How to install volatility 2 and how to use it

Md. Mahim Bin Firoj
8 min read · Oct 5, 2023


We already know that Volatility is a well-known tool for analysing memory images.

First you need a memory image, right? Here is my writeup on how to take a Windows memory image.

Now let’s see how we can install this tool, and then look at its usage commands. Please run the commands below one by one. Please note that you need Python 2 installed first.

git clone https://github.com/volatilityfoundation/volatility.git

cd volatility

python2 setup.py install

This is all you need to install the tool. Please note that all of the following plugins are used to analyse a Windows memory image.

[Screenshot: imageinfo plugin output]
[Screenshot: kdbgscan plugin output]

There are two plugins you can use to find the profile, because Volatility 2 requires the profile parameter to parse the data correctly. Both imageinfo and kdbgscan give you the name of the profile. Now the question is which one you should use. I would suggest kdbgscan, because it gives you the result quickly and its profile information is more accurate than imageinfo’s; imageinfo also takes longer to give you a result.

Now, to list the processes, give the following command:

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem pslist
[Screenshot: pslist plugin output]

If you want to see a specific process id, you need to give the -p flag.

To see the process tree with its parent-child relationships, use the pstree plugin.

[Screenshot: pstree plugin output]

Here you need to concentrate a bit more to understand pstree. You may notice that at the left-most side of every process there is a single dot, a double dot, or sometimes no dot at all.

  • No dot means: this is the parent process of some child process.
  • A single dot means: a child process of the parent process.
  • A double dot means: a nested child process of the child process.

Example:

See the first process with zero dots in front, wininit.exe, whose pid is 560. Now see services.exe with a single dot in front; its pid is 704 but its parent pid is 560, which means services.exe was created from the parent process wininit.exe. Hope this clears it up a bit.

Now check svchost.exe with two dots in front; its pid is 3584 but its parent pid is 704. That means svchost.exe was created from the parent process services.exe. I hope this is clear now.

If not, read this one as well. Check number 5, svchost.exe, whose pid is 4628 and which has two dots in front. You already know what two dots mean. Now check number 6, ctfmon.exe, whose pid is 3508 and which has three dots in front. Check its parent, which is 4628. That means ctfmon.exe 3508 was created from the parent svchost.exe 4628.
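The dot rule above can be checked mechanically: each leading dot is one level of nesting, and the parent implied by the dots must agree with the PPid column. The script below is an added example (not from the original post) that parses a constructed pstree-style listing built around the same pids as the text (560, 704, 3584, 4628, 3508), rebuilds the parent/child tree from the dots alone, and reports any row whose dots disagree with its PPid. Offsets, thread counts and timestamps in the sample are made up.

```python
"""Parse Volatility 2 pstree output and rebuild the parent/child tree from the leading dots.

Added example, not the original post's code. The sample output is constructed to
mirror the pids discussed in the text; column widths are simplified.
"""
import re

# Constructed pstree-style output. Each leading dot marks one level of nesting.
SAMPLE_PSTREE = """\
Name                                    Pid   PPid   Thds   Hnds Time
------------------------------------- ------ ------ ------ ------ ----
 0xffffa18b0c1d3080:wininit.exe         560    472      1      0 2023-10-03 10:15:02 UTC+0000
. 0xffffa18b0c2a5080:services.exe       704    560      5      0 2023-10-03 10:15:03 UTC+0000
.. 0xffffa18b0c3f1080:svchost.exe      3584    704     12      0 2023-10-03 10:15:07 UTC+0000
.. 0xffffa18b0c4c2080:svchost.exe      4628    704      9      0 2023-10-03 10:15:09 UTC+0000
... 0xffffa18b0c5d7080:ctfmon.exe      3508   4628      4      0 2023-10-03 10:16:11 UTC+0000
"""

# dots, then "0x<offset>:<name>", then Pid and PPid columns
LINE_RE = re.compile(
    r"^(?P<dots>\.*)\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
)


def parse_pstree(text):
    """Return a list of (depth, name, pid, ppid) tuples, one per process row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and separator lines
        rows.append((len(m.group("dots")), m.group("name"),
                     int(m.group("pid")), int(m.group("ppid"))))
    return rows


def build_tree(rows):
    """Map each pid to the pid of the nearest preceding row one level shallower.

    This uses only the dots, so the result can be checked against the PPid column.
    """
    parent_by_dots = {}
    stack = []  # stack[d] = pid of the most recent row seen at depth d
    for depth, _name, pid, _ppid in rows:
        del stack[depth:]  # drop entries at this depth or deeper
        parent_by_dots[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parent_by_dots


def check_consistency(rows):
    """Return pids whose dot-derived parent disagrees with the PPid column.

    Rows with no dots are skipped: their PPid points at a process pstree did not
    print above them (for example a parent that has already exited).
    """
    tree = build_tree(rows)
    return [pid for depth, _n, pid, ppid in rows if depth > 0 and tree[pid] != ppid]


def describe(rows):
    """Human-readable 'X (pid) was created by Y (pid)' lines, as the text explains them."""
    name_by_pid = {pid: name for _d, name, pid, _p in rows}
    out = []
    for depth, name, pid, ppid in rows:
        if depth == 0:
            out.append("%s (%d) is a top-level process here" % (name, pid))
        else:
            out.append("%s (%d) was created by %s (%d)"
                       % (name, pid, name_by_pid.get(ppid, "?"), ppid))
    return out


if __name__ == "__main__":
    parsed = parse_pstree(SAMPLE_PSTREE)
    for line in describe(parsed):
        print(line)
    print("dot/PPid mismatches:", check_consistency(parsed))
```

Run it against real output by replacing SAMPLE_PSTREE with the text of `vol.py ... pstree`; a non-empty mismatch list means the dots and the PPid column disagree, which is worth a second look rather than something to assume away.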

Psscan plugin: sometimes this is used to find hidden processes. You need to correlate its result with the pslist or pstree result to find out which process is hidden.

[Screenshot: psscan plugin output]

Psxview plugin: to find out whether a process is running in memory or not, and whether there is any hidden process used by malware. If a process is not listed in PsActiveProcessHead, it could be an indicator that it is malware. If you see True under the pslist column, the process is present in PsActiveProcessHead, so it is not hidden. If you see False, it is an indicator of malicious activity.

[Screenshot: psxview plugin output]
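The psscan and psxview sections both come down to the same cross-view idea: pslist walks the kernel’s linked list, psscan carves _EPROCESS structures out of memory by pattern, so anything psscan finds that pslist does not is either a process that already exited (psscan prints a second, exit timestamp for those) or one that has been unlinked from the list. The script below is an added example, not from the original post, that does this correlation over constructed, simplified pslist and psscan listings; the offsets, PDB values, timestamps and the updater.exe / notepad.exe rows are made up for the sample.

```python
"""Cross-view Volatility 2 pslist and psscan output to find processes one view misses.

Added example, not the original post's code. Sample outputs are constructed and
simplified; the parser relies only on the leading offset, name, PID and PPID
fields plus the timestamps.
"""
import re

SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffa18b0c1d3080 wininit.exe             560    472      1        0      0      0 2023-10-03 10:15:02 UTC+0000
0xffffa18b0c2a5080 services.exe            704    560      5        0      0      0 2023-10-03 10:15:03 UTC+0000
0xffffa18b0c9d1080 Lightshot.exe         10204   4628      7        0      1      0 2023-10-03 11:02:40 UTC+0000
"""

SAMPLE_PSSCAN = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003f7cb980 wininit.exe         560    472 0x00000000001ad000 2023-10-03 10:15:02 UTC+0000
0x000000003f8a2080 services.exe        704    560 0x000000000a3c1000 2023-10-03 10:15:03 UTC+0000
0x000000003fa11080 Lightshot.exe     10204   4628 0x000000001c0b2000 2023-10-03 11:02:40 UTC+0000
0x000000003fb73080 notepad.exe        5120   3508 0x000000002d4e5000 2023-10-03 10:40:11 UTC+0000   2023-10-03 10:41:05 UTC+0000
0x000000003fc45080 updater.exe        6672    704 0x0000000031f07000 2023-10-03 10:59:58 UTC+0000
"""

ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_rows(text):
    """Return {pid: {"name", "ppid", "timestamps"}} for each process row in a listing."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header / separator
        procs[int(m.group("pid"))] = {
            "name": m.group("name"),
            "ppid": int(m.group("ppid")),
            "timestamps": TIME_RE.findall(line),  # 1 = created, 2 = created + exited
        }
    return procs


def cross_view(pslist_text, psscan_text):
    """Classify pids that psscan carved but pslist's linked-list walk did not report.

    Exited processes are expected to show up only in psscan (they carry an exit
    time), so they are separated from the case the text calls hidden: a pid with
    no exit time that pslist does not list.
    """
    listed = parse_rows(pslist_text)
    scanned = parse_rows(psscan_text)
    result = {"hidden": [], "exited": [], "only_in_pslist": []}
    for pid, info in scanned.items():
        if pid in listed:
            continue
        if len(info["timestamps"]) >= 2:
            result["exited"].append(pid)
        else:
            result["hidden"].append(pid)
    # Present in pslist but not carved by psscan (uncommon; worth noting, not alarming)
    result["only_in_pslist"] = [pid for pid in listed if pid not in scanned]
    return result


if __name__ == "__main__":
    verdict = cross_view(SAMPLE_PSLIST, SAMPLE_PSSCAN)
    scanned = parse_rows(SAMPLE_PSSCAN)
    for pid in verdict["hidden"]:
        print("REVIEW: pid %d (%s) in psscan, not in pslist, no exit time"
              % (pid, scanned[pid]["name"]))
    for pid in verdict["exited"]:
        print("ok: pid %d (%s) exited; carved by psscan only" % (pid, scanned[pid]["name"]))
```

The "hidden" bucket is what psxview’s False under the pslist column corresponds to; treat it as the starting point for dlllist, malfind and netscan on that pid, not as a verdict on its own.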

To dump a process into the current directory, use the memdump plugin. Sometimes you need to upload the hash of the dumped malicious process to VirusTotal to check it:

[Screenshots: memdump plugin, two command variants]

We have dumped the Lightshot.exe process, whose pid is 10204. Now we can take its hash and upload it to VirusTotal to see whether it is malicious or not. In a real case, instead of Lightshot.exe you would dump the malicious process.

[Screenshot: sha256sum of the dumped process]

To find out which DLLs are loaded in a process, provide that specific process id:

[Screenshot: dlllist plugin output]

Without the -p flag, the DLLs of all processes are shown. The dlllist plugin also helps you learn the directory from which the malware was executed.

The handles plugin can also be used for this.

You may wish to dump all the DLLs, or only the DLLs of a specific process id:

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem dlldump --dump-dir /root/dlldump/

or

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem dlldump -p 10204 --dump-dir /root/dlldump/

Get the SIDs of winlogon.exe (pid 620):

You may wish to dump all the hashes:

Sometimes Volatility 2 is unable to find hashes. In that case you need to use Volatility 3. I will release a writeup about Volatility 3 soon.

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem hashdump

or

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem lsadump

Malfind plugin, to find a malicious process hidden in high-privileged kernel mode: when process hollowing or process injection techniques have been used, this plugin will help you.

This is the Microsoft Defender process, and it is legitimate in most cases, unless an attacker renames their process to this name. This process has the right to access high-privileged kernel mode. If you find any other process present in this area, examine it; it could be an indicator of attack.

If you are asked which malicious executable is making a network connection, first use the malfind plugin to find the malicious exe, then search for that pid using the netscan plugin.

Netscan plugin: to find out which process is making network connections.

ldrmodules plugin: the ldrmodules command is used to identify memory-mapped PE files in a process’s address space and cross-reference them with the three PEB lists: InLoad, InInit and InMem. The InLoad list contains all loaded modules, the InInit list contains modules that require initialization, and the InMem list contains modules that have been fully initialized and are currently in memory.

When the ldrmodules plugin is executed, it checks whether each memory-mapped PE file exists in any of the three PEB lists. If a file is not listed in any of them, it is not loaded by the process through the normal loader and may be a hidden or malicious DLL. If all three columns show False, it is suspicious. Again, this is a probability, not a certainty; investigate it once you have a suspicious process.
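To make the "three False columns" rule concrete, here is an added example (not from the original post) that parses constructed ldrmodules-style output and grades each row. It also encodes the one caveat a practitioner should know before chasing every False: the process’s own executable is normally absent from the InInit list, so InLoad=True / InInit=False / InMem=True for the main module is expected and is reported as "info" rather than as a finding. Pid 4628 and svchost.exe are taken from the text; base addresses and the unknown.dll / unbacked rows are constructed.

```python
"""Triage Volatility 2 ldrmodules output: flag modules missing from all three PEB lists.

Added example, not the original post's code. The sample listing is constructed and
follows the ldrmodules column layout (Pid, Process, Base, InLoad, InInit, InMem, MappedPath).
"""
import re

SAMPLE_LDRMODULES = """\
Pid      Process              Base               InLoad InInit InMem MappedPath
-------- -------------------- ------------------ ------ ------ ----- ----------
    4628 svchost.exe          0x00007ff6a1b20000 True   False  True  \\Windows\\System32\\svchost.exe
    4628 svchost.exe          0x00007ffb10e00000 True   True   True  \\Windows\\System32\\ntdll.dll
    4628 svchost.exe          0x00007ffb0f5c0000 True   True   True  \\Windows\\System32\\kernel32.dll
    4628 svchost.exe          0x0000000002130000 False  False  False \\Users\\Public\\unknown.dll
    4628 svchost.exe          0x000001e2f0a00000 False  False  False
"""

ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<inload>True|False)\s+(?P<ininit>True|False)\s+(?P<inmem>True|False)"
    r"\s*(?P<path>.*?)\s*$"
)


def parse_ldrmodules(text):
    """Return one dict per module row; MappedPath is '' when the region has no file backing."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header / separator
        rows.append({
            "pid": int(m.group("pid")),
            "process": m.group("proc"),
            "base": int(m.group("base"), 16),
            "inload": m.group("inload") == "True",
            "ininit": m.group("ininit") == "True",
            "inmem": m.group("inmem") == "True",
            "path": m.group("path"),
        })
    return rows


def triage(rows):
    """Return (severity, row) pairs for rows that deserve a look.

    high   : False/False/False and no MappedPath: a PE mapping no file backs.
    medium : False/False/False with a path: the text's 'three False' case.
    info   : True/False/True for the process's own executable: expected loader
             behaviour (the exe is not placed in the InInit list), not a finding.
    low    : any other row with at least one False.
    """
    findings = []
    for r in rows:
        flags = (r["inload"], r["ininit"], r["inmem"])
        own_exe = r["path"].lower().endswith("\\" + r["process"].lower())
        if flags == (False, False, False):
            findings.append(("high" if not r["path"] else "medium", r))
        elif flags == (True, False, True) and own_exe:
            findings.append(("info", r))
        elif False in flags:
            findings.append(("low", r))
    return findings


if __name__ == "__main__":
    for sev, r in triage(parse_ldrmodules(SAMPLE_LDRMODULES)):
        print("%-6s pid=%d base=0x%016x path=%r" % (sev, r["pid"], r["base"], r["path"] or ""))
```

The "high" rows are the ones to carry into malfind and dlldump on that pid; rows graded "low" (for instance a module unlinked from only one list) still deserve a look, but the unbacked, fully unlinked mapping is where a manual review should start.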

Filescan plugin, to search for files:

If you find any file that looks suspicious, note down its offset. You can dump it using the following command.

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem dumpfiles --dump-dir=. -Q 0x000000007f7cb980

Svcscan plugin, to find service details: you can find the full details of any malicious service, including its image binary path.

Registry hive list. If this does not work on a Windows 10 memory image, try Volatility 3.

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem hivelist
python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem printkey

To check persistence:

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem printkey -K 'Software\Microsoft\Windows\CurrentVersion\Run'

IEHistory. This checks whether the user downloaded anything suspicious.

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem iehistory

Dump registry. This dumps the registry hives into a folder.

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem dumpregistry -D regdump/

Dump kernel drivers into a folder.

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem moddump -D kernel_driver/

Procdump. This dumps the executables of all processes into a single folder. By specifying a single process id, you can dump only that process’s executable.

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem procdump -D procdump/

Shellbags plugin, to find the last directories accessed by the user. It is used to find files, folders, zips and installers that were present on the system at some point in time, even if they were deleted:

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem shellbags

Read the content of notepad documents:

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem notepad

Malfind plugin, to find malicious code injection. It is related to network connections as well:

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem malfind

or

python2 vol.py --profile=Win10x64_19041 -f /home/sansforensics/Downloads/20231003.mem malfind -D .

Cmdline plugin:

Environment variables. To find out the PC name and other info such as the username:

[Screenshot: envars plugin output]

For your practice, here is a sample memory dump of a ransomware attack. You can analyse it to sharpen your skills. Check the link below.

https://mirror.aarnet.edu.au/pub/DownUnderCTF/JacobsPC.7z

The file is password protected. The password is I83xOkTzeljDmpMmZWTi

Thanks. I hope this blog helps you analyze memory dumps more efficiently. Please subscribe below.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos
