Published 10 July 2023 (author not given)
# Volatility: basic usage

Keyword: forensics

Most of the relevant operations can be looked up like this:

```r
volatility --help
volatility --info
```

1. View basic information about the image and use it to determine the `profile` value

```r
volatility -f <image> imageinfo
```

This may not identify the correct Windows version; compare the suggested profiles against the list at /volatilityfoundation/volatility/wiki/2.6-Win-Profiles.

2. Specify the profile and run a specific plugin. `iehistory` shows Internet Explorer browsing history; `pslist` is the equivalent of `ps` (`psscan` can also be used).

```r
volatility -f <image> --profile=Win7SP1x64 iehistory
```

3. Find a process and dump its executable

```r
root@kali:~/Desktop# volatility -f <image> --profile=Win7SP1x86_BBA98F40 pslist | grep notepad
Volatility Foundation Volatility Framework 2.5
0x8398dad8 3524 1636 2 61 1 0 2019-09-16 13:53:51 UTC+0000
root@kali:~/Desktop# volatility -f <image> --profile=Win7SP1x86_BBA98F40 procdump -p 3524 -D ./
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x8398dad8 0x00be0000 OK:
```

4. Find a process and dump its memory

```r
root@kali:~/Desktop# volatility -f <image> --profile=Win7SP1x86_BBA98F40 pslist | grep notepad
Volatility Foundation Volatility Framework 2.5
0x8398dad8 3524 1636 2 61 1 0 2019-09-16 13:53:51 UTC+0000
root@kali:~/Desktop# volatility -f <image> --profile=Win7SP1x86_BBA98F40 memdump -p 3524 -D ./
Volatility Foundation Volatility Framework 2.5
************************************************************************
Writing [ 3524] to
```

5. Find and dump a file

```r
root@kali:~/Desktop# volatility -f <image> --profile=Win7SP1x86_BBA98F40 filescan | grep key
Volatility Foundation Volatility Framework 2.5
0x000000001e10a868 1 1 ------ \Device\NamedPipe\keysvc
0x000000001e10a920 2 1 ------ \Device\NamedPipe\keysvc
0x000000001e10aa90 1 1 ------ \Device\NamedPipe\keysvc
0x000000001efb9370 1 0 R--rw- \Device\HarddiskVolume2\Users\lethal\Desktop\key
root@kali:~/Desktop# volatility -f <image> --profile=Win7SP1x86_BBA98F40 dumpfiles -Q 0x000000001efb9370 -D ./
Volatility Foundation Volatility Framework 2.5
DataSectionObject 0x1efb9370 None \Device\HarddiskVolume2\Users\lethal\Desktop\key
```

Some plugin commands that seem useful:

```r
clipboard           Extract the contents of the windows clipboard
cmdline             Display process command-line arguments
cmdscan             Extract command history by scanning for _COMMAND_HISTORY
consoles            Extract command history by scanning for _CONSOLE_INFORMATION
deskscan            Poolscaner for tagDESKTOP (desktops)
dumpcerts           Dump RSA private and public SSL keys
dumpfiles           Extract memory mapped and cached files
dumpregistry        Dumps registry files out to disk
editbox             Displays information about Edit controls. (Listbox experimental.)
filescan            Pool scanner for file objects
lsadump             Dump (decrypted) LSA secrets from the registry   # plaintext password of the logged-in user
hashdump            Dumps passwords hashes (LM/NTLM) from memory     # password hash of the logged-in user
imageinfo           Identify information for the image
malfind             Find hidden and injected code
memdump             Dump the addressable memory for a process
raw2dmp             Converts a physical memory sample to a windbg crash dump
mftparser           Scans for and parses potential MFT entries
notepad             List currently displayed notepad text
procdump            Dump a process to an executable file sample
pslist              Print all running processes by following the EPROCESS lists
psscan              Pool scanner for process objects
pstree              Print process list as a tree
psxview             Find hidden processes with various process listings
timeliner           Creates a timeline from various artifacts in memory
truecryptmaster     Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase TrueCrypt Cached Passphrase Finder
truecryptsummary    TrueCrypt Summary
windows             Print Desktop Windows (verbose details)
wintree             Print Z-Order Desktop Windows Tree
```

Note: the "```r" fence is only there to make the highlighting look nicer.

2019/10/22
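The five steps above, collected into one POSIX-sh script as an added example (this is not the post's own code and not part of Volatility). It assumes a Volatility 2 binary named by `$VOL` (default `volatility`) is on PATH and that the caller sets `IMAGE` and `PROFILE`; the helper names (`vol`, `pids_for_name`, `offset_for_path`, `dump_process`, `dump_file`, `hash_outputs`) are this example's own, and the two `SAMPLE_*` strings are constructed from the `pslist` and `filescan` column layout so the parsers can be exercised without a memory image. Compared with the post, it also generalizes step 3/4 to every process whose name matches, and hashes what was dumped so the extracted evidence can be verified later.

```shell
#!/bin/sh
# Added example, not from the original post: a POSIX-sh wrapper for the
# Volatility 2 workflow (pslist -> procdump/memdump, filescan -> dumpfiles).
# Assumes a Volatility 2 binary ($VOL, default "volatility") on PATH and that
# IMAGE and PROFILE are set by the caller. The SAMPLE_* strings are constructed
# test input mirroring the plugins' column layout; they are not real output.

VOL="${VOL:-volatility}"

# Constructed sample of `pslist` output (columns: Offset(V) Name PID PPID Thds
# Hnds Sess Wow64 Start Exit). The notepad PID/PPID mirror the post.
SAMPLE_PSLIST='Volatility Foundation Volatility Framework 2.5
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x83a1b030 explorer.exe           1636   1600     29      800      1      0 2019-09-16 13:50:12 UTC+0000
0x8398dad8 notepad.exe            3524   1636      2       61      1      0 2019-09-16 13:53:51 UTC+0000'

# Constructed sample of `filescan` output (columns: Offset(P) #Ptr #Hnd Access Name).
SAMPLE_FILESCAN='Volatility Foundation Volatility Framework 2.5
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000001e10a868      1      1 ------ \Device\NamedPipe\keysvc
0x000000001efb9370      1      0 R--rw- \Device\HarddiskVolume2\Users\lethal\Desktop\key'

# Print the PID of every pslist row whose Name column contains $1 (stdin = pslist
# output). Banner, header and separator rows are skipped: their first field is
# not an 0x offset, so a name like "exe" cannot match the header text.
pids_for_name() {
    awk -v want="$1" '$1 ~ /^0x/ && index(tolower($2), tolower(want)) { print $3 }'
}

# Print the physical offset of the first filescan row whose path contains the
# fixed string $1 (stdin = filescan output). grep -F keeps the backslashes literal.
offset_for_path() {
    grep -F -- "$1" | awk '$1 ~ /^0x/ { print $1; exit }'
}

# Run one Volatility plugin against the configured image and profile.
vol() {
    "$VOL" -f "$IMAGE" --profile="$PROFILE" "$@"
}

# Steps 3 and 4: dump the executable and the address space of every matching process.
dump_process() {
    name=$1; out=$2
    mkdir -p "$out"
    vol pslist | pids_for_name "$name" | while read -r pid; do
        vol procdump -p "$pid" -D "$out"
        vol memdump  -p "$pid" -D "$out"
    done
}

# Step 5: dump the cached file object whose path contains $1; fail clearly when
# filescan has no matching object instead of calling dumpfiles with an empty -Q.
dump_file() {
    path=$1; out=$2
    off=$(vol filescan | offset_for_path "$path")
    if [ -z "$off" ]; then
        printf 'no file object matching %s\n' "$path" >&2
        return 1
    fi
    mkdir -p "$out"
    vol dumpfiles -Q "$off" -D "$out"
}

# Record SHA-256 hashes of everything dumped so the evidence can be verified later.
hash_outputs() {
    ( cd "$1" && sha256sum ./* ) > "$1/SHA256SUMS"
}

# Only touch a real image when the caller configured one; without IMAGE/PROFILE
# the script just defines the functions (useful for testing the parsers above).
TARGET_FILE='\Desktop\key'
if [ -n "${IMAGE:-}" ] && [ -n "${PROFILE:-}" ]; then
    dump_process "${PROC:-notepad}" ./out
    dump_file "${FILE:-$TARGET_FILE}" ./out
    hash_outputs ./out
fi
```

Run it as `IMAGE=mem.raw PROFILE=Win7SP1x86_BBA98F40 PROC=notepad sh vol_dump.sh` (file name and profile are whatever `imageinfo` gave you). Matching on the `Offset` column rather than on `grep` alone is what keeps the banner and header lines out of the PID and offset extraction; the `SHA256SUMS` file is written so that a later reviewer can confirm the dumped artifacts are the ones produced from this image.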