Volatilität Cheat Sheet¶
Überblick¶
Volatility ist ein fortschrittliches Memory-Forensics-Framework in Python, das eine umfassende Plattform für die Extraktion digitaler Artefakte aus flüchtigen Speicher (RAM)-Proben bietet. Entwickelt von der Volatility Foundation, ermöglicht dieses leistungsstarke Tool digitale Forensik-Ermittler, Vorfall-Ansprecher und Malware-Analysten, um Speicher-Dumps von Windows, Linux, MacOS und Android-Systeme zu analysieren. Volatility kann eine breite Palette von Informationen einschließlich Laufprozesse, Netzwerk-Verbindungen, geladene Module, Registrierungsdaten, Cache-Dateien, Verschlüsselungsschlüssel und Beweise für Malware-Aktivität. Seine Plug-in-basierte Architektur macht es sehr erweiterbar, so dass Forscher kundenspezifische Analysemodule für spezifische Untersuchungsanforderungen entwickeln können.
ZEIT Legal Hinweis: Volatilität sollte nur für eine legitime forensische Analyse, Vorfallreaktion und eine autorisierte Sicherheitsforschung verwendet werden. Stellen Sie sicher, dass Sie eine ordnungsgemäße rechtliche Autorität haben, bevor Sie Speicher-Dumps analysieren und die Datenverarbeitung und Datenschutzrichtlinien Ihrer Organisation verfolgen.
Installation¶
Volatilität 3 Installation (empfohlen)¶
```bash
Install via pip (Python 3.6+)¶
pip3 install volatility3
Install from GitHub (latest development version)¶
git clone https://github.com/volatilityfoundation/volatility3.git cd volatility3 pip3 install -r requirements.txt python3 setup.py install
Verify installation¶
vol -h
Install additional dependencies¶
pip3 install yara-python pycryptodome capstone distorm3 ```_
Volatilität 2 Installation (Legacy)¶
```bash
Install Volatility 2 (Python 2.7)¶
git clone https://github.com/volatilityfoundation/volatility.git cd volatility python2 setup.py install
Install dependencies¶
pip2 install distorm3 yara-python pycrypto openpyxl ujson
Verify installation¶
python2 vol.py -h
Create alias for easier usage¶
echo 'alias vol2="python2 /path/to/volatility/vol.py"' >> ~/.bashrc ```_
Docker Installation¶
```bash
Pull Volatility Docker image¶
docker pull phocean/volatility
Run Volatility in Docker¶
docker run --rm -v $(pwd):/dumps phocean/volatility -f /dumps/memory.dmp imageinfo
Create alias for Docker usage¶
echo 'alias vol="docker run --rm -v $(pwd):/dumps phocean/volatility"' >> ~/.bashrc source ~/.bashrc
Run with specific memory dump¶
vol -f memory.dmp --profile=Win7SP1x64 pslist ```_
Ubuntu/Debian Installation¶
```bash
Install from package repository¶
sudo apt update sudo apt install volatility3-tools
Install additional tools¶
sudo apt install python3-pip python3-dev build-essential pip3 install volatility3
Install legacy Volatility 2¶
sudo apt install volatility-tools
Verify installations¶
vol -h volatility -h ```_
Windows Installation¶
```bash
Download standalone executable from GitHub releases¶
https://github.com/volatilityfoundation/volatility3/releases¶
Or install via Python¶
pip install volatility3
Install Python dependencies¶
pip install yara-python pycryptodome capstone distorm3
Verify installation¶
vol.exe -h ```_
Basisnutzung¶
Speicherort Analyse Workflow¶
```bash
Step 1: Identify the operating system and version¶
vol -f memory.dmp windows.info
Step 2: List running processes¶
vol -f memory.dmp windows.pslist
Step 3: Analyze network connections¶
vol -f memory.dmp windows.netstat
Step 4: Examine loaded modules¶
vol -f memory.dmp windows.modules
Step 5: Check for malicious processes¶
vol -f memory.dmp windows.malfind
Step 6: Extract suspicious files¶
vol -f memory.dmp windows.dumpfiles --pid 1234 ```_
Volatilität 2 Legacy Commands¶
```bash
Identify image information (Volatility 2)¶
vol2 -f memory.dmp imageinfo
Use specific profile¶
vol2 -f memory.dmp --profile=Win7SP1x64 pslist
List available plugins¶
vol2 --info
Get plugin help¶
vol2 pslist -h ```_
Grundlegende Systeminformationen¶
```bash
Get system information (Vol 3)¶
vol -f memory.dmp windows.info
Get system information (Vol 2)¶
vol2 -f memory.dmp --profile=Win7SP1x64 imageinfo
Check system uptime¶
vol -f memory.dmp windows.info|grep "System time"
Get kernel information¶
vol -f memory.dmp windows.info|grep "Kernel"
Check for hibernation file¶
vol -f memory.dmp windows.info|grep "hibernation" ```_
Prozessanalyse¶
Prozessliste und Analyse¶
```bash
List all processes (Vol 3)¶
vol -f memory.dmp windows.pslist
List processes with parent-child relationships¶
vol -f memory.dmp windows.pstree
Show process command lines¶
vol -f memory.dmp windows.cmdline
List processes with detailed information¶
vol -f memory.dmp windows.pslist --pid 1234
Find hidden processes¶
vol -f memory.dmp windows.psxview
Scan for process objects¶
vol -f memory.dmp windows.psscan ```_
Prozessspeicheranalyse¶
```bash
Dump process memory¶
vol -f memory.dmp windows.memmap --pid 1234 --dump
Extract process executable¶
vol -f memory.dmp windows.procdump --pid 1234
Analyze process handles¶
vol -f memory.dmp windows.handles --pid 1234
Check process privileges¶
vol -f memory.dmp windows.privileges --pid 1234
Examine process environment variables¶
vol -f memory.dmp windows.envars --pid 1234
Analyze process VAD (Virtual Address Descriptor)¶
vol -f memory.dmp windows.vadinfo --pid 1234 ```_
Malware-Detektion¶
```bash
Detect code injection¶
vol -f memory.dmp windows.malfind
Scan for YARA rules¶
vol -f memory.dmp yarascan --yara-rules malware_rules.yar
Check for API hooks¶
vol -f memory.dmp windows.apihooks
Detect rootkits¶
vol -f memory.dmp windows.ssdt
Find suspicious processes¶
vol -f memory.dmp windows.psxview|grep False
Check for process hollowing¶
vol -f memory.dmp windows.hollowfind ```_
Netzwerkanalyse¶
Netzwerkverbindungen¶
```bash
List network connections (Vol 3)¶
vol -f memory.dmp windows.netstat
List network connections (Vol 2)¶
vol2 -f memory.dmp --profile=Win7SP1x64 netscan
Show listening sockets¶
vol -f memory.dmp windows.netstat|grep LISTEN
Find connections by process¶
vol -f memory.dmp windows.netstat --pid 1234
Analyze network artifacts¶
vol -f memory.dmp windows.netscan
Extract network configuration¶
vol -f memory.dmp windows.netstat -v ```_
DNS und Netzwerk-Artefakte¶
```bash
Extract DNS cache (Vol 2)¶
vol2 -f memory.dmp --profile=Win7SP1x64 dnscache
Find network-related strings¶
| | vol -f memory.dmp windows.strings | grep -E "(http | ftp | smtp | dns)" | |
Analyze browser artifacts¶
vol -f memory.dmp windows.iehistory
Extract network configuration¶
vol -f memory.dmp windows.netstat --verbose ```_
Dateisystemanalyse¶
Datei- und Verzeichnisanalyse¶
```bash
List files (Vol 3)¶
vol -f memory.dmp windows.filescan
List files (Vol 2)¶
vol2 -f memory.dmp --profile=Win7SP1x64 filescan
Dump specific files¶
vol -f memory.dmp windows.dumpfiles --virtaddr 0x12345678
Find files by name¶
vol -f memory.dmp windows.filescan|grep "malware.exe"
Extract MFT records¶
vol -f memory.dmp windows.mftscan
Analyze file handles¶
vol -f memory.dmp windows.handles --object-type File ```_
Systemanalyse¶
```bash
List registry hives¶
vol -f memory.dmp windows.registry.hivelist
Print registry keys¶
vol -f memory.dmp windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
Dump registry hive¶
vol -f memory.dmp windows.registry.hivescan --dump
Extract user assist data¶
vol -f memory.dmp windows.registry.userassist
Analyze registry artifacts¶
vol -f memory.dmp windows.registry.printkey --key "SYSTEM\CurrentControlSet\Services"
Find registry keys by pattern¶
vol -f memory.dmp windows.registry.printkey --key "Software" --recurse|grep -i malware ```_
Erweiterte Analyse¶
Speicher Strings Analyse¶
```bash
Extract ASCII strings¶
vol -f memory.dmp windows.strings
Extract Unicode strings¶
vol -f memory.dmp windows.strings --strings-file strings.txt
Search for specific patterns¶
vol -f memory.dmp windows.strings|grep -i "password"
Extract strings from specific process¶
vol -f memory.dmp windows.strings --pid 1234
Find URLs and domains¶
| | vol -f memory.dmp windows.strings | grep -E "(http | https | ftp)://[^\s]+" | |
Search for email addresses¶
vol -f memory.dmp windows.strings|grep -E "[a-zA-Z0-9.%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]\\{2,\\}" ```
Kryptographische Analyse¶
```bash
Find encryption keys¶
vol -f memory.dmp windows.truecryptpassphrase
Extract cached credentials¶
vol -f memory.dmp windows.cachedump
Find LSA secrets¶
vol -f memory.dmp windows.lsadump
Extract password hashes¶
vol -f memory.dmp windows.hashdump
Find BitLocker keys¶
vol -f memory.dmp windows.bitlocker
Analyze cryptographic artifacts¶
vol -f memory.dmp yarascan --yara-rules crypto_rules.yar ```_
Zeitanalyse¶
```bash
Create timeline (Vol 2)¶
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=body --output-file=timeline.body
Convert to CSV format¶
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=csv --output-file=timeline.csv
Analyze specific time range¶
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=body|grep "2023-12-01"
Create Mactime timeline¶
mactime -b timeline.body -d > timeline.txt
Filter timeline by activity type¶
grep "m.c" timeline.body > modified_files.txt ```_
Automatisierungsskripte¶
Umfassende Speicheranalyse¶
```bash
!/bin/bash¶
Comprehensive memory analysis using Volatility¶
MEMORY_DUMP="\(1" OUTPUT_DIR="volatility_analysis_\)(date +%Y%m%d_%H%M%S)" VOLATILITY_CMD="vol"
if [ -z "$MEMORY_DUMP" ]; then
echo "Usage: $0
if [ ! -f "$MEMORY_DUMP" ]; then echo "Error: Memory dump file not found: $MEMORY_DUMP" exit 1 fi
mkdir -p "$OUTPUT_DIR"
Function to run Volatility command with error handling¶
run_vol_cmd() \\{ local plugin="\(1" local output_file="\)2" local additional_args="$3"
echo "[+] Running $plugin analysis..."
if [ -n "$additional_args" ]; then
$VOLATILITY_CMD -f "$MEMORY_DUMP" $plugin $additional_args > "$OUTPUT_DIR/$output_file" 2>&1
else
$VOLATILITY_CMD -f "$MEMORY_DUMP" $plugin > "$OUTPUT_DIR/$output_file" 2>&1
fi
if [ $? -eq 0 ]; then
echo " [+] $plugin analysis completed: $output_file"
return 0
else
echo " [-] $plugin analysis failed"
return 1
fi
\\}
Function to analyze system information¶
analyze_system_info() \\{ echo "[+] Analyzing system information"
run_vol_cmd "windows.info" "system_info.txt"
# Extract key system information
if [ -f "$OUTPUT_DIR/system_info.txt" ]; then
| | grep -E "(Kernel | System time | NTBuildLab)" "\(OUTPUT_DIR/system_info.txt" > "\)OUTPUT_DIR/system_summary.txt" | | fi \\}
Function to analyze processes¶
analyze_processes() \\{ echo "[+] Analyzing processes"
run_vol_cmd "windows.pslist" "process_list.txt"
run_vol_cmd "windows.pstree" "process_tree.txt"
run_vol_cmd "windows.cmdline" "command_lines.txt"
run_vol_cmd "windows.psxview" "hidden_processes.txt"
run_vol_cmd "windows.malfind" "malicious_code.txt"
# Extract suspicious processes
if [ -f "$OUTPUT_DIR/process_list.txt" ]; then
# Find processes with suspicious names
| | grep -iE "(cmd | powershell | wscript | cscript | rundll32 | regsvr32)" "\(OUTPUT_DIR/process_list.txt" > "\)OUTPUT_DIR/suspicious_processes.txt" | |
# Find processes with no parent
awk '$3 == 0 && NR > 1 \\\\{print\\\\}' "$OUTPUT_DIR/process_list.txt" > "$OUTPUT_DIR/orphan_processes.txt"
fi
\\}
Function to analyze network activity¶
analyze_network() \\{ echo "[+] Analyzing network activity"
run_vol_cmd "windows.netstat" "network_connections.txt"
# Extract external connections
if [ -f "$OUTPUT_DIR/network_connections.txt" ]; then
| | grep -vE "(127.0.0.1 | 0.0.0.0 | ::1)" "\(OUTPUT_DIR/network_connections.txt" > "\)OUTPUT_DIR/external_connections.txt" | |
# Extract unique remote IPs
| | awk '\\{print \(3\\\\}' "\)OUTPUT_DIR/external_connections.txt" | cut -d: -f1 | sort -u > "$OUTPUT_DIR/remote_ips.txt" | | fi \\}
Function to analyze files¶
analyze_files() \\{ echo "[+] Analyzing files"
run_vol_cmd "windows.filescan" "file_list.txt"
# Find executable files
if [ -f "$OUTPUT_DIR/file_list.txt" ]; then
| | grep -iE ".(exe | dll | sys | bat | cmd | ps1 | vbs | js)\(" "\)OUTPUT_DIR/file_list.txt" > "$OUTPUT_DIR/executable_files.txt" | |
# Find files in temp directories
| | grep -iE "(temp | tmp | appdata)" "\(OUTPUT_DIR/file_list.txt" > "\)OUTPUT_DIR/temp_files.txt" | | fi \\}
Function to analyze registry¶
analyze_registry() \\{ echo "[+] Analyzing registry"
run_vol_cmd "windows.registry.hivelist" "registry_hives.txt"
# Analyze common autostart locations
local autostart_keys=(
"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce"
)
for key in "$\\\\{autostart_keys[@]\\\\}"; do
local safe_key=$(echo "$key"|tr '\\' '_')
run_vol_cmd "windows.registry.printkey" "registry_$\\\\{safe_key\\\\}.txt" "--key \"$key\""
done
\\}
Function to extract strings¶
extract_strings() \\{ echo "[+] Extracting strings"
run_vol_cmd "windows.strings" "all_strings.txt"
if [ -f "$OUTPUT_DIR/all_strings.txt" ]; then
# Extract URLs
| | grep -oE "(http | https | ftp)://[^\s]+" "\(OUTPUT_DIR/all_strings.txt" | sort -u > "\)OUTPUT_DIR/urls.txt" | |
# Extract email addresses
grep -oE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\\{2,\\\\}" "$OUTPUT_DIR/all_strings.txt"|sort -u > "$OUTPUT_DIR/email_addresses.txt"
# Extract IP addresses
grep -oE "([0-9]\\\\{1,3\\\\}\.)\\\\{3\\\\}[0-9]\\\\{1,3\\\\}" "$OUTPUT_DIR/all_strings.txt"|sort -u > "$OUTPUT_DIR/ip_addresses.txt"
# Extract potential passwords
| | grep -iE "(password | passwd | pwd | pass)" "\(OUTPUT_DIR/all_strings.txt" > "\)OUTPUT_DIR/potential_passwords.txt" | | fi \\}
Function to perform YARA scanning¶
yara_scan() \\{ echo "[+] Performing YARA scanning"
# Create basic malware detection rules
cat > "$OUTPUT_DIR/basic_malware.yar" << 'EOF'
rule Suspicious_Strings \\{ strings: $s1 = "cmd.exe" nocase $s2 = "powershell" nocase $s3 = "rundll32" nocase $s4 = "regsvr32" nocase $s5 = "wscript" nocase $s6 = "cscript" nocase condition: any of them \\}
rule Network_Indicators \\{ strings: $n1 = "http://" nocase $n2 = "https://" nocase $n3 = "ftp://" nocase $n4 = "tcp://" nocase condition: any of them \\}
rule Crypto_Indicators \\{ strings: $c1 = "AES" nocase $c2 = "RSA" nocase $c3 = "encrypt" nocase $c4 = "decrypt" nocase $c5 = "cipher" nocase condition: any of them \\} EOF
run_vol_cmd "yarascan" "yara_scan_results.txt" "--yara-rules $OUTPUT_DIR/basic_malware.yar"
\\}
Function to generate analysis report¶
generate_report() \\{ echo "[+] Generating analysis report"
local report_file="$OUTPUT_DIR/analysis_report.html"
cat > "$report_file" << EOF
Volatility Memory Analysis Report
Memory Dump: $(basename "$MEMORY_DUMP")
Analysis Date: $(date)
Output Directory: $OUTPUT_DIR
System Information
$(cat "$OUTPUT_DIR/system_summary.txt")
⚠️ Suspicious Processes
$(cat "$OUTPUT_DIR/suspicious_processes.txt")
External Network Connections
$(head -20 "$OUTPUT_DIR/external_connections.txt")
URLs Found
$(head -20 "$OUTPUT_DIR/urls.txt")
Analysis Summary
| Category | Count | File |
|---|---|---|
| Total Processes | $(wc -l < "$OUTPUT_DIR/process_list.txt" 2>/dev/null | | echo 0) | process_list.txt |
| Suspicious Processes | $(wc -l < "$OUTPUT_DIR/suspicious_processes.txt" 2>/dev/null | | echo 0) | suspicious_processes.txt |
| Network Connections | $(wc -l < "$OUTPUT_DIR/network_connections.txt" 2>/dev/null | | echo 0) | network_connections.txt |
| External Connections | $(wc -l < "$OUTPUT_DIR/external_connections.txt" 2>/dev/null | | echo 0) | external_connections.txt |
| Files Found | $(wc -l < "$OUTPUT_DIR/file_list.txt" 2>/dev/null | | echo 0) | file_list.txt |
| URLs Found | $(wc -l < "$OUTPUT_DIR/urls.txt" 2>/dev/null | | echo 0) | urls.txt |
| Email Addresses | $(wc -l < "$OUTPUT_DIR/email_addresses.txt" 2>/dev/null | | echo 0) | email_addresses.txt |
Generated Files
-
$(ls -1 "$OUTPUT_DIR"/*.txt "$OUTPUT_DIR"/*.yar 2>/dev/null|while read file; do echo "
- $(basename "$file") "; done)
EOF
echo " [+] Analysis report generated: $report_file"
\\}
Function to create investigation summary¶
create_summary() \\{ echo "[+] Creating investigation summary"
local summary_file="$OUTPUT_DIR/investigation_summary.txt"
cat > "$summary_file" << EOF
Volatility Memory Analysis Summary¶
Memory Dump: \((basename "\)MEMORY_DUMP") Analysis Date: $(date) Output Directory: $OUTPUT_DIR
Key Findings:¶
System Information: | | \((cat "\)OUTPUT_DIR/system_summary.txt" 2>/dev/null | | echo "Not available") | |
Process Analysis: | | - Total processes: \((wc -l < "\)OUTPUT_DIR/process_list.txt" 2>/dev/null | | echo 0) | | | | - Suspicious processes: \((wc -l < "\)OUTPUT_DIR/suspicious_processes.txt" 2>/dev/null | | echo 0) | | | | - Orphan processes: \((wc -l < "\)OUTPUT_DIR/orphan_processes.txt" 2>/dev/null | | echo 0) | |
Network Analysis: | | - Total connections: \((wc -l < "\)OUTPUT_DIR/network_connections.txt" 2>/dev/null | | echo 0) | | | | - External connections: \((wc -l < "\)OUTPUT_DIR/external_connections.txt" 2>/dev/null | | echo 0) | | | | - Unique remote IPs: \((wc -l < "\)OUTPUT_DIR/remote_ips.txt" 2>/dev/null | | echo 0) | |
File Analysis: | | - Total files: \((wc -l < "\)OUTPUT_DIR/file_list.txt" 2>/dev/null | | echo 0) | | | | - Executable files: \((wc -l < "\)OUTPUT_DIR/executable_files.txt" 2>/dev/null | | echo 0) | | | | - Temp files: \((wc -l < "\)OUTPUT_DIR/temp_files.txt" 2>/dev/null | | echo 0) | |
String Analysis: | | - URLs found: \((wc -l < "\)OUTPUT_DIR/urls.txt" 2>/dev/null | | echo 0) | | | | - Email addresses: \((wc -l < "\)OUTPUT_DIR/email_addresses.txt" 2>/dev/null | | echo 0) | | | | - IP addresses: \((wc -l < "\)OUTPUT_DIR/ip_addresses.txt" 2>/dev/null | | echo 0) | |
Recommendations:¶
- Review suspicious processes for malicious activity
- Investigate external network connections
- Analyze files in temporary directories
- Check autostart registry entries
- Correlate findings with system logs and network traffic
Next Steps:¶
- Extract and analyze suspicious executables
- Perform deeper malware analysis if needed
- Check for persistence mechanisms
- Validate findings with additional tools
- Document findings for incident response
Files Generated:¶
| | \((ls -1 "\)OUTPUT_DIR" | grep -v ".html$" | sed 's/^/- /') | | EOF
echo " [+] Investigation summary created: $summary_file"
\\}
Main execution¶
echo "[+] Starting comprehensive memory analysis" echo "[+] Memory dump: $MEMORY_DUMP" echo "[+] Output directory: $OUTPUT_DIR"
Check if Volatility is available¶
if ! command -v $VOLATILITY_CMD &> /dev/null; then echo "[-] Volatility not found. Please install Volatility 3." exit 1 fi
Perform analysis¶
analyze_system_info analyze_processes analyze_network analyze_files analyze_registry extract_strings yara_scan
Generate reports¶
generate_report create_summary
echo "[+] Comprehensive memory analysis completed" echo "[+] Results saved in: $OUTPUT_DIR" echo "[+] Open $OUTPUT_DIR/analysis_report.html for detailed report" echo "[+] Review $OUTPUT_DIR/investigation_summary.txt for key findings" ```_
Automatisierung der Analyse¶
```bash
!/bin/bash¶
Automated malware analysis using Volatility¶
MEMORY_DUMP="\(1" MALWARE_DIR="malware_analysis_\)(date +%Y%m%d_%H%M%S)" YARA_RULES_DIR="/opt/yara-rules"
if [ -z "$MEMORY_DUMP" ]; then
echo "Usage: $0
mkdir -p "$MALWARE_DIR"
Function to detect process injection¶
detect_injection() \\{ echo "[+] Detecting process injection"
vol -f "$MEMORY_DUMP" windows.malfind > "$MALWARE_DIR/malfind_results.txt"
# Extract injected code
if [ -s "$MALWARE_DIR/malfind_results.txt" ]; then
echo " [+] Potential code injection detected"
# Extract unique PIDs with injected code
awk '/Process:/ \\\\{print $2\\\\}' "$MALWARE_DIR/malfind_results.txt"|sort -u > "$MALWARE_DIR/injected_pids.txt"
# Dump memory for each injected process
while read pid; do
echo " [+] Dumping memory for PID $pid"
vol -f "$MEMORY_DUMP" windows.memmap --pid "$pid" --dump --output-dir "$MALWARE_DIR/dumps/"
done < "$MALWARE_DIR/injected_pids.txt"
fi
\\}
Function to analyze suspicious processes¶
analyze_suspicious_processes() \\{ echo "[+] Analyzing suspicious processes"
# Get process list
vol -f "$MEMORY_DUMP" windows.pslist > "$MALWARE_DIR/process_list.txt"
# Find processes with suspicious characteristics
cat > "$MALWARE_DIR/suspicious_patterns.txt" << 'EOF'
Suspicious process patterns¶
cmd.exe powershell.exe wscript.exe cscript.exe rundll32.exe regsvr32.exe mshta.exe bitsadmin.exe certutil.exe schtasks.exe EOF
# Search for suspicious processes
while read pattern; do
if [[ ! "$pattern" =~ ^# ]]; then
grep -i "$pattern" "$MALWARE_DIR/process_list.txt" >> "$MALWARE_DIR/suspicious_processes.txt"
fi
done < "$MALWARE_DIR/suspicious_patterns.txt"
# Analyze command lines for suspicious processes
if [ -s "$MALWARE_DIR/suspicious_processes.txt" ]; then
echo " [+] Found suspicious processes, analyzing command lines"
awk '\\\\{print $2\\\\}' "$MALWARE_DIR/suspicious_processes.txt"|while read pid; do
vol -f "$MEMORY_DUMP" windows.cmdline --pid "$pid" >> "$MALWARE_DIR/suspicious_cmdlines.txt"
done
fi
\\}
Function to extract and analyze executables¶
extract_executables() \\{ echo "[+] Extracting suspicious executables"
# Get file list
vol -f "$MEMORY_DUMP" windows.filescan > "$MALWARE_DIR/file_list.txt"
# Find executable files in suspicious locations
| | grep -iE "(temp | tmp | appdata | programdata).*.(exe | dll | sys)\(" "\)MALWARE_DIR/file_list.txt" > "$MALWARE_DIR/suspicious_files.txt" | |
# Extract suspicious files
if [ -s "$MALWARE_DIR/suspicious_files.txt" ]; then
echo " [+] Extracting suspicious files"
mkdir -p "$MALWARE_DIR/extracted_files"
while read line; do
local offset=$(echo "$line"|awk '\\\\{print $1\\\\}')
| | local filename=\((echo "\)line" | awk '\\{print $NF\\}' | tr '\' '_') | |
vol -f "$MEMORY_DUMP" windows.dumpfiles --virtaddr "$offset" --output-dir "$MALWARE_DIR/extracted_files/"
done < "$MALWARE_DIR/suspicious_files.txt"
fi
\\}
Function to perform YARA scanning¶
perform_yara_scan() \\{ echo "[+] Performing YARA scanning"
# Create comprehensive malware detection rules
cat > "$MALWARE_DIR/malware_detection.yar" << 'EOF'
rule Suspicious_API_Calls \\{ strings: $api1 = "VirtualAlloc" nocase $api2 = "VirtualProtect" nocase $api3 = "CreateRemoteThread" nocase $api4 = "WriteProcessMemory" nocase $api5 = "ReadProcessMemory" nocase $api6 = "SetWindowsHookEx" nocase $api7 = "GetProcAddress" nocase $api8 = "LoadLibrary" nocase condition: 3 of them \\}
rule Network_Communication \\{ strings: $net1 = "WinINet" nocase $net2 = "URLDownloadToFile" nocase $net3 = "InternetOpen" nocase $net4 = "InternetConnect" nocase $net5 = "HttpOpenRequest" nocase $net6 = "send" nocase $net7 = "recv" nocase $net8 = "WSAStartup" nocase condition: 2 of them \\}
rule Persistence_Mechanisms \\{ strings: $reg1 = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" nocase $reg2 = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" nocase $svc1 = "CreateService" nocase $svc2 = "StartService" nocase $task1 = "schtasks" nocase $task2 = "at.exe" nocase condition: any of them \\}
rule Evasion_Techniques \\{ strings: $eva1 = "IsDebuggerPresent" nocase $eva2 = "CheckRemoteDebuggerPresent" nocase $eva3 = "OutputDebugString" nocase $eva4 = "GetTickCount" nocase $eva5 = "Sleep" nocase $eva6 = "VirtualQuery" nocase condition: 2 of them \\}
rule Encryption_Indicators \\{ strings: $cry1 = "CryptAcquireContext" nocase $cry2 = "CryptCreateHash" nocase $cry3 = "CryptEncrypt" nocase $cry4 = "CryptDecrypt" nocase $cry5 = "CryptGenKey" nocase $cry6 = "AES" nocase $cry7 = "RSA" nocase $cry8 = "MD5" nocase $cry9 = "SHA" nocase condition: 2 of them \\} EOF
# Perform YARA scan
vol -f "$MEMORY_DUMP" yarascan --yara-rules "$MALWARE_DIR/malware_detection.yar" > "$MALWARE_DIR/yara_results.txt"
# Use external YARA rules if available
if [ -d "$YARA_RULES_DIR" ]; then
echo " [+] Scanning with external YARA rules"
find "$YARA_RULES_DIR" -name "*.yar" -o -name "*.yara"|while read rule_file; do
local rule_name=$(basename "$rule_file" .yar)
vol -f "$MEMORY_DUMP" yarascan --yara-rules "$rule_file" > "$MALWARE_DIR/yara_$\\\\{rule_name\\\\}.txt"
done
fi
\\}
Function to analyze network artifacts¶
analyze_network_artifacts() \\{ echo "[+] Analyzing network artifacts"
# Get network connections
vol -f "$MEMORY_DUMP" windows.netstat > "$MALWARE_DIR/network_connections.txt"
# Extract external IPs
| | grep -vE "(127.0.0.1 | 0.0.0.0 | ::1 | 192.168. | 10. | 172.1[6-9]. | 172.2[0-9]. | 172.3[0-1].)" "\(MALWARE_DIR/network_connections.txt" > "\)MALWARE_DIR/external_connections.txt" | |
# Extract unique remote IPs
| | awk '\\{print \(3\\\\}' "\)MALWARE_DIR/external_connections.txt" | cut -d: -f1 | sort -u > "$MALWARE_DIR/remote_ips.txt" | |
# Analyze remote IPs
if [ -s "$MALWARE_DIR/remote_ips.txt" ]; then
echo " [+] Analyzing remote IP addresses"
while read ip; do
echo "Analyzing IP: $ip" >> "$MALWARE_DIR/ip_analysis.txt"
# Perform reverse DNS lookup
local hostname=$(dig +short -x "$ip" 2>/dev/null|head -1)
echo " Hostname: $\\\\{hostname:-No PTR record\\\\}" >> "$MALWARE_DIR/ip_analysis.txt"
# Check if IP is in known malicious ranges (basic check)
| | if [[ "\(ip" =~ ^(185\.159\. | 91\.121\. | 5\.196\.) ]]; then | | echo " WARNING: IP in potentially suspicious range" >> "\)MALWARE_DIR/ip_analysis.txt" fi
echo "---" >> "$MALWARE_DIR/ip_analysis.txt"
done < "$MALWARE_DIR/remote_ips.txt"
fi
\\}
Function to check for rootkit indicators¶
check_rootkit_indicators() \\{ echo "[+] Checking for rootkit indicators"
# Check SSDT hooks
| | vol -f "\(MEMORY_DUMP" windows.ssdt > "\)MALWARE_DIR/ssdt_hooks.txt" 2>/dev/null | | echo "SSDT analysis not available" | |
# Check for hidden processes
vol -f "$MEMORY_DUMP" windows.psxview > "$MALWARE_DIR/hidden_processes.txt"
# Find processes that are hidden from certain detection methods
grep "False" "$MALWARE_DIR/hidden_processes.txt" > "$MALWARE_DIR/potentially_hidden.txt"
# Check for API hooks
| | vol -f "\(MEMORY_DUMP" windows.apihooks > "\)MALWARE_DIR/api_hooks.txt" 2>/dev/null | | echo "API hooks analysis not available" | | \\}
Function to generate malware analysis report¶
generate_malware_report() \\{ echo "[+] Generating malware analysis report"
local report_file="$MALWARE_DIR/malware_analysis_report.html"
cat > "$report_file" << EOF
🔍 Malware Analysis Report
Memory Dump: $(basename "$MEMORY_DUMP")
Analysis Date: $(date)
Analyst: Volatility Automated Analysis
📋 Executive Summary
| Indicator | Count | Risk Level |
|---|---|---|
| Suspicious Processes | $(wc -l < "$MALWARE_DIR/suspicious_processes.txt" 2>/dev/null | | echo 0) | $([ $(wc -l < "$MALWARE_DIR/suspicious_processes.txt" 2>/dev/null | | echo 0) -gt 0 ] && echo "High" | | echo "Low") |
| Code Injection Detected | $(grep -c "Process:" "$MALWARE_DIR/malfind_results.txt" 2>/dev/null | | echo 0) | $([ $(grep -c "Process:" "$MALWARE_DIR/malfind_results.txt" 2>/dev/null | | echo 0) -gt 0 ] && echo "Critical" | | echo "Low") |
| External Connections | $(wc -l < "$MALWARE_DIR/external_connections.txt" 2>/dev/null | | echo 0) | $([ $(wc -l < "$MALWARE_DIR/external_connections.txt" 2>/dev/null | | echo 0) -gt 5 ] && echo "Medium" | | echo "Low") |
| Hidden Processes | $(wc -l < "$MALWARE_DIR/potentially_hidden.txt" 2>/dev/null | | echo 0) | $([ $(wc -l < "$MALWARE_DIR/potentially_hidden.txt" 2>/dev/null | | echo 0) -gt 0 ] && echo "High" | | echo "Low") |
🚨 Code Injection Detected
Potential code injection has been detected in the following processes:
$(head -50 "$MALWARE_DIR/malfind_results.txt")
⚠️ Suspicious Processes
$(cat "$MALWARE_DIR/suspicious_processes.txt")
🌐 External Network Connections
$(head -20 "$MALWARE_DIR/external_connections.txt")
🔍 YARA Detection Results
$(cat "$MALWARE_DIR/yara_results.txt")
📝 Recommendations
- Immediate Actions:
- Isolate affected systems from the network
- Preserve memory dumps and disk images for further analysis
- Check for lateral movement indicators
- Investigation:
- Analyze extracted executables with static analysis tools
- Correlate network connections with firewall logs
- Check for persistence mechanisms in registry and file system
- Remediation:
- Remove identified malicious processes and files
- Update antivirus signatures and endpoint protection
- Implement network monitoring for identified IOCs
📁 Generated Files
-
| | $(ls -1 "$MALWARE_DIR" | grep -v "\.html$" | while read file; do echo "
- $file "; done) | |
EOF
echo " [+] Malware analysis report generated: $report_file"
\\}
Main execution¶
echo "[+] Starting automated malware analysis" echo "[+] Memory dump: $MEMORY_DUMP" echo "[+] Output directory: $MALWARE_DIR"
Perform malware analysis¶
detect_injection analyze_suspicious_processes extract_executables perform_yara_scan analyze_network_artifacts check_rootkit_indicators
Generate report¶
generate_malware_report
echo "[+] Automated malware analysis completed" echo "[+] Results saved in: $MALWARE_DIR" echo "[+] Open $MALWARE_DIR/malware_analysis_report.html for detailed findings"
Display summary¶
echo "" echo "=== ANALYSIS SUMMARY ===" | | echo "Suspicious processes: \((wc -l < "\)MALWARE_DIR/suspicious_processes.txt" 2>/dev/null | | echo 0)" | | | | echo "Code injection detected: \((grep -c "Process:" "\)MALWARE_DIR/malfind_results.txt" 2>/dev/null | | echo 0)" | | | | echo "External connections: \((wc -l < "\)MALWARE_DIR/external_connections.txt" 2>/dev/null | | echo 0)" | | | | echo "Hidden processes: \((wc -l < "\)MALWARE_DIR/potentially_hidden.txt" 2>/dev/null | | echo 0)" | | echo "========================" ```_
Zeitanalyse¶
```bash
!/bin/bash¶
Timeline analysis using Volatility¶
MEMORY_DUMP="\(1" TIMELINE_DIR="timeline_analysis_\)(date +%Y%m%d_%H%M%S)"
if [ -z "$MEMORY_DUMP" ]; then
echo "Usage: $0
mkdir -p "$TIMELINE_DIR"
Function to create comprehensive timeline¶
create_timeline() \\{ echo "[+] Creating comprehensive timeline"
# Note: Timeline functionality varies between Volatility versions
# This example shows both Vol2 and Vol3 approaches
# For Volatility 2 (if available)
if command -v vol2 &> /dev/null; then
echo " [+] Creating timeline with Volatility 2"
# Determine profile first
| | local profile=\((vol2 -f "\)MEMORY_DUMP" imageinfo | grep "Suggested Profile" | head -1 | awk '\\{print $4\\}' | tr -d ',') | |
if [ -n "$profile" ]; then
# Create body file
vol2 -f "$MEMORY_DUMP" --profile="$profile" timeliner --output=body --output-file="$TIMELINE_DIR/timeline.body"
# Convert to readable format
if [ -f "$TIMELINE_DIR/timeline.body" ]; then
mactime -b "$TIMELINE_DIR/timeline.body" -d > "$TIMELINE_DIR/timeline_readable.txt"
fi
fi
fi
# Alternative approach: Extract timestamps from various sources
echo " [+] Extracting timestamps from various sources"
# Process creation times
vol -f "$MEMORY_DUMP" windows.pslist > "$TIMELINE_DIR/process_times.txt"
# File modification times
vol -f "$MEMORY_DUMP" windows.filescan > "$TIMELINE_DIR/file_times.txt"
# Registry timestamps (if available)
vol -f "$MEMORY_DUMP" windows.registry.hivelist > "$TIMELINE_DIR/registry_times.txt"
\\}
Function to analyze process timeline¶
analyze_process_timeline() \\{ echo "[+] Analyzing process timeline"
# Extract process creation times and sort chronologically
awk 'NR>1 \\\\{print $6, $7, $2, $3, $4\\\\}' "$TIMELINE_DIR/process_times.txt"|sort > "$TIMELINE_DIR/process_chronology.txt"
# Find processes created in quick succession (potential malware)
cat > "$TIMELINE_DIR/rapid_process_creation.py" << 'EOF'
!/usr/bin/env python3¶
import sys from datetime import datetime
def parse_timestamp(ts_str): try: return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S") except: return None
def analyze_rapid_creation(filename): processes = []
with open(filename, 'r') as f:
for line in f:
parts = line.strip().split()
if len(parts) >= 5:
date_str = parts[0]
time_str = parts[1]
pid = parts[2]
ppid = parts[3]
name = parts[4]
timestamp = parse_timestamp(f"\\\\{date_str\\\\} \\\\{time_str\\\\}")
if timestamp:
processes.append((timestamp, pid, ppid, name))
# Sort by timestamp
processes.sort(key=lambda x: x[0])
# Find rapid succession (within 10 seconds)
rapid_groups = []
current_group = []
for i, (ts, pid, ppid, name) in enumerate(processes):
if not current_group:
current_group = [(ts, pid, ppid, name)]
else:
time_diff = (ts - current_group[-1][0]).total_seconds()
if time_diff <= 10:
current_group.append((ts, pid, ppid, name))
else:
if len(current_group) >= 3:
rapid_groups.append(current_group)
current_group = [(ts, pid, ppid, name)]
# Check last group
if len(current_group) >= 3:
rapid_groups.append(current_group)
return rapid_groups
if name == "main":
if len(sys.argv) != 2:
print("Usage: python3 rapid_process_creation.py
rapid_groups = analyze_rapid_creation(sys.argv[1])
if rapid_groups:
print("Rapid Process Creation Detected:")
print("=" * 50)
for i, group in enumerate(rapid_groups):
print(f"\nGroup \\\\{i+1\\\\} (\\\\{len(group)\\\\} processes):")
for ts, pid, ppid, name in group:
print(f" \\\\{ts\\\\} - PID:\\\\{pid\\\\} PPID:\\\\{ppid\\\\} \\\\{name\\\\}")
else:
print("No rapid process creation patterns detected.")
EOF
python3 "$TIMELINE_DIR/rapid_process_creation.py" "$TIMELINE_DIR/process_chronology.txt" > "$TIMELINE_DIR/rapid_creation_analysis.txt"
\\}
Function to create visual timeline¶
create_visual_timeline() \\{ echo "[+] Creating visual timeline"
cat > "$TIMELINE_DIR/create_timeline_chart.py" << 'EOF'
!/usr/bin/env python3¶
import matplotlib.pyplot as plt import matplotlib.dates as mdates from datetime import datetime import sys
def create_timeline_chart(process_file, output_file): timestamps = [] processes = []
try:
with open(process_file, 'r') as f:
for line in f:
parts = line.strip().split()
if len(parts) >= 5:
try:
date_str = parts[0]
time_str = parts[1]
name = parts[4]
timestamp = datetime.strptime(f"\\\\{date_str\\\\} \\\\{time_str\\\\}", "%Y-%m-%d %H:%M:%S")
timestamps.append(timestamp)
processes.append(name)
except:
continue
if not timestamps:
print("No valid timestamps found")
return
# Create timeline chart
fig, ax = plt.subplots(figsize=(15, 8))
# Plot process creation events
y_positions = range(len(timestamps))
ax.scatter(timestamps, y_positions, alpha=0.6, s=50)
# Format x-axis
ax.xaxis.set_major_formatter(mdates.DateFormatter('%H:%M:%S'))
ax.xaxis.set_major_locator(mdates.HourLocator(interval=1))
plt.xticks(rotation=45)
# Add labels
ax.set_xlabel('Time')
ax.set_ylabel('Process Creation Events')
ax.set_title('Process Creation Timeline')
# Add grid
ax.grid(True, alpha=0.3)
plt.tight_layout()
plt.savefig(output_file, dpi=300, bbox_inches='tight')
print(f"Timeline chart saved: \\\\{output_file\\\\}")
except Exception as e:
print(f"Error creating timeline chart: \\\\{e\\\\}")
if name == "main":
if len(sys.argv) != 3:
print("Usage: python3 create_timeline_chart.py
create_timeline_chart(sys.argv[1], sys.argv[2])
EOF
# Install matplotlib if not available
| | pip3 install matplotlib &>/dev/null | | echo "Warning: matplotlib not available for timeline visualization" | |
# Create timeline chart
| | python3 "\(TIMELINE_DIR/create_timeline_chart.py" "\)TIMELINE_DIR/process_chronology.txt" "$TIMELINE_DIR/process_timeline.png" 2>/dev/null | | echo "Timeline visualization skipped" | | \\}
Function to correlate events¶
correlate_events() \\{ echo "[+] Correlating timeline events"
cat > "$TIMELINE_DIR/event_correlation.txt" << EOF
Timeline Event Correlation Analysis¶
Analysis Date: $(date) Memory Dump: \((basename "\)MEMORY_DUMP")
Process Timeline Analysis: | | \((cat "\)TIMELINE_DIR/rapid_creation_analysis.txt" 2>/dev/null | | echo "No rapid creation patterns detected") | |
Key Observations:¶
EOF
# Analyze process parent-child relationships
echo "Process Parent-Child Relationships:" >> "$TIMELINE_DIR/event_correlation.txt"
vol -f "$MEMORY_DUMP" windows.pstree >> "$TIMELINE_DIR/event_correlation.txt"
# Look for suspicious timing patterns
echo "" >> "$TIMELINE_DIR/event_correlation.txt"
echo "Timing Pattern Analysis:" >> "$TIMELINE_DIR/event_correlation.txt"
# Find processes created at unusual times (e.g., outside business hours)
awk 'NR>1 \\\\{
split($7, time_parts, ":");
hour = time_parts[1];
| | if (hour < 6 | | hour > 22) \\{ | | print "Unusual time: " \(0; \\\\} \\\\}' "\)TIMELINE_DIR/process_times.txt" >> "$TIMELINE_DIR/event_correlation.txt" \\}
Function to generate timeline report¶
generate_timeline_report() \\{ echo "[+] Generating timeline analysis report"
local report_file="$TIMELINE_DIR/timeline_report.html"
cat > "$report_file" << EOF
⏰ Timeline Analysis Report
Memory Dump: $(basename "$MEMORY_DUMP")
Analysis Date: $(date)
Timeline Scope: Process creation and system events
📊 Process Creation Timeline
⚡ Rapid Process Creation Analysis
$(cat "$TIMELINE_DIR/rapid_creation_analysis.txt")
📋 Process Chronology
$(head -50 "$TIMELINE_DIR/process_chronology.txt" 2>/dev/null | | echo "Process chronology not available")| |
🔗 Event Correlation Analysis
$(cat "$TIMELINE_DIR/event_correlation.txt")
📈 Timeline Statistics
| Metric | Value |
|---|---|
| Total Processes Analyzed | $(wc -l < "$TIMELINE_DIR/process_times.txt" 2>/dev/null | | echo 0) |
| Chronological Events | $(wc -l < "$TIMELINE_DIR/process_chronology.txt" 2>/dev/null | | echo 0) |
| Timeline Span | $(head -1 "$TIMELINE_DIR/process_chronology.txt" 2>/dev/null | awk '\\\\{print $1, $2\\\\}') to $(tail -1 "$TIMELINE_DIR/process_chronology.txt" 2>/dev/null | awk '\\\\{print $1, $2\\\\}') |
📁 Generated Files
-
| | $(ls -1 "$TIMELINE_DIR" | grep -v "\.html$" | while read file; do echo "
- $file "; done) | |
🎯 Key Findings & Recommendations
- Process Creation Patterns: Review rapid process creation events for potential malware activity
- Timing Analysis: Investigate processes created during unusual hours
- Parent-Child Relationships: Analyze process trees for suspicious spawning patterns
- Correlation: Cross-reference timeline events with network logs and file system changes
EOF
echo " [+] Timeline analysis report generated: $report_file"
\\}
Main execution¶
echo "[+] Starting timeline analysis" echo "[+] Memory dump: $MEMORY_DUMP" echo "[+] Output directory: $TIMELINE_DIR"
Perform timeline analysis¶
create_timeline analyze_process_timeline create_visual_timeline correlate_events
Generate report¶
generate_timeline_report
echo "[+] Timeline analysis completed" echo "[+] Results saved in: $TIMELINE_DIR" echo "[+] Open $TIMELINE_DIR/timeline_report.html for detailed timeline analysis" ```_
Integration mit anderen Tools¶
Rekall Integration¶
```bash
Use Rekall for additional analysis¶
rekall -f memory.dmp pslist
Compare Volatility and Rekall results¶
vol -f memory.dmp windows.pslist > vol_pslist.txt rekall -f memory.dmp pslist > rekall_pslist.txt diff vol_pslist.txt rekall_pslist.txt ```_
YARA Integration¶
```bash
Create custom YARA rules¶
cat > custom_rules.yar << 'EOF' rule Suspicious_Process_Names \\{ strings: $s1 = "svchost.exe" nocase $s2 = "explorer.exe" nocase $s3 = "winlogon.exe" nocase condition: any of them \\} EOF
Scan memory with YARA rules¶
vol -f memory.dmp yarascan --yara-rules custom_rules.yar ```_
Bulk Extractor Integration¶
```bash
Extract strings and artifacts with bulk_extractor¶
bulk_extractor -o bulk_output memory.dmp
Compare with Volatility strings¶
vol -f memory.dmp windows.strings > vol_strings.txt diff vol_strings.txt bulk_output/telephone.txt ```_
Fehlerbehebung¶
Gemeinsame Themen¶
Probleme der Profilerkennung¶
```bash
Manual profile specification (Vol 2)¶
vol2 -f memory.dmp --profile=Win10x64_19041 pslist
List available profiles¶
vol2 --info|grep "Win"
Use kdbgscan for profile detection¶
vol2 -f memory.dmp kdbgscan ```_
Gedächtnis Korruption¶
```bash
Check for memory corruption¶
vol -f memory.dmp windows.info|grep -i corrupt
Use alternative scanning methods¶
vol -f memory.dmp windows.psscan vol -f memory.dmp windows.filescan ```_
Große Memory Dumps¶
```bash
Process large dumps efficiently¶
vol -f memory.dmp windows.pslist --output-file pslist.txt
Use specific address ranges¶
vol -f memory.dmp windows.vadinfo --pid 1234 --address 0x12345678 ```_
Plugin Fehler¶
```bash
Check plugin availability¶
vol --list-plugins
Get plugin help¶
vol windows.pslist -h
Debug plugin execution¶
vol -f memory.dmp windows.pslist -vv ```_
Leistungsoptimierung¶
```bash
Use output files to avoid re-processing¶
vol -f memory.dmp windows.pslist -o pslist.txt
Limit output for large datasets¶
vol -f memory.dmp windows.filescan|head -1000
Use specific PIDs for targeted analysis¶
vol -f memory.dmp windows.handles --pid 1234
Parallel processing for multiple dumps¶
for dump in *.dmp; do vol -f "\(dump" windows.pslist > "\)\\{dump%.dmp\\}pslist.txt" & done wait ```
Ressourcen¶
- [Volatilitätsstiftung](LINK_7__ -%20Volatilität%203%20Dokumentation
- [Volatility GitHub Repository](LINK_7 -%20Memory%20Forensics%20with%20Volatility
- [Digital Forensics Framework](LINK_7 -%20(YARA%20Rules%20Repository)(LINK_7_)
- Memory Analysis Techniques
--
*Dieses Betrugsblatt bietet einen umfassenden Bezug zur Verwendung von Volatility für die Analyse von Speicherforensiken. Stellen Sie immer eine ordnungsgemäße rechtliche Autorisierung vor der Analyse von Speicherdeponien und folgen Sie den forensischen Verfahren Ihrer Organisation und der Kette der Sorgeanforderungen. *