PwnSec Notes
  • AppSec
    • General Notes
    • Payloads
    • Fuzzing
    • Code Review
    • ReDos
    • SSTI
    • LFI-RFI
    • PHP Tricks
    • Javascript
    • Serialization
    • SQL Injection
    • JWT
    • GraphQL
    • Side Channel
    • Command Execution
    • WebSockets
    • Ruby
    • 0Auth
    • Latex Injection
    • NoSQL
    • JS Analysis
    • Apache Lucene
  • Forensics
    • Basics
    • Network Captures
    • Windows Logs
    • Memory
    • Browser
    • Threat Intelligence
    • Disk
  • Binary-Exploitation
    • Concepts
    • Binary Analysis
    • Debugging
    • Shellcodes
  • Malware-Analysis
    • Memory Mapping
    • Macros
    • Unpacking
    • Analysis
    • Resources
  • Reverse-Engineering
    • GDB basics
    • MASM Basics
    • Decompilers
    • Useful Codes
  • Services
    • SNMP
    • Grafana
    • Consul
  • Network Pentesting
    • C2 Servers
    • Pivoting
    • CrackMapExec
    • Kubernetes
    • Docker
  • MISC
    • Slack
    • Git
    • Pyjails
    • Privilege Escalation
    • Python LOL Code
  • Cloud Hacking
    • AWS S3
    • AWS Cognito
  • Mobile Pentesting
    • Frida
    • ADB
    • Drozer
    • Smali
    • Static Analysis
    • Dynamic Analysis
    • Bypass SSL Pinning
    • APK Labs
    • Android Malwares
    • Abusing Firebase
    • Root Detection
Powered by GitBook
On this page
  • Installing Vol 2,3
  • Installing Volatility
  • Convert between formats
  • Create Volatility-2 Profile
  • Create volatility-3 Profile
  • Command history
  • Credentials Hunting
  1. Forensics

Memory

PreviousWindows LogsNextBrowser

Last updated 2 years ago

Installing Vol 2,3

Installing Volatility

  • Python2

sudo apt install -y build-essential git libdistorm3-dev yara libraw1394-11 libcapstone-dev capstone-tool tzdata
sudo apt install -y python2 python2.7-dev libpython2-dev
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
sudo python2 get-pip.py
sudo python2 -m pip install -U setuptools wheel
python2 -m pip install -U distorm3 yara pycrypto pillow openpyxl ujson pytz ipython capstone
sudo python2 -m pip install yara
sudo ln -s /usr/local/lib/python2.7/dist-packages/usr/lib/libyara.so /usr/lib/libyara.so
python2 -m pip install -U git+https://github.com/volatilityfoundation/volatility.git

  • Python3

sudo apt install -y python3 python3-dev libpython3-dev python3-pip python3-setuptools python3-wheel
python3 -m pip install -U distorm3 yara pycrypto pillow openpyxl ujson pytz ipython capstone
python3 -m pip install -U git+https://github.com/volatilityfoundation/volatility3.git

Convert between formats

The qemu-img convert command can do conversion between multiple formats, including qcow2, qed, raw, vdi, vhd, and vmdk.

qemu-img convert -f raw -O qcow2 image.img image.qcow2

Create Volatility-2 Profile

  • Determine OS and Kernel version

# vol3
.\vol.py -f PVE.vmem banner
# Or Using strings
git clone https://github.com/hanasuru/vol_profile_builder
cd vol_profile_builder
# Build volatility2 profile for Ubuntu Xenial (16.04) with 4.4.0-186-generic kernel
./build.sh 16.04 4.4.0-186-generic

Loading the profile

cp <Profile>.zip ~/tools/volatility/volatility/plugins/overlays/linux
# Verify
python  ~/tools/volatility/vol.py --info

Create volatility-3 Profile

Loading the profile

cp <Profile>.json /home/kali/.local/lib/python3.11/site-packages/volatility3/framework/symbols/linux/

Command history

  • Linux

linux_bash
limux_bash_hash

Credentials Hunting

  • Environment Variables

  • Lsass

  • Notepad

  • Clipboard

  • Browser Password Managers

  • Cookies

Reference:

https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/
https://docs.openstack.org/image-guide/convert-images.html
https://fahriguresci.com/create-specific-volatility-profile-and-symbol-table/