The Volatility Framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated, yet they offer unprecedented visibility into the runtime state of that system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.

The following video and command list were not created by me; I just copied them here for reference. Please credit the video maker.

Commands list

./vol.py -f zeus.vmem pslist

To list the processes of a system, use the pslist command.

./vol.py -f zeus.vmem malfind

Use it to find hidden or injected code/DLLs in user-mode memory.

./vol.py -f zeus.vmem ldrmodules

To find hidden DLLs.

./vol.py -f zeus.vmem apihooks

To find API hooks in user mode or kernel mode.

./vol.py -f zeus.vmem idt

Dumps the IDT (Interrupt Descriptor Table).

./vol.py -f zeus.vmem gdt

Dumps the GDT (Global Descriptor Table).

./vol.py -f zeus.vmem threads -L

This command gives you extensive details on threads.

./vol.py -f zeus.vmem callbacks

Lists the kernel callbacks that the Windows kernel uses to monitor and/or react to events, which is useful for detecting what has registered them.

./vol.py -f zeus.vmem driverirp

Prints a driver's IRP Major Function table.

./vol.py -f zeus.vmem devicetree

Shows the device tree (Windows uses a layered driver architecture).

./vol.py -f zeus.vmem psxview

This plugin helps you detect hidden processes.
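As an added example (not from the page or from the Volatility project), here is the cross-view idea behind psxview implemented over constructed PID sets: a PID that psscan, thrdproc or the other views report but pslist does not is flagged. The view names, the benign-absence rules and all sample data are assumptions made for this illustration.

```python
# Cross-view process listing in the spirit of Volatility's psxview: a process that
# other enumeration techniques find but that is missing from pslist (the EPROCESS
# linked list) is a candidate for a hidden process.

# Constructed sample input: the PID sets each view returned for a hypothetical image.
# In practice these would be parsed from pslist, psscan, thrdproc, pspcid, csrss,
# session and deskthrd output; 1832 "hidden.exe" is the planted anomaly.
SAMPLE_VIEWS = {
    "pslist":   {4, 368, 584, 608, 656, 1752},
    "psscan":   {4, 368, 584, 608, 656, 1752, 1832},
    "thrdproc": {4, 368, 584, 608, 656, 1752, 1832},
    "pspcid":   {4, 368, 584, 608, 656, 1752, 1832},
    "csrss":    {608, 656, 1752, 1832},
    "session":  {4, 368, 584, 608, 656, 1752, 1832},
    "deskthrd": {368, 584, 608, 656, 1752, 1832},
}
SAMPLE_NAMES = {4: "System", 368: "smss.exe", 584: "csrss.exe", 608: "winlogon.exe",
                656: "services.exe", 1752: "explorer.exe", 1832: "hidden.exe"}

# Absences that are expected rather than suspicious (assumption modelled on the
# kind of rules psxview applies: e.g. System and smss.exe have no csrss handle).
BENIGN_ABSENCE = {"csrss": {"System", "smss.exe", "csrss.exe"}, "deskthrd": {"System"}}


def cross_view(views):
    """Return {pid: {view_name: bool}} covering every PID seen by any view."""
    all_pids = set().union(*views.values())
    return {pid: {name: pid in pids for name, pids in views.items()} for pid in sorted(all_pids)}


def suspicious(views, names, benign=BENIGN_ABSENCE):
    """PIDs absent from at least one view where that absence is not a known benign case."""
    flagged = {}
    for pid, presence in cross_view(views).items():
        misses = [v for v, seen in presence.items()
                  if not seen and names.get(pid) not in benign.get(v, set())]
        if misses:
            flagged[pid] = misses
    return flagged


def render(views, names):
    """Text table with one row per PID and one True/False column per view."""
    cols = list(views)
    lines = [f"{'PID':>6} {'Name':<14} " + " ".join(f"{c:<8}" for c in cols)]
    for pid, presence in cross_view(views).items():
        lines.append(f"{pid:>6} {names.get(pid, '?'):<14} "
                     + " ".join(f"{str(presence[c]):<8}" for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_VIEWS, SAMPLE_NAMES))
    print("suspicious:", suspicious(SAMPLE_VIEWS, SAMPLE_NAMES))
```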

Source: Volatility Wiki

That's all! See you.