Volatility aide-mémoire
Overview
Volatility is an advanced memory forensics framework written in Python that provides a comprehensive platform for extracting digital artifacts from volatile memory (RAM) samples. Developed by the Volatility Foundation, this powerful tool enables criminalistique numérique investigators, incident responders, and logiciel malveillant analysts to analyze memory dumps from Windows, Linux, macOS, and Android systems. Volatility can extract a wide range of information including running processuses, network connexions, loaded modules, registry data, cached files, chiffrement clés, and evidence of logiciel malveillant activity. Its plugin-based architecture makes it highly extensible, allowing researchers to develop custom analysis modules for specific investigation needs.
⚠️ Legal Notice: Volatility should only be used for legitimate forensic analysis, réponse aux incidents, and authorized security research. Ensure you have proper legal authority before analyzing memory dumps, and follow your organization's data handling and privacy policies.
Installation
Volatility 3 Installation (Recommended)
# Install via pip (Python 3.6+)
pip3 install volatility3
# Install from GitHub (latest development version)
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt
python3 setup.py install
# Verify Installation
vol -h
# Install additional dependencies
pip3 install yara-python pycryptodome capstone distorm3
Volatility 2 Installation (Legacy)
# Install Volatility 2 (Python 2.7)
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python2 setup.py install
# Install dependencies
pip2 install distorm3 yara-python pycrypto openpyxl ujson
# Verify Installation
python2 vol.py -h
# Create alias for easier utilisation
echo 'alias vol2="python2 /path/to/volatility/vol.py"' >> ~/.bashrc
Docker Installation
# Pull Volatility Docker image
docker pull phocean/volatility
# Run Volatility in Docker
docker run --rm -v $(pwd):/dumps phocean/volatility -f /dumps/memory.dmp imageinfo
# Create alias for Docker utilisation
echo 'alias vol="docker run --rm -v $(pwd):/dumps phocean/volatility"' >> ~/.bashrc
source ~/.bashrc
# Run with specific memory dump
vol -f memory.dmp --profile=Win7SP1x64 pslist
Ubuntu/Debian Installation
# Install from package repository
sudo apt update
sudo apt install volatility3-tools
# Install additional tools
sudo apt install python3-pip python3-dev build-essential
pip3 install volatility3
# Install legacy Volatility 2
sudo apt install volatility-tools
# Verify Installations
vol -h
volatility -h
Windows Installation
# Download standalone executable from GitHub releases
# https://github.com/volatilityfoundation/volatility3/releases
# Or install via Python
pip install volatility3
# Install Python dependencies
pip install yara-python pycryptodome capstone distorm3
# Verify Installation
vol.exe -h
Basic utilisation
Memory Dump Analysis Workflow
# Step 1: Identify the operating system and version
vol -f memory.dmp windows.info
# Step 2: List running processuses
vol -f memory.dmp windows.pslist
# Step 3: Analyze network connexions
vol -f memory.dmp windows.netstat
# Step 4: Examine loaded modules
vol -f memory.dmp windows.modules
# Step 5: Check for malicious processuses
vol -f memory.dmp windows.malfind
# Step 6: Extract suspicious files
vol -f memory.dmp windows.dumpfiles --pid 1234
Volatility 2 Legacy commandes
# Identify image information (Volatility 2)
vol2 -f memory.dmp imageinfo
# Use specific profile
vol2 -f memory.dmp --profile=Win7SP1x64 pslist
# List available plugins
vol2 --info
# Get plugin help
vol2 pslist -h
Basic System Information
# Get system information (Vol 3)
vol -f memory.dmp windows.info
# Get system information (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 imageinfo
# Check system uptime
vol -f memory.dmp windows.info|grep "System time"
# Get kernel information
vol -f memory.dmp windows.info|grep "Kernel"
# Check for hibernation file
vol -f memory.dmp windows.info|grep "hibernation"
processus Analysis
processus Listing and Analysis
# List all processuses (Vol 3)
vol -f memory.dmp windows.pslist
# List processuses with parent-child relationships
vol -f memory.dmp windows.pstree
# Show processus commande lines
vol -f memory.dmp windows.cmdline
# List processuses with detailed information
vol -f memory.dmp windows.pslist --pid 1234
# Find hidden processuses
vol -f memory.dmp windows.psxview
# Scan for processus objects
vol -f memory.dmp windows.psscan
processus Analyse Mémoire
# Dump processus memory
vol -f memory.dmp windows.memmap --pid 1234 --dump
# Extract processus executable
vol -f memory.dmp windows.procdump --pid 1234
# Analyze processus handles
vol -f memory.dmp windows.handles --pid 1234
# Check processus privileges
vol -f memory.dmp windows.privileges --pid 1234
# Examine processus environment variables
vol -f memory.dmp windows.envars --pid 1234
# Analyze processus VAD (Virtual Address Descriptor)
vol -f memory.dmp windows.vadinfo --pid 1234
logiciel malveillant Detection
# Detect code injection
vol -f memory.dmp windows.malfind
# Scan for YARA rules
vol -f memory.dmp yarascan --yara-rules logiciel malveillant_rules.yar
# Check for API hooks
vol -f memory.dmp windows.apihooks
# Detect rootkits
vol -f memory.dmp windows.ssdt
# Find suspicious processuses
vol -f memory.dmp windows.psxview|grep False
# Check for processus hollowing
vol -f memory.dmp windows.hollowfind
Analyse Réseau
Network connexions
# List network connexions (Vol 3)
vol -f memory.dmp windows.netstat
# List network connexions (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 netscan
# Show listening sockets
vol -f memory.dmp windows.netstat|grep LISTEN
# Find connexions by processus
vol -f memory.dmp windows.netstat --pid 1234
# Analyze network artifacts
vol -f memory.dmp windows.netscan
# Extract network configuration
vol -f memory.dmp windows.netstat -v
DNS and Network Artifacts
# Extract DNS cache (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 dnscache
# Find network-related strings
| vol -f memory.dmp windows.strings | grep -E "(http | ftp | smtp | dns)" |
# Analyze browser artifacts
vol -f memory.dmp windows.iehistory
# Extract network configuration
vol -f memory.dmp windows.netstat --verbose
File System Analysis
File and Directory Analysis
# List files (Vol 3)
vol -f memory.dmp windows.filescan
# List files (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 filescan
# Dump specific files
vol -f memory.dmp windows.dumpfiles --virtaddr 0x12345678
# Find files by name
vol -f memory.dmp windows.filescan|grep "logiciel malveillant.exe"
# Extract MFT records
vol -f memory.dmp windows.mftscan
# Analyze file handles
vol -f memory.dmp windows.handles --object-type File
Registry Analysis
# List registry hives
vol -f memory.dmp windows.registry.hivelist
# Print registry clés
vol -f memory.dmp windows.registry.printclé --clé "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# Dump registry hive
vol -f memory.dmp windows.registry.hivescan --dump
# Extract user assist data
vol -f memory.dmp windows.registry.userassist
# Analyze registry artifacts
vol -f memory.dmp windows.registry.printclé --clé "SYSTEM\\CurrentControlSet\\services"
# Find registry clés by pattern
vol -f memory.dmp windows.registry.printclé --clé "Software" --recurse|grep -i logiciel malveillant
Advanced Analysis
Memory Strings Analysis
# Extract ASCII strings
vol -f memory.dmp windows.strings
# Extract Unicode strings
vol -f memory.dmp windows.strings --strings-file strings.txt
# Search for specific patterns
vol -f memory.dmp windows.strings|grep -i "mot de passe"
# Extract strings from specific processus
vol -f memory.dmp windows.strings --pid 1234
# Find URLs and domains
| vol -f memory.dmp windows.strings | grep -E "(http | https | ftp)://[^\s]+" |
# Search for email addresses
vol -f memory.dmp windows.strings|grep -E "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\\{2,\\\\}"
Cryptographic Analysis
# Find chiffrement clés
vol -f memory.dmp windows.truecryptpassphrase
# Extract cached identifiants
vol -f memory.dmp windows.cachedump
# Find LSA secrets
vol -f memory.dmp windows.lsadump
# Extract mot de passe hashes
vol -f memory.dmp windows.hashdump
# Find BitLocker clés
vol -f memory.dmp windows.bitlocker
# Analyze cryptographic artifacts
vol -f memory.dmp yarascan --yara-rules crypto_rules.yar
Timeline Analysis
# Create timeline (Vol 2)
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=body --output-file=timeline.body
# Convert to CSV format
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=csv --output-file=timeline.csv
# Analyze specific time range
vol2 -f memory.dmp --profile=Win7SP1x64 timeliner --output=body|grep "2023-12-01"
# Create Mactime timeline
mactime -b timeline.body -d > timeline.txt
# Filter timeline by activity type
grep "m.c" timeline.body > modified_files.txt
Automation Scripts
Comprehensive Analyse Mémoire
#!/bin/bash
# Comprehensive Analyse Mémoire using Volatility
MEMORY_DUMP="$1"
OUTPUT_DIR="volatility_analysis_$(date +%Y%m%d_%H%M%S)"
VOLATILITY_CMD="vol"
if [ -z "$MEMORY_DUMP" ]; then
echo "utilisation: $0 <memory_dump_file>"
echo "exemple: $0 memory.dmp"
exit 1
fi
if [ ! -f "$MEMORY_DUMP" ]; then
echo "Error: Memory dump file not found: $MEMORY_DUMP"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
# Function to run Volatility commande with error handling
run_vol_cmd() \\\\{
local plugin="$1"
local output_file="$2"
local additional_args="$3"
echo "[+] Running $plugin analysis..."
if [ -n "$additional_args" ]; then
$VOLATILITY_CMD -f "$MEMORY_DUMP" $plugin $additional_args > "$OUTPUT_DIR/$output_file" 2>&1
else
$VOLATILITY_CMD -f "$MEMORY_DUMP" $plugin > "$OUTPUT_DIR/$output_file" 2>&1
fi
if [ $? -eq 0 ]; then
echo " [+] $plugin analysis completed: $output_file"
return 0
else
echo " [-] $plugin analysis failed"
return 1
fi
\\\\}
# Function to analyze system information
analyze_system_info() \\\\{
echo "[+] Analyzing system information"
run_vol_cmd "windows.info" "system_info.txt"
# Extract clé system information
if [ -f "$OUTPUT_DIR/system_info.txt" ]; then
| grep -E "(Kernel | System time | NTBuildLab)" "$OUTPUT_DIR/system_info.txt" > "$OUTPUT_DIR/system_summary.txt" |
fi
\\\\}
# Function to analyze processuses
analyze_processuses() \\\\{
echo "[+] Analyzing processuses"
run_vol_cmd "windows.pslist" "processus_list.txt"
run_vol_cmd "windows.pstree" "processus_tree.txt"
run_vol_cmd "windows.cmdline" "commande_lines.txt"
run_vol_cmd "windows.psxview" "hidden_processuses.txt"
run_vol_cmd "windows.malfind" "malicious_code.txt"
# Extract suspicious processuses
if [ -f "$OUTPUT_DIR/processus_list.txt" ]; then
# Find processuses with suspicious names
| grep -iE "(cmd | powershell | wscript | cscript | rundll32 | regsvr32)" "$OUTPUT_DIR/processus_list.txt" > "$OUTPUT_DIR/suspicious_processuses.txt" |
# Find processuses with no parent
awk '$3 == 0 && NR > 1 \\\\{print\\\\}' "$OUTPUT_DIR/processus_list.txt" > "$OUTPUT_DIR/orphan_processuses.txt"
fi
\\\\}
# Function to analyze network activity
analyze_network() \\\\{
echo "[+] Analyzing network activity"
run_vol_cmd "windows.netstat" "network_connexions.txt"
# Extract external connexions
if [ -f "$OUTPUT_DIR/network_connexions.txt" ]; then
| grep -vE "(127\.0\.0\.1 | 0\.0\.0\.0 | ::1)" "$OUTPUT_DIR/network_connexions.txt" > "$OUTPUT_DIR/external_connexions.txt" |
# Extract unique remote IPs
| awk '\\\\{print $3\\\\}' "$OUTPUT_DIR/external_connexions.txt" | cut -d: -f1 | sort -u > "$OUTPUT_DIR/remote_ips.txt" |
fi
\\\\}
# Function to analyze files
analyze_files() \\\\{
echo "[+] Analyzing files"
run_vol_cmd "windows.filescan" "file_list.txt"
# Find executable files
if [ -f "$OUTPUT_DIR/file_list.txt" ]; then
| grep -iE "\.(exe | dll | sys | bat | cmd | ps1 | vbs | js)$" "$OUTPUT_DIR/file_list.txt" > "$OUTPUT_DIR/executable_files.txt" |
# Find files in temp directories
| grep -iE "(temp | tmp | appdata)" "$OUTPUT_DIR/file_list.txt" > "$OUTPUT_DIR/temp_files.txt" |
fi
\\\\}
# Function to analyze registry
analyze_registry() \\\\{
echo "[+] Analyzing registry"
run_vol_cmd "windows.registry.hivelist" "registry_hives.txt"
# Analyze common autostart locations
local autostart_clés=(
"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
"Software\\Microsoft\\Windows\\CurrentVersion\\Runservices"
"Software\\Microsoft\\Windows\\CurrentVersion\\RunservicesOnce"
)
for clé in "$\\\\{autostart_clés[@]\\\\}"; do
local safe_clé=$(echo "$clé"|tr '\\' '_')
run_vol_cmd "windows.registry.printclé" "registry_$\\\\{safe_clé\\\\}.txt" "--clé \"$clé\""
done
\\\\}
# Function to extract strings
extract_strings() \\\\{
echo "[+] Extracting strings"
run_vol_cmd "windows.strings" "all_strings.txt"
if [ -f "$OUTPUT_DIR/all_strings.txt" ]; then
# Extract URLs
| grep -oE "(http | https | ftp)://[^\s]+" "$OUTPUT_DIR/all_strings.txt" | sort -u > "$OUTPUT_DIR/urls.txt" |
# Extract email addresses
grep -oE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\\{2,\\\\}" "$OUTPUT_DIR/all_strings.txt"|sort -u > "$OUTPUT_DIR/email_addresses.txt"
# Extract IP addresses
grep -oE "([0-9]\\\\{1,3\\\\}\.)\\\\{3\\\\}[0-9]\\\\{1,3\\\\}" "$OUTPUT_DIR/all_strings.txt"|sort -u > "$OUTPUT_DIR/ip_addresses.txt"
# Extract potential mot de passes
| grep -iE "(mot de passe | passwd | pwd | pass)" "$OUTPUT_DIR/all_strings.txt" > "$OUTPUT_DIR/potential_mot de passes.txt" |
fi
\\\\}
# Function to perform YARA scanning
yara_scan() \\\\{
echo "[+] Performing YARA scanning"
# Create basic logiciel malveillant detection rules
cat > "$OUTPUT_DIR/basic_logiciel malveillant.yar" << 'EOF'
rule Suspicious_Strings \\\\{
strings:
$s1 = "cmd.exe" nocase
$s2 = "powershell" nocase
$s3 = "rundll32" nocase
$s4 = "regsvr32" nocase
$s5 = "wscript" nocase
$s6 = "cscript" nocase
condition:
any of them
\\\\}
rule Network_Indicators \\\\{
strings:
$n1 = "http://" nocase
$n2 = "https://" nocase
$n3 = "ftp://" nocase
$n4 = "tcp://" nocase
condition:
any of them
\\\\}
rule Crypto_Indicators \\\\{
strings:
$c1 = "AES" nocase
$c2 = "RSA" nocase
$c3 = "encrypt" nocase
$c4 = "decrypt" nocase
$c5 = "cipher" nocase
condition:
any of them
\\\\}
EOF
run_vol_cmd "yarascan" "yara_scan_results.txt" "--yara-rules $OUTPUT_DIR/basic_logiciel malveillant.yar"
\\\\}
# Function to generate analysis report
generate_report() \\\\{
echo "[+] Generating analysis report"
local report_file="$OUTPUT_DIR/analysis_report.html"
cat > "$report_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>Volatility Analyse Mémoire Report</title>
<style>
body \\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}
.header \\\\{ background-color: #f0f0f0; padding: 20px; border-radius: 5px; \\\\}
.section \\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; \\\\}
.warning \\\\{ background-color: #fff3cd; border-color: #ffeaa7; \\\\}
.critical \\\\{ background-color: #ffebee; border-color: #f44336; \\\\}
table \\\\{ border-collapse: collapse; width: 100%; \\\\}
th, td \\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}
th \\\\{ background-color: #f2f2f2; \\\\}
pre \\\\{ background-color: #f5f5f5; padding: 10px; border-radius: 3px; overflow-x: auto; \\\\}
.file-list \\\\{ max-height: 300px; overflow-y: auto; \\\\}
</style>
</head>
<body>
<div class="header">
<h1>Volatility Analyse Mémoire Report</h1>
<p><strong>Memory Dump:</strong> $(basename "$MEMORY_DUMP")</p>
<p><strong>Analysis Date:</strong> $(date)</p>
<p><strong>Output Directory:</strong> $OUTPUT_DIR</p>
</div>
EOF
# Add system information
if [ -f "$OUTPUT_DIR/system_summary.txt" ]; then
cat >> "$report_file" << EOF
<div class="section">
<h2>System Information</h2>
<pre>$(cat "$OUTPUT_DIR/system_summary.txt")</pre>
</div>
EOF
fi
# Add suspicious processuses
if [ -f "$OUTPUT_DIR/suspicious_processuses.txt" ] && [ -s "$OUTPUT_DIR/suspicious_processuses.txt" ]; then
cat >> "$report_file" << EOF
<div class="section warning">
<h2>⚠️ Suspicious processuses</h2>
<div class="file-list">
<pre>$(cat "$OUTPUT_DIR/suspicious_processuses.txt")</pre>
</div>
</div>
EOF
fi
# Add network connexions
if [ -f "$OUTPUT_DIR/external_connexions.txt" ] && [ -s "$OUTPUT_DIR/external_connexions.txt" ]; then
cat >> "$report_file" << EOF
<div class="section">
<h2>External Network connexions</h2>
<div class="file-list">
<pre>$(head -20 "$OUTPUT_DIR/external_connexions.txt")</pre>
</div>
</div>
EOF
fi
# Add URLs found
if [ -f "$OUTPUT_DIR/urls.txt" ] && [ -s "$OUTPUT_DIR/urls.txt" ]; then
cat >> "$report_file" << EOF
<div class="section">
<h2>URLs Found</h2>
<div class="file-list">
<pre>$(head -20 "$OUTPUT_DIR/urls.txt")</pre>
</div>
</div>
EOF
fi
# Add file summary
cat >> "$report_file" << EOF
<div class="section">
<h2>Analysis Summary</h2>
<table>
<tr><th>Category</th><th>Count</th><th>File</th></tr>
| <tr><td>Total processuses</td><td>$(wc -l < "$OUTPUT_DIR/processus_list.txt" 2>/dev/null | | echo 0)</td><td>processus_list.txt</td></tr> |
| <tr><td>Suspicious processuses</td><td>$(wc -l < "$OUTPUT_DIR/suspicious_processuses.txt" 2>/dev/null | | echo 0)</td><td>suspicious_processuses.txt</td></tr> |
| <tr><td>Network connexions</td><td>$(wc -l < "$OUTPUT_DIR/network_connexions.txt" 2>/dev/null | | echo 0)</td><td>network_connexions.txt</td></tr> |
| <tr><td>External connexions</td><td>$(wc -l < "$OUTPUT_DIR/external_connexions.txt" 2>/dev/null | | echo 0)</td><td>external_connexions.txt</td></tr> |
| <tr><td>Files Found</td><td>$(wc -l < "$OUTPUT_DIR/file_list.txt" 2>/dev/null | | echo 0)</td><td>file_list.txt</td></tr> |
| <tr><td>URLs Found</td><td>$(wc -l < "$OUTPUT_DIR/urls.txt" 2>/dev/null | | echo 0)</td><td>urls.txt</td></tr> |
| <tr><td>Email Addresses</td><td>$(wc -l < "$OUTPUT_DIR/email_addresses.txt" 2>/dev/null | | echo 0)</td><td>email_addresses.txt</td></tr> |
</table>
</div>
<div class="section">
<h2>Generated Files</h2>
<ul>
$(ls -1 "$OUTPUT_DIR"/*.txt "$OUTPUT_DIR"/*.yar 2>/dev/null|while read file; do echo " <li>$(basename "$file")</li>"; done)
</ul>
</div>
</body>
</html>
EOF
echo " [+] Analysis report generated: $report_file"
\\\\}
# Function to create investigation summary
create_summary() \\\\{
echo "[+] Creating investigation summary"
local summary_file="$OUTPUT_DIR/investigation_summary.txt"
cat > "$summary_file" << EOF
Volatility Analyse Mémoire Summary
=================================
Memory Dump: $(basename "$MEMORY_DUMP")
Analysis Date: $(date)
Output Directory: $OUTPUT_DIR
clé Findings:
============
System Information:
| $(cat "$OUTPUT_DIR/system_summary.txt" 2>/dev/null | | echo "Not available") |
processus Analysis:
| - Total processuses: $(wc -l < "$OUTPUT_DIR/processus_list.txt" 2>/dev/null | | echo 0) |
| - Suspicious processuses: $(wc -l < "$OUTPUT_DIR/suspicious_processuses.txt" 2>/dev/null | | echo 0) |
| - Orphan processuses: $(wc -l < "$OUTPUT_DIR/orphan_processuses.txt" 2>/dev/null | | echo 0) |
Analyse Réseau:
| - Total connexions: $(wc -l < "$OUTPUT_DIR/network_connexions.txt" 2>/dev/null | | echo 0) |
| - External connexions: $(wc -l < "$OUTPUT_DIR/external_connexions.txt" 2>/dev/null | | echo 0) |
| - Unique remote IPs: $(wc -l < "$OUTPUT_DIR/remote_ips.txt" 2>/dev/null | | echo 0) |
File Analysis:
| - Total files: $(wc -l < "$OUTPUT_DIR/file_list.txt" 2>/dev/null | | echo 0) |
| - Executable files: $(wc -l < "$OUTPUT_DIR/executable_files.txt" 2>/dev/null | | echo 0) |
| - Temp files: $(wc -l < "$OUTPUT_DIR/temp_files.txt" 2>/dev/null | | echo 0) |
String Analysis:
| - URLs found: $(wc -l < "$OUTPUT_DIR/urls.txt" 2>/dev/null | | echo 0) |
| - Email addresses: $(wc -l < "$OUTPUT_DIR/email_addresses.txt" 2>/dev/null | | echo 0) |
| - IP addresses: $(wc -l < "$OUTPUT_DIR/ip_addresses.txt" 2>/dev/null | | echo 0) |
Recommendations:
===============
1. Review suspicious processuses for malicious activity
2. Investigate external network connexions
3. Analyze files in temporary directories
4. Check autostart registry entries
5. Correlate findings with system logs and network traffic
Next Steps:
==========
1. Extract and analyze suspicious executables
2. Perform deeper logiciel malveillant analysis if needed
3. Check for persistance mechanisms
4. Validate findings with additional tools
5. Document findings for réponse aux incidents
Files Generated:
===============
| $(ls -1 "$OUTPUT_DIR" | grep -v "\.html$" | sed 's/^/- /') |
EOF
echo " [+] Investigation summary created: $summary_file"
\\\\}
# Main execution
echo "[+] Starting comprehensive Analyse Mémoire"
echo "[+] Memory dump: $MEMORY_DUMP"
echo "[+] Output directory: $OUTPUT_DIR"
# Check if Volatility is available
if ! commande -v $VOLATILITY_CMD &> /dev/null; then
echo "[-] Volatility not found. Please install Volatility 3."
exit 1
fi
# Perform analysis
analyze_system_info
analyze_processuses
analyze_network
analyze_files
analyze_registry
extract_strings
yara_scan
# Generate reports
generate_report
create_summary
echo "[+] Comprehensive Analyse Mémoire completed"
echo "[+] Results saved in: $OUTPUT_DIR"
echo "[+] Open $OUTPUT_DIR/analysis_report.html for detailed report"
echo "[+] Review $OUTPUT_DIR/investigation_summary.txt for clé findings"
logiciel malveillant Analysis Automation
#!/bin/bash
# Automated logiciel malveillant analysis using Volatility
MEMORY_DUMP="$1"
logiciel malveillant_DIR="logiciel malveillant_analysis_$(date +%Y%m%d_%H%M%S)"
YARA_RULES_DIR="/opt/yara-rules"
if [ -z "$MEMORY_DUMP" ]; then
echo "utilisation: $0 <memory_dump_file>"
exit 1
fi
mkdir -p "$logiciel malveillant_DIR"
# Function to detect processus injection
detect_injection() \\\\{
echo "[+] Detecting processus injection"
vol -f "$MEMORY_DUMP" windows.malfind > "$logiciel malveillant_DIR/malfind_results.txt"
# Extract injected code
if [ -s "$logiciel malveillant_DIR/malfind_results.txt" ]; then
echo " [+] Potential code injection detected"
# Extract unique PIDs with injected code
awk '/processus:/ \\\\{print $2\\\\}' "$logiciel malveillant_DIR/malfind_results.txt"|sort -u > "$logiciel malveillant_DIR/injected_pids.txt"
# Dump memory for each injected processus
while read pid; do
echo " [+] Dumping memory for PID $pid"
vol -f "$MEMORY_DUMP" windows.memmap --pid "$pid" --dump --output-dir "$logiciel malveillant_DIR/dumps/"
done < "$logiciel malveillant_DIR/injected_pids.txt"
fi
\\\\}
# Function to analyze suspicious processuses
analyze_suspicious_processuses() \\\\{
echo "[+] Analyzing suspicious processuses"
# Get processus list
vol -f "$MEMORY_DUMP" windows.pslist > "$logiciel malveillant_DIR/processus_list.txt"
# Find processuses with suspicious characteristics
cat > "$logiciel malveillant_DIR/suspicious_patterns.txt" << 'EOF'
# Suspicious processus patterns
cmd.exe
powershell.exe
wscript.exe
cscript.exe
rundll32.exe
regsvr32.exe
mshta.exe
bitsadmin.exe
certutil.exe
schtasks.exe
EOF
# Search for suspicious processuses
while read pattern; do
if [[ ! "$pattern" =~ ^# ]]; then
grep -i "$pattern" "$logiciel malveillant_DIR/processus_list.txt" >> "$logiciel malveillant_DIR/suspicious_processuses.txt"
fi
done < "$logiciel malveillant_DIR/suspicious_patterns.txt"
# Analyze commande lines for suspicious processuses
if [ -s "$logiciel malveillant_DIR/suspicious_processuses.txt" ]; then
echo " [+] Found suspicious processuses, analyzing commande lines"
awk '\\\\{print $2\\\\}' "$logiciel malveillant_DIR/suspicious_processuses.txt"|while read pid; do
vol -f "$MEMORY_DUMP" windows.cmdline --pid "$pid" >> "$logiciel malveillant_DIR/suspicious_cmdlines.txt"
done
fi
\\\\}
# Function to extract and analyze executables
extract_executables() \\\\{
echo "[+] Extracting suspicious executables"
# Get file list
vol -f "$MEMORY_DUMP" windows.filescan > "$logiciel malveillant_DIR/file_list.txt"
# Find executable files in suspicious locations
| grep -iE "(temp | tmp | appdata | programdata).*\.(exe | dll | sys)$" "$logiciel malveillant_DIR/file_list.txt" > "$logiciel malveillant_DIR/suspicious_files.txt" |
# Extract suspicious files
if [ -s "$logiciel malveillant_DIR/suspicious_files.txt" ]; then
echo " [+] Extracting suspicious files"
mkdir -p "$logiciel malveillant_DIR/extracted_files"
while read line; do
local offset=$(echo "$line"|awk '\\\\{print $1\\\\}')
| local filename=$(echo "$line" | awk '\\\\{print $NF\\\\}' | tr '\\' '_') |
vol -f "$MEMORY_DUMP" windows.dumpfiles --virtaddr "$offset" --output-dir "$logiciel malveillant_DIR/extracted_files/"
done < "$logiciel malveillant_DIR/suspicious_files.txt"
fi
\\\\}
# Function to perform YARA scanning
perform_yara_scan() \\\\{
echo "[+] Performing YARA scanning"
# Create comprehensive logiciel malveillant detection rules
cat > "$logiciel malveillant_DIR/logiciel malveillant_detection.yar" << 'EOF'
rule Suspicious_API_Calls \\\\{
strings:
$api1 = "VirtualAlloc" nocase
$api2 = "VirtualProtect" nocase
$api3 = "CreateRemotethread" nocase
$api4 = "WriteprocessusMemory" nocase
$api5 = "ReadprocessusMemory" nocase
$api6 = "SetWindowsHookEx" nocase
$api7 = "GetProcAddress" nocase
$api8 = "LoadLibrary" nocase
condition:
3 of them
\\\\}
rule Network_Communication \\\\{
strings:
$net1 = "WinINet" nocase
$net2 = "URLDownloadToFile" nocase
$net3 = "InternetOpen" nocase
$net4 = "InternetConnect" nocase
$net5 = "HttpOpenRequest" nocase
$net6 = "send" nocase
$net7 = "recv" nocase
$net8 = "WSAStartup" nocase
condition:
2 of them
\\\\}
rule persistance_Mechanisms \\\\{
strings:
$reg1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" nocase
$reg2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" nocase
$svc1 = "Createservice" nocase
$svc2 = "Startservice" nocase
$task1 = "schtasks" nocase
$task2 = "at.exe" nocase
condition:
any of them
\\\\}
rule Evasion_Techniques \\\\{
strings:
$eva1 = "IsDebuggerPresent" nocase
$eva2 = "CheckRemoteDebuggerPresent" nocase
$eva3 = "OutputDebugString" nocase
$eva4 = "GetTickCount" nocase
$eva5 = "Sleep" nocase
$eva6 = "VirtualQuery" nocase
condition:
2 of them
\\\\}
rule chiffrement_Indicators \\\\{
strings:
$cry1 = "CryptAcquireContext" nocase
$cry2 = "CryptCreatehash" nocase
$cry3 = "CryptEncrypt" nocase
$cry4 = "CryptDecrypt" nocase
$cry5 = "CryptGenclé" nocase
$cry6 = "AES" nocase
$cry7 = "RSA" nocase
$cry8 = "MD5" nocase
$cry9 = "SHA" nocase
condition:
2 of them
\\\\}
EOF
# Perform YARA scan
vol -f "$MEMORY_DUMP" yarascan --yara-rules "$logiciel malveillant_DIR/logiciel malveillant_detection.yar" > "$logiciel malveillant_DIR/yara_results.txt"
# Use external YARA rules if available
if [ -d "$YARA_RULES_DIR" ]; then
echo " [+] Scanning with external YARA rules"
find "$YARA_RULES_DIR" -name "*.yar" -o -name "*.yara"|while read rule_file; do
local rule_name=$(basename "$rule_file" .yar)
vol -f "$MEMORY_DUMP" yarascan --yara-rules "$rule_file" > "$logiciel malveillant_DIR/yara_$\\\\{rule_name\\\\}.txt"
done
fi
\\\\}
# Function to analyze network artifacts
analyze_network_artifacts() \\\\{
echo "[+] Analyzing network artifacts"
# Get network connexions
vol -f "$MEMORY_DUMP" windows.netstat > "$logiciel malveillant_DIR/network_connexions.txt"
# Extract external IPs
| grep -vE "(127\.0\.0\.1 | 0\.0\.0\.0 | ::1 | 192\.168\. | 10\. | 172\.1[6-9]\. | 172\.2[0-9]\. | 172\.3[0-1]\.)" "$logiciel malveillant_DIR/network_connexions.txt" > "$logiciel malveillant_DIR/external_connexions.txt" |
# Extract unique remote IPs
| awk '\\\\{print $3\\\\}' "$logiciel malveillant_DIR/external_connexions.txt" | cut -d: -f1 | sort -u > "$logiciel malveillant_DIR/remote_ips.txt" |
# Analyze remote IPs
if [ -s "$logiciel malveillant_DIR/remote_ips.txt" ]; then
echo " [+] Analyzing remote IP addresses"
while read ip; do
echo "Analyzing IP: $ip" >> "$logiciel malveillant_DIR/ip_analysis.txt"
# Perform reverse DNS lookup
local hôtename=$(dig +short -x "$ip" 2>/dev/null|head -1)
echo " hôtename: $\\\\{hôtename:-No PTR record\\\\}" >> "$logiciel malveillant_DIR/ip_analysis.txt"
# Check if IP is in known malicious ranges (basic check)
| if [[ "$ip" =~ ^(185\.159\. | 91\.121\. | 5\.196\.) ]]; then |
echo " WARNING: IP in potentially suspicious range" >> "$logiciel malveillant_DIR/ip_analysis.txt"
fi
echo "---" >> "$logiciel malveillant_DIR/ip_analysis.txt"
done < "$logiciel malveillant_DIR/remote_ips.txt"
fi
\\\\}
# Function to check for rootkit indicators
check_rootkit_indicators() \\\\{
echo "[+] Checking for rootkit indicators"
# Check SSDT hooks
| vol -f "$MEMORY_DUMP" windows.ssdt > "$logiciel malveillant_DIR/ssdt_hooks.txt" 2>/dev/null | | echo "SSDT analysis not available" |
# Check for hidden processuses
vol -f "$MEMORY_DUMP" windows.psxview > "$logiciel malveillant_DIR/hidden_processuses.txt"
# Find processuses that are hidden from certain detection methods
grep "False" "$logiciel malveillant_DIR/hidden_processuses.txt" > "$logiciel malveillant_DIR/potentially_hidden.txt"
# Check for API hooks
| vol -f "$MEMORY_DUMP" windows.apihooks > "$logiciel malveillant_DIR/api_hooks.txt" 2>/dev/null | | echo "API hooks analysis not available" |
\\\\}
# Function to generate logiciel malveillant analysis report
generate_logiciel malveillant_report() \\\\{
echo "[+] Generating logiciel malveillant analysis report"
local report_file="$logiciel malveillant_DIR/logiciel malveillant_analysis_report.html"
cat > "$report_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>logiciel malveillant Analysis Report</title>
<style>
body \\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}
.header \\\\{ background-color: #f0f0f0; padding: 20px; border-radius: 5px; \\\\}
.section \\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; \\\\}
.critical \\\\{ background-color: #ffebee; border-color: #f44336; \\\\}
.warning \\\\{ background-color: #fff3cd; border-color: #ffeaa7; \\\\}
.info \\\\{ background-color: #e3f2fd; border-color: #2196f3; \\\\}
table \\\\{ border-collapse: collapse; width: 100%; \\\\}
th, td \\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}
th \\\\{ background-color: #f2f2f2; \\\\}
pre \\\\{ background-color: #f5f5f5; padding: 10px; border-radius: 3px; overflow-x: auto; \\\\}
.file-list \\\\{ max-height: 300px; overflow-y: auto; \\\\}
</style>
</head>
<body>
<div class="header">
<h1>🔍 logiciel malveillant Analysis Report</h1>
<p><strong>Memory Dump:</strong> $(basename "$MEMORY_DUMP")</p>
<p><strong>Analysis Date:</strong> $(date)</p>
<p><strong>Analyst:</strong> Volatility Automated Analysis</p>
</div>
EOF
# Add executive summary
cat >> "$report_file" << EOF
<div class="section info">
<h2>📋 Executive Summary</h2>
<table>
<tr><th>Indicator</th><th>Count</th><th>Risk Level</th></tr>
| <tr><td>Suspicious processuses</td><td>$(wc -l < "$logiciel malveillant_DIR/suspicious_processuses.txt" 2>/dev/null | | echo 0)</td><td>$([ $(wc -l < "$logiciel malveillant_DIR/suspicious_processuses.txt" 2>/dev/null | | echo 0) -gt 0 ] && echo "High" | | echo "Low")</td></tr> |
| <tr><td>Code Injection Detected</td><td>$(grep -c "processus:" "$logiciel malveillant_DIR/malfind_results.txt" 2>/dev/null | | echo 0)</td><td>$([ $(grep -c "processus:" "$logiciel malveillant_DIR/malfind_results.txt" 2>/dev/null | | echo 0) -gt 0 ] && echo "Critical" | | echo "Low")</td></tr> |
| <tr><td>External connexions</td><td>$(wc -l < "$logiciel malveillant_DIR/external_connexions.txt" 2>/dev/null | | echo 0)</td><td>$([ $(wc -l < "$logiciel malveillant_DIR/external_connexions.txt" 2>/dev/null | | echo 0) -gt 5 ] && echo "Medium" | | echo "Low")</td></tr> |
| <tr><td>Hidden processuses</td><td>$(wc -l < "$logiciel malveillant_DIR/potentially_hidden.txt" 2>/dev/null | | echo 0)</td><td>$([ $(wc -l < "$logiciel malveillant_DIR/potentially_hidden.txt" 2>/dev/null | | echo 0) -gt 0 ] && echo "High" | | echo "Low")</td></tr> |
</table>
</div>
EOF
# Add code injection findings
if [ -s "$logiciel malveillant_DIR/malfind_results.txt" ]; then
cat >> "$report_file" << EOF
<div class="section critical">
<h2>🚨 Code Injection Detected</h2>
<p>Potential code injection has been detected in the following processuses:</p>
<div class="file-list">
<pre>$(head -50 "$logiciel malveillant_DIR/malfind_results.txt")</pre>
</div>
</div>
EOF
fi
# Add suspicious processuses
if [ -s "$logiciel malveillant_DIR/suspicious_processuses.txt" ]; then
cat >> "$report_file" << EOF
<div class="section warning">
<h2>⚠️ Suspicious processuses</h2>
<div class="file-list">
<pre>$(cat "$logiciel malveillant_DIR/suspicious_processuses.txt")</pre>
</div>
</div>
EOF
fi
# Add Analyse Réseau
if [ -s "$logiciel malveillant_DIR/external_connexions.txt" ]; then
cat >> "$report_file" << EOF
<div class="section warning">
<h2>🌐 External Network connexions</h2>
<div class="file-list">
<pre>$(head -20 "$logiciel malveillant_DIR/external_connexions.txt")</pre>
</div>
</div>
EOF
fi
# Add YARA results
if [ -s "$logiciel malveillant_DIR/yara_results.txt" ]; then
cat >> "$report_file" << EOF
<div class="section info">
<h2>🔍 YARA Detection Results</h2>
<div class="file-list">
<pre>$(cat "$logiciel malveillant_DIR/yara_results.txt")</pre>
</div>
</div>
EOF
fi
# Add recommendations
cat >> "$report_file" << EOF
<div class="section">
<h2>📝 Recommendations</h2>
<ol>
<li><strong>Immediate Actions:</strong>
<ul>
<li>Isolate affected systems from the network</li>
<li>Preserve memory dumps and disk images for further analysis</li>
<li>Check for mouvement latéral indicators</li>
</ul>
</li>
<li><strong>Investigation:</strong>
<ul>
<li>Analyze extracted executables with static analysis tools</li>
<li>Correlate network connexions with firewall logs</li>
<li>Check for persistance mechanisms in registry and file system</li>
</ul>
</li>
<li><strong>Remediation:</strong>
<ul>
<li>Remove identified malicious processuses and files</li>
<li>Update antivirus signatures and endpoint protection</li>
<li>Implement network monitoring for identified IOCs</li>
</ul>
</li>
</ol>
</div>
<div class="section">
<h2>📁 Generated Files</h2>
<ul>
| $(ls -1 "$logiciel malveillant_DIR" | grep -v "\.html$" | while read file; do echo " <li>$file</li>"; done) |
</ul>
</div>
</body>
</html>
EOF
echo " [+] logiciel malveillant analysis report generated: $report_file"
\\\\}
# Main execution
echo "[+] Starting automated logiciel malveillant analysis"
echo "[+] Memory dump: $MEMORY_DUMP"
echo "[+] Output directory: $logiciel malveillant_DIR"
# Perform logiciel malveillant analysis
detect_injection
analyze_suspicious_processuses
extract_executables
perform_yara_scan
analyze_network_artifacts
check_rootkit_indicators
# Generate report
generate_logiciel malveillant_report
echo "[+] Automated logiciel malveillant analysis completed"
echo "[+] Results saved in: $logiciel malveillant_DIR"
echo "[+] Open $logiciel malveillant_DIR/logiciel malveillant_analysis_report.html for detailed findings"
# Display summary
echo ""
echo "=== ANALYSIS SUMMARY ==="
| echo "Suspicious processuses: $(wc -l < "$logiciel malveillant_DIR/suspicious_processuses.txt" 2>/dev/null | | echo 0)" |
| echo "Code injection detected: $(grep -c "processus:" "$logiciel malveillant_DIR/malfind_results.txt" 2>/dev/null | | echo 0)" |
| echo "External connexions: $(wc -l < "$logiciel malveillant_DIR/external_connexions.txt" 2>/dev/null | | echo 0)" |
| echo "Hidden processuses: $(wc -l < "$logiciel malveillant_DIR/potentially_hidden.txt" 2>/dev/null | | echo 0)" |
echo "========================"
Timeline Analysis
#!/bin/bash
# Timeline analysis using Volatility
MEMORY_DUMP="$1"
TIMELINE_DIR="timeline_analysis_$(date +%Y%m%d_%H%M%S)"
if [ -z "$MEMORY_DUMP" ]; then
echo "utilisation: $0 <memory_dump_file>"
exit 1
fi
mkdir -p "$TIMELINE_DIR"
# Function to create comprehensive timeline
create_timeline() \\\\{
echo "[+] Creating comprehensive timeline"
# Note: Timeline functionality varies between Volatility versions
# This exemple shows both Vol2 and Vol3 approaches
# For Volatility 2 (if available)
if commande -v vol2 &> /dev/null; then
echo " [+] Creating timeline with Volatility 2"
# Determine profile first
| local profile=$(vol2 -f "$MEMORY_DUMP" imageinfo | grep "Suggested Profile" | head -1 | awk '\\\\{print $4\\\\}' | tr -d ',') |
if [ -n "$profile" ]; then
# Create body file
vol2 -f "$MEMORY_DUMP" --profile="$profile" timeliner --output=body --output-file="$TIMELINE_DIR/timeline.body"
# Convert to readable format
if [ -f "$TIMELINE_DIR/timeline.body" ]; then
mactime -b "$TIMELINE_DIR/timeline.body" -d > "$TIMELINE_DIR/timeline_readable.txt"
fi
fi
fi
# Alternative approach: Extract timestamps from various sources
echo " [+] Extracting timestamps from various sources"
# processus creation times
vol -f "$MEMORY_DUMP" windows.pslist > "$TIMELINE_DIR/processus_times.txt"
# File modification times
vol -f "$MEMORY_DUMP" windows.filescan > "$TIMELINE_DIR/file_times.txt"
# Registry timestamps (if available)
vol -f "$MEMORY_DUMP" windows.registry.hivelist > "$TIMELINE_DIR/registry_times.txt"
\\\\}
# Function to analyze processus timeline
analyze_processus_timeline() \\\\{
echo "[+] Analyzing processus timeline"
# Extract processus creation times and sort chronologically
awk 'NR>1 \\\\{print $6, $7, $2, $3, $4\\\\}' "$TIMELINE_DIR/processus_times.txt"|sort > "$TIMELINE_DIR/processus_chronology.txt"
# Find processuses created in quick succession (potential logiciel malveillant)
cat > "$TIMELINE_DIR/rapid_processus_creation.py" << 'EOF'
#!/usr/bin/env python3
import sys
from datetime import datetime
def parse_timestamp(ts_str):
try:
return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
except:
return None
def analyze_rapid_creation(filename):
processuses = []
with open(filename, 'r') as f:
for line in f:
parts = line.strip().split()
if len(parts) >= 5:
date_str = parts[0]
time_str = parts[1]
pid = parts[2]
ppid = parts[3]
name = parts[4]
timestamp = parse_timestamp(f"\\\\{date_str\\\\} \\\\{time_str\\\\}")
if timestamp:
processuses.append((timestamp, pid, ppid, name))
# Sort by timestamp
processuses.sort(clé=lambda x: x[0])
# Find rapid succession (within 10 seconds)
rapid_groups = []
current_group = []
for i, (ts, pid, ppid, name) in enumerate(processuses):
if not current_group:
current_group = [(ts, pid, ppid, name)]
else:
time_diff = (ts - current_group[-1][0]).total_seconds()
if time_diff <= 10:
current_group.append((ts, pid, ppid, name))
else:
if len(current_group) >= 3:
rapid_groups.append(current_group)
current_group = [(ts, pid, ppid, name)]
# Check last group
if len(current_group) >= 3:
rapid_groups.append(current_group)
return rapid_groups
if __name__ == "__main__":
if len(sys.argv) != 2:
print("utilisation: python3 rapid_processus_creation.py <processus_chronology_file>")
sys.exit(1)
rapid_groups = analyze_rapid_creation(sys.argv[1])
if rapid_groups:
print("Rapid processus Creation Detected:")
print("=" * 50)
for i, group in enumerate(rapid_groups):
print(f"\nGroup \\\\{i+1\\\\} (\\\\{len(group)\\\\} processuses):")
for ts, pid, ppid, name in group:
print(f" \\\\{ts\\\\} - PID:\\\\{pid\\\\} PPID:\\\\{ppid\\\\} \\\\{name\\\\}")
else:
print("No rapid processus creation patterns detected.")
EOF
python3 "$TIMELINE_DIR/rapid_processus_creation.py" "$TIMELINE_DIR/processus_chronology.txt" > "$TIMELINE_DIR/rapid_creation_analysis.txt"
\\\\}
# Function to create visual timeline
create_visual_timeline() \\\\{
echo "[+] Creating visual timeline"
cat > "$TIMELINE_DIR/create_timeline_chart.py" << 'EOF'
#!/usr/bin/env python3
import matplotlib.pyplot as plt
import matplotlib.dates as mdates
from datetime import datetime
import sys
def create_timeline_chart(processus_file, output_file):
timestamps = []
processuses = []
try:
with open(processus_file, 'r') as f:
for line in f:
parts = line.strip().split()
if len(parts) >= 5:
try:
date_str = parts[0]
time_str = parts[1]
name = parts[4]
timestamp = datetime.strptime(f"\\\\{date_str\\\\} \\\\{time_str\\\\}", "%Y-%m-%d %H:%M:%S")
timestamps.append(timestamp)
processuses.append(name)
except:
continue
if not timestamps:
print("No valid timestamps found")
return
# Create timeline chart
fig, ax = plt.subplots(figsize=(15, 8))
# Plot processus creation events
y_positions = range(len(timestamps))
ax.scatter(timestamps, y_positions, alpha=0.6, s=50)
# Format x-axis
ax.xaxis.set_major_formatter(mdates.DateFormatter('%H:%M:%S'))
ax.xaxis.set_major_locator(mdates.HourLocator(interval=1))
plt.xticks(rotation=45)
# Add labels
ax.set_xlabel('Time')
ax.set_ylabel('processus Creation Events')
ax.set_title('processus Creation Timeline')
# Add grid
ax.grid(True, alpha=0.3)
plt.tight_layout()
plt.savefig(output_file, dpi=300, bbox_inches='tight')
print(f"Timeline chart saved: \\\\{output_file\\\\}")
except Exception as e:
print(f"Error creating timeline chart: \\\\{e\\\\}")
if __name__ == "__main__":
if len(sys.argv) != 3:
print("utilisation: python3 create_timeline_chart.py <processus_file> <output_file>")
sys.exit(1)
create_timeline_chart(sys.argv[1], sys.argv[2])
EOF
# Install matplotlib if not available
| pip3 install matplotlib &>/dev/null | | echo "Warning: matplotlib not available for timeline visualization" |
# Create timeline chart
| python3 "$TIMELINE_DIR/create_timeline_chart.py" "$TIMELINE_DIR/processus_chronology.txt" "$TIMELINE_DIR/processus_timeline.png" 2>/dev/null | | echo "Timeline visualization skipped" |
\\\\}
# Function to correlate events
correlate_events() \\\\{
echo "[+] Correlating timeline events"
cat > "$TIMELINE_DIR/event_correlation.txt" << EOF
Timeline Event Correlation Analysis
==================================
Analysis Date: $(date)
Memory Dump: $(basename "$MEMORY_DUMP")
processus Timeline Analysis:
| $(cat "$TIMELINE_DIR/rapid_creation_analysis.txt" 2>/dev/null | | echo "No rapid creation patterns detected") |
clé Observations:
================
EOF
# Analyze processus parent-child relationships
echo "processus Parent-Child Relationships:" >> "$TIMELINE_DIR/event_correlation.txt"
vol -f "$MEMORY_DUMP" windows.pstree >> "$TIMELINE_DIR/event_correlation.txt"
# Look for suspicious timing patterns
echo "" >> "$TIMELINE_DIR/event_correlation.txt"
echo "Timing Pattern Analysis:" >> "$TIMELINE_DIR/event_correlation.txt"
# Find processuses created at unusual times (e.g., outside business hours)
awk 'NR>1 \\\\{
split($7, time_parts, ":");
hour = time_parts[1];
| if (hour < 6 | | hour > 22) \\\\{ |
print "Unusual time: " $0;
\\\\}
\\\\}' "$TIMELINE_DIR/processus_times.txt" >> "$TIMELINE_DIR/event_correlation.txt"
\\\\}
# Function to generate timeline report
generate_timeline_report() \\\\{
echo "[+] Generating timeline analysis report"
local report_file="$TIMELINE_DIR/timeline_report.html"
cat > "$report_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>Timeline Analysis Report</title>
<style>
body \\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}
.header \\\\{ background-color: #f0f0f0; padding: 20px; border-radius: 5px; \\\\}
.section \\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; \\\\}
.timeline \\\\{ background-color: #e8f5e9; border-color: #4caf50; \\\\}
.warning \\\\{ background-color: #fff3cd; border-color: #ffeaa7; \\\\}
table \\\\{ border-collapse: collapse; width: 100%; \\\\}
th, td \\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}
th \\\\{ background-color: #f2f2f2; \\\\}
pre \\\\{ background-color: #f5f5f5; padding: 10px; border-radius: 3px; overflow-x: auto; \\\\}
.file-list \\\\{ max-height: 400px; overflow-y: auto; \\\\}
.chart \\\\{ text-align: center; margin: 20px 0; \\\\}
</style>
</head>
<body>
<div class="header">
<h1>⏰ Timeline Analysis Report</h1>
<p><strong>Memory Dump:</strong> $(basename "$MEMORY_DUMP")</p>
<p><strong>Analysis Date:</strong> $(date)</p>
<p><strong>Timeline Scope:</strong> processus creation and system events</p>
</div>
EOF
# Add timeline visualization if available
if [ -f "$TIMELINE_DIR/processus_timeline.png" ]; then
cat >> "$report_file" << EOF
<div class="section timeline">
<h2>📊 processus Creation Timeline</h2>
<div class="chart">
<img src="processus_timeline.png" alt="processus Timeline Chart" style="max-width: 100%; height: auto;">
</div>
</div>
EOF
fi
# Add rapid creation analysis
if [ -s "$TIMELINE_DIR/rapid_creation_analysis.txt" ]; then
cat >> "$report_file" << EOF
<div class="section warning">
<h2>⚡ Rapid processus Creation Analysis</h2>
<div class="file-list">
<pre>$(cat "$TIMELINE_DIR/rapid_creation_analysis.txt")</pre>
</div>
</div>
EOF
fi
# Add processus chronology
cat >> "$report_file" << EOF
<div class="section">
<h2>📋 processus Chronology</h2>
<div class="file-list">
| <pre>$(head -50 "$TIMELINE_DIR/processus_chronology.txt" 2>/dev/null | | echo "processus chronology not available")</pre> |
</div>
</div>
EOF
# Add event correlation
if [ -f "$TIMELINE_DIR/event_correlation.txt" ]; then
cat >> "$report_file" << EOF
<div class="section">
<h2>🔗 Event Correlation Analysis</h2>
<div class="file-list">
<pre>$(cat "$TIMELINE_DIR/event_correlation.txt")</pre>
</div>
</div>
EOF
fi
# Add summary statistics
cat >> "$report_file" << EOF
<div class="section">
<h2>📈 Timeline Statistics</h2>
<table>
<tr><th>Metric</th><th>Value</th></tr>
| <tr><td>Total processuses Analyzed</td><td>$(wc -l < "$TIMELINE_DIR/processus_times.txt" 2>/dev/null | | echo 0)</td></tr> |
| <tr><td>Chronological Events</td><td>$(wc -l < "$TIMELINE_DIR/processus_chronology.txt" 2>/dev/null | | echo 0)</td></tr> |
| <tr><td>Timeline Span</td><td>$(head -1 "$TIMELINE_DIR/processus_chronology.txt" 2>/dev/null | awk '\\\\{print $1, $2\\\\}') to $(tail -1 "$TIMELINE_DIR/processus_chronology.txt" 2>/dev/null | awk '\\\\{print $1, $2\\\\}')</td></tr> |
</table>
</div>
<div class="section">
<h2>📁 Generated Files</h2>
<ul>
| $(ls -1 "$TIMELINE_DIR" | grep -v "\.html$" | while read file; do echo " <li>$file</li>"; done) |
</ul>
</div>
<div class="section">
<h2>🎯 clé Findings & Recommendations</h2>
<ul>
<li><strong>processus Creation Patterns:</strong> Review rapid processus creation events for potential logiciel malveillant activity</li>
<li><strong>Timing Analysis:</strong> Investigate processuses created during unusual hours</li>
<li><strong>Parent-Child Relationships:</strong> Analyze processus trees for suspicious spawning patterns</li>
<li><strong>Correlation:</strong> Cross-reference timeline events with network logs and file system changes</li>
</ul>
</div>
</body>
</html>
EOF
echo " [+] Timeline analysis report generated: $report_file"
\\\\}
# Main execution
echo "[+] Starting timeline analysis"
echo "[+] Memory dump: $MEMORY_DUMP"
echo "[+] Output directory: $TIMELINE_DIR"
# Perform timeline analysis
create_timeline
analyze_processus_timeline
create_visual_timeline
correlate_events
# Generate report
generate_timeline_report
echo "[+] Timeline analysis completed"
echo "[+] Results saved in: $TIMELINE_DIR"
echo "[+] Open $TIMELINE_DIR/timeline_report.html for detailed timeline analysis"
Integration with Other Tools
Rekall Integration
# Use Rekall for additional analysis
rekall -f memory.dmp pslist
# Compare Volatility and Rekall results
vol -f memory.dmp windows.pslist > vol_pslist.txt
rekall -f memory.dmp pslist > rekall_pslist.txt
diff vol_pslist.txt rekall_pslist.txt
YARA Integration
# Create custom YARA rules
cat > custom_rules.yar << 'EOF'
rule Suspicious_processus_Names \\\\{
strings:
$s1 = "svchôte.exe" nocase
$s2 = "explorer.exe" nocase
$s3 = "winlogon.exe" nocase
condition:
any of them
\\\\}
EOF
# Scan memory with YARA rules
vol -f memory.dmp yarascan --yara-rules custom_rules.yar
Bulk Extractor Integration
# Extract strings and artifacts with bulk_extractor
bulk_extractor -o bulk_output memory.dmp
# Compare with Volatility strings
vol -f memory.dmp windows.strings > vol_strings.txt
diff vol_strings.txt bulk_output/telephone.txt
dépannage
Common Issues
Profile Detection Problems
# Manual profile specification (Vol 2)
vol2 -f memory.dmp --profile=Win10x64_19041 pslist
# List available profiles
vol2 --info|grep "Win"
# Use kdbgscan for profile detection
vol2 -f memory.dmp kdbgscan
Memory Corruption
# Check for memory corruption
vol -f memory.dmp windows.info|grep -i corrupt
# Use alternative scanning methods
vol -f memory.dmp windows.psscan
vol -f memory.dmp windows.filescan
Large Memory Dumps
# processus large dumps efficiently
vol -f memory.dmp windows.pslist --output-file pslist.txt
# Use specific address ranges
vol -f memory.dmp windows.vadinfo --pid 1234 --address 0x12345678
Plugin Errors
# Check plugin availability
vol --list-plugins
# Get plugin help
vol windows.pslist -h
# Debug plugin execution
vol -f memory.dmp windows.pslist -vv
Performance Optimization
# Use output files to avoid re-processusing
vol -f memory.dmp windows.pslist -o pslist.txt
# Limit output for large datasets
vol -f memory.dmp windows.filescan|head -1000
# Use specific PIDs for cibleed analysis
vol -f memory.dmp windows.handles --pid 1234
# Parallel processusing for multiple dumps
for dump in *.dmp; do
vol -f "$dump" windows.pslist > "$\\\\{dump%.dmp\\\\}_pslist.txt" &
done
wait
Resources
- Volatility Foundation
- Volatility 3 documentation
- Volatility GitHub Repository
- Memory Forensics with Volatility
- criminalistique numérique Framework
- YARA Rules Repository
- Analyse Mémoire Techniques
This aide-mémoire provides a comprehensive reference for using Volatility for memory forensics analysis. Always ensure proper legal autorisation before analyzing memory dumps and follow your organization's forensic procedures and chain of custody requirements.