memory-forensics-volatility

SKILL: Memory Forensics — Expert Analysis Playbook

AI LOAD INSTRUCTION: Expert memory forensics techniques using Volatility 2 and 3. Covers memory acquisition, OS identification, process analysis (hidden process detection), network connections, DLL/module analysis, code injection detection (malfind), credential extraction, file carving, registry analysis, and timeline generation. Base models miss the Vol2/Vol3 command differences, malware indicator patterns, and Linux-specific memory analysis.

0. RELATED ROUTING

Before going deep, consider loading:
  • traffic-analysis-pcap for correlating network artifacts with memory findings
  • steganography-techniques if hidden data suspected in extracted files
  • windows-privilege-escalation for understanding post-exploitation artifacts in memory

Quick Reference

Also load VOLATILITY_CHEATSHEET.md when you need:
  • Vol2 vs Vol3 command comparison table
  • Common plugin sequences for specific investigation types

1. MEMORY ACQUISITION

Linux

```bash
# LiME (Linux Memory Extractor) — kernel module
insmod lime.ko "path=/tmp/mem.lime format=lime"

# /proc/kcore (if available)
dd if=/proc/kcore of=/tmp/mem.raw bs=1M

# AVML (Microsoft's open-source)
./avml /tmp/mem.lime
```

Windows

```bash
# WinPmem
winpmem_mini_x64.exe memdump.raw

# FTK Imager (GUI) — capture memory to file

# DumpIt (single-click memory dump)
DumpIt.exe

# Comae (MagnetRAM)
MagnetRAMCapture.exe /output memdump.raw
```

Virtual Machines

```bash
# VMware: .vmem file in VM directory (suspend VM first)

# VirtualBox:
VBoxManage debugvm "VM_NAME" dumpvmcore --filename mem.raw

# KVM/QEMU:
virsh dump DOMAIN memdump --memory-only

# Hyper-V: checkpoint VM → inspect .bin files
```


---

2. VOLATILITY 2 vs 3

| Concept | Volatility 2 | Volatility 3 |
|---|---|---|
| Profile system | `--profile=Win10x64_19041` | Auto-detected (symbol tables) |
| Image info | `imageinfo` | `windows.info` / `linux.info` |
| Process list | `pslist` | `windows.pslist` |
| Network | `netscan` / `connections` | `windows.netscan` / `windows.netstat` |
| DLLs | `dlllist` | `windows.dlllist` |
| Injection | `malfind` | `windows.malfind` |
| Hashes | `hashdump` | `windows.hashdump` |
| Files | `filescan` | `windows.filescan` |
| Registry | `hivelist` / `printkey` | `windows.registry.hivelist` / `windows.registry.printkey` |
| Install | `pip2 install volatility` | `pip3 install volatility3` |

3. ANALYSIS METHODOLOGY

Step 1: Identify OS

```bash
# Vol2
vol.py -f mem.raw imageinfo
vol.py -f mem.raw kdbgscan

# Vol3
vol -f mem.raw windows.info
vol -f mem.raw banners.Banners
```

Step 2: Process Listing — Hidden Process Detection

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE pslist   # EPROCESS linked list
vol.py -f mem.raw --profile=PROFILE psscan   # pool tag scan (finds unlinked)
vol.py -f mem.raw --profile=PROFILE pstree   # parent-child hierarchy

# Vol3
vol -f mem.raw windows.pslist
vol -f mem.raw windows.psscan
vol -f mem.raw windows.pstree
```

**Red flags**: Process in `psscan` but not `pslist` = DKOM (Direct Kernel Object Manipulation) hiding.
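Worked check for this step, added here as an example (it is not part of the playbook and not Volatility code): a Python script that parses output shaped like Vol3 `windows.pslist` / `windows.psscan` tables and reports what only `psscan` found. The sample output, process names, offsets and timestamps are constructed. The script separates psscan-only entries that carry an ExitTime (terminated processes whose EPROCESS is still sitting in pool memory, a normal finding) from live entries with no exit time, which are the DKOM candidates the red flag above refers to.

```python
"""Hidden-process check: what psscan sees that pslist does not.

Added example, not from the playbook or from Volatility. Input is constructed
text in the shape of Volatility 3 windows.pslist / windows.psscan table output
(tab-separated, header row beginning with PID); only the PID, PPID,
ImageFileName, CreateTime and ExitTime columns are used.
"""
from typing import Dict, List, Tuple

Key = Tuple[int, str]  # (PID, CreateTime): PIDs get reused, so the pair is the identity

# Constructed sample: pslist (EPROCESS linked-list walk).
PSLIST_OUT = """Volatility 3 Framework X.Y.Z
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tCreateTime\tExitTime
4\t0\tSystem\t0xfa8000c5a040\t80\t2024-01-01 10:00:00\tN/A
368\t4\tsmss.exe\t0xfa8001a1b060\t2\t2024-01-01 10:00:01\tN/A
512\t496\tservices.exe\t0xfa8001b2c300\t9\t2024-01-01 10:00:02\tN/A
740\t512\tsvchost.exe\t0xfa8001c3d5a0\t12\t2024-01-01 10:00:03\tN/A
"""

# Constructed sample: psscan (pool-tag scan) recovers two more EPROCESS objects.
PSSCAN_OUT = """Volatility 3 Framework X.Y.Z
PID\tPPID\tImageFileName\tOffset(P)\tThreads\tCreateTime\tExitTime
4\t0\tSystem\t0xc5a040\t80\t2024-01-01 10:00:00\tN/A
368\t4\tsmss.exe\t0x1a1b060\t2\t2024-01-01 10:00:01\tN/A
512\t496\tservices.exe\t0x1b2c300\t9\t2024-01-01 10:00:02\tN/A
740\t512\tsvchost.exe\t0x1c3d5a0\t12\t2024-01-01 10:00:03\tN/A
1337\t740\tupdater.exe\t0x2d4e710\t3\t2024-01-01 10:07:45\tN/A
2048\t1500\tnotepad.exe\t0x3e5f820\t0\t2024-01-01 09:30:00\t2024-01-01 09:45:12
"""


def parse_table(text: str) -> Dict[Key, Dict[str, str]]:
    """Parse a Volatility-3-style table; lines before the PID header are banner/progress noise."""
    rows: Dict[Key, Dict[str, str]] = {}
    header: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if not header:
            if cols[0] == "PID":
                header = cols
            continue
        rec = dict(zip(header, cols))
        rows[(int(rec["PID"]), rec["CreateTime"])] = rec
    return rows


def find_hidden(pslist_text: str, psscan_text: str):
    """Return (hidden, terminated): psscan-only processes, split by whether they exited."""
    listed = parse_table(pslist_text)
    scanned = parse_table(psscan_text)
    hidden, terminated = [], []
    for key, rec in scanned.items():
        if key in listed:
            continue
        if rec.get("ExitTime", "N/A") != "N/A":
            terminated.append(rec)   # exited process still in pool memory: expected, not DKOM
        else:
            hidden.append(rec)       # live object unlinked from the list: DKOM candidate
    return hidden, terminated


if __name__ == "__main__":
    hidden, terminated = find_hidden(PSLIST_OUT, PSSCAN_OUT)
    for rec in hidden:
        print(f"HIDDEN  pid={rec['PID']} {rec['ImageFileName']} ppid={rec['PPID']}")
    for rec in terminated:
        print(f"exited  pid={rec['PID']} {rec['ImageFileName']} exit={rec['ExitTime']}")
```

On a real case, redirect each plugin's output to a file and pass the file contents to `find_hidden`; anything in the `hidden` list should then be followed up with `pstree`, `dlllist` and `malfind` on that PID.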

Step 3: Network Connections

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE netscan       # TCP/UDP endpoints
vol.py -f mem.raw --profile=PROFILE connections   # XP/2003 only
vol.py -f mem.raw --profile=PROFILE connscan      # closed connections

# Vol3
vol -f mem.raw windows.netscan
vol -f mem.raw windows.netstat
```

Step 4: DLL / Module Analysis

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE dlllist -p PID
vol.py -f mem.raw --profile=PROFILE ldrmodules -p PID   # find unlinked DLLs

# Vol3
vol -f mem.raw windows.dlllist --pid PID
```

**Red flags**: DLL in `dlllist` but `False` in all three `ldrmodules` columns = reflective DLL injection.

Step 5: Code Injection Detection (Malfind)

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE malfind -p PID
vol.py -f mem.raw --profile=PROFILE malfind -D /tmp/dump/   # dump injected sections

# Vol3
vol -f mem.raw windows.malfind --pid PID
```

**What malfind detects**: Memory regions with `PAGE_EXECUTE_READWRITE` that don't map to a file on disk — classic shellcode/injection indicator.
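Added example of the triage logic behind this step (this is not the playbook's tooling and not Volatility's implementation of malfind): each region is scored with the two indicators this playbook uses, RWX private memory with no backing file, and an MZ header in memory where no image is mapped. The `Region` records and their bytes are constructed; in practice they would be filled from `windows.vadinfo` / `windows.malfind` output. Zero-filled RWX regions are scored low because malfind reports them constantly and they are usually committed-but-unused reservations, and the comments note that JIT runtimes also produce RWX private memory legitimately.

```python
"""Malfind-style triage of per-process memory regions.

Added example, not the playbook's or Volatility's code. The records below are
constructed; on a real case they would be assembled from windows.vadinfo /
windows.malfind output (region bounds, protection, mapped file, first bytes).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Region:
    start: int
    end: int
    protection: str             # VAD protection, e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: Optional[str]  # backing file for image/mapped sections, None for private memory
    head: bytes                 # first bytes read from the region in the dump


# Constructed sample for one process: one legitimate image section and four private regions.
SAMPLE_REGIONS = [
    Region(0x7FF6A0000000, 0x7FF6A0040000, "PAGE_EXECUTE_WRITECOPY",
           r"\Windows\System32\notepad.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    Region(0x1E0000, 0x1F0000, "PAGE_EXECUTE_READWRITE", None, b"\x00" * 16),
    Region(0x2A0000, 0x2C0000, "PAGE_EXECUTE_READWRITE", None, b"MZ\x90\x00\x03\x00\x00\x00"),
    Region(0x3C0000, 0x3C1000, "PAGE_EXECUTE_READWRITE", None, b"\x55\x48\x89\xe5\x48\x83\xec\x20"),
    Region(0x4D0000, 0x4E0000, "PAGE_READWRITE", None, b"MZ\x90\x00\x03\x00\x00\x00"),
]


def triage(r: Region) -> Tuple[int, List[str]]:
    """Score one region with the two indicators from the playbook's indicator table."""
    score, reasons = 0, []
    private = r.mapped_file is None
    zero_filled = not r.head.strip(b"\x00")
    if r.protection == "PAGE_EXECUTE_READWRITE" and private:
        if zero_filled:
            # malfind reports these too: committed-but-unused or JIT reserve, low priority.
            score += 1
            reasons.append("RWX private region, zero-filled")
        else:
            # .NET, browser engines and other JITs also allocate RWX private memory,
            # so this is a lead to correlate with the process type, not a verdict.
            score += 3
            reasons.append("RWX private region with content (no backing file)")
    if private and r.head.startswith(b"MZ"):
        # A PE header where no image is mapped: reflective load or a staged payload.
        score += 3
        reasons.append("MZ header in non-image memory")
    return score, reasons


def high_priority(regions: List[Region], threshold: int = 3) -> List[str]:
    """Start addresses of regions scoring at or above the threshold, most suspicious first."""
    scored = [(triage(r)[0], r.start) for r in regions]
    ranked = sorted(((s, a) for s, a in scored if s >= threshold),
                    key=lambda t: (-t[0], t[1]))
    return [hex(a) for _, a in ranked]


if __name__ == "__main__":
    for r in SAMPLE_REGIONS:
        score, reasons = triage(r)
        print(f"{r.start:#018x} {r.protection:<24} score={score} {'; '.join(reasons)}")
    print("dump first:", high_priority(SAMPLE_REGIONS))
```

The regions that `high_priority` returns are the ones worth passing to `malfind -D` (Vol2) or `windows.malfind --dump` for extraction and a hash/YARA pass.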

Step 6: Credential Extraction

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE hashdump    # SAM hashes
vol.py -f mem.raw --profile=PROFILE lsadump     # LSA secrets
vol.py -f mem.raw --profile=PROFILE cachedump   # domain cached creds
vol.py -f mem.raw --profile=PROFILE mimikatz    # (plugin) plaintext creds

# Vol3
vol -f mem.raw windows.hashdump
vol -f mem.raw windows.lsadump
vol -f mem.raw windows.cachedump
```

Step 7: File Extraction

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE filescan | grep -iE "password|secret|flag"   # -E: alternation needs extended regex
vol.py -f mem.raw --profile=PROFILE dumpfiles -Q OFFSET -D /tmp/dump/

# Vol3
vol -f mem.raw windows.filescan
vol -f mem.raw windows.dumpfiles --virtaddr OFFSET
```

Step 8: Registry Analysis

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE hivelist
vol.py -f mem.raw --profile=PROFILE printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
vol.py -f mem.raw --profile=PROFILE userassist   # program execution evidence

# Vol3
vol -f mem.raw windows.registry.hivelist
vol -f mem.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
```

Step 9: Command History

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE cmdscan    # cmd.exe history
vol.py -f mem.raw --profile=PROFILE consoles   # full console output

# Vol3
vol -f mem.raw windows.cmdline   # per-process command lines (not console history)
```

Step 10: Timeline Generation

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE timeliner --output=body --output-file=timeline.body
mactime -b timeline.body -d > timeline.csv

# Vol3
vol -f mem.raw timeliner.Timeliner
```

---

4. LINUX MEMORY ANALYSIS

```bash
# Vol2 (requires Linux profile)
vol.py -f mem.lime --profile=LinuxProfile linux_pslist
vol.py -f mem.lime --profile=LinuxProfile linux_pstree
vol.py -f mem.lime --profile=LinuxProfile linux_netstat
vol.py -f mem.lime --profile=LinuxProfile linux_bash   # bash history
vol.py -f mem.lime --profile=LinuxProfile linux_enumerate_files
vol.py -f mem.lime --profile=LinuxProfile linux_proc_maps -p PID
vol.py -f mem.lime --profile=LinuxProfile linux_malfind

# Vol3
vol -f mem.lime linux.pslist
vol -f mem.lime linux.pstree
vol -f mem.lime linux.bash
vol -f mem.lime linux.check_afinfo    # rootkit detection
vol -f mem.lime linux.check_syscall   # syscall hooking
vol -f mem.lime linux.tty_check       # TTY hooking
```

Building Linux Profiles (Vol2)

```bash
cd volatility/tools/linux
make
# Creates module.dwarf + System.map → zip as profile
zip LinuxProfile.zip module.dwarf /boot/System.map-$(uname -r)
# Place in volatility/plugins/overlays/linux/
```

---

5. MALWARE INDICATORS IN MEMORY

| Indicator | Detection Method | What It Means |
|---|---|---|
| Process in psscan but not pslist | Compare pslist vs psscan | DKOM — process hiding |
| Unexpected parent-child | pstree analysis | e.g., svchost spawned by cmd.exe |
| MZ header in non-image memory | malfind | Reflective DLL / PE injection |
| RWX memory without backing file | malfind | Shellcode injection |
| DLL unlinked from all PEB lists | ldrmodules (all False) | Stealth DLL loading |
| svchost.exe not child of services.exe | pstree | Fake svchost (malware) |
| Unusual network connections | netscan + PID correlation | C2 communication |
| Hooking in SSDT/IDT | ssdt / idt plugins | Rootkit |
| Modified kernel objects | linux_check_syscall | Linux rootkit |

Normal Parent-Child Relationships (Windows)

System (4)
└── smss.exe
    └── csrss.exe
    └── wininit.exe
        └── services.exe
            └── svchost.exe (multiple)
            └── spoolsv.exe
        └── lsass.exe
    └── winlogon.exe
        └── explorer.exe
            └── user applications

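The normal tree above can be turned into an automated sanity check over `pslist`/`pstree` output. The following Python is an added example, not the playbook's tooling: the process list is constructed and the expected-parent map is transcribed from the tree. Unresolvable parent PIDs are left unflagged rather than reported as violations, because some real parents exit immediately (the `smss.exe` instance that starts a session, `userinit.exe` for `explorer.exe`); the check also counts instances of processes that should exist exactly once and flags names that nearly match a core system binary.

```python
"""Parent-child sanity check against the playbook's normal Windows process tree.

Added example, not the playbook's own tooling. PROCS is a constructed process
list in the shape of (PID, PPID, ImageFileName) rows taken from pslist/pstree.
"""
from difflib import SequenceMatcher
from typing import Dict, List, Tuple

Proc = Tuple[int, int, str]  # (pid, ppid, image name)

# Expected parent per process, transcribed from the "Normal Parent-Child Relationships" tree.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "spoolsv.exe": "services.exe",
    "explorer.exe": "winlogon.exe",
}
# A healthy system has exactly one of each of these.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}

# Constructed sample: the last three rows are the planted anomalies.
PROCS: List[Proc] = [
    (4, 0, "System"),
    (368, 4, "smss.exe"),
    (456, 360, "csrss.exe"),      # PPID 360 was the session smss.exe, already exited
    (496, 360, "wininit.exe"),
    (512, 496, "services.exe"),
    (600, 496, "lsass.exe"),
    (740, 512, "svchost.exe"),
    (812, 512, "svchost.exe"),
    (900, 512, "spoolsv.exe"),
    (1020, 360, "winlogon.exe"),
    (1500, 1020, "explorer.exe"),
    (2200, 1500, "cmd.exe"),
    (2300, 2200, "svchost.exe"),  # svchost spawned by cmd.exe
    (2400, 1500, "svch0st.exe"),  # look-alike name
    (2500, 1500, "lsass.exe"),    # second lsass.exe, wrong parent
]


def check_tree(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map PID -> list of findings; PIDs with nothing to report are absent."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in procs}
    counts: Dict[str, int] = {}
    for _, _, name in procs:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1

    findings: Dict[int, List[str]] = {}

    def note(pid: int, msg: str) -> None:
        findings.setdefault(pid, []).append(msg)

    for pid, ppid, name in procs:
        lname = name.lower()
        expected = EXPECTED_PARENT.get(lname)
        if expected is not None:
            parent = by_pid.get(ppid)
            # Parent missing from the list: it exited (normal for session smss.exe
            # instances), so the relationship cannot be verified and is not flagged.
            if parent is not None and parent[1].lower() != expected:
                note(pid, f"{name} spawned by {parent[1]} (expected {expected})")
        if lname in SINGLETONS and counts[lname] > 1:
            note(pid, f"{counts[lname]} instances of {name}: verify which one is real")
        if lname not in EXPECTED_PARENT and lname != "system":
            # Names that nearly match a core system binary (e.g. svch0st.exe).
            for legit in EXPECTED_PARENT:
                if SequenceMatcher(None, lname, legit).ratio() >= 0.85:
                    note(pid, f"name resembles {legit}")
                    break
    return findings


if __name__ == "__main__":
    for pid, msgs in sorted(check_tree(PROCS).items()):
        for msg in msgs:
            print(f"pid {pid}: {msg}")
```

Both `lsass.exe` instances are reported when a duplicate exists; the analyst decides which one is genuine from its parent, its image path and its creation time rather than the script guessing.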

6. DECISION TREE

Memory dump acquired — need to analyze
├── What OS?
│   ├── Windows → vol imageinfo / windows.info (§3 Step 1)
│   └── Linux → build profile or use Vol3 auto-detect (§4)
├── Malware investigation?
│   ├── Check processes: pslist vs psscan (hidden?) (§3 Step 2)
│   ├── Check parent-child: pstree (suspicious spawning?) (§5)
│   ├── Check injections: malfind (RWX memory?) (§3 Step 5)
│   ├── Check DLLs: ldrmodules (unlinked?) (§3 Step 4)
│   ├── Check network: netscan (C2 connections?) (§3 Step 3)
│   └── Extract suspicious files: dumpfiles (§3 Step 7)
├── Credential recovery?
│   ├── SAM hashes → hashdump (§3 Step 6)
│   ├── LSA secrets → lsadump (§3 Step 6)
│   ├── Cached domain creds → cachedump (§3 Step 6)
│   └── Plaintext passwords → mimikatz plugin (§3 Step 6)
├── Incident timeline?
│   ├── timeliner for comprehensive timeline (§3 Step 10)
│   ├── cmdscan / consoles for command history (§3 Step 9)
│   ├── userassist for program execution (§3 Step 8)
│   └── Cross-reference with PCAP timeline (→ traffic-analysis-pcap)
├── CTF / flag hunting?
│   ├── filescan + grep for flag patterns (§3 Step 7)
│   ├── cmdscan for typed flags/passwords (§3 Step 9)
│   ├── Clipboard: clipboard plugin
│   ├── Screenshots: screenshot plugin
│   └── Environment vars: envars plugin
└── Linux-specific?
    ├── linux_bash for shell history (§4)
    ├── linux_check_syscall for rootkit (§4)
    └── linux_netstat for connections (§4)