Hoja de Referencia de Volatility¶
Descripción General¶
Volatility es un framework avanzado de forense de memoria escrito en Python que proporciona una plataforma integral para extraer artefactos digitales de muestras de memoria volátil (RAM). Desarrollado por la Fundación Volatility, esta potente herramienta permite a investigadores forenses digitales, respondedores de incidentes y analistas de malware analizar volcados de memoria de sistemas Windows, Linux, macOS y Android. Volatility puede extraer una amplia gama de información incluyendo procesos en ejecución, conexiones de red, módulos cargados, datos de registro, archivos en caché, claves de cifrado y evidencia de actividad de malware. Su arquitectura basada en plugins la hace altamente extensible, permitiendo a los investigadores desarrollar módulos de análisis personalizados para necesidades de investigación específicas.
⚠️ Aviso Legal: Volatility solo debe usarse para análisis forense legítimo, respuesta a incidentes e investigación de seguridad autorizada. Asegúrese de tener la autoridad legal adecuada antes de analizar volcados de memoria y siga las políticas de manejo de datos y privacidad de su organización.
Instalación¶
Instalación de Volatility 3 (Recomendado)¶
# Install via pip (Python 3.6+)
pip3 install volatility3
# Install from GitHub (latest development version)
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt
python3 setup.py install
# Verify installation
vol -h
# Install additional dependencies
pip3 install yara-python pycryptodome capstone distorm3
Instalación de Volatility 2 (Legado)¶
# Install Volatility 2 (Python 2.7)
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python2 setup.py install
# Install dependencies
pip2 install distorm3 yara-python pycrypto openpyxl ujson
# Verify installation
python2 vol.py -h
# Create alias for easier usage
echo 'alias vol2="python2 /path/to/volatility/vol.py"' >> ~/.bashrc
Instalación con Docker¶
# Pull Volatility Docker image
docker pull phocean/volatility
# Run Volatility in Docker
docker run --rm -v $(pwd):/dumps phocean/volatility -f /dumps/memory.dmp imageinfo
# Create alias for Docker usage
echo 'alias vol="docker run --rm -v $(pwd):/dumps phocean/volatility"' >> ~/.bashrc
source ~/.bashrc
# Run with specific memory dump
vol -f memory.dmp --profile=Win7SP1x64 pslist
Instalación en Ubuntu/Debian¶
# Install from package repository
sudo apt update
sudo apt install volatility3-tools
# Install additional tools
sudo apt install python3-pip python3-dev build-essential
pip3 install volatility3
# Install legacy Volatility 2
sudo apt install volatility-tools
# Verify installations
vol -h
volatility -h
Instalación en Windows¶
# Download standalone executable from GitHub releases
# https://github.com/volatilityfoundation/volatility3/releases
# Or install via Python
pip install volatility3
# Install Python dependencies
pip install yara-python pycryptodome capstone distorm3
# Verify installation
vol.exe -h
Uso Básico¶
Flujo de Trabajo de Análisis de Volcado de Memoria¶
# Step 1: Identify the operating system and version
vol -f memory.dmp windows.info
# Step 2: List running processes
vol -f memory.dmp windows.pslist
# Step 3: Analyze network connections
vol -f memory.dmp windows.netstat
# Step 4: Examine loaded modules
vol -f memory.dmp windows.modules
# Step 5: Check for malicious processes
vol -f memory.dmp windows.malfind
# Step 6: Extract suspicious files
vol -f memory.dmp windows.dumpfiles --pid 1234
Comandos Legados de Volatility 2¶
# Identify image information (Volatility 2)
vol2 -f memory.dmp imageinfo
# Use specific profile
vol2 -f memory.dmp --profile=Win7SP1x64 pslist
# List available plugins
vol2 --info
# Get plugin help
vol2 pslist -h
Información Básica del Sistema¶
# Get system information (Vol 3)
vol -f memory.dmp windows.info
# Get system information (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 imageinfo
# Check system uptime
vol -f memory.dmp windows.info|grep "System time"
# Get kernel information
vol -f memory.dmp windows.info|grep "Kernel"
# Check for hibernation file
vol -f memory.dmp windows.info|grep "hibernation"
Análisis de Procesos¶
Listado y Análisis de Procesos¶
# List all processes (Vol 3)
vol -f memory.dmp windows.pslist
# List processes with parent-child relationships
vol -f memory.dmp windows.pstree
# Show process command lines
vol -f memory.dmp windows.cmdline
# List processes with detailed information
vol -f memory.dmp windows.pslist --pid 1234
# Find hidden processes
vol -f memory.dmp windows.psxview
# Scan for process objects
vol -f memory.dmp windows.psscan
Análisis de Memoria de Procesos¶
# Dump process memory
vol -f memory.dmp windows.memmap --pid 1234 --dump
# Extract process executable
vol -f memory.dmp windows.procdump --pid 1234
# Analyze process handles
vol -f memory.dmp windows.handles --pid 1234
# Check process privileges
vol -f memory.dmp windows.privileges --pid 1234
# Examine process environment variables
vol -f memory.dmp windows.envars --pid 1234
# Analyze process VAD (Virtual Address Descriptor)
vol -f memory.dmp windows.vadinfo --pid 1234
Detección de Malware¶
# Detect code injection
vol -f memory.dmp windows.malfind
# Scan for YARA rules
vol -f memory.dmp yarascan --yara-rules malware_rules.yar
# Check for API hooks
vol -f memory.dmp windows.apihooks
# Detect rootkits
vol -f memory.dmp windows.ssdt
# Find suspicious processes
vol -f memory.dmp windows.psxview|grep False
# Check for process hollowing
vol -f memory.dmp windows.hollowfind
Análisis de Red¶
Conexiones de Red¶
# List network connections (Vol 3)
vol -f memory.dmp windows.netstat
# List network connections (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 netscan
# Show listening sockets
vol -f memory.dmp windows.netstat|grep LISTEN
# Find connections by process
vol -f memory.dmp windows.netstat --pid 1234
# Analyze network artifacts
vol -f memory.dmp windows.netscan
# Extract network configuration
vol -f memory.dmp windows.netstat -v
DNS y Artefactos de Red¶
# Extract DNS cache (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 dnscache
# Find network-related strings
vol -f memory.dmp windows.strings|grep -E "(http|ftp|smtp|dns)"
# Analyze browser artifacts
vol -f memory.dmp windows.iehistory
# Extract network configuration
vol -f memory.dmp windows.netstat --verbose
Análisis de Sistema de Archivos¶
Análisis de Archivos y Directorios¶
# List files (Vol 3)
vol -f memory.dmp windows.filescan
# List files (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 filescan
# Dump specific files
vol -f memory.dmp windows.dumpfiles --virtaddr 0x12345678
# Find files by name
vol -f memory.dmp windows.filescan|grep "malware.exe"
# Extract MFT records
vol -f memory.dmp windows.mftscan
# Analyze file handles
vol -f memory.dmp windows.handles --object-type File
Análisis de Registro¶
# List registry hives
vol -f memory.dmp windows.registry.hivelist
# Print registry keys
vol -f memory.dmp windows.registry.printkey --key "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# Dump registry hive
vol -f memory.dmp windows.registry.hivescan --dump
# Extract user assist data
vol -f memory.dmp windows.registry.userassist
# Analyze registry artifacts
vol -f memory.dmp windows.registry.printkey --key "SYSTEM\\CurrentControlSet\\Services"
# Find registry keys by pattern
vol -f memory.dmp windows.registry.printkey --key "Software" --recurse|grep -i malware
Análisis Avanzado¶
Análisis de Cadenas de Memoria¶
# Extract ASCII strings
vol -f memory.dmp windows.strings
# Extract Unicode strings
vol -f memory.dmp windows.strings --strings-file strings.txt
# Search for specific patterns
vol -f memory.dmp windows.strings|grep -i "password"
# Extract strings from specific process
vol -f memory.dmp windows.strings --pid 1234
# Find URLs and domains
vol -f memory.dmp windows.strings|grep -E "(http|https|ftp)://[^\s]+"
# Search for email addresses
vol -f memory.dmp windows.strings|grep -E "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\\{2,\\\\}"
Análisis Criptográfico¶
# Find encryption keys
vol -f memory.dmp windows.truecryptpassphrase
# Extract cached credentials
vol -f memory.dmp windows.cachedump
# Find LSA secrets
vol -f memory.dmp windows.lsadump
# Extract password hashes
vol -f memory.dmp windows.hashdump
# Find BitLocker keys
vol -f memory.dmp windows.bitlocker
# Analyze cryptographic artifacts
vol -f memory.dmp yarascan --yara-rules crypto_rules.yar
Análisis de Línea de Tiempo¶
# Create timeline (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=body --output-file=timeline.body
# Convert to CSV format
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=csv --output-file=timeline.csv
# Analyze specific time range
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=body|grep "2023-12-01"
# Create Mactime timeline
mactime -b timeline.body -d > timeline.txt
# Filter timeline by activity type
grep "m.c" timeline.body > modified_files.txt
Scripts de Automatización¶
Análisis Comprehensivo de Memoria¶
Would you like me to continue with the remaining sections?```bash
!/bin/bash¶
Comprehensive memory analysis using Volatility¶
MEMORY_DUMP="\(1" OUTPUT_DIR="volatility_analysis_\)(date +%Y%m%d_%H%M%S)" VOLATILITY_CMD="vol"
if [ -z "$MEMORY_DUMP" ]; then
echo "Usage: $0
if [ ! -f "$MEMORY_DUMP" ]; then echo "Error: Memory dump file not found: $MEMORY_DUMP" exit 1 fi
mkdir -p "$OUTPUT_DIR"
Function to run Volatility command with error handling¶
run_vol_cmd() \\{ local plugin="\(1" local output_file="\)2" local additional_args="$3"
echo "[+] Running $plugin analysis..."
if [ -n "$additional_args" ]; then
$VOLATILITY_CMD -f "$MEMORY_DUMP" $plugin $additional_args > "$OUTPUT_DIR/$output_file" 2>&1
else
$VOLATILITY_CMD -f "$MEMORY_DUMP" $plugin > "$OUTPUT_DIR/$output_file" 2>&1
fi
if [ $? -eq 0 ]; then
echo " [+] $plugin analysis completed: $output_file"
return 0
else
echo " [-] $plugin analysis failed"
return 1
fi
\\}
Function to analyze system information¶
analyze_system_info() \\{ echo "[+] Analyzing system information"
run_vol_cmd "windows.info" "system_info.txt"
# Extract key system information
if [ -f "$OUTPUT_DIR/system_info.txt" ]; then
grep -E "(Kernel|System time|NTBuildLab)" "$OUTPUT_DIR/system_info.txt" > "$OUTPUT_DIR/system_summary.txt"
fi
\\}
Function to analyze processes¶
analyze_processes() \\{ echo "[+] Analyzing processes"
run_vol_cmd "windows.pslist" "process_list.txt"
run_vol_cmd "windows.pstree" "process_tree.txt"
run_vol_cmd "windows.cmdline" "command_lines.txt"
run_vol_cmd "windows.psxview" "hidden_processes.txt"
run_vol_cmd "windows.malfind" "malicious_code.txt"
# Extract suspicious processes
if [ -f "$OUTPUT_DIR/process_list.txt" ]; then
# Find processes with suspicious names
grep -iE "(cmd|powershell|wscript|cscript|rundll32|regsvr32)" "$OUTPUT_DIR/process_list.txt" > "$OUTPUT_DIR/suspicious_processes.txt"
# Find processes with no parent
awk '$3 == 0 && NR > 1 \\\\{print\\\\}' "$OUTPUT_DIR/process_list.txt" > "$OUTPUT_DIR/orphan_processes.txt"
fi
\\}
Function to analyze network activity¶
analyze_network() \\{ echo "[+] Analyzing network activity"
run_vol_cmd "windows.netstat" "network_connections.txt"
# Extract external connections
if [ -f "$OUTPUT_DIR/network_connections.txt" ]; then
grep -vE "(127\.0\.0\.1|0\.0\.0\.0|::1)" "$OUTPUT_DIR/network_connections.txt" > "$OUTPUT_DIR/external_connections.txt"
# Extract unique remote IPs
awk '\\\\{print $3\\\\}' "$OUTPUT_DIR/external_connections.txt"|cut -d: -f1|sort -u > "$OUTPUT_DIR/remote_ips.txt"
fi
\\}
Function to analyze files¶
analyze_files() \\{ echo "[+] Analyzing files"
run_vol_cmd "windows.filescan" "file_list.txt"
# Find executable files
if [ -f "$OUTPUT_DIR/file_list.txt" ]; then
grep -iE "\.(exe|dll|sys|bat|cmd|ps1|vbs|js)$" "$OUTPUT_DIR/file_list.txt" > "$OUTPUT_DIR/executable_files.txt"
# Find files in temp directories
grep -iE "(temp|tmp|appdata)" "$OUTPUT_DIR/file_list.txt" > "$OUTPUT_DIR/temp_files.txt"
fi
\\}
Function to analyze registry¶
analyze_registry() \\{ echo "[+] Analyzing registry"
run_vol_cmd "windows.registry.hivelist" "registry_hives.txt"
# Analyze common autostart locations
local autostart_keys=(
"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce"
)
for key in "$\\\\{autostart_keys[@]\\\\}"; do
local safe_key=$(echo "$key"|tr '\\' '_')
run_vol_cmd "windows.registry.printkey" "registry_$\\\\{safe_key\\\\}.txt" "--key \"$key\""
done
\\}
Function to extract strings¶
extract_strings() \\{ echo "[+] Extracting strings"
run_vol_cmd "windows.strings" "all_strings.txt"
if [ -f "$OUTPUT_DIR/all_strings.txt" ]; then
# Extract URLs
grep -oE "(http|https|ftp)://[^\s]+" "$OUTPUT_DIR/all_strings.txt"|sort -u > "$OUTPUT_DIR/urls.txt"
# Extract email addresses
grep -oE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\\{2,\\\\}" "$OUTPUT_DIR/all_strings.txt"|sort -u > "$OUTPUT_DIR/email_addresses.txt"
# Extract IP addresses
grep -oE "([0-9]\\\\{1,3\\\\}\.)\\\\{3\\\\}[0-9]\\\\{1,3\\\\}" "$OUTPUT_DIR/all_strings.txt"|sort -u > "$OUTPUT_DIR/ip_addresses.txt"
# Extract potential passwords
grep -iE "(password|passwd|pwd|pass)" "$OUTPUT_DIR/all_strings.txt" > "$OUTPUT_DIR/potential_passwords.txt"
fi
\\}
Function to perform YARA scanning¶
yara_scan() \\{ echo "[+] Performing YARA scanning"
# Create basic malware detection rules
cat > "$OUTPUT_DIR/basic_malware.yar" << 'EOF'
rule Suspicious_Strings \\{ strings: $s1 = "cmd.exe" nocase $s2 = "powershell" nocase $s3 = "rundll32" nocase $s4 = "regsvr32" nocase $s5 = "wscript" nocase $s6 = "cscript" nocase condition: any of them \\}
rule Network_Indicators \\{ strings: $n1 = "http://" nocase $n2 = "https://" nocase $n3 = "ftp://" nocase $n4 = "tcp://" nocase condition: any of them \\}
rule Crypto_Indicators \\{ strings: $c1 = "AES" nocase $c2 = "RSA" nocase $c3 = "encrypt" nocase $c4 = "decrypt" nocase $c5 = "cipher" nocase condition: any of them \\} EOF
run_vol_cmd "yarascan" "yara_scan_results.txt" "--yara-rules $OUTPUT_DIR/basic_malware.yar"
\\}
Function to generate analysis report¶
generate_report() \\{ echo "[+] Generating analysis report"
local report_file="$OUTPUT_DIR/analysis_report.html"
cat > "$report_file" << EOF
Volatility Memory Analysis Report
Memory Dump: $(basename "$MEMORY_DUMP")
Analysis Date: $(date)
Output Directory: $OUTPUT_DIR
System Information
$(cat "$OUTPUT_DIR/system_summary.txt")
⚠️ Suspicious Processes
$(cat "$OUTPUT_DIR/suspicious_processes.txt")
External Network Connections
$(head -20 "$OUTPUT_DIR/external_connections.txt")
URLs Found
$(head -20 "$OUTPUT_DIR/urls.txt")
Analysis Summary
| Category | Count | File |
|---|---|---|
| Total Processes | $(wc -l < "$OUTPUT_DIR/process_list.txt" 2>/dev/null||echo 0) | process_list.txt |
| Suspicious Processes | $(wc -l < "$OUTPUT_DIR/suspicious_processes.txt" 2>/dev/null||echo 0) | suspicious_processes.txt |
| Network Connections | $(wc -l < "$OUTPUT_DIR/network_connections.txt" 2>/dev/null||echo 0) | network_connections.txt |
| External Connections | $(wc -l < "$OUTPUT_DIR/external_connections.txt" 2>/dev/null||echo 0) | external_connections.txt |
| Files Found | $(wc -l < "$OUTPUT_DIR/file_list.txt" 2>/dev/null||echo 0) | file_list.txt |
| URLs Found | $(wc -l < "$OUTPUT_DIR/urls.txt" 2>/dev/null||echo 0) | urls.txt |
| Email Addresses | $(wc -l < "$OUTPUT_DIR/email_addresses.txt" 2>/dev/null||echo 0) | email_addresses.txt |
Generated Files
-
$(ls -1 "$OUTPUT_DIR"/*.txt "$OUTPUT_DIR"/*.yar 2>/dev/null|while read file; do echo "
- $(basename "$file") "; done)
EOF
echo " [+] Analysis report generated: $report_file"
\\}
Function to create investigation summary¶
create_summary() \\{ echo "[+] Creating investigation summary"
local summary_file="$OUTPUT_DIR/investigation_summary.txt"
cat > "$summary_file" << EOF
Volatility Memory Analysis Summary¶
Memory Dump: \((basename "\)MEMORY_DUMP") Analysis Date: $(date) Output Directory: $OUTPUT_DIR
Key Findings:¶
System Information: \((cat "\)OUTPUT_DIR/system_summary.txt" 2>/dev/null||echo "Not available")
Process Analysis: - Total processes: \((wc -l < "\)OUTPUT_DIR/process_list.txt" 2>/dev/null||echo 0) - Suspicious processes: \((wc -l < "\)OUTPUT_DIR/suspicious_processes.txt" 2>/dev/null||echo 0) - Orphan processes: \((wc -l < "\)OUTPUT_DIR/orphan_processes.txt" 2>/dev/null||echo 0)
Network Analysis: - Total connections: \((wc -l < "\)OUTPUT_DIR/network_connections.txt" 2>/dev/null||echo 0) - External connections: \((wc -l < "\)OUTPUT_DIR/external_connections.txt" 2>/dev/null||echo 0) - Unique remote IPs: \((wc -l < "\)OUTPUT_DIR/remote_ips.txt" 2>/dev/null||echo 0)
File Analysis: - Total files: \((wc -l < "\)OUTPUT_DIR/file_list.txt" 2>/dev/null||echo 0) - Executable files: \((wc -l < "\)OUTPUT_DIR/executable_files.txt" 2>/dev/null||echo 0) - Temp files: \((wc -l < "\)OUTPUT_DIR/temp_files.txt" 2>/dev/null||echo 0)
String Analysis: - URLs found: \((wc -l < "\)OUTPUT_DIR/urls.txt" 2>/dev/null||echo 0) - Email addresses: \((wc -l < "\)OUTPUT_DIR/email_addresses.txt" 2>/dev/null||echo 0) - IP addresses: \((wc -l < "\)OUTPUT_DIR/ip_addresses.txt" 2>/dev/null||echo 0)
Recommendations:¶
- Review suspicious processes for malicious activity
- Investigate external network connections
- Analyze files in temporary directories
- Check autostart registry entries
- Correlate findings with system logs and network traffic
Next Steps:¶
- Extract and analyze suspicious executables
- Perform deeper malware analysis if needed
- Check for persistence mechanisms
- Validate findings with additional tools
- Document findings for incident response
Files Generated:¶
\((ls -1 "\)OUTPUT_DIR"|grep -v ".html$"|sed 's/^/- /') EOF
echo " [+] Investigation summary created: $summary_file"
\\}
Main execution¶
echo "[+] Starting comprehensive memory analysis" echo "[+] Memory dump: $MEMORY_DUMP" echo "[+] Output directory: $OUTPUT_DIR"
Check if Volatility is available¶
if ! command -v $VOLATILITY_CMD &> /dev/null; then echo "[-] Volatility not found. Please install Volatility 3." exit 1 fi
Perform analysis¶
analyze_system_info analyze_processes analyze_network analyze_files analyze_registry extract_strings yara_scan
Generate reports¶
generate_report create_summary
echo "[+] Comprehensive memory analysis completed"
echo "[+] Results saved in: $OUTPUT_DIR"
echo "[+] Open $OUTPUT_DIR/analysis_report.html for detailed report"
echo "[+] Review $OUTPUT_DIR/investigation_summary.txt for key findings"
### Automatización de Análisis de Malwarebash
!/bin/bash¶
Automated malware analysis using Volatility¶
MEMORY_DUMP="\(1" MALWARE_DIR="malware_analysis_\)(date +%Y%m%d_%H%M%S)" YARA_RULES_DIR="/opt/yara-rules"
if [ -z "$MEMORY_DUMP" ]; then
echo "Usage: $0
mkdir -p "$MALWARE_DIR"
Function to detect process injection¶
detect_injection() \\{ echo "[+] Detecting process injection"
vol -f "$MEMORY_DUMP" windows.malfind > "$MALWARE_DIR/malfind_results.txt"
# Extract injected code
if [ -s "$MALWARE_DIR/malfind_results.txt" ]; then
echo " [+] Potential code injection detected"
# Extract unique PIDs with injected code
awk '/Process:/ \\\\{print $2\\\\}' "$MALWARE_DIR/malfind_results.txt"|sort -u > "$MALWARE_DIR/injected_pids.txt"
# Dump memory for each injected process
while read pid; do
echo " [+] Dumping memory for PID $pid"
vol -f "$MEMORY_DUMP" windows.memmap --pid "$pid" --dump --output-dir "$MALWARE_DIR/dumps/"
done < "$MALWARE_DIR/injected_pids.txt"
fi
\\}
Function to analyze suspicious processes¶
analyze_suspicious_processes() \\{ echo "[+] Analyzing suspicious processes"
# Get process list
vol -f "$MEMORY_DUMP" windows.pslist > "$MALWARE_DIR/process_list.txt"
# Find processes with suspicious characteristics
cat > "$MALWARE_DIR/suspicious_patterns.txt" << 'EOF'
Suspicious process patterns¶
cmd.exe powershell.exe wscript.exe cscript.exe rundll32.exe regsvr32.exe mshta.exe bitsadmin.exe certutil.exe schtasks.exe EOF
# Search for suspicious processes
while read pattern; do
if [[ ! "$pattern" =~ ^# ]]; then
grep -i "$pattern" "$MALWARE_DIR/process_list.txt" >> "$MALWARE_DIR/suspicious_processes.txt"
fi
done < "$MALWARE_DIR/suspicious_patterns.txt"
# Analyze command lines for suspicious processes
if [ -s "$MALWARE_DIR/suspicious_processes.txt" ]; then
echo " [+] Found suspicious processes, analyzing command lines"
awk '\\\\{print $2\\\\}' "$MALWARE_DIR/suspicious_processes.txt"|while read pid; do
vol -f "$MEMORY_DUMP" windows.cmdline --pid "$pid" >> "$MALWARE_DIR/suspicious_cmdlines.txt"
done
fi
\\}
Function to extract and analyze executables¶
extract_executables() \\{ echo "[+] Extracting suspicious executables"
# Get file list
vol -f "$MEMORY_DUMP" windows.filescan > "$MALWARE_DIR/file_list.txt"
# Find executable files in suspicious locations
grep -iE "(temp|tmp|appdata|programdata).*\.(exe|dll|sys)$" "$MALWARE_DIR/file_list.txt" > "$MALWARE_DIR/suspicious_files.txt"
# Extract suspicious files
if [ -s "$MALWARE_DIR/suspicious_files.txt" ]; then
echo " [+] Extracting suspicious files"
mkdir -p "$MALWARE_DIR/extracted_files"
while read line; do
local offset=$(echo "$line"|awk '\\\\{print $1\\\\}')
local filename=$(echo "$line"|awk '\\\\{print $NF\\\\}'|tr '\\' '_')
vol -f "$MEMORY_DUMP" windows.dumpfiles --virtaddr "$offset" --output-dir "$MALWARE_DIR/extracted_files/"
done < "$MALWARE_DIR/suspicious_files.txt"
fi
\\}
Function to perform YARA scanning¶
perform_yara_scan() \\{ echo "[+] Performing YARA scanning"
# Create comprehensive malware detection rules
cat > "$MALWARE_DIR/malware_detection.yar" << 'EOF'
rule Suspicious_API_Calls \\{ strings: $api1 = "VirtualAlloc" nocase $api2 = "VirtualProtect" nocase $api3 = "CreateRemoteThread" nocase $api4 = "WriteProcessMemory" nocase $api5 = "ReadProcessMemory" nocase $api6 = "SetWindowsHookEx" nocase $api7 = "GetProcAddress" nocase $api8 = "LoadLibrary" nocase condition: 3 of them \\}
rule Network_Communication \\{ strings: $net1 = "WinINet" nocase $net2 = "URLDownloadToFile" nocase $net3 = "InternetOpen" nocase $net4 = "InternetConnect" nocase $net5 = "HttpOpenRequest" nocase $net6 = "send" nocase $net7 = "recv" nocase $net8 = "WSAStartup" nocase condition: 2 of them \\}
rule Persistence_Mechanisms \\{ strings: $reg1 = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" nocase $reg2 = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" nocase $svc1 = "CreateService" nocase $svc2 = "StartService" nocase $task1 = "schtasks" nocase $task2 = "at.exe" nocase condition: any of them \\}
rule Evasion_Techniques \\{ strings: $eva1 = "IsDebuggerPresent" nocase $eva2 = "CheckRemoteDebuggerPresent" nocase $eva3 = "OutputDebugString" nocase $eva4 = "GetTickCount" nocase $eva5 = "Sleep" nocase $eva6 = "VirtualQuery" nocase condition: 2 of them \\}
rule Encryption_Indicators \\{ strings: $cry1 = "CryptAcquireContext" nocase $cry2 = "CryptCreateHash" nocase $cry3 = "CryptEncrypt" nocase $cry4 = "CryptDecrypt" nocase $cry5 = "CryptGenKey" nocase $cry6 = "AES" nocase $cry7 = "RSA" nocase $cry8 = "MD5" nocase $cry9 = "SHA" nocase condition: 2 of them \\} EOF
# Perform YARA scan
vol -f "$MEMORY_DUMP" yarascan --yara-rules "$MALWARE_DIR/malware_detection.yar" > "$MALWARE_DIR/yara_results.txt"
# Use external YARA rules if available
if [ -d "$YARA_RULES_DIR" ]; then
echo " [+] Scanning with external YARA rules"
find "$YARA_RULES_DIR" -name "*.yar" -o -name "*.yara"|while read rule_file; do
local rule_name=$(basename "$rule_file" .yar)
vol -f "$MEMORY_DUMP" yarascan --yara-rules "$rule_file" > "$MALWARE_DIR/yara_$\\\\{rule_name\\\\}.txt"
done
fi
\\}
Function to analyze network artifacts¶
analyze_network_artifacts() \\{ echo "[+] Analyzing network artifacts"
# Get network connections
vol -f "$MEMORY_DUMP" windows.netstat > "$MALWARE_DIR/network_connections.txt"
# Extract external IPs
grep -vE "(127\.0\.0\.1|0\.0\.0\.0|::1|192\.168\.|10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.)" "$MALWARE_DIR/network_connections.txt" > "$MALWARE_DIR/external_connections.txt"
# Extract unique remote IPs
awk '\\\\{print $3\\\\}' "$MALWARE_DIR/external_connections.txt"|cut -d: -f1|sort -u > "$MALWARE_DIR/remote_ips.txt"
# Analyze remote IPs
if [ -s "$MALWARE_DIR/remote_ips.txt" ]; then
echo " [+] Analyzing remote IP addresses"
while read ip; do
echo "Analyzing IP: $ip" >> "$MALWARE_DIR/ip_analysis.txt"
# Perform reverse DNS lookup
local hostname=$(dig +short -x "$ip" 2>/dev/null|head -1)
echo " Hostname: $\\\\{hostname:-No PTR record\\\\}" >> "$MALWARE_DIR/ip_analysis.txt"
# Check if IP is in known malicious ranges (basic check)
if [[ "$ip" =~ ^(185\.159\.|91\.121\.|5\.196\.) ]]; then
echo " WARNING: IP in potentially suspicious range" >> "$MALWARE_DIR/ip_analysis.txt"
fi
echo "---" >> "$MALWARE_DIR/ip_analysis.txt"
done < "$MALWARE_DIR/remote_ips.txt"
fi
\\}
Function to check for rootkit indicators¶
check_rootkit_indicators() \\{ echo "[+] Checking for rootkit indicators"
# Check SSDT hooks
vol -f "$MEMORY_DUMP" windows.ssdt > "$MALWARE_DIR/ssdt_hooks.txt" 2>/dev/null||echo "SSDT analysis not available"
# Check for hidden processes
vol -f "$MEMORY_DUMP" windows.psxview > "$MALWARE_DIR/hidden_processes.txt"
# Find processes that are hidden from certain detection methods
grep "False" "$MALWARE_DIR/hidden_processes.txt" > "$MALWARE_DIR/potentially_hidden.txt"
# Check for API hooks
vol -f "$MEMORY_DUMP" windows.apihooks > "$MALWARE_DIR/api_hooks.txt" 2>/dev/null||echo "API hooks analysis not available"
\\}
Function to generate malware analysis report¶
generate_malware_report() \\{ echo "[+] Generating malware analysis report"
local report_file="$MALWARE_DIR/malware_analysis_report.html"
cat > "$report_file" << EOF
🔍 Malware Analysis Report
Memory Dump: $(basename "$MEMORY_DUMP")
Analysis Date: $(date)
Analyst: Volatility Automated Analysis
📋 Executive Summary
| Indicator | Count | Risk Level |
|---|---|---|
| Suspicious Processes | $(wc -l < "$MALWARE_DIR/suspicious_processes.txt" 2>/dev/null||echo 0) | $([ $(wc -l < "$MALWARE_DIR/suspicious_processes.txt" 2>/dev/null||echo 0) -gt 0 ] && echo "High"||echo "Low") |
| Code Injection Detected | $(grep -c "Process:" "$MALWARE_DIR/malfind_results.txt" 2>/dev/null||echo 0) | $([ $(grep -c "Process:" "$MALWARE_DIR/malfind_results.txt" 2>/dev/null||echo 0) -gt 0 ] && echo "Critical"||echo "Low") |
| External Connections | $(wc -l < "$MALWARE_DIR/external_connections.txt" 2>/dev/null||echo 0) | $([ $(wc -l < "$MALWARE_DIR/external_connections.txt" 2>/dev/null||echo 0) -gt 5 ] && echo "Medium"||echo "Low") |
| Hidden Processes | $(wc -l < "$MALWARE_DIR/potentially_hidden.txt" 2>/dev/null||echo 0) | $([ $(wc -l < "$MALWARE_DIR/potentially_hidden.txt" 2>/dev/null||echo 0) -gt 0 ] && echo "High"||echo "Low") |
🚨 Code Injection Detected
Potential code injection has been detected in the following processes:
$(head -50 "$MALWARE_DIR/malfind_results.txt")
⚠️ Suspicious Processes
$(cat "$MALWARE_DIR/suspicious_processes.txt")
🌐 External Network Connections
$(head -20 "$MALWARE_DIR/external_connections.txt")
🔍 YARA Detection Results
$(cat "$MALWARE_DIR/yara_results.txt")
📝 Recommendations
- Immediate Actions:
- Isolate affected systems from the network
- Preserve memory dumps and disk images for further analysis
- Check for lateral movement indicators
- Investigation:
- Analyze extracted executables with static analysis tools
- Correlate network connections with firewall logs
- Check for persistence mechanisms in registry and file system
- Remediation:
- Remove identified malicious processes and files
- Update antivirus signatures and endpoint protection
- Implement network monitoring for identified IOCs
📁 Generated Files
-
$(ls -1 "$MALWARE_DIR"|grep -v "\.html$"|while read file; do echo "
- $file "; done)
EOF
echo " [+] Malware analysis report generated: $report_file"
\\}
Main execution¶
echo "[+] Starting automated malware analysis" echo "[+] Memory dump: $MEMORY_DUMP" echo "[+] Output directory: $MALWARE_DIR"
Perform malware analysis¶
detect_injection analyze_suspicious_processes extract_executables perform_yara_scan analyze_network_artifacts check_rootkit_indicators
Generate report¶
generate_malware_report
echo "[+] Automated malware analysis completed" echo "[+] Results saved in: $MALWARE_DIR" echo "[+] Open $MALWARE_DIR/malware_analysis_report.html for detailed findings"
Display summary¶
echo ""
echo "=== ANALYSIS SUMMARY ==="
echo "Suspicious processes: \((wc -l < "\)MALWARE_DIR/suspicious_processes.txt" 2>/dev/null||echo 0)"
echo "Code injection detected: \((grep -c "Process:" "\)MALWARE_DIR/malfind_results.txt" 2>/dev/null||echo 0)"
echo "External connections: \((wc -l < "\)MALWARE_DIR/external_connections.txt" 2>/dev/null||echo 0)"
echo "Hidden processes: \((wc -l < "\)MALWARE_DIR/potentially_hidden.txt" 2>/dev/null||echo 0)"
echo "========================"
### Análisis de Línea de Tiempobash
!/bin/bash¶
Timeline analysis using Volatility¶
MEMORY_DUMP="\(1" TIMELINE_DIR="timeline_analysis_\)(date +%Y%m%d_%H%M%S)"
if [ -z "$MEMORY_DUMP" ]; then
echo "Usage: $0
mkdir -p "$TIMELINE_DIR"
Function to create comprehensive timeline¶
create_timeline() \\{ echo "[+] Creating comprehensive timeline"
# Note: Timeline functionality varies between Volatility versions
# This example shows both Vol2 and Vol3 approaches
# For Volatility 2 (if available)
if command -v vol2 &> /dev/null; then
echo " [+] Creating timeline with Volatility 2"
# Determine profile first
local profile=$(vol2 -f "$MEMORY_DUMP" imageinfo|grep "Suggested Profile"|head -1|awk '\\\\{print $4\\\\}'|tr -d ',')
if [ -n "$profile" ]; then
# Create body file
vol2 -f "$MEMORY_DUMP" --profile="$profile" timeliner --output=body --output-file="$TIMELINE_DIR/timeline.body"
# Convert to readable format
if [ -f "$TIMELINE_DIR/timeline.body" ]; then
mactime -b "$TIMELINE_DIR/timeline.body" -d > "$TIMELINE_DIR/timeline_readable.txt"
fi
fi
fi
# Alternative approach: Extract timestamps from various sources
echo " [+] Extracting timestamps from various sources"
# Process creation times
vol -f "$MEMORY_DUMP" windows.pslist > "$TIMELINE_DIR/process_times.txt"
# File modification times
vol -f "$MEMORY_DUMP" windows.filescan > "$TIMELINE_DIR/file_times.txt"
# Registry timestamps (if available)
vol -f "$MEMORY_DUMP" windows.registry.hivelist > "$TIMELINE_DIR/registry_times.txt"
\\}
Function to analyze process timeline¶
analyze_process_timeline() \\{ echo "[+] Analyzing process timeline"
# Extract process creation times and sort chronologically
awk 'NR>1 \\\\{print $6, $7, $2, $3, $4\\\\}' "$TIMELINE_DIR/process_times.txt"|sort > "$TIMELINE_DIR/process_chronology.txt"
# Find processes created in quick succession (potential malware)
cat > "$TIMELINE_DIR/rapid_process_creation.py" << 'EOF'
!/usr/bin/env python3¶
import sys from datetime import datetime
def parse_timestamp(ts_str): try: return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S") except: return None
def analyze_rapid_creation(filename): processes = []
with open(filename, 'r') as f:
for line in f:
parts = line.strip().split()
if len(parts) >= 5:
date_str = parts[0]
time_str = parts[1]
pid = parts[2]
ppid = parts[3]
name = parts[4]
timestamp = parse_timestamp(f"\\\\{date_str\\\\} \\\\{time_str\\\\}")
if timestamp:
processes.append((timestamp, pid, ppid, name))
# Sort by timestamp
processes.sort(key=lambda x: x[0])
# Find rapid succession (within 10 seconds)
rapid_groups = []
current_group = []
for i, (ts, pid, ppid, name) in enumerate(processes):
if not current_group:
current_group = [(ts, pid, ppid, name)]
else:
time_diff = (ts - current_group[-1][0]).total_seconds()
if time_diff <= 10:
current_group.append((ts, pid, ppid, name))
else:
if len(current_group) >= 3:
rapid_groups.append(current_group)
current_group = [(ts, pid, ppid, name)]
# Check last group
if len(current_group) >= 3:
rapid_groups.append(current_group)
return rapid_groups
if name == "main":
if len(sys.argv) != 2:
print("Usage: python3 rapid_process_creation.py
rapid_groups = analyze_rapid_creation(sys.argv[1])
if rapid_groups:
print("Rapid Process Creation Detected:")
print("=" * 50)
for i, group in enumerate(rapid_groups):
print(f"\nGroup \\\\{i+1\\\\} (\\\\{len(group)\\\\} processes):")
for ts, pid, ppid, name in group:
print(f" \\\\{ts\\\\} - PID:\\\\{pid\\\\} PPID:\\\\{ppid\\\\} \\\\{name\\\\}")
else:
print("No rapid process creation patterns detected.")
EOF
python3 "$TIMELINE_DIR/rapid_process_creation.py" "$TIMELINE_DIR/process_chronology.txt" > "$TIMELINE_DIR/rapid_creation_analysis.txt"
\\}
Function to create visual timeline¶
create_visual_timeline() \\{ echo "[+] Creating visual timeline"
cat > "$TIMELINE_DIR/create_timeline_chart.py" << 'EOF'
!/usr/bin/env python3¶
import matplotlib.pyplot as plt import matplotlib.dates as mdates from datetime import datetime import sys
def create_timeline_chart(process_file, output_file): timestamps = [] processes = []
try:
with open(process_file, 'r') as f:
for line in f:
parts = line.strip().split()
if len(parts) >= 5:
try:
date_str = parts[0]
time_str = parts[1]
name = parts[4]
timestamp = datetime.strptime(f"\\\\{date_str\\\\} \\\\{time_str\\\\}", "%Y-%m-%d %H:%M:%S")
timestamps.append(timestamp)
processes.append(name)
except:
continue
if not timestamps:
print("No valid timestamps found")
return
# Create timeline chart
fig, ax = plt.subplots(figsize=(15, 8))
# Plot process creation events
y_positions = range(len(timestamps))
ax.scatter(timestamps, y_positions, alpha=0.6, s=50)
# Format x-axis
ax.xaxis.set_major_formatter(mdates.DateFormatter('%H:%M:%S'))
ax.xaxis.set_major_locator(mdates.HourLocator(interval=1))
plt.xticks(rotation=45)
# Add labels
ax.set_xlabel('Time')
ax.set_ylabel('Process Creation Events')
ax.set_title('Process Creation Timeline')
# Add grid
ax.grid(True, alpha=0.3)
plt.tight_layout()
plt.savefig(output_file, dpi=300, bbox_inches='tight')
print(f"Timeline chart saved: \\\\{output_file\\\\}")
except Exception as e:
print(f"Error creating timeline chart: \\\\{e\\\\}")
if name == "main":
if len(sys.argv) != 3:
print("Usage: python3 create_timeline_chart.py
create_timeline_chart(sys.argv[1], sys.argv[2])
EOF
# Install matplotlib if not available
pip3 install matplotlib &>/dev/null||echo "Warning: matplotlib not available for timeline visualization"
# Create timeline chart
python3 "$TIMELINE_DIR/create_timeline_chart.py" "$TIMELINE_DIR/process_chronology.txt" "$TIMELINE_DIR/process_timeline.png" 2>/dev/null||echo "Timeline visualization skipped"
\\}
Function to correlate events¶
correlate_events() \\{ echo "[+] Correlating timeline events"
cat > "$TIMELINE_DIR/event_correlation.txt" << EOF
Timeline Event Correlation Analysis¶
Analysis Date: $(date) Memory Dump: \((basename "\)MEMORY_DUMP")
Process Timeline Analysis: \((cat "\)TIMELINE_DIR/rapid_creation_analysis.txt" 2>/dev/null||echo "No rapid creation patterns detected")
Key Observations:¶
EOF
# Analyze process parent-child relationships
echo "Process Parent-Child Relationships:" >> "$TIMELINE_DIR/event_correlation.txt"
vol -f "$MEMORY_DUMP" windows.pstree >> "$TIMELINE_DIR/event_correlation.txt"
# Look for suspicious timing patterns
echo "" >> "$TIMELINE_DIR/event_correlation.txt"
echo "Timing Pattern Analysis:" >> "$TIMELINE_DIR/event_correlation.txt"
# Find processes created at unusual times (e.g., outside business hours)
awk 'NR>1 \\\\{
split($7, time_parts, ":");
hour = time_parts[1];
if (hour < 6||hour > 22) \\\\{
print "Unusual time: " $0;
\\\\}
\\\\}' "$TIMELINE_DIR/process_times.txt" >> "$TIMELINE_DIR/event_correlation.txt"
\\}
Function to generate timeline report¶
generate_timeline_report() \\{ echo "[+] Generating timeline analysis report"
local report_file="$TIMELINE_DIR/timeline_report.html"
cat > "$report_file" << EOF
⏰ Timeline Analysis Report
Memory Dump: $(basename "$MEMORY_DUMP")
Analysis Date: $(date)
Timeline Scope: Process creation and system events
📊 Process Creation Timeline
⚡ Rapid Process Creation Analysis
$(cat "$TIMELINE_DIR/rapid_creation_analysis.txt")
📋 Process Chronology
$(head -50 "$TIMELINE_DIR/process_chronology.txt" 2>/dev/null||echo "Process chronology not available")
🔗 Event Correlation Analysis
$(cat "$TIMELINE_DIR/event_correlation.txt")
📈 Timeline Statistics
| Metric | Value |
|---|---|
| Total Processes Analyzed | $(wc -l < "$TIMELINE_DIR/process_times.txt" 2>/dev/null||echo 0) |
| Chronological Events | $(wc -l < "$TIMELINE_DIR/process_chronology.txt" 2>/dev/null||echo 0) |
| Timeline Span | $(head -1 "$TIMELINE_DIR/process_chronology.txt" 2>/dev/null|awk '\\\\{print $1, $2\\\\}') to $(tail -1 "$TIMELINE_DIR/process_chronology.txt" 2>/dev/null|awk '\\\\{print $1, $2\\\\}') |
📁 Generated Files
-
$(ls -1 "$TIMELINE_DIR"|grep -v "\.html$"|while read file; do echo "
- $file "; done)
🎯 Key Findings & Recommendations
- Process Creation Patterns: Review rapid process creation events for potential malware activity
- Timing Analysis: Investigate processes created during unusual hours
- Parent-Child Relationships: Analyze process trees for suspicious spawning patterns
- Correlation: Cross-reference timeline events with network logs and file system changes
EOF
echo " [+] Timeline analysis report generated: $report_file"
\\}
Main execution¶
echo "[+] Starting timeline analysis" echo "[+] Memory dump: $MEMORY_DUMP" echo "[+] Output directory: $TIMELINE_DIR"
Perform timeline analysis¶
create_timeline analyze_process_timeline create_visual_timeline correlate_events
Generate report¶
generate_timeline_report
echo "[+] Timeline analysis completed"
echo "[+] Results saved in: $TIMELINE_DIR"
echo "[+] Open $TIMELINE_DIR/timeline_report.html for detailed timeline analysis"
## Integración con Otras Herramientasbash
Use Rekall for additional analysis¶
rekall -f memory.dmp pslist
Compare Volatility and Rekall results¶
vol -f memory.dmp windows.pslist > vol_pslist.txt
rekall -f memory.dmp pslist > rekall_pslist.txt
diff vol_pslist.txt rekall_pslist.txt
### Integración de Rekallbash
Create custom YARA rules¶
cat > custom_rules.yar << 'EOF' rule Suspicious_Process_Names \\{ strings: $s1 = "svchost.exe" nocase $s2 = "explorer.exe" nocase $s3 = "winlogon.exe" nocase condition: any of them \\} EOF
Scan memory with YARA rules¶
vol -f memory.dmp yarascan --yara-rules custom_rules.yar
### Integración de YARAbash
Extract strings and artifacts with bulk_extractor¶
bulk_extractor -o bulk_output memory.dmp
Compare with Volatility strings¶
vol -f memory.dmp windows.strings > vol_strings.txt
diff vol_strings.txt bulk_output/telephone.txt
### Integración de Bulk Extractorbash
Manual profile specification (Vol 2)¶
vol2 -f memory.dmp --profile=Win10x64_19041 pslist
List available profiles¶
vol2 --info|grep "Win"
Use kdbgscan for profile detection¶
vol2 -f memory.dmp kdbgscan
## Resolución de Problemasbash
Check for memory corruption¶
vol -f memory.dmp windows.info|grep -i corrupt
Use alternative scanning methods¶
vol -f memory.dmp windows.psscan
vol -f memory.dmp windows.filescan
### Problemas Comunesbash
Process large dumps efficiently¶
vol -f memory.dmp windows.pslist --output-file pslist.txt
Use specific address ranges¶
vol -f memory.dmp windows.vadinfo --pid 1234 --address 0x12345678
#### Problemas de Detección de Perfilbash
Check plugin availability¶
vol --list-plugins
Get plugin help¶
vol windows.pslist -h
Debug plugin execution¶
vol -f memory.dmp windows.pslist -vv
#### Corrupción de Memoriabash
Use output files to avoid re-processing¶
vol -f memory.dmp windows.pslist -o pslist.txt
Limit output for large datasets¶
vol -f memory.dmp windows.filescan|head -1000
Use specific PIDs for targeted analysis¶
vol -f memory.dmp windows.handles --pid 1234
Parallel processing for multiple dumps¶
for dump in *.dmp; do vol -f "\(dump" windows.pslist > "\)\\{dump%.dmp\\}_pslist.txt" & done wait ```#### Volcados de Memoria Grandes https://www.volatilityfoundation.org/#### Errores de Plugins https://volatility3.readthedocs.io/### Optimización de Rendimiento https://github.com/volatilityfoundation/volatility3## Recursos https://www.sans.org/white-papers/memory-forensics-volatility/- Fundación Volatilityhttps://github.com/Yara-Rules/rules- Documentación de Volatility 3