps and disk images for further analysis</li>
<li>Check for lateral movement indicators</li>
</ul>
</li>
<li><strong>Investigation:</strong>
<ul>
<li>Analyze extracted executables with static analysis tools</li>
<li>Correlate network connections with firewall logs</li>
<li>Check for persistence mechanisms in registry and file system</li>
</ul>
</li>
<li><strong>Remediation:</strong>
<ul>
<li>Remove identified malicious processes and files</li>
<li>Update antivirus signatures and endpoint protection</li>
<li>Implement network monitoring for identified IOCs</li>
</ul>
</li>
</ol>
</div>
<div class="section">
<h2>📁 Generated Files</h2>
<ul>
$(ls -1 "$MALWARE_DIR" | grep -v "\.html$" | while read file; do echo " <li>$file</li>"; done)
</ul>
</div>
</body>
</html>
EOF
echo " [+] Malware analysis report generated: $report_file"
}
# Main execution
echo "[+] Starting automated malware analysis"
echo "[+] Memory dump: $MEMORY_DUMP"
echo "[+] Output directory: $MALWARE_DIR"
# Perform malware analysis
detect_injection
analyze_suspicious_processes
extract_executables
perform_yara_scan
analyze_network_artifacts
check_rootkit_indicators
# Generate report
generate_malware_report
echo "[+] Automated malware analysis completed"
echo "[+] Results saved in: $MALWARE_DIR"
echo "[+] Open $MALWARE_DIR/malware_analysis_report.html for detailed findings"
# Display summary
echo ""
echo "=== ANALYSIS SUMMARY ==="
echo "Suspicious processes: $(wc -l < "$MALWARE_DIR/suspicious_processes.txt" 2>/dev/null || echo 0)"
echo "Code injection detected: $(grep -c "Process:" "$MALWARE_DIR/malfind_results.txt" 2>/dev/null || echo 0)"
echo "External connections: $(wc -l < "$MALWARE_DIR/external_connections.txt" 2>/dev/null || echo 0)"
echo "Hidden processes: $(wc -l < "$MALWARE_DIR/potentially_hidden.txt" 2>/dev/null || echo 0)"
echo "========================"Timeline Analysis
bash
#!/bin/bash
# Timeline analysis using Volatility
MEMORY_DUMP="$1"
TIMELINE_DIR="timeline_analysis_$(date +%Y%m%d_%H%M%S)"
if [ -z "$MEMORY_DUMP" ]; then
echo "Usage: $0 <memory_dump_file>"
exit 1
fi
mkdir -p "$TIMELINE_DIR"
# Function to create comprehensive timeline
create_timeline() {
echo "[+] Creating comprehensive timeline"
# Note: Timeline functionality varies between Volatility versions
# This example shows both Vol2 and Vol3 approaches
# For Volatility 2 (if available)
if command -v vol2 &> /dev/null; then
echo " [+] Creating timeline with Volatility 2"
# Determine profile first
local profile=$(vol2 -f "$MEMORY_DUMP" imageinfo | grep "Suggested Profile" | head -1 | awk '{print $4}' | tr -d ',')
if [ -n "$profile" ]; then
# Create body file
vol2 -f "$MEMORY_DUMP" --profile="$profile" timeliner --output=body --output-file="$TIMELINE_DIR/timeline.body"
# Convert to readable format
if [ -f "$TIMELINE_DIR/timeline.body" ]; then
mactime -b "$TIMELINE_DIR/timeline.body" -d > "$TIMELINE_DIR/timeline_readable.txt"
fi
fi
fi
# Alternative approach: Extract timestamps from various sources
echo " [+] Extracting timestamps from various sources"
# Process creation times
vol -f "$MEMORY_DUMP" windows.pslist > "$TIMELINE_DIR/process_times.txt"
# File modification times
vol -f "$MEMORY_DUMP" windows.filescan > "$TIMELINE_DIR/file_times.txt"
# Registry timestamps (if available)
vol -f "$MEMORY_DUMP" windows.registry.hivelist > "$TIMELINE_DIR/registry_times.txt"
}
# Function to analyze process timeline
analyze_process_timeline() {
echo "[+] Analyzing process timeline"
# Extract process creation times and sort chronologically
awk 'NR>1 {print $6, $7, $2, $3, $4}' "$TIMELINE_DIR/process_times.txt" | sort > "$TIMELINE_DIR/process_chronology.txt"
# Find processes created in quick succession (potential malware)
cat > "$TIMELINE_DIR/rapid_process_creation.py" << 'EOF'
#!/usr/bin/env python3
import sys
from datetime import datetime
def parse_timestamp(ts_str):
try:
return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
except:
return None
def analyze_rapid_creation(filename):
processes = []
with open(filename, 'r') as f:
for line in f:
parts = line.strip().split()
if len(parts) >= 5:
date_str = parts[0]
time_str = parts[1]
pid = parts[2]
ppid = parts[3]
name = parts[4]
timestamp = parse_timestamp(f"{date_str} {time_str}")
if timestamp:
processes.append((timestamp, pid, ppid, name))
# Sort by timestamp
processes.sort(key=lambda x: x[0])
# Find rapid succession (within 10 seconds)
rapid_groups = []
current_group = []
for i, (ts, pid, ppid, name) in enumerate(processes):
if not current_group:
current_group = [(ts, pid, ppid, name)]
else:
time_diff = (ts - current_group[-1][0]).total_seconds()
if time_diff <= 10:
current_group.append((ts, pid, ppid, name))
else:
if len(current_group) >= 3:
rapid_groups.append(current_group)
current_group = [(ts, pid, ppid, name)]
# Check last group
if len(current_group) >= 3:
rapid_groups.append(current_group)
return rapid_groups
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python3 rapid_process_creation.py <process_chronology_file>")
sys.exit(1)
rapid_groups = analyze_rapid_creation(sys.argv[1])
if rapid_groups:
print("Rapid Process Creation Detected:")
print("=" * 50)
for i, group in enumerate(rapid_groups):
print(f"\nGroup {i+1} ({len(group)} processes):")
for ts, pid, ppid, name in group:
print(f" {ts} - PID:{pid} PPID:{ppid} {name}")
else:
print("No rapid process creation patterns detected.")
EOF
python3 "$TIMELINE_DIR/rapid_process_creation.py" "$TIMELINE_DIR/process_chronology.txt" > "$TIMELINE_DIR/rapid_creation_analysis.txt"
}
# Function to create visual timeline
create_visual_timeline() {
echo "[+] Creating visual timeline"
cat > "$TIMELINE_DIR/create_timeline_chart.py" << 'EOF'
#!/usr/bin/env python3
import matplotlib.pyplot as plt
import matplotlib.dates as mdates
from datetime import datetime
import sys
def create_timeline_chart(process_file, output_file):
timestamps = []
processes = []
try:
with open(process_file, 'r') as f:
for line in f:
parts = line.strip().split()
if len(parts) >= 5:
try:
date_str = parts[0]
time_str = parts[1]
name = parts[4]
timestamp = datetime.strptime(f"{date_str} {time_str}", "%Y-%m-%d %H:%M:%S")
timestamps.append(timestamp)
processes.append(name)
except:
continue
if not timestamps:
print("No valid timestamps found")
return
# Create timeline chart
fig, ax = plt.subplots(figsize=(15, 8))
# Plot process creation events
y_positions = range(len(timestamps))
ax.scatter(timestamps, y_positions, alpha=0.6, s=50)
# Format x-axis
ax.xaxis.set_major_formatter(mdates.DateFormatter('%H:%M:%S'))
ax.xaxis.set_major_locator(mdates.HourLocator(interval=1))
plt.xticks(rotation=45)
# Add labels
ax.set_xlabel('Time')
ax.set_ylabel('Process Creation Events')
ax.set_title('Process Creation Timeline')
# Add grid
ax.grid(True, alpha=0.3)
plt.tight_layout()
plt.savefig(output_file, dpi=300, bbox_inches='tight')
print(f"Timeline chart saved: {output_file}")
except Exception as e:
print(f"Error creating timeline chart: {e}")
if __name__ == "__main__":
if len(sys.argv) != 3:
print("Usage: python3 create_timeline_chart.py <process_file> <output_file>")
sys.exit(1)
create_timeline_chart(sys.argv[1], sys.argv[2])
EOF
# Install matplotlib if not available
pip3 install matplotlib &>/dev/null || echo "Warning: matplotlib not available for timeline visualization"
# Create timeline chart
python3 "$TIMELINE_DIR/create_timeline_chart.py" "$TIMELINE_DIR/process_chronology.txt" "$TIMELINE_DIR/process_timeline.png" 2>/dev/null || echo "Timeline visualization skipped"
}
# Function to correlate events
correlate_events() {
echo "[+] Correlating timeline events"
cat > "$TIMELINE_DIR/event_correlation.txt" << EOF
Timeline Event Correlation Analysis
==================================
Analysis Date: $(date)
Memory Dump: $(basename "$MEMORY_DUMP")
Process Timeline Analysis:
$(cat "$TIMELINE_DIR/rapid_creation_analysis.txt" 2>/dev/null || echo "No rapid creation patterns detected")
Key Observations:
================
EOF
# Analyze process parent-child relationships
echo "Process Parent-Child Relationships:" >> "$TIMELINE_DIR/event_correlation.txt"
vol -f "$MEMORY_DUMP" windows.pstree >> "$TIMELINE_DIR/event_correlation.txt"
# Look for suspicious timing patterns
echo "" >> "$TIMELINE_DIR/event_correlation.txt"
echo "Timing Pattern Analysis:" >> "$TIMELINE_DIR/event_correlation.txt"
# Find processes created at unusual times (e.g., outside business hours)
awk 'NR>1 {
split($7, time_parts, ":");
hour = time_parts[1];
if (hour < 6 || hour > 22) {
print "Unusual time: " $0;
}
}' "$TIMELINE_DIR/process_times.txt" >> "$TIMELINE_DIR/event_correlation.txt"
}
# Function to generate timeline report
generate_timeline_report() {
echo "[+] Generating timeline analysis report"
local report_file="$TIMELINE_DIR/timeline_report.html"
cat > "$report_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>Timeline Analysis Report</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
.header { background-color: #f0f0f0; padding: 20px; border-radius: 5px; }
.section { margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; }
.timeline { background-color: #e8f5e9; border-color: #4caf50; }
.warning { background-color: #fff3cd; border-color: #ffeaa7; }
table { border-collapse: collapse; width: 100%; }
th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
th { background-color: #f2f2f2; }
pre { background-color: #f5f5f5; padding: 10px; border-radius: 3px; overflow-x: auto; }
.file-list { max-height: 400px; overflow-y: auto; }
.chart { text-align: center; margin: 20px 0; }
</style>
</head>
<body>
<div class="header">
<h1>⏰ Timeline Analysis Report</h1>
<p><strong>Memory Dump:</strong> $(basename "$MEMORY_DUMP")</p>
<p><strong>Analysis Date:</strong> $(date)</p>
<p><strong>Timeline Scope:</strong> Process creation and system events</p>
</div>
EOF
# Add timeline visualization if available
if [ -f "$TIMELINE_DIR/process_timeline.png" ]; then
cat >> "$report_file" << EOF
<div class="section timeline">
<h2>📊 Process Creation Timeline</h2>
<div class="chart">
<img src="process_timeline.png" alt="Process Timeline Chart" style="max-width: 100%; height: auto;">
</div>
</div>
EOF
fi
# Add rapid creation analysis
if [ -s "$TIMELINE_DIR/rapid_creation_analysis.txt" ]; then
cat >> "$report_file" << EOF
<div class="section warning">
<h2>⚡ Rapid Process Creation Analysis</h2>
<div class="file-list">
<pre>$(cat "$TIMELINE_DIR/rapid_creation_analysis.txt")</pre>
</div>
</div>
EOF
fi
# Add process chronology
cat >> "$report_file" << EOF
<div class="section">
<h2>📋 Process Chronology</h2>
<div class="file-list">
<pre>$(head -50 "$TIMELINE_DIR/process_chronology.txt" 2>/dev/null || echo "Process chronology not available")</pre>
</div>
</div>
EOF
# Add event correlation
if [ -f "$TIMELINE_DIR/event_correlation.txt" ]; then
cat >> "$report_file" << EOF
<div class="section">
<h2>🔗 Event Correlation Analysis</h2>
<div class="file-list">
<pre>$(cat "$TIMELINE_DIR/event_correlation.txt")</pre>
</div>
</div>
EOF
fi
# Add summary statistics
cat >> "$report_file" << EOF
<div class="section">
<h2>📈 Timeline Statistics</h2>
<table>
<tr><th>Metric</th><th>Value</th></tr>
<tr><td>Total Processes Analyzed</td><td>$(wc -l < "$TIMELINE_DIR/process_times.txt" 2>/dev/null || echo 0)</td></tr>
<tr><td>Chronological Events</td><td>$(wc -l < "$TIMELINE_DIR/process_chronology.txt" 2>/dev/null || echo 0)</td></tr>
<tr><td>Timeline Span</td><td>$(head -1 "$TIMELINE_DIR/process_chronology.txt" 2>/dev/null | awk '{print $1, $2}') to $(tail -1 "$TIMELINE_DIR/process_chronology.txt" 2>/dev/null | awk '{print $1, $2}')</td></tr>
</table>
</div>
<div class="section">
<h2>📁 Generated Files</h2>
<ul>
$(ls -1 "$TIMELINE_DIR" | grep -v "\.html$" | while read file; do echo " <li>$file</li>"; done)
</ul>
</div>
<div class="section">
<h2>🎯 Key Findings & Recommendations</h2>
<ul>
<li><strong>Process Creation Patterns:</strong> Review rapid process creation events for potential malware activity</li>
<li><strong>Timing Analysis:</strong> Investigate processes created during unusual hours</li>
<li><strong>Parent-Child Relationships:</strong> Analyze process trees for suspicious spawning patterns</li>
<li><strong>Correlation:</strong> Cross-reference timeline events with network logs and file system changes</li>
</ul>
</div>
</body>
</html>
EOF
echo " [+] Timeline analysis report generated: $report_file"
}
# Main execution
echo "[+] Starting timeline analysis"
echo "[+] Memory dump: $MEMORY_DUMP"
echo "[+] Output directory: $TIMELINE_DIR"
# Perform timeline analysis
create_timeline
analyze_process_timeline
create_visual_timeline
correlate_events
# Generate report
generate_timeline_report
echo "[+] Timeline analysis completed"
echo "[+] Results saved in: $TIMELINE_DIR"
echo "[+] Open $TIMELINE_DIR/timeline_report.html for detailed timeline analysis"Integration with Other Tools
Rekall Integration
bash
# Use Rekall for additional analysis
rekall -f memory.dmp pslist
# Compare Volatility and Rekall results
vol -f memory.dmp windows.pslist > vol_pslist.txt
rekall -f memory.dmp pslist > rekall_pslist.txt
diff vol_pslist.txt rekall_pslist.txtYARA Integration
bash
# Create custom YARA rules
cat > custom_rules.yar << 'EOF'
rule Suspicious_Process_Names {
strings:
$s1 = "svchost.exe" nocase
$s2 = "explorer.exe" nocase
$s3 = "winlogon.exe" nocase
condition:
any of them
}
EOF
# Scan memory with YARA rules
vol -f memory.dmp yarascan --yara-rules custom_rules.yarBulk Extractor Integration
bash
# Extract strings and artifacts with bulk_extractor
bulk_extractor -o bulk_output memory.dmp
# Compare with Volatility strings
vol -f memory.dmp windows.strings > vol_strings.txt
diff vol_strings.txt bulk_output/telephone.txtTroubleshooting
Common Issues
Profile Detection Problems
bash
# Manual profile specification (Vol 2)
vol2 -f memory.dmp --profile=Win10x64_19041 pslist
# List available profiles
vol2 --info | grep "Win"
# Use kdbgscan for profile detection
vol2 -f memory.dmp kdbgscanMemory Corruption
bash
# Check for memory corruption
vol -f memory.dmp windows.info | grep -i corrupt
# Use alternative scanning methods
vol -f memory.dmp windows.psscan
vol -f memory.dmp windows.filescanLarge Memory Dumps
bash
# Process large dumps efficiently
vol -f memory.dmp windows.pslist --output-file pslist.txt
# Use specific address ranges
vol -f memory.dmp windows.vadinfo --pid 1234 --address 0x12345678Plugin Errors
bash
# Check plugin availability
vol --list-plugins
# Get plugin help
vol windows.pslist -h
# Debug plugin execution
vol -f memory.dmp windows.pslist -vvPerformance Optimization
bash
# Use output files to avoid re-processing
vol -f memory.dmp windows.pslist -o pslist.txt
# Limit output for large datasets
vol -f memory.dmp windows.filescan | head -1000
# Use specific PIDs for targeted analysis
vol -f memory.dmp windows.handles --pid 1234
# Parallel processing for multiple dumps
for dump in *.dmp; do
vol -f "$dump" windows.pslist > "${dump%.dmp}_pslist.txt" &
done
waitResources
- Volatility Foundation
- Volatility 3 Documentation
- Volatility GitHub Repository
- Memory Forensics with Volatility
- Digital Forensics Framework
- YARA Rules Repository
- Memory Analysis Techniques
This cheat sheet provides a comprehensive reference for using Volatility for memory forensics analysis. Always ensure proper legal authorization before analyzing memory dumps and follow your organization's forensic procedures and chain of custody requirements.