memory-forensics


Purpose

This skill enables analysis of volatile memory dumps using tools like Volatility to identify malware, rootkits, and security breaches, supporting digital forensics investigations.

When to Use

Use this skill during incident response for suspected breaches, when analyzing RAM dumps from compromised systems, or for proactive security assessments on endpoints with potential malware infections.

Key Capabilities

  • Parse memory dumps to extract processes, network connections, and injected code using Volatility's plugins.
  • Detect hidden processes and rootkits via checks for process hollowing or DKOM (Direct Kernel Object Manipulation).
  • Analyze hibernation files or pagefiles for artifacts like command history or encryption keys.
  • Support for multiple dump formats, including raw, VMware, and crash dumps, with automated profile detection.

Usage Patterns

Invoke this skill via CLI commands in a Python script or directly in a terminal. Always specify the memory dump file and the plugins required. For automation, wrap the commands in a function that handles file paths and output. Use environment variables for API keys if extending to cloud-based forensics tools.
Example pattern in Python:

```python
import subprocess

dump_file = 'memory.dmp'
# Run the pslist plugin against the dump; argv is a list, so no shell is involved
subprocess.run(['volatility', '-f', dump_file, 'pslist'])
```

Common Commands/API

Use Volatility framework commands for core functionality. Set the VOLATILITY_PROFILE env var for profile mismatches, e.g. `export VOLATILITY_PROFILE=Win7SP1x64`.
  • Command: `volatility -f memory.dmp imageinfo` — Identifies the OS profile from the dump.
    • Flags: `-f` for the file path, `--profile=Win10x64` to override auto-detection.
  • Command: `volatility -f memory.dmp malfind` — Scans for injected code or malware hooks.
    • Example: Pipe output: `volatility -f memory.dmp malfind > malware_output.txt`
  • API Endpoint: If using Volatility3 via Python API, import as `from volatility3.framework import interfaces`, then call `interfaces.configuration.ConfObject()` for configurations.
    • Snippet:
      ```python
      from volatility3.framework import contexts

      # Volatility 3 keeps settings in a context; the dump is a file:// URL under
      # the LayerStacker automagic key, the same key vol.py sets from its -f flag
      ctx = contexts.Context()
      ctx.config['automagic.LayerStacker.single_location'] = 'file:///path/to/memory.dmp'
      ```
  • Config Format: JSON-based, e.g. `{"plugin": "pslist", "dumpfile": "memory.dmp"}` for custom runs.
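An added example of driving Volatility 3 in-process rather than through the CLI (not code from this page or from the Volatility project): it resolves the dump to the `file://` URL the framework expects, runs one plugin and collects the rows of its TreeGrid. The call sequence follows what the `vol.py` front end does; treat the exact names (`contexts.Context`, `automagic.choose_automagic`, `plugins.construct_plugin`, `TreeGrid.populate`) as assumptions to verify against your installed volatility3 version. The helper names `dump_location_url`, `collect_rows` and `run_vol3_plugin` are mine.

```python
from pathlib import Path


def dump_location_url(dump_file: str) -> str:
    """Volatility 3 addresses the image by URL rather than by bare path.

    The LayerStacker automagic reads 'automagic.LayerStacker.single_location'
    and expects a file:// URL; vol.py builds the same URL from its -f argument.
    """
    return Path(dump_file).resolve().as_uri()


def collect_rows(node, accumulator):
    """TreeGrid visitor: populate() calls this once per row, passing the
    accumulator back in each time. Rows are kept as (depth, [column values]).
    """
    accumulator.append((node.path_depth, list(node.values)))
    return accumulator


def run_vol3_plugin(dump_file: str, plugin_name: str = "windows.pslist.PsList"):
    """Run one Volatility 3 plugin in-process; returns (column names, rows).

    Imports are local so the helpers above stay importable without volatility3.
    The sequence mirrors vol.py; exact API names are assumptions to verify
    against the installed volatility3 version.
    """
    from volatility3 import framework
    from volatility3.framework import automagic, contexts, plugins
    import volatility3.plugins

    framework.require_interface_version(2, 0, 0)
    ctx = contexts.Context()
    framework.import_files(volatility3.plugins, True)  # discover plugin modules
    plugin_cls = framework.list_plugins()[plugin_name]

    # The dump location is configuration, not a CLI flag, in Volatility 3
    ctx.config["automagic.LayerStacker.single_location"] = dump_location_url(dump_file)

    # Automagic resolves layers and symbols; construct_plugin checks requirements
    chosen = automagic.choose_automagic(automagic.available(ctx), plugin_cls)
    constructed = plugins.construct_plugin(ctx, chosen, plugin_cls, "plugins", None, None)

    grid = constructed.run()
    columns = [column.name for column in grid.columns]
    return columns, grid.populate(collect_rows, [])


if __name__ == "__main__":
    columns, rows = run_vol3_plugin("memory.dmp")
    print(columns)
    for depth, values in rows:
        print("  " * depth, values)
```

Rows come back as plain Python values, so the same script can feed them into the cross-referencing or logging logic of the rest of a pipeline without re-parsing CLI text.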

Integration Notes

Integrate by installing Volatility via pip (`pip install volatility`), then call it from scripts. For authentication in cloud forensics (e.g., AWS Memory DB analysis), use env vars like `$AWS_ACCESS_KEY_ID` and `$AWS_SECRET_ACCESS_KEY`. Ensure the skill runs in an isolated environment to avoid contamination; pass dump files via secure paths. For multi-tool integration, chain with tools like strings or YARA by piping outputs, e.g. `volatility -f memory.dmp strings | grep suspicious`.

Error Handling

Handle common errors by checking Volatility's exit codes; e.g., if the profile is not found, run `imageinfo` first. For file-not-found errors, validate paths before running. In scripts, wrap commands in try-except blocks:

```python
import subprocess

try:
    # check=True raises CalledProcessError on a non-zero exit code;
    # capture_output=True keeps stdout/stderr on the result instead of the terminal
    result = subprocess.run(['volatility', '-f', 'memory.dmp', 'pslist'], capture_output=True, check=True)
except subprocess.CalledProcessError as e:
    print(f"Error: {e.returncode} - {e.stderr.decode()}")
```

Log detailed errors for debugging, and set the `VOLATILITY_DEBUG=1` env var (e.g. `export VOLATILITY_DEBUG=1`) to enable verbose output.
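The wrapper pattern from Usage Patterns and the exit-code handling described above, combined into one added example (not code from the original page or from the Volatility project). It assumes the Volatility 2 command line used on this page (`volatility -f <dump> [--profile=...] <plugin>`); the helper names `build_command`, `validate_dump`, `classify_failure` and `run_plugin` are mine, and the stderr substrings used to recognise a profile mismatch are assumptions to check against your installed version.

```python
import os
import shlex
import subprocess
from typing import Optional, Sequence


def build_command(dump_file: str, plugin: str, profile: Optional[str] = None,
                  extra_args: Sequence[str] = ()) -> list:
    """Build argv for one Volatility 2 plugin run.

    argv is a list, so no shell is involved and dump paths containing spaces
    or metacharacters cannot change the command.
    """
    cmd = ["volatility", "-f", dump_file]
    if profile:
        cmd.append(f"--profile={profile}")
    cmd.append(plugin)
    cmd.extend(extra_args)
    return cmd


def validate_dump(dump_file: str) -> str:
    """Fail early on the file-not-found class of errors, before Volatility runs.

    Returns the absolute path or raises FileNotFoundError / IsADirectoryError.
    """
    path = os.path.abspath(dump_file)
    if not os.path.exists(path):
        raise FileNotFoundError(f"memory dump not found: {path}")
    if not os.path.isfile(path):
        raise IsADirectoryError(f"not a regular file: {path}")
    return path


def classify_failure(returncode: int, stderr: str) -> str:
    """Map a failed run to an actionable category from exit code and stderr.

    The substrings are assumptions about Volatility 2's error text; a
    profile mismatch is the case where rerunning imageinfo is the fix.
    """
    text = stderr.lower()
    if "profile" in text or "no suitable address space" in text:
        return "profile-mismatch"      # run imageinfo first, then retry with --profile
    if "no such file" in text or "cannot open" in text:
        return "dump-unreadable"
    return f"plugin-error(exit={returncode})"


def run_plugin(dump_file: str, plugin: str, profile: Optional[str] = None,
               extra_args: Sequence[str] = (), timeout: Optional[int] = None) -> dict:
    """Run one plugin and return a result dict; Volatility errors never raise.

    A missing dump is the caller's input error and is raised by validate_dump
    before anything is launched.
    """
    path = validate_dump(dump_file)
    cmd = build_command(path, plugin, profile, extra_args)
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=True, timeout=timeout)
    except subprocess.CalledProcessError as e:
        return {"ok": False, "command": shlex.join(cmd), "returncode": e.returncode,
                "category": classify_failure(e.returncode, e.stderr or ""), "stderr": e.stderr}
    except FileNotFoundError:
        # The volatility executable itself is not on PATH
        return {"ok": False, "command": shlex.join(cmd), "returncode": None,
                "category": "volatility-not-installed", "stderr": ""}
    return {"ok": True, "command": shlex.join(cmd), "returncode": 0,
            "category": "ok", "stdout": proc.stdout}


if __name__ == "__main__":
    print(run_plugin("memory.dmp", "pslist", profile="Win10x64"))
```

Returning a dict instead of raising keeps a batch of plugin runs going when one fails, and the `command` field records the exact argv for the investigation log.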

Concrete Usage Examples

  1. Detect Malware in a Windows Dump: Load a memory dump from a suspected infected machine and scan for anomalies.
    • Command: `volatility -f infected.dmp --profile=Win10x64 malfind`
    • Steps: First run `volatility -f infected.dmp imageinfo` to confirm the profile, then analyze the output for the PID and virtual address of suspicious processes.
  2. Investigate Rootkit Presence: Analyze a Linux memory dump for hidden kernel modules.
    • Command: `volatility -f linux.dmp linux_pslist`
    • Steps: Cross-reference with `linux_modules` to spot discrepancies, then use `strings` on flagged addresses for further inspection.
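The DKOM check from Key Capabilities and the cross-reference step in example 2, worked through for a Windows dump as an added example (not from this page or from the Volatility project): it parses `pslist` and `psscan` output and reports PIDs that pool-tag scanning finds but the EPROCESS linked list does not, then flags visible processes whose parent is one of those. The sample output (offsets and processes included), the regex and the helper names are constructed by me. Processes that exited shortly before capture also appear only in `psscan`, so the result is a triage list, not a verdict.

```python
import re
from typing import Dict, Tuple

# Constructed sample output in the layout of Volatility 2's pslist and psscan
# (columns abbreviated; real output carries more fields). Offsets are made up.
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ----------
0xfffffa8001234560 System                    4      0     97      512 ------      0 2024-01-01
0xfffffa8001abc000 svchost.exe             812    604     10      300      0      0 2024-01-01
0xfffffa8001def000 explorer.exe           1480   1452     30     1200      1      0 2024-01-01
0xfffffa8001111000 cmd.exe                3000   2264      1       40      1      0 2024-01-01
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB                Time created
------------------ ---------------- ------ ------ ------------------ ------------
0x000000003f234560 System                4      0 0x0000000000187000 2024-01-01
0x000000003fabc000 svchost.exe         812    604 0x0000000012345000 2024-01-01
0x000000003fdef000 explorer.exe       1480   1452 0x0000000023456000 2024-01-01
0x000000003f999000 rundll32.exe       2264   1480 0x0000000034567000 2024-01-01
0x000000003f111000 cmd.exe            3000   2264 0x0000000045678000 2024-01-01
"""

# Offset, name, PID and PPID are the leading columns in both listings
_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_process_table(text: str) -> Dict[int, Tuple[str, int]]:
    """Return {pid: (name, ppid)}; header and separator lines do not match the regex."""
    procs: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        match = _ROW.match(line)
        if match:
            _offset, name, pid, ppid = match.groups()
            procs[int(pid)] = (name, int(ppid))
    return procs


def hidden_process_candidates(pslist_text: str, psscan_text: str) -> Dict[int, Tuple[str, int]]:
    """PIDs that pool-tag scanning (psscan) finds but the EPROCESS linked list
    (pslist) does not. DKOM unlinking produces exactly this gap; so does a
    process that exited shortly before capture, hence a triage list."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    return {pid: scanned[pid] for pid in sorted(scanned.keys() - listed.keys())}


def children_of_hidden(psscan_text: str, hidden: Dict[int, Tuple[str, int]]) -> Dict[int, Tuple[str, int]]:
    """Visible processes whose parent is a hidden candidate: a live child of an
    unlinked process is a stronger indicator than the unlinked entry alone,
    since an exited process does not spawn children."""
    scanned = parse_process_table(psscan_text)
    return {pid: info for pid, info in scanned.items()
            if info[1] in hidden and pid not in hidden}


if __name__ == "__main__":
    hidden = hidden_process_candidates(PSLIST_OUTPUT, PSSCAN_OUTPUT)
    for pid, (name, ppid) in hidden.items():
        print(f"not in pslist: PID {pid} {name} (PPID {ppid})")
    for pid, (name, ppid) in children_of_hidden(PSSCAN_OUTPUT, hidden).items():
        print(f"child of hidden process: PID {pid} {name} (PPID {ppid})")
```

On real output, feed the captured stdout of the two plugin runs to the same functions; the flagged PIDs are then the ones to take to `malfind` and to a dump of the process memory for closer inspection.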

Graph Relationships

  • Related to: blue-team cluster skills like "incident-response" (depends on outputs) and "threat-intelligence" (provides input data).
  • Connected via: tags such as "forensics" and "security", linking to skills like "network-forensics" for comprehensive breach analysis.