Description
A memory forensics analysis platform.
| Platform | Python |
| Author | Volatility Foundation |
| License | GPLv2 |
| URL | https://www.volatilityfoundation.org/ |
Usage
```text
Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/root/.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
  --cache-directory=/root/.cache/volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  --force               Force utilization of suspect profile
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address
```
Supported Plugins
Supported Plugin Commands:

| Plugin | Description |
|---|---|
| amcache | Print AmCache information |
| apihooks | Detect API hooks in process and kernel memory |
| apihooksdeep | Detect API hooks in process and kernel memory, with ssdeep for whitelisting |
| atoms | Print session and window station atom tables |
| atomscan | Pool scanner for atom tables |
| attributeht | Find Hacking Team implants and attempt to attribute them using a watermark |
| auditpol | Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv |
| autoruns | Searches the registry and memory space for applications running at system startup and maps them to running processes |
| bigpools | Dump the big page pools using BigPagePoolScanner |
| bioskbd | Reads the keyboard buffer from Real Mode memory |
| cachedump | Dumps cached domain hashes from memory |
| callbacks | Print system-wide notification routines |
| chromecookies | Scans for and parses potential Chrome cookie data |
| chromedownloadchains | Scans for and parses potential Chrome download chain records |
| chromedownloads | Scans for and parses potential Chrome download records |
| chromehistory | Scans for and parses potential Chrome url history |
| chromesearchterms | Scans for and parses potential Chrome keyword search terms |
| chromevisits | Scans for and parses potential Chrome url visits data -- VERY SLOW, see -Q option |
| clipboard | Extract the contents of the windows clipboard |
| cmdline | Display process command-line arguments |
| cmdscan | Extract command history by scanning for `_COMMAND_HISTORY` |
| connections | Print list of open connections [Windows XP and 2003 Only] |
| connscan | Pool scanner for tcp connections |
| consoles | Extract command history by scanning for `_CONSOLE_INFORMATION` |
| crashinfo | Dump crash-dump information |
| deskscan | Pool scanner for tagDESKTOP (desktops) |
| devicetree | Show device tree |
| dlldump | Dump DLLs from a process address space |
| dlllist | Print list of loaded dlls for each process |
| driverbl | Scans memory for driver objects and compares the results with the baseline image |
| driverirp | Driver IRP hook detection |
| driveritem | |
| drivermodule | Associate driver objects to kernel modules |
| driverscan | Pool scanner for driver objects |
| dumpcerts | Dump RSA private and public SSL keys |
| dumpfiles | Extract memory mapped and cached files |
| dumpregistry | Dumps registry files out to disk |
| editbox | Dumps various data from ComCtl Edit controls (experimental: ListBox, ComboBox) |
| envars | Display process environment variables |
| eventhooks | Print details on windows event hooks |
| evtlogs | Extract Windows Event Logs (XP/2003 only) |
| fileitem | |
| filescan | Pool scanner for file objects |
| firefoxcookies | Scans for and parses potential Firefox cookies (cookies.sqlite moz_cookies table) |
| firefoxdownloads | Scans for and parses potential Firefox download records -- downloads.sqlite moz_downloads table pre FF26 only |
| firefoxhistory | Scans for and parses potential Firefox url history (places.sqlite moz_places table) |
| gahti | Dump the USER handle type information |
| gditimers | Print installed GDI timers and callbacks |
| gdt | Display Global Descriptor Table |
| getservicesids | Get the names of services in the Registry and return Calculated SID |
| getsids | Print the SIDs owning each process |
| handles | Print list of open handles for each process |
| hashdump | Dumps password hashes (LM/NTLM) from memory |
| hibinfo | Dump hibernation file information |
| hivedump | Prints out a hive |
| hivelist | Print list of registry hives |
| hivescan | Pool scanner for registry hives |
| hookitem | |
| hpakextract | Extract physical memory from an HPAK file |
| hpakinfo | Info on an HPAK file |
| idt | Display Interrupt Descriptor Table |
| idxparser | Scans for and parses Java IDX files |
| iehistory | Reconstruct Internet Explorer cache / history |
| imagecopy | Copies a physical address space out as a raw DD image |
| imageinfo | Identify information for the image |
| impscan | Scan for calls to imported functions |
| joblinks | Print process job link information |
| kdbgscan | Search for and dump potential KDBG values |
| kpcrscan | Search for and dump potential KPCR values |
| ldrmodules | Detect unlinked DLLs |
| lsadump | Dump (decrypted) LSA secrets from the registry |
| machoinfo | Dump Mach-O file format information |
| malfind | Find hidden and injected code |
| malfinddeep | Find hidden and injected code, whitelist with ssdeep hashes |
| malprocfind | Finds malicious processes based on discrepancies from observed, normal behavior and properties |
| malsysproc | Find malware hiding in plain sight as system processes |
| mbrparser | Scans for and parses potential Master Boot Records (MBRs) |
| memdump | Dump the addressable memory for a process |
| memmap | Print the memory map |
| messagehooks | List desktop and thread window message hooks |
| mftparser | Scans for and parses potential MFT entries |
| mimikatz | mimikatz offline |
| moddump | Dump a kernel driver to an executable file sample |
| modscan | Pool scanner for kernel modules |
| modules | Print list of loaded modules |
| multiscan | Scan for various objects at once |
| mutantscan | Pool scanner for mutex objects |
| ndispktscan | Extract the packets from memory |
| notepad | List currently displayed notepad text |
| objtypescan | Scan for Windows object type objects |
| `openioc_scan` | Scan OpenIOC 1.1 based indicators |
| openvpn | Extract OpenVPN client credentials (username, password) cached in memory |
| patcher | Patches memory based on page scans |
| poolpeek | Configurable pool scanner plugin |
| prefetchparser | Scans for and parses potential Prefetch files |
| printkey | Print a registry key, and its subkeys and values |
| privs | Display process privileges |
| procdump | Dump a process to an executable file sample |
| processbl | Scans memory for processes and loaded DLLs and compares the results with the baseline |
| pslist | Print all running processes by following the EPROCESS lists |
| psscan | Pool scanner for process objects |
| pstotal | Combination of pslist, psscan and pstree; --output=dot gives a graphical representation |
| pstree | Print process list as a tree |
| psxview | Find hidden processes with various process listings |
| qemuinfo | Dump Qemu information |
| raw2dmp | Converts a physical memory sample to a windbg crash dump |
| registryitem | |
| rsakey | Extract base64/PEM encoded private RSA keys from physical memory |
| schtasks | Scans for and parses potential Scheduled Task (.JOB) files |
| screenshot | Save a pseudo-screenshot based on GDI windows |
| servicebl | Scans memory for service objects and compares the results with the baseline image |
| servicediff | List Windows services (a la Plugx) |
| serviceitem | |
| sessions | List details on `_MM_SESSION_SPACE` (user logon sessions) |
| shellbags | Prints ShellBags info |
| shimcache | Parses the Application Compatibility Shim Cache registry key |
| shimcachemem | Parses the Application Compatibility Shim Cache stored in kernel memory |
| shutdowntime | Print ShutdownTime of machine from registry |
| sockets | Print list of open sockets |
| sockscan | Pool scanner for tcp socket objects |
| ssdeepscan | Scan process or kernel memory with SSDeep signatures |
| ssdt | Display SSDT entries |
| strings | Match physical offsets to virtual addresses (may take a while, VERY verbose) |
| svcscan | Scan for Windows services |
| symlinkscan | Pool scanner for symlink objects |
| thrdscan | Pool scanner for thread objects |
| threads | Investigate `_ETHREAD` and `_KTHREAD`s |
| timeliner | Creates a timeline from various artifacts in memory |
| timers | Print kernel timers and associated module DPCs |
| truecryptmaster | Recover TrueCrypt 7.1a Master Keys |
| truecryptpassphrase | TrueCrypt Cached Passphrase Finder |
| truecryptsummary | TrueCrypt Summary |
| trustrecords | Extract MS Office TrustRecords from the Registry |
| uninstallinfo | Extract installed software info from Uninstall registry key |
| unloadedmodules | Print list of unloaded modules |
| userassist | Print userassist registry keys and information |
| userhandles | Dump the USER handle tables |
| usnparser | Scans for and parses USN journal records |
| vaddump | Dumps out the vad sections to a file |
| vadinfo | Dump the VAD info |
| vadtree | Walk the VAD tree and display in tree format |
| vadwalk | Walk the VAD tree |
| vboxinfo | Dump virtualbox information |
| verinfo | Prints out the version information from PE images |
| vmwareinfo | Dump VMware VMSS/VMSN information |
| volshell | Shell in the memory image |
| windows | Print Desktop Windows (verbose details) |
| wintree | Print Z-Order Desktop Windows Tree |
| wndscan | Pool scanner for window stations |
| yarascan | Scan process or kernel memory with Yara signatures |
Examples
Find the correct profile to use
This command will scan the memory image and attempt to guess the correct profile to use:
```text
root@siftworkstation:~# vol.py -f ./win7-32-nromanoff-memory-raw.001 imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/sansforensics/netwars/win7-32-nromanoff-memory/win7-32-nromanoff-memory-raw.001)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82d29c28L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82d2ac00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-04-06 20:52:46 UTC+0000
     Image local date and time : 2012-04-06 16:52:46 -0400
```
vol.py -f <image> --profile=<profile> pslist
This command lists the processes in the image by walking the EPROCESS lists:
```text
root@siftworkstation:~# vol.py -f ./win7-32-nromanoff-memory-raw.001 --profile=Win7SP0x86 pslist
Volatility Foundation Volatility Framework 2.5
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x85c50958 System 4 0 105 532 ------ 0 2012-04-04 11:47:29 UTC+0000
0x86ecaa70 smss.exe 280 4 3 32 ------ 0 2012-04-04 11:47:29 UTC+0000
0x86cfa540 csrss.exe 412 404 9 756 0 0 2012-04-04 11:47:41 UTC+0000
0x87d85d40 wininit.exe 464 404 3 74 0 0 2012-04-04 11:47:44 UTC+0000
0x86e7f030 csrss.exe 472 456 9 75 1 0 2012-04-04 11:47:44 UTC+0000
0x87d8fd40 winlogon.exe 520 456 3 91 1 0 2012-04-04 11:47:44 UTC+0000
0x87f68030 services.exe 564 464 7 243 0 0 2012-04-04 11:47:45 UTC+0000
0x87f79600 lsass.exe 592 464 8 888 0 0 2012-04-04 11:47:46 UTC+0000
0x87f8c030 lsm.exe 600 464 10 248 0 0 2012-04-04 11:47:46 UTC+0000
0x87fc5590 svchost.exe 704 564 11 358 0 0 2012-04-04 11:47:48 UTC+0000
0x87fee6d0 svchost.exe 780 564 6 277 0 0 2012-04-04 11:47:51 UTC+0000
0x88000d40 svchost.exe 820 564 18 469 0 0 2012-04-04 11:47:51 UTC+0000
0x8800e178 LogonUI.exe 880 520 7 197 1 0 2012-04-04 11:47:51 UTC+0000
0x880308e8 svchost.exe 920 564 18 495 0 0 2012-04-04 11:47:51 UTC+0000
0x88047a58 svchost.exe 944 564 31 1213 0 0 2012-04-04 11:47:52 UTC+0000
0x880462b8 svchost.exe 1032 564 17 394 0 0 2012-04-04 11:47:52 UTC+0000
0x880a0758 svchost.exe 1184 564 20 634 0 0 2012-04-04 11:48:00 UTC+0000
0x88070d40 spoolsv.exe 1308 564 13 328 0 0 2012-04-04 11:48:03 UTC+0000
0x880e7030 svchost.exe 1344 564 17 295 0 0 2012-04-04 11:48:03 UTC+0000
0x88120658 armsvc.exe 1456 564 4 61 0 0 2012-04-04 11:48:04 UTC+0000
0x88145b38 FireSvc.exe 1516 564 22 355 0 0 2012-04-04 11:48:05 UTC+0000
0x881b8030 McSACore.exe 1604 564 11 199 0 0 2012-04-04 11:48:08 UTC+0000
0x881b4900 FireTray.exe 1624 1516 0 -------- 0 0 2012-04-04 11:48:09 UTC+0000 2012-04-04 11:48:10 UTC+0000
0x881dd770 FrameworkServi 1740 564 31 426 0 0 2012-04-04 11:48:10 UTC+0000
0x8820bd40 VsTskMgr.exe 1796 564 21 365 0 0 2012-04-04 11:48:11 UTC+0000
0x88227358 mfevtps.exe 1824 564 5 171 0 0 2012-04-04 11:48:12 UTC+0000
0x8821a660 mfeann.exe 1872 1796 14 181 0 0 2012-04-04 11:48:12 UTC+0000
0x88220d40 conhost.exe 1880 412 2 30 0 0 2012-04-04 11:48:12 UTC+0000
0x88235cf8 VMwareService. 1964 564 7 192 0 0 2012-04-04 11:48:14 UTC+0000
0x8824cd40 naPrdMgr.exe 200 704 8 252 0 0 2012-04-04 11:48:15 UTC+0000
0x88263648 mcshield.exe 332 564 28 459 0 0 2012-04-04 11:48:15 UTC+0000
0x8827d9f0 mfefire.exe 456 564 7 108 0 0 2012-04-04 11:48:23 UTC+0000
0x88295900 VMUpgradeHelpe 888 564 4 87 0 0 2012-04-04 11:48:24 UTC+0000
0x8842a4b8 svchost.exe 2980 564 12 198 0 0 2012-04-04 11:50:42 UTC+0000
0x885561f8 SearchIndexer. 3092 564 14 992 0 0 2012-04-04 11:50:46 UTC+0000
0x862709a0 csrss.exe 2132 3112 9 271 2 0 2012-04-04 14:45:30 UTC+0000
0x8617bd40 winlogon.exe 3836 3112 3 112 2 0 2012-04-04 14:45:30 UTC+0000
0x85dbcb48 taskhost.exe 1108 564 9 290 2 0 2012-04-04 14:45:43 UTC+0000
0x861bb8f0 rdpclip.exe 2408 1184 4 88 2 0 2012-04-04 14:45:43 UTC+0000
0x8625b030 dwm.exe 3924 920 3 67 2 0 2012-04-04 14:45:44 UTC+0000
0x8622b4b8 explorer.exe 296 2392 22 853 2 0 2012-04-04 14:45:45 UTC+0000
0x861d4520 VMwareTray.exe 3780 296 5 65 2 0 2012-04-04 14:45:46 UTC+0000
0x861b6518 VMwareUser.exe 3804 296 3 77 2 0 2012-04-04 14:45:46 UTC+0000
0x86272d40 UdaterUI.exe 2944 1740 6 109 2 0 2012-04-04 14:49:35 UTC+0000
0x863c8030 McTray.exe 2864 2944 23 341 2 0 2012-04-04 14:49:35 UTC+0000
0x85f98728 a.exe 3264 3440 0 -------- 2 0 2012-04-04 14:57:52 UTC+0000 2012-04-04 18:40:58 UTC+0000
0x85e24030 OSPPSVC.EXE 4040 564 3 134 0 0 2012-04-04 15:42:01 UTC+0000
0x861d93a0 cmd.exe 3472 3264 0 -------- 2 0 2012-04-04 15:47:47 UTC+0000 2012-04-04 15:49:07 UTC+0000
0x862bfa40 spinlock.exe 3796 3472 0 -------- 2 0 2012-04-04 15:48:18 UTC+0000 2012-04-04 18:43:25 UTC+0000
0x8654c4a8 spinlock.exe 1208 3796 0 -------- 2 0 2012-04-04 15:48:18 UTC+0000 2012-04-04 18:43:25 UTC+0000
0x860f2578 cmd.exe 208 1208 1 31 2 0 2012-04-04 18:43:24 UTC+0000
0x86136a60 conhost.exe 2840 2132 2 28 2 0 2012-04-04 18:43:25 UTC+0000
0x864e57c8 PSEXESVC.EXE 2100 564 6 104 0 0 2012-04-04 18:52:11 UTC+0000
0x862a4d40 svchost.exe 3612 2100 0 -------- 0 0 2012-04-04 18:52:11 UTC+0000 2012-04-05 13:25:07 UTC+0000
0x862bb290 spinlock.exe 2956 2100 1 26 0 0 2012-04-04 18:54:51 UTC+0000
0x86383c18 spinlock.exe 1328 2956 2 128 0 0 2012-04-04 18:54:51 UTC+0000
0x86d2b578 a.exe 5008 4212 0 -------- 0 0 2012-04-06 13:19:34 UTC+0000 2012-04-06 16:58:26 UTC+0000
0x862f9a58 cmd.exe 5192 5008 1 28 0 0 2012-04-06 14:03:11 UTC+0000
0x86a1c8b8 conhost.exe 3408 412 2 31 0 0 2012-04-06 14:03:11 UTC+0000
0x8649d880 svchost.exe 6404 2100 8 256 0 0 2012-04-06 19:22:20 UTC+0000
0x86eeb430 f-response-ent 7776 564 8 75 0 0 2012-04-06 20:34:42 UTC+0000
0x85dde298 svchost.exe 5176 564 5 90 0 0 2012-04-06 20:34:44 UTC+0000
```
vol.py -f <image> --profile=<profile> netscan
This command scans memory for network connections and sockets together with the processes that own them:
```text
root@siftworkstation:~# vol.py -f ./win7-32-nromanoff-memory-raw.001 --profile=Win7SP0x86 netscan
Volatility Foundation Volatility Framework 2.5
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x4fb90e0 UDPv4 0.0.0.0:0 *:* 456 mfefire.exe 2012-04-04 11:48:37 UTC+0000
0x4fb90e0 UDPv6 :::0 *:* 456 mfefire.exe 2012-04-04 11:48:37 UTC+0000
0x7d8e1b20 UDPv4 0.0.0.0:8082 *:* 1740 FrameworkServi 2012-04-04 11:48:26 UTC+0000
0x7d8e2d38 UDPv4 0.0.0.0:8082 *:* 1740 FrameworkServi 2012-04-04 11:48:26 UTC+0000
0x7d8e2d38 UDPv6 :::8082 *:* 1740 FrameworkServi 2012-04-04 11:48:26 UTC+0000
0x7d931120 UDPv4 0.0.0.0:0 *:* 456 mfefire.exe 2012-04-04 11:48:37 UTC+0000
0x7d946818 UDPv4 0.0.0.0:0 *:* 1032 svchost.exe 2012-04-04 11:48:38 UTC+0000
0x7d947330 UDPv4 0.0.0.0:0 *:* 1032 svchost.exe 2012-04-04 11:48:38 UTC+0000
0x7d947330 UDPv6 :::0 *:* 1032 svchost.exe 2012-04-04 11:48:38 UTC+0000
0x7d984e20 UDPv4 0.0.0.0:123 *:* 1032 svchost.exe 2012-04-04 11:48:39 UTC+0000
0x7d985bb0 UDPv4 0.0.0.0:123 *:* 1032 svchost.exe 2012-04-04 11:48:39 UTC+0000
0x7d985bb0 UDPv6 :::123 *:* 1032 svchost.exe 2012-04-04 11:48:39 UTC+0000
0x7d8b0b50 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System
0x7d8b0b50 TCPv6 :::445 :::0 LISTENING 4 System
0x7d8df2a8 TCPv4 0.0.0.0:8081 0.0.0.0:0 LISTENING 1740 FrameworkServi
0x7d8e1ea8 TCPv4 0.0.0.0:8081 0.0.0.0:0 LISTENING 1740 FrameworkServi
0x7d8e1ea8 TCPv6 :::8081 :::0 LISTENING 1740 FrameworkServi
0x7d93ca70 TCPv4 0.0.0.0:49186 0.0.0.0:0 LISTENING 564 services.exe
0x7d93ca70 TCPv6 :::49186 :::0 LISTENING 564 services.exe
0x7d969ec0 TCPv4 0.0.0.0:3389 0.0.0.0:0 LISTENING 1184 svchost.exe
0x7d96e308 TCPv4 0.0.0.0:3389 0.0.0.0:0 LISTENING 1184 svchost.exe
0x7d96e308 TCPv6 :::3389 :::0 LISTENING 1184 svchost.exe
0x7dab56c0 UDPv4 0.0.0.0:5355 *:* 1184 svchost.exe 2012-04-04 11:48:00 UTC+0000
0x7dab6208 UDPv4 0.0.0.0:0 *:* 1184 svchost.exe 2012-04-04 11:48:00 UTC+0000
0x7dab6208 UDPv6 :::0 *:* 1184 svchost.exe 2012-04-04 11:48:00 UTC+0000
0x7daf8960 UDPv4 0.0.0.0:0 *:* 592 lsass.exe 2012-04-04 11:48:04 UTC+0000
0x7daf8960 UDPv6 :::0 *:* 592 lsass.exe 2012-04-04 11:48:04 UTC+0000
0x7db136a0 UDPv4 127.0.0.1:55829 *:* 592 lsass.exe 2012-04-04 11:48:04 UTC+0000
0x7db17770 UDPv4 127.0.0.1:55827 *:* 1184 svchost.exe 2012-04-04 11:48:04 UTC+0000
0x7db24ac8 UDPv4 0.0.0.0:0 *:* 592 lsass.exe 2012-04-04 11:48:04 UTC+0000
0x7db24ac8 UDPv6 :::0 *:* 592 lsass.exe 2012-04-04 11:48:04 UTC+0000
0x7db2a008 UDPv4 0.0.0.0:0 *:* 592 lsass.exe 2012-04-04 11:48:04 UTC+0000
0x7db2a008 UDPv6 :::0 *:* 592 lsass.exe 2012-04-04 11:48:04 UTC+0000
0x7db2af50 UDPv4 0.0.0.0:0 *:* 592 lsass.exe 2012-04-04 11:48:04 UTC+0000
0x7db31320 UDPv4 0.0.0.0:0 *:* 592 lsass.exe 2012-04-04 11:48:04 UTC+0000
0x7db36008 UDPv4 127.0.0.1:55832 *:* 944 svchost.exe 2012-04-04 11:48:04 UTC+0000
0x7da02898 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 464 wininit.exe
0x7da03298 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 780 svchost.exe
0x7da03298 TCPv6 :::135 :::0 LISTENING 780 svchost.exe
0x7da223e8 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 820 svchost.exe
0x7da25648 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 820 svchost.exe
0x7da25648 TCPv6 :::49153 :::0 LISTENING 820 svchost.exe
0x7da96700 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 592 lsass.exe
0x7da96700 TCPv6 :::49154 :::0 LISTENING 592 lsass.exe
0x7da96de8 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 592 lsass.exe
0x7dad06f0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 944 svchost.exe
0x7dad2430 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 944 svchost.exe
0x7dad2430 TCPv6 :::49155 :::0 LISTENING 944 svchost.exe
0x7ddf35a0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 780 svchost.exe
0x7ddfb440 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 464 wininit.exe
0x7ddfb440 TCPv6 :::49152 :::0 LISTENING 464 wininit.exe
0x7db4cc10 TCPv4 -:62342 -:80 CLOSED 1184 svchost.exe
0x7ec1f2b8 UDPv4 10.3.58.5:138 *:* 4 System 2012-04-04 11:47:39 UTC+0000
0x7eccb7c8 UDPv4 10.3.58.5:137 *:* 4 System 2012-04-04 11:47:39 UTC+0000
0x7ed807e0 TCPv4 0.0.0.0:49186 0.0.0.0:0 LISTENING 564 services.exe
0x7ed974b0 TCPv4 10.3.58.5:139 0.0.0.0:0 LISTENING 4 System
0x7f463770 UDPv4 127.0.0.1:1900 *:* 2980 svchost.exe 2012-04-04 19:40:36 UTC+0000
0x7f476008 UDPv4 127.0.0.1:49724 *:* 2980 svchost.exe 2012-04-04 19:40:36 UTC+0000
0x7f476b40 UDPv6 ::1:49722 *:* 2980 svchost.exe 2012-04-04 19:40:36 UTC+0000
0x7f47b880 UDPv4 10.3.58.5:1900 *:* 2980 svchost.exe 2012-04-04 19:40:36 UTC+0000
0x7f4e5548 UDPv4 10.3.58.5:49723 *:* 2980 svchost.exe 2012-04-04 19:40:36 UTC+0000
0x7f5b5248 UDPv4 10.3.58.5:55261 *:* 7816 Skype.exe 2012-04-06 19:44:03 UTC+0000
0x7eec5a58 TCPv4 -:62344 -:443 CLOSED 7816 Skype.exe
0x7ef2b988 TCPv4 10.3.58.5:62619 10.3.58.4:445 CLOSED 4 System
0x7f451df8 TCPv4 -:62331 224.0.0.252:443 CLOSED 7816 Skype.exe
0x7f60adf8 TCPv4 127.0.0.1:5678 127.0.0.1:62608 CLOSED 6404 svchost.exe
0x7f632008 TCPv4 -:62336 69.171.229.13:443 CLOSED 7816 Skype.exe
0x7f67a448 TCPv4 -:139 12.190.135.235:2264 CLOSED 4 System
0x7f693140 TCPv4 10.3.58.5:62567 10.3.58.255:80 CLOSED 6404 svchost.exe
0x7f6fb448 TCPv4 10.3.58.5:62617 10.3.58.4:445 CLOSED 4 System
0x7f7492f0 TCPv4 10.3.58.5:62294 10.3.58.9:135 CLOSED 4172 taskhost.exe
0x7f760a08 TCPv4 10.3.58.5:62295 10.3.58.9:49156 CLOSED 4172 taskhost.exe
0x7f899400 UDPv4 127.0.0.1:49290 *:* 1108 taskhost.exe 2012-04-04 14:45:46 UTC+0000
0x7f940568 UDPv6 ::1:1900 *:* 2980 svchost.exe 2012-04-04 19:40:36 UTC+0000
0x7fd46238 UDPv4 0.0.0.0:0 *:* 5176 svchost.exe 2012-04-06 20:34:44 UTC+0000
0x7fd9f688 UDPv4 0.0.0.0:0 *:* 5176 svchost.exe 2012-04-06 20:34:44 UTC+0000
0x7fd9f688 UDPv6 :::0 *:* 5176 svchost.exe 2012-04-06 20:34:44 UTC+0000
0x7f947098 TCPv4 0.0.0.0:3260 0.0.0.0:0 LISTENING 7776 f-response-ent
0x7ff175f8 TCPv4 127.0.0.1:5678 0.0.0.0:0 LISTENING 6404 svchost.exe
0x7f837580 TCPv4 10.3.58.5:49805 10.3.58.9:445 ESTABLISHED 4 System
0x7f89a1d0 TCPv4 10.3.58.5:50817 199.73.28.114:443 CLOSED 1328 spinlock.exe
0x7f8c8008 TCPv4 10.3.58.5:62421 10.3.58.9:135 CLOSED 592 lsass.exe
0x7f8f8008 TCPv4 10.3.58.5:62333 10.3.16.5:443 CLOSED 7816 Skype.exe
0x7fa47008 TCPv4 -:62334 184.51.253.195:443 CLOSED 7816 Skype.exe
0x7fa559f8 TCPv4 -:62335 184.51.255.240:443 CLOSED 7816 Skype.exe
0x7fc6e318 TCPv4 10.3.58.5:3260 10.3.16.5:48351 ESTABLISHED 7776 f-response-ent
0x7fe9b278 TCPv4 10.3.58.5:62380 10.3.58.9:445 CLOSED 4 System
```
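A small triage script that ties the pslist and netscan steps together. It is an added example, not part of Volatility or of this page: it parses the text rows the two plugins print, flags core processes whose parent is not the one expected on Windows 7 (for instance svchost.exe not started by services.exe, as with the PSEXESVC.EXE children above), lists what a given PID spawned, and attaches the endpoints netscan recorded for each flagged process. The sample rows are copied from the output above; the expected-parent table is an assumption you would tune per OS build.

```python
"""Triage helper for Volatility 2 pslist/netscan text output (added example,
not part of Volatility): flags core processes whose parent deviates from the
expected Windows 7 tree, lists a PID's descendants, and attaches netscan
endpoints to each flagged process."""
from collections import defaultdict

# Constructed sample: rows copied from the pslist and netscan output above.
PSLIST_SAMPLE = """\
0x87f68030 services.exe 564 464 7 243 0 0 2012-04-04 11:47:45 UTC+0000
0x87fc5590 svchost.exe 704 564 11 358 0 0 2012-04-04 11:47:48 UTC+0000
0x864e57c8 PSEXESVC.EXE 2100 564 6 104 0 0 2012-04-04 18:52:11 UTC+0000
0x862a4d40 svchost.exe 3612 2100 0 -------- 0 0 2012-04-04 18:52:11 UTC+0000 2012-04-05 13:25:07 UTC+0000
0x862bb290 spinlock.exe 2956 2100 1 26 0 0 2012-04-04 18:54:51 UTC+0000
0x86383c18 spinlock.exe 1328 2956 2 128 0 0 2012-04-04 18:54:51 UTC+0000
0x8649d880 svchost.exe 6404 2100 8 256 0 0 2012-04-06 19:22:20 UTC+0000
"""
NETSCAN_SAMPLE = """\
0x7d946818 UDPv4 0.0.0.0:0 *:* 1032 svchost.exe 2012-04-04 11:48:38 UTC+0000
0x7ff175f8 TCPv4 127.0.0.1:5678 0.0.0.0:0 LISTENING 6404 svchost.exe
0x7f89a1d0 TCPv4 10.3.58.5:50817 199.73.28.114:443 CLOSED 1328 spinlock.exe
"""
# Expected parent image per core process (assumption; adjust per OS build).
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}

def parse_pslist(text):
    """{pid: {name, ppid, exited}}; columns: offset name pid ppid thds hnds sess wow64 start(3) [exit(3)]."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 11 and f[0].startswith("0x"):   # skips banner/header rows
            procs[int(f[2])] = {"name": f[1], "ppid": int(f[3]), "exited": len(f) >= 14}
    return procs

def parse_netscan(text):
    """{pid: [(proto, local, foreign, state)]}; UDP rows carry no State column."""
    conns = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("0x"):
            continue
        tcp = f[1].startswith("TCP")      # TCP: ... foreign state pid owner
        pid = int(f[5] if tcp else f[4])  # UDP: ... foreign pid owner created
        conns[pid].append((f[1], f[2], f[3], f[4] if tcp else ""))
    return conns

def descendants(procs, root):
    """All PIDs below `root` in the parent/child tree (cycle-safe)."""
    children = defaultdict(list)
    for pid, p in procs.items():
        children[p["ppid"]].append(pid)
    seen, stack = [], [root]
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in seen:
                seen.append(child)
                stack.append(child)
    return seen

def find_anomalies(procs, conns):
    """Core processes whose parent image is not the expected one."""
    findings = []
    for pid, p in procs.items():
        expected = EXPECTED_PARENT.get(p["name"].lower())
        parent = procs.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<not in pslist>"
        if expected and parent_name != expected:
            findings.append({"pid": pid, "name": p["name"], "parent": parent_name,
                             "expected": expected, "conns": conns.get(pid, [])})
    return findings
```

Feed the full `pslist` and `netscan` output files to `parse_pslist` and `parse_netscan` instead of the samples; banner and header lines are ignored, and pslist's truncated 14-character Name column is assumed to contain no spaces.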
vol.py imagecopy -f hiberfil.sys -O hiber.raw
This command decompresses a hibernation file into a raw memory dump:
```text
root@siftworkstation:~# vol.py imagecopy -f /mnt/romanoff/hiberfil.sys -O hiber.raw
Volatility Foundation Volatility Framework 2.5
Writing data (5.00 MB chunks): |....................................................................................................................................................................................................................................................................................................................|
```