Volatility hoja de trucos
Overview
Volatility is an advanced memory forensics framework written in Python that provides a comprehensive platform for extracting digital artifacts from volatile memory (RAM) samples. Developed by the Volatility Foundation, this powerful tool enables forense digital investigators, incident responders, and malware analysts to analyze memory dumps from Windows, Linux, macOS, and Android systems. Volatility can extract a wide range of information including running procesoes, network conexións, loaded modules, registry data, cached files, cifrado claves, and evidence of malware activity. Its plugin-based architecture makes it highly extensible, allowing researchers to develop custom analysis modules for specific investigation needs.
⚠️ Legal Notice: Volatility should only be used for legitimate forensic analysis, respuesta a incidentes, and authorized security research. Ensure you have proper legal authority before analyzing memory dumps, and follow your organization's data handling and privacy policies.
instalación
Volatility 3 instalación (Recommended)
# Install via pip (Python 3.6+)
pip3 install volatility3
# Install from GitHub (latest development version)
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt
python3 setup.py install
# Verify instalación
vol -h
# Install additional dependencies
pip3 install yara-python pycryptodome capstone distorm3
Volatility 2 instalación (Legacy)
# Install Volatility 2 (Python 2.7)
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python2 setup.py install
# Install dependencies
pip2 install distorm3 yara-python pycrypto openpyxl ujson
# Verify instalación
python2 vol.py -h
# Create alias for easier uso
echo 'alias vol2="python2 /path/to/volatility/vol.py"' >> ~/.bashrc
Docker instalación
# Pull Volatility Docker image
docker pull phocean/volatility
# Run Volatility in Docker
docker run --rm -v $(pwd):/dumps phocean/volatility -f /dumps/memory.dmp imageinfo
# Create alias for Docker uso
echo 'alias vol="docker run --rm -v $(pwd):/dumps phocean/volatility"' >> ~/.bashrc
source ~/.bashrc
# Run with specific memory dump
vol -f memory.dmp --profile=Win7SP1x64 pslist
Ubuntu/Debian instalación
# Install from package repository
sudo apt update
sudo apt install volatility3-tools
# Install additional tools
sudo apt install python3-pip python3-dev build-essential
pip3 install volatility3
# Install legacy Volatility 2
sudo apt install volatility-tools
# Verify instalacións
vol -h
volatility -h
Windows instalación
# Download standalone executable from GitHub releases
# https://github.com/volatilityfoundation/volatility3/releases
# Or install via Python
pip install volatility3
# Install Python dependencies
pip install yara-python pycryptodome capstone distorm3
# Verify instalación
vol.exe -h
Basic uso
Memory Dump Analysis Workflow
# Step 1: Identify the operating system and version
vol -f memory.dmp windows.info
# Step 2: List running procesoes
vol -f memory.dmp windows.pslist
# Step 3: Analyze network conexións
vol -f memory.dmp windows.netstat
# Step 4: Examine loaded modules
vol -f memory.dmp windows.modules
# Step 5: Check for malicious procesoes
vol -f memory.dmp windows.malfind
# Step 6: Extract suspicious files
vol -f memory.dmp windows.dumpfiles --pid 1234
Volatility 2 Legacy comandos
# Identify image information (Volatility 2)
vol2 -f memory.dmp imageinfo
# Use specific profile
vol2 -f memory.dmp --profile=Win7SP1x64 pslist
# List available plugins
vol2 --info
# Get plugin help
vol2 pslist -h
Basic System Information
# Get system information (Vol 3)
vol -f memory.dmp windows.info
# Get system information (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 imageinfo
# Check system uptime
vol -f memory.dmp windows.info|grep "System time"
# Get kernel information
vol -f memory.dmp windows.info|grep "Kernel"
# Check for hibernation file
vol -f memory.dmp windows.info|grep "hibernation"
proceso Analysis
proceso Listing and Analysis
# List all procesoes (Vol 3)
vol -f memory.dmp windows.pslist
# List procesoes with parent-child relationships
vol -f memory.dmp windows.pstree
# Show proceso comando lines
vol -f memory.dmp windows.cmdline
# List procesoes with detailed information
vol -f memory.dmp windows.pslist --pid 1234
# Find hidden procesoes
vol -f memory.dmp windows.psxview
# Scan for proceso objects
vol -f memory.dmp windows.psscan
proceso Análisis de Memoria
# Dump proceso memory
vol -f memory.dmp windows.memmap --pid 1234 --dump
# Extract proceso executable
vol -f memory.dmp windows.procdump --pid 1234
# Analyze proceso handles
vol -f memory.dmp windows.handles --pid 1234
# Check proceso privileges
vol -f memory.dmp windows.privileges --pid 1234
# Examine proceso environment variables
vol -f memory.dmp windows.envars --pid 1234
# Analyze proceso VAD (Virtual Address Descriptor)
vol -f memory.dmp windows.vadinfo --pid 1234
malware Detection
# Detect code injection
vol -f memory.dmp windows.malfind
# Scan for YARA rules
vol -f memory.dmp yarascan --yara-rules malware_rules.yar
# Check for API hooks
vol -f memory.dmp windows.apihooks
# Detect rootkits
vol -f memory.dmp windows.ssdt
# Find suspicious procesoes
vol -f memory.dmp windows.psxview|grep False
# Check for proceso hollowing
vol -f memory.dmp windows.hollowfind
Análisis de Red
Network conexións
# List network conexións (Vol 3)
vol -f memory.dmp windows.netstat
# List network conexións (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 netscan
# Show listening sockets
vol -f memory.dmp windows.netstat|grep LISTEN
# Find conexións by proceso
vol -f memory.dmp windows.netstat --pid 1234
# Analyze network artifacts
vol -f memory.dmp windows.netscan
# Extract network configuración
vol -f memory.dmp windows.netstat -v
DNS and Network Artifacts
# Extract DNS cache (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 dnscache
# Find network-related strings
| vol -f memory.dmp windows.strings | grep -E "(http | ftp | smtp | dns)" |
# Analyze browser artifacts
vol -f memory.dmp windows.iehistory
# Extract network configuración
vol -f memory.dmp windows.netstat --verbose
File System Analysis
File and Directory Analysis
# List files (Vol 3)
vol -f memory.dmp windows.filescan
# List files (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 filescan
# Dump specific files
vol -f memory.dmp windows.dumpfiles --virtaddr 0x12345678
# Find files by name
vol -f memory.dmp windows.filescan|grep "malware.exe"
# Extract MFT records
vol -f memory.dmp windows.mftscan
# Analyze file handles
vol -f memory.dmp windows.handles --object-type File
Registry Analysis
# List registry hives
vol -f memory.dmp windows.registry.hivelist
# Print registry claves
vol -f memory.dmp windows.registry.printclave --clave "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# Dump registry hive
vol -f memory.dmp windows.registry.hivescan --dump
# Extract user assist data
vol -f memory.dmp windows.registry.userassist
# Analyze registry artifacts
vol -f memory.dmp windows.registry.printclave --clave "SYSTEM\\CurrentControlSet\\servicios"
# Find registry claves by pattern
vol -f memory.dmp windows.registry.printclave --clave "Software" --recurse|grep -i malware
Advanced Analysis
Memory Strings Analysis
# Extract ASCII strings
vol -f memory.dmp windows.strings
# Extract Unicode strings
vol -f memory.dmp windows.strings --strings-file strings.txt
# Search for specific patterns
vol -f memory.dmp windows.strings|grep -i "contraseña"
# Extract strings from specific proceso
vol -f memory.dmp windows.strings --pid 1234
# Find URLs and domains
| vol -f memory.dmp windows.strings | grep -E "(http | https | ftp)://[^\s]+" |
# Search for email addresses
vol -f memory.dmp windows.strings|grep -E "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\\{2,\\\\}"
Cryptographic Analysis
# Find cifrado claves
vol -f memory.dmp windows.truecryptpassphrase
# Extract cached credenciales
vol -f memory.dmp windows.cachedump
# Find LSA secrets
vol -f memory.dmp windows.lsadump
# Extract contraseña hashes
vol -f memory.dmp windows.hashdump
# Find BitLocker claves
vol -f memory.dmp windows.bitlocker
# Analyze cryptographic artifacts
vol -f memory.dmp yarascan --yara-rules crypto_rules.yar
Timeline Analysis
# Create timeline (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=body --output-file=timeline.body
# Convert to CSV format
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=csv --output-file=timeline.csv
# Analyze specific time range
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=body|grep "2023-12-01"
# Create Mactime timeline
mactime -b timeline.body -d > timeline.txt
# Filter timeline by activity type
grep "m.c" timeline.body > modified_files.txt
Automation Scripts
Comprehensive Análisis de Memoria
#!/bin/bash
# Comprehensive Análisis de Memoria using Volatility
MEMORY_DUMP="$1"
OUTPUT_DIR="volatility_analysis_$(date +%Y%m%d_%H%M%S)"
VOLATILITY_CMD="vol"
if [ -z "$MEMORY_DUMP" ]; then
echo "uso: $0 <memory_dump_file>"
echo "ejemplo: $0 memory.dmp"
exit 1
fi
if [ ! -f "$MEMORY_DUMP" ]; then
echo "Error: Memory dump file not found: $MEMORY_DUMP"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
# Function to run Volatility comando with error handling
run_vol_cmd() \\\\{
local plugin="$1"
local output_file="$2"
local additional_args="$3"
echo "[+] Running $plugin analysis..."
if [ -n "$additional_args" ]; then
$VOLATILITY_CMD -f "$MEMORY_DUMP" $plugin $additional_args > "$OUTPUT_DIR/$output_file" 2>&1
else
$VOLATILITY_CMD -f "$MEMORY_DUMP" $plugin > "$OUTPUT_DIR/$output_file" 2>&1
fi
if [ $? -eq 0 ]; then
echo " [+] $plugin analysis completed: $output_file"
return 0
else
echo " [-] $plugin analysis failed"
return 1
fi
\\\\}
# Function to analyze system information
analyze_system_info() \\\\{
echo "[+] Analyzing system information"
run_vol_cmd "windows.info" "system_info.txt"
# Extract clave system information
if [ -f "$OUTPUT_DIR/system_info.txt" ]; then
| grep -E "(Kernel | System time | NTBuildLab)" "$OUTPUT_DIR/system_info.txt" > "$OUTPUT_DIR/system_summary.txt" |
fi
\\\\}
# Function to analyze procesoes
analyze_procesoes() \\\\{
echo "[+] Analyzing procesoes"
run_vol_cmd "windows.pslist" "proceso_list.txt"
run_vol_cmd "windows.pstree" "proceso_tree.txt"
run_vol_cmd "windows.cmdline" "comando_lines.txt"
run_vol_cmd "windows.psxview" "hidden_procesoes.txt"
run_vol_cmd "windows.malfind" "malicious_code.txt"
# Extract suspicious procesoes
if [ -f "$OUTPUT_DIR/proceso_list.txt" ]; then
# Find procesoes with suspicious names
| grep -iE "(cmd | powershell | wscript | cscript | rundll32 | regsvr32)" "$OUTPUT_DIR/proceso_list.txt" > "$OUTPUT_DIR/suspicious_procesoes.txt" |
# Find procesoes with no parent
awk '$3 == 0 && NR > 1 \\\\{print\\\\}' "$OUTPUT_DIR/proceso_list.txt" > "$OUTPUT_DIR/orphan_procesoes.txt"
fi
\\\\}
# Function to analyze network activity
analyze_network() \\\\{
echo "[+] Analyzing network activity"
run_vol_cmd "windows.netstat" "network_conexións.txt"
# Extract external conexións
if [ -f "$OUTPUT_DIR/network_conexións.txt" ]; then
| grep -vE "(127\.0\.0\.1 | 0\.0\.0\.0 | ::1)" "$OUTPUT_DIR/network_conexións.txt" > "$OUTPUT_DIR/external_conexións.txt" |
# Extract unique remote IPs
| awk '\\\\{print $3\\\\}' "$OUTPUT_DIR/external_conexións.txt" | cut -d: -f1 | sort -u > "$OUTPUT_DIR/remote_ips.txt" |
fi
\\\\}
# Function to analyze files
analyze_files() \\\\{
echo "[+] Analyzing files"
run_vol_cmd "windows.filescan" "file_list.txt"
# Find executable files
if [ -f "$OUTPUT_DIR/file_list.txt" ]; then
| grep -iE "\.(exe | dll | sys | bat | cmd | ps1 | vbs | js)$" "$OUTPUT_DIR/file_list.txt" > "$OUTPUT_DIR/executable_files.txt" |
# Find files in temp directories
| grep -iE "(temp | tmp | appdata)" "$OUTPUT_DIR/file_list.txt" > "$OUTPUT_DIR/temp_files.txt" |
fi
\\\\}
# Function to analyze registry
analyze_registry() \\\\{
echo "[+] Analyzing registry"
run_vol_cmd "windows.registry.hivelist" "registry_hives.txt"
# Analyze common autostart locations
local autostart_claves=(
"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
"Software\\Microsoft\\Windows\\CurrentVersion\\Runservicios"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunserviciosOnce"
)
for clave in "$\\\\{autostart_claves[@]\\\\}"; do
local safe_clave=$(echo "$clave"|tr '\\' '_')
run_vol_cmd "windows.registry.printclave" "registry_$\\\\{safe_clave\\\\}.txt" "--clave \"$clave\""
done
\\\\}
# Function to extract strings
extract_strings() \\\\{
echo "[+] Extracting strings"
run_vol_cmd "windows.strings" "all_strings.txt"
if [ -f "$OUTPUT_DIR/all_strings.txt" ]; then
# Extract URLs
| grep -oE "(http | https | ftp)://[^\s]+" "$OUTPUT_DIR/all_strings.txt" | sort -u > "$OUTPUT_DIR/urls.txt" |
# Extract email addresses
grep -oE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\\{2,\\\\}" "$OUTPUT_DIR/all_strings.txt"|sort -u > "$OUTPUT_DIR/email_addresses.txt"
# Extract IP addresses
grep -oE "([0-9]\\\\{1,3\\\\}\.)\\\\{3\\\\}[0-9]\\\\{1,3\\\\}" "$OUTPUT_DIR/all_strings.txt"|sort -u > "$OUTPUT_DIR/ip_addresses.txt"
# Extract potential contraseñas
| grep -iE "(contraseña | passwd | pwd | pass)" "$OUTPUT_DIR/all_strings.txt" > "$OUTPUT_DIR/potential_contraseñas.txt" |
fi
\\\\}
# Function to perform YARA scanning
yara_scan() \\\\{
echo "[+] Performing YARA scanning"
# Create basic malware detection rules
cat > "$OUTPUT_DIR/basic_malware.yar" << 'EOF'
rule Suspicious_Strings \\\\{
strings:
$s1 = "cmd.exe" nocase
$s2 = "powershell" nocase
$s3 = "rundll32" nocase
$s4 = "regsvr32" nocase
$s5 = "wscript" nocase
$s6 = "cscript" nocase
condition:
any of them
\\\\}
rule Network_Indicators \\\\{
strings:
$n1 = "http://" nocase
$n2 = "https://" nocase
$n3 = "ftp://" nocase
$n4 = "tcp://" nocase
condition:
any of them
\\\\}
rule Crypto_Indicators \\\\{
strings:
$c1 = "AES" nocase
$c2 = "RSA" nocase
$c3 = "encrypt" nocase
$c4 = "decrypt" nocase
$c5 = "cipher" nocase
condition:
any of them
\\\\}
EOF
run_vol_cmd "yarascan" "yara_scan_results.txt" "--yara-rules $OUTPUT_DIR/basic_malware.yar"
\\\\}
# Function to generate analysis repuerto
generate_repuerto() \\\\{
echo "[+] Generating analysis repuerto"
local repuerto_file="$OUTPUT_DIR/analysis_repuerto.html"
cat > "$repuerto_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>Volatility Análisis de Memoria Repuerto</title>
<style>
body \\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}
.header \\\\{ background-color: #f0f0f0; padding: 20px; border-radius: 5px; \\\\}
.section \\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; \\\\}
.warning \\\\{ background-color: #fff3cd; border-color: #ffeaa7; \\\\}
.critical \\\\{ background-color: #ffebee; border-color: #f44336; \\\\}
table \\\\{ border-collapse: collapse; width: 100%; \\\\}
th, td \\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}
th \\\\{ background-color: #f2f2f2; \\\\}
pre \\\\{ background-color: #f5f5f5; padding: 10px; border-radius: 3px; overflow-x: auto; \\\\}
.file-list \\\\{ max-height: 300px; overflow-y: auto; \\\\}
</style>
</head>
<body>
<div class="header">
<h1>Volatility Análisis de Memoria Repuerto</h1>
<p><strong>Memory Dump:</strong> $(basename "$MEMORY_DUMP")</p>
<p><strong>Analysis Date:</strong> $(date)</p>
<p><strong>Output Directory:</strong> $OUTPUT_DIR</p>
</div>
EOF
# Add system information
if [ -f "$OUTPUT_DIR/system_summary.txt" ]; then
cat >> "$repuerto_file" << EOF
<div class="section">
<h2>System Information</h2>
<pre>$(cat "$OUTPUT_DIR/system_summary.txt")</pre>
</div>
EOF
fi
# Add suspicious procesoes
if [ -f "$OUTPUT_DIR/suspicious_procesoes.txt" ] && [ -s "$OUTPUT_DIR/suspicious_procesoes.txt" ]; then
cat >> "$repuerto_file" << EOF
<div class="section warning">
<h2>⚠️ Suspicious procesoes</h2>
<div class="file-list">
<pre>$(cat "$OUTPUT_DIR/suspicious_procesoes.txt")</pre>
</div>
</div>
EOF
fi
# Add network conexións
if [ -f "$OUTPUT_DIR/external_conexións.txt" ] && [ -s "$OUTPUT_DIR/external_conexións.txt" ]; then
cat >> "$repuerto_file" << EOF
<div class="section">
<h2>External Network conexións</h2>
<div class="file-list">
<pre>$(head -20 "$OUTPUT_DIR/external_conexións.txt")</pre>
</div>
</div>
EOF
fi
# Add URLs found
if [ -f "$OUTPUT_DIR/urls.txt" ] && [ -s "$OUTPUT_DIR/urls.txt" ]; then
cat >> "$repuerto_file" << EOF
<div class="section">
<h2>URLs Found</h2>
<div class="file-list">
<pre>$(head -20 "$OUTPUT_DIR/urls.txt")</pre>
</div>
</div>
EOF
fi
# Add file summary
cat >> "$repuerto_file" << EOF
<div class="section">
<h2>Analysis Summary</h2>
<table>
<tr><th>Category</th><th>Count</th><th>File</th></tr>
| <tr><td>Total procesoes</td><td>$(wc -l < "$OUTPUT_DIR/proceso_list.txt" 2>/dev/null | | echo 0)</td><td>proceso_list.txt</td></tr> |
| <tr><td>Suspicious procesoes</td><td>$(wc -l < "$OUTPUT_DIR/suspicious_procesoes.txt" 2>/dev/null | | echo 0)</td><td>suspicious_procesoes.txt</td></tr> |
| <tr><td>Network conexións</td><td>$(wc -l < "$OUTPUT_DIR/network_conexións.txt" 2>/dev/null | | echo 0)</td><td>network_conexións.txt</td></tr> |
| <tr><td>External conexións</td><td>$(wc -l < "$OUTPUT_DIR/external_conexións.txt" 2>/dev/null | | echo 0)</td><td>external_conexións.txt</td></tr> |
| <tr><td>Files Found</td><td>$(wc -l < "$OUTPUT_DIR/file_list.txt" 2>/dev/null | | echo 0)</td><td>file_list.txt</td></tr> |
| <tr><td>URLs Found</td><td>$(wc -l < "$OUTPUT_DIR/urls.txt" 2>/dev/null | | echo 0)</td><td>urls.txt</td></tr> |
| <tr><td>Email Addresses</td><td>$(wc -l < "$OUTPUT_DIR/email_addresses.txt" 2>/dev/null | | echo 0)</td><td>email_addresses.txt</td></tr> |
</table>
</div>
<div class="section">
<h2>Generated Files</h2>
<ul>
$(ls -1 "$OUTPUT_DIR"/*.txt "$OUTPUT_DIR"/*.yar 2>/dev/null|while read file; do echo " <li>$(basename "$file")</li>"; done)
</ul>
</div>
</body>
</html>
EOF
echo " [+] Analysis repuerto generated: $repuerto_file"
\\\\}
# Function to create investigation summary
create_summary() \\\\{
echo "[+] Creating investigation summary"
local summary_file="$OUTPUT_DIR/investigation_summary.txt"
cat > "$summary_file" << EOF
Volatility Análisis de Memoria Summary
=================================
Memory Dump: $(basename "$MEMORY_DUMP")
Analysis Date: $(date)
Output Directory: $OUTPUT_DIR
clave Findings:
============
System Information:
| $(cat "$OUTPUT_DIR/system_summary.txt" 2>/dev/null | | echo "Not available") |
proceso Analysis:
| - Total procesoes: $(wc -l < "$OUTPUT_DIR/proceso_list.txt" 2>/dev/null | | echo 0) |
| - Suspicious procesoes: $(wc -l < "$OUTPUT_DIR/suspicious_procesoes.txt" 2>/dev/null | | echo 0) |
| - Orphan procesoes: $(wc -l < "$OUTPUT_DIR/orphan_procesoes.txt" 2>/dev/null | | echo 0) |
Análisis de Red:
| - Total conexións: $(wc -l < "$OUTPUT_DIR/network_conexións.txt" 2>/dev/null | | echo 0) |
| - External conexións: $(wc -l < "$OUTPUT_DIR/external_conexións.txt" 2>/dev/null | | echo 0) |
| - Unique remote IPs: $(wc -l < "$OUTPUT_DIR/remote_ips.txt" 2>/dev/null | | echo 0) |
File Analysis:
| - Total files: $(wc -l < "$OUTPUT_DIR/file_list.txt" 2>/dev/null | | echo 0) |
| - Executable files: $(wc -l < "$OUTPUT_DIR/executable_files.txt" 2>/dev/null | | echo 0) |
| - Temp files: $(wc -l < "$OUTPUT_DIR/temp_files.txt" 2>/dev/null | | echo 0) |
String Analysis:
| - URLs found: $(wc -l < "$OUTPUT_DIR/urls.txt" 2>/dev/null | | echo 0) |
| - Email addresses: $(wc -l < "$OUTPUT_DIR/email_addresses.txt" 2>/dev/null | | echo 0) |
| - IP addresses: $(wc -l < "$OUTPUT_DIR/ip_addresses.txt" 2>/dev/null | | echo 0) |
Recommendations:
===============
1. Review suspicious procesoes for malicious activity
2. Investigate external network conexións
3. Analyze files in temporary directories
4. Check autostart registry entries
5. Correlate findings with system logs and network traffic
Next Steps:
==========
1. Extract and analyze suspicious executables
2. Perform deeper Análisis de Malware if needed
3. Check for persistencia mechanisms
4. Validate findings with additional tools
5. Document findings for respuesta a incidentes
Files Generated:
===============
| $(ls -1 "$OUTPUT_DIR" | grep -v "\.html$" | sed 's/^/- /') |
EOF
echo " [+] Investigation summary created: $summary_file"
\\\\}
# Main execution
echo "[+] Starting comprehensive Análisis de Memoria"
echo "[+] Memory dump: $MEMORY_DUMP"
echo "[+] Output directory: $OUTPUT_DIR"
# Check if Volatility is available
if ! comando -v $VOLATILITY_CMD &> /dev/null; then
echo "[-] Volatility not found. Please install Volatility 3."
exit 1
fi
# Perform analysis
analyze_system_info
analyze_procesoes
analyze_network
analyze_files
analyze_registry
extract_strings
yara_scan
# Generate repuertos
generate_repuerto
create_summary
echo "[+] Comprehensive Análisis de Memoria completed"
echo "[+] Results saved in: $OUTPUT_DIR"
echo "[+] Open $OUTPUT_DIR/analysis_repuerto.html for detailed repuerto"
echo "[+] Review $OUTPUT_DIR/investigation_summary.txt for clave findings"
Análisis de Malware Automation
#!/bin/bash
# Automated Análisis de Malware using Volatility
MEMORY_DUMP="$1"
malware_DIR="malware_analysis_$(date +%Y%m%d_%H%M%S)"
YARA_RULES_DIR="/opt/yara-rules"
if [ -z "$MEMORY_DUMP" ]; then
echo "uso: $0 <memory_dump_file>"
exit 1
fi
mkdir -p "$malware_DIR"
# Function to detect proceso injection
detect_injection() \\\\{
echo "[+] Detecting proceso injection"
vol -f "$MEMORY_DUMP" windows.malfind > "$malware_DIR/malfind_results.txt"
# Extract injected code
if [ -s "$malware_DIR/malfind_results.txt" ]; then
echo " [+] Potential code injection detected"
# Extract unique PIDs with injected code
awk '/proceso:/ \\\\{print $2\\\\}' "$malware_DIR/malfind_results.txt"|sort -u > "$malware_DIR/injected_pids.txt"
# Dump memory for each injected proceso
while read pid; do
echo " [+] Dumping memory for PID $pid"
vol -f "$MEMORY_DUMP" windows.memmap --pid "$pid" --dump --output-dir "$malware_DIR/dumps/"
done < "$malware_DIR/injected_pids.txt"
fi
\\\\}
# Function to analyze suspicious procesoes
analyze_suspicious_procesoes() \\\\{
echo "[+] Analyzing suspicious procesoes"
# Get proceso list
vol -f "$MEMORY_DUMP" windows.pslist > "$malware_DIR/proceso_list.txt"
# Find procesoes with suspicious characteristics
cat > "$malware_DIR/suspicious_patterns.txt" << 'EOF'
# Suspicious proceso patterns
cmd.exe
powershell.exe
wscript.exe
cscript.exe
rundll32.exe
regsvr32.exe
mshta.exe
bitsadmin.exe
certutil.exe
schtasks.exe
EOF
# Search for suspicious procesoes
while read pattern; do
if [[ ! "$pattern" =~ ^# ]]; then
grep -i "$pattern" "$malware_DIR/proceso_list.txt" >> "$malware_DIR/suspicious_procesoes.txt"
fi
done < "$malware_DIR/suspicious_patterns.txt"
# Analyze comando lines for suspicious procesoes
if [ -s "$malware_DIR/suspicious_procesoes.txt" ]; then
echo " [+] Found suspicious procesoes, analyzing comando lines"
awk '\\\\{print $2\\\\}' "$malware_DIR/suspicious_procesoes.txt"|while read pid; do
vol -f "$MEMORY_DUMP" windows.cmdline --pid "$pid" >> "$malware_DIR/suspicious_cmdlines.txt"
done
fi
\\\\}
# Function to extract and analyze executables
extract_executables() \\\\{
echo "[+] Extracting suspicious executables"
# Get file list
vol -f "$MEMORY_DUMP" windows.filescan > "$malware_DIR/file_list.txt"
# Find executable files in suspicious locations
| grep -iE "(temp | tmp | appdata | programdata).*\.(exe | dll | sys)$" "$malware_DIR/file_list.txt" > "$malware_DIR/suspicious_files.txt" |
# Extract suspicious files
if [ -s "$malware_DIR/suspicious_files.txt" ]; then
echo " [+] Extracting suspicious files"
mkdir -p "$malware_DIR/extracted_files"
while read line; do
local offset=$(echo "$line"|awk '\\\\{print $1\\\\}')
| local filename=$(echo "$line" | awk '\\\\{print $NF\\\\}' | tr '\\' '_') |
vol -f "$MEMORY_DUMP" windows.dumpfiles --virtaddr "$offset" --output-dir "$malware_DIR/extracted_files/"
done < "$malware_DIR/suspicious_files.txt"
fi
\\\\}
# Function to perform YARA scanning
perform_yara_scan() \\\\{
echo "[+] Performing YARA scanning"
# Create comprehensive malware detection rules
cat > "$malware_DIR/malware_detection.yar" << 'EOF'
rule Suspicious_API_Calls \\\\{
strings:
$api1 = "VirtualAlloc" nocase
$api2 = "VirtualProtect" nocase
$api3 = "CreateRemotehilo" nocase
$api4 = "WriteprocesoMemory" nocase
$api5 = "ReadprocesoMemory" nocase
$api6 = "SetWindowsHookEx" nocase
$api7 = "GetProcAddress" nocase
$api8 = "LoadLibrary" nocase
condition:
3 of them
\\\\}
rule Network_Communication \\\\{
strings:
$net1 = "WinINet" nocase
$net2 = "URLDownloadToFile" nocase
$net3 = "InternetOpen" nocase
$net4 = "InternetConnect" nocase
$net5 = "HttpOpenRequest" nocase
$net6 = "send" nocase
$net7 = "recv" nocase
$net8 = "WSAStartup" nocase
condition:
2 of them
\\\\}
rule persistencia_Mechanisms \\\\{
strings:
$reg1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" nocase
$reg2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" nocase
$svc1 = "Createservicio" nocase
$svc2 = "Startservicio" nocase
$task1 = "schtasks" nocase
$task2 = "at.exe" nocase
condition:
any of them
\\\\}
rule Evasion_Techniques \\\\{
strings:
$eva1 = "IsDebuggerPresent" nocase
$eva2 = "CheckRemoteDebuggerPresent" nocase
$eva3 = "OutputDebugString" nocase
$eva4 = "GetTickCount" nocase
$eva5 = "Sleep" nocase
$eva6 = "VirtualQuery" nocase
condition:
2 of them
\\\\}
rule cifrado_Indicators \\\\{
strings:
$cry1 = "CryptAcquireContext" nocase
$cry2 = "CryptCreatehash" nocase
$cry3 = "CryptEncrypt" nocase
$cry4 = "CryptDecrypt" nocase
$cry5 = "CryptGenclave" nocase
$cry6 = "AES" nocase
$cry7 = "RSA" nocase
$cry8 = "MD5" nocase
$cry9 = "SHA" nocase
condition:
2 of them
\\\\}
EOF
# Perform YARA scan
vol -f "$MEMORY_DUMP" yarascan --yara-rules "$malware_DIR/malware_detection.yar" > "$malware_DIR/yara_results.txt"
# Use external YARA rules if available
if [ -d "$YARA_RULES_DIR" ]; then
echo " [+] Scanning with external YARA rules"
find "$YARA_RULES_DIR" -name "*.yar" -o -name "*.yara"|while read rule_file; do
local rule_name=$(basename "$rule_file" .yar)
vol -f "$MEMORY_DUMP" yarascan --yara-rules "$rule_file" > "$malware_DIR/yara_$\\\\{rule_name\\\\}.txt"
done
fi
\\\\}
# Function to analyze network artifacts
analyze_network_artifacts() \\\\{
echo "[+] Analyzing network artifacts"
# Get network conexións
vol -f "$MEMORY_DUMP" windows.netstat > "$malware_DIR/network_conexións.txt"
# Extract external IPs
| grep -vE "(127\.0\.0\.1 | 0\.0\.0\.0 | ::1 | 192\.168\. | 10\. | 172\.1[6-9]\. | 172\.2[0-9]\. | 172\.3[0-1]\.)" "$malware_DIR/network_conexións.txt" > "$malware_DIR/external_conexións.txt" |
# Extract unique remote IPs
| awk '\\\\{print $3\\\\}' "$malware_DIR/external_conexións.txt" | cut -d: -f1 | sort -u > "$malware_DIR/remote_ips.txt" |
# Analyze remote IPs
if [ -s "$malware_DIR/remote_ips.txt" ]; then
echo " [+] Analyzing remote IP addresses"
while read ip; do
echo "Analyzing IP: $ip" >> "$malware_DIR/ip_analysis.txt"
# Perform reverse DNS lookup
local hostname=$(dig +short -x "$ip" 2>/dev/null|head -1)
echo " hostname: $\\\\{hostname:-No PTR record\\\\}" >> "$malware_DIR/ip_analysis.txt"
# Check if IP is in known malicious ranges (basic check)
| if [[ "$ip" =~ ^(185\.159\. | 91\.121\. | 5\.196\.) ]]; then |
echo " WARNING: IP in potentially suspicious range" >> "$malware_DIR/ip_analysis.txt"
fi
echo "---" >> "$malware_DIR/ip_analysis.txt"
done < "$malware_DIR/remote_ips.txt"
fi
\\\\}
# Function to check for rootkit indicators
check_rootkit_indicators() \\\\{
echo "[+] Checking for rootkit indicators"
# Check SSDT hooks
| vol -f "$MEMORY_DUMP" windows.ssdt > "$malware_DIR/ssdt_hooks.txt" 2>/dev/null | | echo "SSDT analysis not available" |
# Check for hidden procesoes
vol -f "$MEMORY_DUMP" windows.psxview > "$malware_DIR/hidden_procesoes.txt"
# Find procesoes that are hidden from certain detection methods
grep "False" "$malware_DIR/hidden_procesoes.txt" > "$malware_DIR/potentially_hidden.txt"
# Check for API hooks
| vol -f "$MEMORY_DUMP" windows.apihooks > "$malware_DIR/api_hooks.txt" 2>/dev/null | | echo "API hooks analysis not available" |
\\\\}
# Function to generate Análisis de Malware repuerto
generate_malware_repuerto() \\\\{
echo "[+] Generating Análisis de Malware repuerto"
local repuerto_file="$malware_DIR/malware_analysis_repuerto.html"
cat > "$repuerto_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>Análisis de Malware Repuerto</title>
<style>
body \\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}
.header \\\\{ background-color: #f0f0f0; padding: 20px; border-radius: 5px; \\\\}
.section \\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; \\\\}
.critical \\\\{ background-color: #ffebee; border-color: #f44336; \\\\}
.warning \\\\{ background-color: #fff3cd; border-color: #ffeaa7; \\\\}
.info \\\\{ background-color: #e3f2fd; border-color: #2196f3; \\\\}
table \\\\{ border-collapse: collapse; width: 100%; \\\\}
th, td \\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}
th \\\\{ background-color: #f2f2f2; \\\\}
pre \\\\{ background-color: #f5f5f5; padding: 10px; border-radius: 3px; overflow-x: auto; \\\\}
.file-list \\\\{ max-height: 300px; overflow-y: auto; \\\\}
</style>
</head>
<body>
<div class="header">
<h1>🔍 Análisis de Malware Repuerto</h1>
<p><strong>Memory Dump:</strong> $(basename "$MEMORY_DUMP")</p>
<p><strong>Analysis Date:</strong> $(date)</p>
<p><strong>Analyst:</strong> Volatility Automated Analysis</p>
</div>
EOF
# Add executive summary
cat >> "$repuerto_file" << EOF
<div class="section info">
<h2>📋 Executive Summary</h2>
<table>
<tr><th>Indicator</th><th>Count</th><th>Risk Level</th></tr>
| <tr><td>Suspicious procesoes</td><td>$(wc -l < "$malware_DIR/suspicious_procesoes.txt" 2>/dev/null | | echo 0)</td><td>$([ $(wc -l < "$malware_DIR/suspicious_procesoes.txt" 2>/dev/null | | echo 0) -gt 0 ] && echo "High" | | echo "Low")</td></tr> |
| <tr><td>Code Injection Detected</td><td>$(grep -c "proceso:" "$malware_DIR/malfind_results.txt" 2>/dev/null | | echo 0)</td><td>$([ $(grep -c "proceso:" "$malware_DIR/malfind_results.txt" 2>/dev/null | | echo 0) -gt 0 ] && echo "Critical" | | echo "Low")</td></tr> |
| <tr><td>External conexións</td><td>$(wc -l < "$malware_DIR/external_conexións.txt" 2>/dev/null | | echo 0)</td><td>$([ $(wc -l < "$malware_DIR/external_conexións.txt" 2>/dev/null | | echo 0) -gt 5 ] && echo "Medium" | | echo "Low")</td></tr> |
| <tr><td>Hidden procesoes</td><td>$(wc -l < "$malware_DIR/potentially_hidden.txt" 2>/dev/null | | echo 0)</td><td>$([ $(wc -l < "$malware_DIR/potentially_hidden.txt" 2>/dev/null | | echo 0) -gt 0 ] && echo "High" | | echo "Low")</td></tr> |
</table>
</div>
EOF
# Add code injection findings
if [ -s "$malware_DIR/malfind_results.txt" ]; then
cat >> "$repuerto_file" << EOF
<div class="section critical">
<h2>🚨 Code Injection Detected</h2>
<p>Potential code injection has been detected in the following procesoes:</p>
<div class="file-list">
<pre>$(head -50 "$malware_DIR/malfind_results.txt")</pre>
</div>
</div>
EOF
fi
# Add suspicious procesoes
if [ -s "$malware_DIR/suspicious_procesoes.txt" ]; then
cat >> "$repuerto_file" << EOF
<div class="section warning">
<h2>⚠️ Suspicious procesoes</h2>
<div class="file-list">
<pre>$(cat "$malware_DIR/suspicious_procesoes.txt")</pre>
</div>
</div>
EOF
fi
# Add Análisis de Red
if [ -s "$malware_DIR/external_conexións.txt" ]; then
cat >> "$repuerto_file" << EOF
<div class="section warning">
<h2>🌐 External Network conexións</h2>
<div class="file-list">
<pre>$(head -20 "$malware_DIR/external_conexións.txt")</pre>
</div>
</div>
EOF
fi
# Add YARA results
if [ -s "$malware_DIR/yara_results.txt" ]; then
cat >> "$repuerto_file" << EOF
<div class="section info">
<h2>🔍 YARA Detection Results</h2>
<div class="file-list">
<pre>$(cat "$malware_DIR/yara_results.txt")</pre>
</div>
</div>
EOF
fi
# Add recommendations
cat >> "$repuerto_file" << EOF
<div class="section">
<h2>📝 Recommendations</h2>
<ol>
<li><strong>Immediate Actions:</strong>
<ul>
<li>Isolate affected systems from the network</li>
<li>Preserve memory dumps and disk images for further analysis</li>
<li>Check for movimiento lateral indicators</li>
</ul>
</li>
<li><strong>Investigation:</strong>
<ul>
<li>Analyze extracted executables with static analysis tools</li>
<li>Correlate network conexións with firewall logs</li>
<li>Check for persistencia mechanisms in registry and file system</li>
</ul>
</li>
<li><strong>Remediation:</strong>
<ul>
<li>Remove identified malicious procesoes and files</li>
<li>Update antivirus firmas and endpoint protection</li>
<li>Implement network monitoring for identified IOCs</li>
</ul>
</li>
</ol>
</div>
<div class="section">
<h2>📁 Generated Files</h2>
<ul>
| $(ls -1 "$malware_DIR" | grep -v "\.html$" | while read file; do echo " <li>$file</li>"; done) |
</ul>
</div>
</body>
</html>
EOF
echo " [+] Análisis de Malware repuerto generated: $repuerto_file"
\\\\}
# Main execution
echo "[+] Starting automated Análisis de Malware"
echo "[+] Memory dump: $MEMORY_DUMP"
echo "[+] Output directory: $malware_DIR"
# Perform Análisis de Malware
detect_injection
analyze_suspicious_procesoes
extract_executables
perform_yara_scan
analyze_network_artifacts
check_rootkit_indicators
# Generate repuerto
generate_malware_repuerto
echo "[+] Automated Análisis de Malware completed"
echo "[+] Results saved in: $malware_DIR"
echo "[+] Open $malware_DIR/malware_analysis_repuerto.html for detailed findings"
# Display summary
echo ""
echo "=== ANALYSIS SUMMARY ==="
| echo "Suspicious procesoes: $(wc -l < "$malware_DIR/suspicious_procesoes.txt" 2>/dev/null | | echo 0)" |
| echo "Code injection detected: $(grep -c "proceso:" "$malware_DIR/malfind_results.txt" 2>/dev/null | | echo 0)" |
| echo "External conexións: $(wc -l < "$malware_DIR/external_conexións.txt" 2>/dev/null | | echo 0)" |
| echo "Hidden procesoes: $(wc -l < "$malware_DIR/potentially_hidden.txt" 2>/dev/null | | echo 0)" |
echo "========================"
Timeline Analysis
#!/bin/bash
# Timeline analysis using Volatility
MEMORY_DUMP="$1"
TIMELINE_DIR="timeline_analysis_$(date +%Y%m%d_%H%M%S)"
if [ -z "$MEMORY_DUMP" ]; then
echo "uso: $0 <memory_dump_file>"
exit 1
fi
mkdir -p "$TIMELINE_DIR"
# Function to create comprehensive timeline
create_timeline() \\\\{
echo "[+] Creating comprehensive timeline"
# Note: Timeline functionality varies between Volatility versions
# This ejemplo shows both Vol2 and Vol3 approaches
# For Volatility 2 (if available)
if comando -v vol2 &> /dev/null; then
echo " [+] Creating timeline with Volatility 2"
# Determine profile first
| local profile=$(vol2 -f "$MEMORY_DUMP" imageinfo | grep "Suggested Profile" | head -1 | awk '\\\\{print $4\\\\}' | tr -d ',') |
if [ -n "$profile" ]; then
# Create body file
vol2 -f "$MEMORY_DUMP" --profile="$profile" timeliner --output=body --output-file="$TIMELINE_DIR/timeline.body"
# Convert to readable format
if [ -f "$TIMELINE_DIR/timeline.body" ]; then
mactime -b "$TIMELINE_DIR/timeline.body" -d > "$TIMELINE_DIR/timeline_readable.txt"
fi
fi
fi
# Alternative approach: Extract timestamps from various sources
echo " [+] Extracting timestamps from various sources"
# proceso creation times
vol -f "$MEMORY_DUMP" windows.pslist > "$TIMELINE_DIR/proceso_times.txt"
# File modification times
vol -f "$MEMORY_DUMP" windows.filescan > "$TIMELINE_DIR/file_times.txt"
# Registry timestamps (if available)
vol -f "$MEMORY_DUMP" windows.registry.hivelist > "$TIMELINE_DIR/registry_times.txt"
\\\\}
# Function to analyze proceso timeline
analyze_proceso_timeline() \\\\{
echo "[+] Analyzing proceso timeline"
# Extract proceso creation times and sort chronologically
awk 'NR>1 \\\\{print $6, $7, $2, $3, $4\\\\}' "$TIMELINE_DIR/proceso_times.txt"|sort > "$TIMELINE_DIR/proceso_chronology.txt"
# Find procesoes created in quick succession (potential malware)
cat > "$TIMELINE_DIR/rapid_proceso_creation.py" << 'EOF'
#!/usr/bin/env python3
impuerto sys
from datetime impuerto datetime
def parse_timestamp(ts_str):
try:
return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
except:
return None
def analyze_rapid_creation(filename):
procesoes = []
with open(filename, 'r') as f:
for line in f:
parts = line.strip().split()
if len(parts) >= 5:
date_str = parts[0]
time_str = parts[1]
pid = parts[2]
ppid = parts[3]
name = parts[4]
timestamp = parse_timestamp(f"\\\\{date_str\\\\} \\\\{time_str\\\\}")
if timestamp:
procesoes.append((timestamp, pid, ppid, name))
# Sort by timestamp
procesoes.sort(clave=lambda x: x[0])
# Find rapid succession (within 10 seconds)
rapid_groups = []
current_group = []
for i, (ts, pid, ppid, name) in enumerate(procesoes):
if not current_group:
current_group = [(ts, pid, ppid, name)]
else:
time_diff = (ts - current_group[-1][0]).total_seconds()
if time_diff <= 10:
current_group.append((ts, pid, ppid, name))
else:
if len(current_group) >= 3:
rapid_groups.append(current_group)
current_group = [(ts, pid, ppid, name)]
# Check last group
if len(current_group) >= 3:
rapid_groups.append(current_group)
return rapid_groups
if __name__ == "__main__":
if len(sys.argv) != 2:
print("uso: python3 rapid_proceso_creation.py <proceso_chronology_file>")
sys.exit(1)
rapid_groups = analyze_rapid_creation(sys.argv[1])
if rapid_groups:
print("Rapid proceso Creation Detected:")
print("=" * 50)
for i, group in enumerate(rapid_groups):
print(f"\nGroup \\\\{i+1\\\\} (\\\\{len(group)\\\\} procesoes):")
for ts, pid, ppid, name in group:
print(f" \\\\{ts\\\\} - PID:\\\\{pid\\\\} PPID:\\\\{ppid\\\\} \\\\{name\\\\}")
else:
print("No rapid proceso creation patterns detected.")
EOF
python3 "$TIMELINE_DIR/rapid_proceso_creation.py" "$TIMELINE_DIR/proceso_chronology.txt" > "$TIMELINE_DIR/rapid_creation_analysis.txt"
\\\\}
# Function to create visual timeline
create_visual_timeline() \\\\{
echo "[+] Creating visual timeline"
cat > "$TIMELINE_DIR/create_timeline_chart.py" << 'EOF'
#!/usr/bin/env python3
impuerto matplotlib.pyplot as plt
impuerto matplotlib.dates as mdates
from datetime impuerto datetime
impuerto sys
def create_timeline_chart(proceso_file, output_file):
timestamps = []
procesoes = []
try:
with open(proceso_file, 'r') as f:
for line in f:
parts = line.strip().split()
if len(parts) >= 5:
try:
date_str = parts[0]
time_str = parts[1]
name = parts[4]
timestamp = datetime.strptime(f"\\\\{date_str\\\\} \\\\{time_str\\\\}", "%Y-%m-%d %H:%M:%S")
timestamps.append(timestamp)
procesoes.append(name)
except:
continue
if not timestamps:
print("No valid timestamps found")
return
# Create timeline chart
fig, ax = plt.subplots(figsize=(15, 8))
# Plot proceso creation events
y_positions = range(len(timestamps))
ax.scatter(timestamps, y_positions, alpha=0.6, s=50)
# Format x-axis
ax.xaxis.set_major_formatter(mdates.DateFormatter('%H:%M:%S'))
ax.xaxis.set_major_locator(mdates.HourLocator(interval=1))
plt.xticks(rotation=45)
# Add labels
ax.set_xlabel('Time')
ax.set_ylabel('proceso Creation Events')
ax.set_title('proceso Creation Timeline')
# Add grid
ax.grid(True, alpha=0.3)
plt.tight_layout()
plt.savefig(output_file, dpi=300, bbox_inches='tight')
print(f"Timeline chart saved: \\\\{output_file\\\\}")
except Exception as e:
print(f"Error creating timeline chart: \\\\{e\\\\}")
if __name__ == "__main__":
if len(sys.argv) != 3:
print("uso: python3 create_timeline_chart.py <proceso_file> <output_file>")
sys.exit(1)
create_timeline_chart(sys.argv[1], sys.argv[2])
EOF
# Install matplotlib if not available
| pip3 install matplotlib &>/dev/null | | echo "Warning: matplotlib not available for timeline visualization" |
# Create timeline chart
| python3 "$TIMELINE_DIR/create_timeline_chart.py" "$TIMELINE_DIR/proceso_chronology.txt" "$TIMELINE_DIR/proceso_timeline.png" 2>/dev/null | | echo "Timeline visualization skipped" |
\\\\}
# Function to correlate events
correlate_events() \\\\{
echo "[+] Correlating timeline events"
cat > "$TIMELINE_DIR/event_correlation.txt" << EOF
Timeline Event Correlation Analysis
==================================
Analysis Date: $(date)
Memory Dump: $(basename "$MEMORY_DUMP")
proceso Timeline Analysis:
| $(cat "$TIMELINE_DIR/rapid_creation_analysis.txt" 2>/dev/null | | echo "No rapid creation patterns detected") |
clave Observations:
================
EOF
# Analyze proceso parent-child relationships
echo "proceso Parent-Child Relationships:" >> "$TIMELINE_DIR/event_correlation.txt"
vol -f "$MEMORY_DUMP" windows.pstree >> "$TIMELINE_DIR/event_correlation.txt"
# Look for suspicious timing patterns
echo "" >> "$TIMELINE_DIR/event_correlation.txt"
echo "Timing Pattern Analysis:" >> "$TIMELINE_DIR/event_correlation.txt"
# Find procesoes created at unusual times (e.g., outside business hours)
awk 'NR>1 \\\\{
split($7, time_parts, ":");
hour = time_parts[1];
| if (hour < 6 | | hour > 22) \\\\{ |
print "Unusual time: " $0;
\\\\}
\\\\}' "$TIMELINE_DIR/proceso_times.txt" >> "$TIMELINE_DIR/event_correlation.txt"
\\\\}
# Function to generate timeline repuerto
generate_timeline_repuerto() \\\\{
echo "[+] Generating timeline analysis repuerto"
local repuerto_file="$TIMELINE_DIR/timeline_repuerto.html"
cat > "$repuerto_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>Timeline Analysis Repuerto</title>
<style>
body \\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}
.header \\\\{ background-color: #f0f0f0; padding: 20px; border-radius: 5px; \\\\}
.section \\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; \\\\}
.timeline \\\\{ background-color: #e8f5e9; border-color: #4caf50; \\\\}
.warning \\\\{ background-color: #fff3cd; border-color: #ffeaa7; \\\\}
table \\\\{ border-collapse: collapse; width: 100%; \\\\}
th, td \\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}
th \\\\{ background-color: #f2f2f2; \\\\}
pre \\\\{ background-color: #f5f5f5; padding: 10px; border-radius: 3px; overflow-x: auto; \\\\}
.file-list \\\\{ max-height: 400px; overflow-y: auto; \\\\}
.chart \\\\{ text-align: center; margin: 20px 0; \\\\}
</style>
</head>
<body>
<div class="header">
<h1>⏰ Timeline Analysis Repuerto</h1>
<p><strong>Memory Dump:</strong> $(basename "$MEMORY_DUMP")</p>
<p><strong>Analysis Date:</strong> $(date)</p>
<p><strong>Timeline Scope:</strong> proceso creation and system events</p>
</div>
EOF
# Add timeline visualization if available
if [ -f "$TIMELINE_DIR/proceso_timeline.png" ]; then
cat >> "$repuerto_file" << EOF
<div class="section timeline">
<h2>📊 proceso Creation Timeline</h2>
<div class="chart">
<img src="proceso_timeline.png" alt="proceso Timeline Chart" style="max-width: 100%; height: auto;">
</div>
</div>
EOF
fi
# Add rapid creation analysis
if [ -s "$TIMELINE_DIR/rapid_creation_analysis.txt" ]; then
cat >> "$repuerto_file" << EOF
<div class="section warning">
<h2>⚡ Rapid proceso Creation Analysis</h2>
<div class="file-list">
<pre>$(cat "$TIMELINE_DIR/rapid_creation_analysis.txt")</pre>
</div>
</div>
EOF
fi
# Add proceso chronology
cat >> "$repuerto_file" << EOF
<div class="section">
<h2>📋 proceso Chronology</h2>
<div class="file-list">
| <pre>$(head -50 "$TIMELINE_DIR/proceso_chronology.txt" 2>/dev/null | | echo "proceso chronology not available")</pre> |
</div>
</div>
EOF
# Add event correlation
if [ -f "$TIMELINE_DIR/event_correlation.txt" ]; then
cat >> "$repuerto_file" << EOF
<div class="section">
<h2>🔗 Event Correlation Analysis</h2>
<div class="file-list">
<pre>$(cat "$TIMELINE_DIR/event_correlation.txt")</pre>
</div>
</div>
EOF
fi
# Add summary statistics
cat >> "$repuerto_file" << EOF
<div class="section">
<h2>📈 Timeline Statistics</h2>
<table>
<tr><th>Metric</th><th>Value</th></tr>
| <tr><td>Total procesoes Analyzed</td><td>$(wc -l < "$TIMELINE_DIR/proceso_times.txt" 2>/dev/null | | echo 0)</td></tr> |
| <tr><td>Chronological Events</td><td>$(wc -l < "$TIMELINE_DIR/proceso_chronology.txt" 2>/dev/null | | echo 0)</td></tr> |
| <tr><td>Timeline Span</td><td>$(head -1 "$TIMELINE_DIR/proceso_chronology.txt" 2>/dev/null | awk '\\\\{print $1, $2\\\\}') to $(tail -1 "$TIMELINE_DIR/proceso_chronology.txt" 2>/dev/null | awk '\\\\{print $1, $2\\\\}')</td></tr> |
</table>
</div>
<div class="section">
<h2>📁 Generated Files</h2>
<ul>
| $(ls -1 "$TIMELINE_DIR" | grep -v "\.html$" | while read file; do echo " <li>$file</li>"; done) |
</ul>
</div>
<div class="section">
<h2>🎯 clave Findings & Recommendations</h2>
<ul>
<li><strong>proceso Creation Patterns:</strong> Review rapid proceso creation events for potential malware activity</li>
<li><strong>Timing Analysis:</strong> Investigate procesoes created during unusual hours</li>
<li><strong>Parent-Child Relationships:</strong> Analyze proceso trees for suspicious spawning patterns</li>
<li><strong>Correlation:</strong> Cross-reference timeline events with network logs and file system changes</li>
</ul>
</div>
</body>
</html>
EOF
echo " [+] Timeline analysis repuerto generated: $repuerto_file"
\\\\}
# Main execution
echo "[+] Starting timeline analysis"
echo "[+] Memory dump: $MEMORY_DUMP"
echo "[+] Output directory: $TIMELINE_DIR"
# Perform timeline analysis
create_timeline
analyze_proceso_timeline
create_visual_timeline
correlate_events
# Generate repuerto
generate_timeline_repuerto
echo "[+] Timeline analysis completed"
echo "[+] Results saved in: $TIMELINE_DIR"
echo "[+] Open $TIMELINE_DIR/timeline_repuerto.html for detailed timeline analysis"
Integration with Other Tools
Rekall Integration
# Use Rekall for additional analysis
rekall -f memory.dmp pslist
# Compare Volatility and Rekall results
vol -f memory.dmp windows.pslist > vol_pslist.txt
rekall -f memory.dmp pslist > rekall_pslist.txt
diff vol_pslist.txt rekall_pslist.txt
YARA Integration
# Create custom YARA rules
cat > custom_rules.yar << 'EOF'
rule Suspicious_proceso_Names \\\\{
strings:
$s1 = "svchost.exe" nocase
$s2 = "explorer.exe" nocase
$s3 = "winlogon.exe" nocase
condition:
any of them
\\\\}
EOF
# Scan memory with YARA rules
vol -f memory.dmp yarascan --yara-rules custom_rules.yar
Bulk Extractor Integration
# Extract strings and artifacts with bulk_extractor
bulk_extractor -o bulk_output memory.dmp
# Compare with Volatility strings
vol -f memory.dmp windows.strings > vol_strings.txt
diff vol_strings.txt bulk_output/telephone.txt
solución de problemas
Common Issues
Profile Detection Problems
# Manual profile specification (Vol 2)
vol2 -f memory.dmp --profile=Win10x64_19041 pslist
# List available profiles
vol2 --info|grep "Win"
# Use kdbgscan for profile detection
vol2 -f memory.dmp kdbgscan
Memory Corruption
# Check for memory corruption
vol -f memory.dmp windows.info|grep -i corrupt
# Use alternative scanning methods
vol -f memory.dmp windows.psscan
vol -f memory.dmp windows.filescan
Large Memory Dumps
# proceso large dumps efficiently
vol -f memory.dmp windows.pslist --output-file pslist.txt
# Use specific address ranges
vol -f memory.dmp windows.vadinfo --pid 1234 --address 0x12345678
Plugin Errors
# Check plugin availability
vol --list-plugins
# Get plugin help
vol windows.pslist -h
# Debug plugin execution
vol -f memory.dmp windows.pslist -vv
Performance Optimization
# Use output files to avoid re-procesoing
vol -f memory.dmp windows.pslist -o pslist.txt
# Limit output for large datasets
vol -f memory.dmp windows.filescan|head -1000
# Use specific PIDs for objetivoed analysis
vol -f memory.dmp windows.handles --pid 1234
# Parallel procesoing for multiple dumps
for dump in *.dmp; do
vol -f "$dump" windows.pslist > "$\\\\{dump%.dmp\\\\}_pslist.txt" &
done
wait
Resources
- Volatility Foundation
- Volatility 3 documentación
- Volatility GitHub Repository
- Memory Forensics with Volatility
- forense digital Framework
- YARA Rules Repository
- Análisis de Memoria Techniques
This hoja de trucos provides a comprehensive reference for using Volatility for memory forensics analysis. Always ensure proper legal autorización before analyzing memory dumps and follow your organization's forensic procedures and chain of custody requirements.