Memory Forensics Cheat Sheet v2.0
POCKET REFERENCE GUIDE, SANS Institute, by Chad Tilbury
https://digital-forensics.sans.org
http://forensicmethods.com
Posted: 2021-01-30

Purpose
This cheat sheet supports the SANS FOR508 Advanced Digital Forensics, Incident Response, and Threat Hunting and SANS FOR526 Memory Forensics In-Depth courses. It is not intended to be an exhaustive resource for Volatility or other highlighted tools. Volatility is a trademark of Verizon. The SANS Institute is not sponsored, approved by or affiliated with Verizon.

How To Use This Document
Memory analysis is one of the most powerful tools available to forensic examiners. This guide hopes to simplify the overwhelming number of available options. Analysis can generally be accomplished in six steps:
1. Identify Rogue Processes
2. Analyze Process DLLs and Handles
3. Review Network Artifacts
4. Look for Evidence of Code Injection
5. Check for Signs of a Rootkit
6. Extract Processes, Drivers, and Objects
We outline the most useful Volatility plugins supporting these six steps here. Further information is provided for: Memory Acquisition, Alternate Memory Locations, Converting Hibernation Files and Crash Dumps, Memory Artifact Timelining, and Registry Analysis Plugins.

Memory Acquisition
Remember to open the command prompt as Administrator.
winpmem
  -o  Output file location
  -p  Include pagefile
  -e  Extract raw image from AFF4 file
  -l  Load driver for live memory analysis
C:\> winpmem_.exe -o F:\mem.aff4
C:\> winpmem_.exe F:\mem.aff4 -e PhysicalMemory -o mem.raw
DumpIt
  /f  Output file location
  /s  Hash function to use
  /t  Send to remote host (set up listener with /l)
C:\> DumpIt.exe /f F:\mem.raw /s 1

Alternate Memory Locations
Hibernation File: compressed RAM image; available in Volume Shadow Copies
  %SystemDrive%\hiberfil.sys
Page and Swap Files
  %SystemDrive%\pagefile.sys
  %SystemDrive%\swapfile.sys (Win8+ / 2012+)
Memory Dump
  %WINDIR%\MEMORY.DMP

Memory Artifact Timelining
The timeliner plugin parses time-stamped objects found in memory images. Output is sorted by:
  Process creation time
  Thread creation time
  Driver compile time
  DLL/EXE compile time
  Network socket creation time
  Memory resident registry key last write time
  Memory resident event log entry creation time
timeliner
  --output-file    Optional file to write output
  --output=body    Body file format (also text, xlsx)
  --type=Registry  Extract registry key last write times
# vol.py -f mem.img timeliner --output-file out.body --output=body --profile=Win10x64
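The body file that timeliner writes with --output=body is the TSK "bodyfile" format (11 pipe-separated fields: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, with Unix epoch times), which mactime and most timeline tools consume. The following Python is an added example, not part of the SANS cheat sheet or of the Volatility project: it parses such a file, converts the epoch values to UTC, and pulls out every artifact within a chosen window around a pivot event (here the creation of one process). The body lines, the process names and PIDs, and the helper names parse_bodyfile and pivot_window are constructed for the example; the assumption that timeliner writes the same timestamp into all four time slots is noted in the code and the parser also handles lines where the four slots differ.

```python
"""Pivot-window search over a Volatility 2 timeliner body file.

Added example (not SANS or Volatility code). The BODY text below is a
constructed sample in TSK body format, not output from a real image.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of "timeliner --output=body" lines. Epoch 1611993600 is
# 2021-01-30 08:00:00 UTC; the names, PIDs and addresses are invented.
BODY = """\
0|[PROCESS] svchost.exe PID: 868/PPID: 500 POffset: 0x000000003eb21b30|0|---------------|0|0|0|1611993620|1611993620|1611993620|1611993620
0|[PROCESS] explorer.exe PID: 1022/PPID: 980 POffset: 0x000000003ea3e060|0|---------------|0|0|0|1611993670|1611993670|1611993670|1611993670
0|[PROCESS] helper.exe PID: 3316/PPID: 868 POffset: 0x000000003c7d1040|0|---------------|0|0|0|1611994065|1611994065|1611994065|1611994065
0|[NETWORK CONNECTION] 10.0.0.5:49812 -> 203.0.113.7:443 TCPv4 helper.exe PID: 3316|0|---------------|0|0|0|1611994071|1611994071|1611994071|1611994071
0|[REGISTRY] \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|0|---------------|0|0|0|1611994060|1611994060|1611994060|1611994060
0|[PE HEADER (dll)] helper.dll Process: helper.exe/PID: 3316/PPID: 868/DLL Base: 0x10000000|0|---------------|0|0|0|1611900000|1611900000|1611900000|1611900000
"""

SLOTS = ("atime", "mtime", "ctime", "crtime")


def parse_bodyfile(text):
    """Return a time-sorted list of events from TSK body-format text.

    Each event is a dict with keys time (aware UTC datetime), source (the
    bracketed tag timeliner puts in front of the name), description and
    slots (which of the four time fields carried this timestamp).
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"expected 11 body-file fields: {line!r}")
        tag, _, desc = fields[1].partition("] ")
        # timeliner writes one timestamp into all four slots (assumption noted
        # in the lead-in); a hand-built body file may not, so emit one event
        # per distinct timestamp and record which slots carried it.
        by_ts = {}
        for slot, raw in zip(SLOTS, fields[7:11]):
            by_ts.setdefault(int(raw), []).append(slot)
        for ts, slots in by_ts.items():
            if ts == 0:  # 0 means "unknown time" in body files; nothing to plot
                continue
            events.append({
                "time": datetime.fromtimestamp(ts, tz=timezone.utc),
                "source": tag.lstrip("["),
                "description": desc,
                "slots": slots,
            })
    events.sort(key=lambda e: (e["time"], e["source"]))
    return events


def pivot_window(events, source, needle, seconds):
    """Return events within +/- seconds of the first event of the given source
    whose description contains needle, in time order."""
    pivot = next((e for e in events
                  if e["source"] == source and needle in e["description"]), None)
    if pivot is None:
        return []
    delta = timedelta(seconds=seconds)
    return [e for e in events if abs(e["time"] - pivot["time"]) <= delta]


if __name__ == "__main__":
    # Pivot on the creation of PID 3316 and show everything within one minute.
    for e in pivot_window(parse_bodyfile(BODY), "PROCESS", "PID: 3316/", 60):
        print(e["time"].strftime("%Y-%m-%d %H:%M:%S UTC"),
              f"[{e['source']}]", e["description"])
```

Run it on a real file with parse_bodyfile(open("out.body").read()); the window size and the pivot string are the only parameters a practitioner normally changes. DLL compile times (the PE HEADER entries) are deliberately left outside the window in the sample: they date the binary, not the intrusion, and are better read as a separate "what was built when" list.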
comhivelist-Findandlistavailableregistryhives#vol.
pyhivelisthivedump-Printallkeysandsubkeysinahive-oOffsetofregistryhivetodump(virtualoffset)#vol.
pyhivedump–o0xe1a14b60printkey-Outputaregistrykey,subkeys,andvalues-K"Registrykeypath"#vol.
pyprintkey–K"Microsoft\Windows\CurrentVersion\Run"dumpregistry-Extractallavailableregistryhives-oExtractusingvirtualoffsetofregistryhive--dump-dirDirectorytosaveextractedfiles#vol.
pydumpregistry--dump-dir.
/outputuserassist-Findandparseuserassistkeyvalues#vol.
pyuserassisthashdump-DumpuserNTLMandLanmanhashes#vol.
pyhashdumpautoruns-MapASEPstorunningprocesses-vShoweverything#vol.
pyautoruns-vRegistryAnalysisPluginsConvertingHibernationFilesandCrashDumpsimagecopy-Convertalternatememorysourcestoraw-fNameofsourcefile-OOutputfilename--profileSourceOSfromimageinfo#vol.
pyimagecopy-fhiberfil.
sys-Ohiber.
raw--profile=Win7SP1x64#vol.
pyimagecopy-fMEMORY.
DMP-Ocrashdump.
raw–-profile=Win2016x64_14393ExtractProcesses,Drivers,andObjectspslist-Highlevelviewofrunningprocesses#vol.
Identify Rogue Processes
pslist - High level view of running processes
# vol.py pslist
psscan - Scan memory for EPROCESS blocks
# vol.py psscan
pstree - Display parent-process relationships
# vol.py pstree

Check for Signs of a Rootkit
psxview - Find hidden processes using cross-view
# vol.py psxview
modscan - Scan memory for loaded, unloaded, and unlinked drivers
# vol.py modscan
apihooks - Find API/DLL function hooks
  -p  Operate only on specific PIDs
  -Q  Only scan critical processes and DLLs
# vol.py apihooks
ssdt - Hooks in System Service Descriptor Table
# vol.py ssdt | egrep -v '(ntoskrnl|win32k)'
driverirp - Identify I/O Request Packet (IRP) hooks
  -r  Analyze drivers matching REGEX name pattern
# vol.py driverirp -r tcpip
idt - Display Interrupt Descriptor Table
# vol.py idt
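pslist walks the kernel's doubly linked list of EPROCESS blocks, while psscan carves EPROCESS structures out of physical memory, so a process that psscan sees and pslist does not is either terminated (its block is still in memory) or unlinked from the list, which is the classic DKOM hiding technique that psxview reports in its pslist/psscan columns. The Python below is an added example, not code from the SANS cheat sheet or from the Volatility project: it performs that two-view comparison on the plugins' text output and separates the two cases by the presence of an exit time. Both tables are constructed samples that mimic the column layout of the Volatility 2 text renderer (that layout is an assumption of the row regex); the names, PIDs and offsets are invented, and the functions parse_process_table and cross_view are the example's own. psxview itself consults more views (thread lists, the PspCid table, csrss handles, sessions and desktop threads), so treat this as the first two columns of that plugin.

```python
"""Two-view (pslist vs psscan) comparison over Volatility 2 text output.

Added example (not SANS or Volatility code). Both tables below are
constructed samples, not output from a real memory image.
"""
import re

# Constructed "vol.py pslist" output: virtual offsets, linked-list walk.
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c8c040 System                    4      0     84      478 ------      0 2021-01-30 08:00:01 UTC+0000
0xfffffa8001a3e060 explorer.exe           1022    980     30      812      1      0 2021-01-30 08:01:10 UTC+0000
0xfffffa8001b21b30 svchost.exe             868    500     12      342      0      0 2021-01-30 08:00:20 UTC+0000
"""

# Constructed "vol.py psscan" output: physical offsets, carved EPROCESS blocks.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003fc8c040 System                4      0 0x0000000000187000 2021-01-30 08:00:01 UTC+0000
0x000000003ea3e060 explorer.exe       1022    980 0x000000003e1c2000 2021-01-30 08:01:10 UTC+0000
0x000000003eb21b30 svchost.exe         868    500 0x000000003e2f8000 2021-01-30 08:00:20 UTC+0000
0x000000003d14a2b0 notepad.exe        2140   1022 0x000000003d0a1000 2021-01-30 08:05:33 UTC+0000 2021-01-30 08:06:02 UTC+0000
0x000000003c7d1040 helper.exe         3316    868 0x000000003c611000 2021-01-30 08:07:45 UTC+0000
"""

# Data rows of both plugins start with an offset, then name, PID and PPID.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s")
STAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def parse_process_table(text):
    """Return {pid: {name, ppid, offset, exited}} from a pslist/psscan table.

    Header and separator lines do not start with an offset and are skipped.
    A second timestamp on the row (the Exit / Time exited column) marks a
    process that has already terminated.
    """
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        offset, name, pid, ppid = m.groups()
        stamps = STAMP_RE.findall(line[m.end():])
        procs[int(pid)] = {"name": name, "ppid": int(ppid),
                           "offset": offset, "exited": len(stamps) >= 2}
    return procs


def cross_view(pslist_text, psscan_text):
    """Return (hidden, terminated) as sorted lists of (pid, name, ppid).

    hidden: carved by psscan, absent from the pslist walk, no exit time, so
            the EPROCESS was unlinked while the process is still alive.
    terminated: absent from pslist because it exited; its block simply has
            not been reused yet. Expected, but still useful for a timeline.
    """
    linked = parse_process_table(pslist_text)
    carved = parse_process_table(psscan_text)
    hidden, terminated = [], []
    for pid, info in carved.items():
        if pid in linked:
            continue
        entry = (pid, info["name"], info["ppid"])
        (terminated if info["exited"] else hidden).append(entry)
    return sorted(hidden), sorted(terminated)


if __name__ == "__main__":
    hidden, terminated = cross_view(PSLIST_OUTPUT, PSSCAN_OUTPUT)
    for pid, name, ppid in hidden:
        print(f"HIDDEN      pid={pid} name={name} ppid={ppid}: in psscan, not in pslist, still running")
    for pid, name, ppid in terminated:
        print(f"TERMINATED  pid={pid} name={name} ppid={ppid}")
```

Feed it the saved output of `vol.py pslist` and `vol.py psscan`; a PID that lands in the hidden list is the one to take to psxview, pstree and dlllist next. PID reuse is the one caveat: a carved block with an exit time and a PID that pslist also shows is a different (older) process, which is why the function keys on the PID only after the exit-time check.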
Extract Processes, Drivers, and Objects
dlldump - Extract DLLs from specific processes
  -p          Dump DLLs only for specific PIDs
  -b          Dump DLL using base offset
  -r          Dump DLLs matching REGEX name
  --dump-dir  Directory to save extracted files
# vol.py dlldump --dump-dir ./output -r metsrv
moddump - Extract kernel drivers
  -b          Dump driver using offset address (from modscan)
  -r          Dump drivers matching REGEX name
  --dump-dir  Directory to save extracted files
# vol.py moddump --dump-dir ./output -r gaopdx
procdump - Dump process to executable sample
  -p          Dump only specific PIDs
  -o          Specify process by physical memory offset
  -n          Use REGEX to specify process
  --dump-dir  Directory to save extracted files
# vol.py procdump --dump-dir ./output -p 868
memdump - Extract every memory section into one file
  -p          Dump memory sections from these PIDs
  -n          Use REGEX to specify process
  --dump-dir  Directory to save extracted files
# vol.py memdump --dump-dir ./output -p 868
filescan - Scan memory for FILE_OBJECT handles
# vol.py filescan
dumpfiles - Extract FILE_OBJECTs from memory
  -Q          Dump using physical offset of FILE_OBJECT
  -r          Extract using a REGEX (add -i for case insensitive)
  -n          Add original file name to output name
  --dump-dir  Directory to save extracted files
# vol.py dumpfiles -n -i -r \\.exe --dump-dir=./
svcscan - Scan for Windows Service record structures
  -v  Show service DLL for svchost instances
# vol.py svcscan -v
cmdscan - Scan for COMMAND_HISTORY buffers
# vol.py cmdscan
consoles - Scan for CONSOLE_INFORMATION output
# vol.py consoles

Review Network Artifacts
netscan - Scan for TCP connections and sockets
# vol.py netscan
Note: Use connscan and sockscan for XP systems.
Analyze Process DLLs and Handles
dlllist - List of loaded DLLs by process
  -p  Show information only for specific processes (PIDs)
# vol.py dlllist -p 1022,868
getsids - Print process security identifiers
  -p  Show information only for specific PIDs
# vol.py getsids -p 868
handles - List of open handles for each process
  -p  Show information only for specific PIDs
  -t  Display only handles of a certain type {Process, Thread, Key, Event, File, Mutant, Token, Port}
# vol.py handles -p 868 -t File,Key

Look for Evidence of Code Injection
malfind - Find injected code and dump sections
  -p          Show information only for specific PIDs
  -o          Provide physical offset of single process to scan
  --dump-dir  Directory to save suspicious memory sections
# vol.py malfind --dump-dir ./output_dir
ldrmodules - Detect unlinked DLLs
  -p  Show information only for specific PIDs
  -v  Verbose: show full paths from three DLL lists
# vol.py ldrmodules -p 868 -v
hollowfind - Detect process hollowing techniques
  -p  Show information only for specific PIDs
  -D  Directory to save suspicious memory sections
# vol.py hollowfind -D ./output_dir
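ldrmodules works by cross-referencing the three DLL lists kept in the process's PEB (InLoadOrder, InInitializationOrder, InMemoryOrder) against the images the kernel actually has mapped into the process, which it finds in the VAD tree. Each output row therefore carries three True/False flags and the mapped file path, and the reading rules are simple: an image that is False in all three lists has been unlinked (a common way to hide an injected DLL), an image with no path at all exists only in memory (malfind territory), and a row that is missing from just one or two lists is partially unlinked. The main executable is the one legitimate exception, since Windows never places it in the InInit list. The Python below is an added example, not code from the SANS cheat sheet or the Volatility project; it encodes those rules over a constructed sample of the plugin's non-verbose text output (the column layout matched by the regex is assumed from Volatility 2's text renderer, and the PIDs, paths and the function name triage_ldrmodules are the example's own).

```python
"""Triage of Volatility 2 "ldrmodules" output against the three PEB lists.

Added example (not SANS or Volatility code). The table below is a
constructed sample, not output from a real memory image.
"""
import re

# Constructed "vol.py ldrmodules" output. Row 1 is the main executable
# (never in InInit by design), row 3 an image unlinked from all three lists,
# row 4 a memory-only image with no backing file, row 5 a partial unlink.
LDRMODULES_OUTPUT = """\
Pid      Process              Base               InLoad InInit InMem MappedPath
-------- -------------------- ------------------ ------ ------ ----- ----------
     868 svchost.exe          0x00000000ff6a0000 True   False  True  \\Windows\\System32\\svchost.exe
     868 svchost.exe          0x0000000077920000 True   True   True  \\Windows\\System32\\ntdll.dll
     868 svchost.exe          0x0000000010000000 False  False  False \\Users\\Public\\update.dll
     868 svchost.exe          0x00000000039a0000 False  False  False
    1022 explorer.exe         0x000007fef8c00000 True   True   False \\Windows\\System32\\shell32.dll
"""

ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<load>True|False)\s+(?P<init>True|False)\s+(?P<mem>True|False)\s*(?P<path>.*)$"
)


def triage_ldrmodules(text):
    """Return [(pid, process, base, code)] for rows worth a closer look.

    code is one of:
      "unbacked"  mapped image with no file path: lives only in memory
      "unlinked"  mapped image absent from all three PEB lists
      "partial"   absent from one or two lists (main executable excluded)
    """
    findings = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:  # header, separator or blank line
            continue
        pid, proc, base = int(m["pid"]), m["proc"], m["base"]
        in_load, in_init, in_mem = (m[k] == "True" for k in ("load", "init", "mem"))
        path = m["path"].strip()
        basename = path.rsplit("\\", 1)[-1].lower()

        if not path:
            findings.append((pid, proc, base, "unbacked"))
        elif not (in_load or in_init or in_mem):
            # Also produced by resource-only DLLs loaded as data files, which
            # never enter the loader lists; confirm with dlldump before
            # concluding anything from this code alone.
            findings.append((pid, proc, base, "unlinked"))
        elif basename == proc.lower() and in_load and in_mem and not in_init:
            continue  # the process image itself: InInit False is normal
        elif not (in_load and in_init and in_mem):
            findings.append((pid, proc, base, "partial"))
    return findings


if __name__ == "__main__":
    for pid, proc, base, code in triage_ldrmodules(LDRMODULES_OUTPUT):
        print(f"{code:9s} pid={pid:<6d} {proc:<16s} base={base}")
```

Point it at the saved output of `vol.py ldrmodules` (without -v, whose extra path lines the regex simply skips). Rows flagged "unlinked" give the base address to pass to dlldump -b, and "unbacked" rows are the ones to line up against malfind's VAD listing for the same PID.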
Getting Started with Volatility
Getting Help
# vol.py -h (show options and supported plugins)
# vol.py plugin -h (show plugin usage)
# vol.py plugin --info (show available OS profiles)
Sample Command Line
# vol.py -f image --profile=profile plugin
Identify System Profile
imageinfo - Display memory image metadata
# vol.py -f mem.img imageinfo
Using Environment Variables
Set name of memory image (takes place of -f)
# export VOLATILITY_LOCATION=file:///images/mem.img
Set profile type (takes place of --profile=)
# export VOLATILITY_PROFILE=Win10x64_14393
