Volatility 3.0 usage

3 min readNov 8, 2019

Hello friends, volatility has been released a new volatiliy version 3.0. In this blog post we use volatility’s new version quickly and give some information about it’s usage. I analyze stuxnet.vmem memory image file which is dumped from stuxnet infected machine whose version XP. First you can clone volatility 3 from its Github page for installation.

volatilityfoundation/volatility3

Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM)…

github.com

I installed it to Kali and you can reach documentation link is given below;

Volatility 3 - Volatility 3 1.0.0-beta.1 documentation

This is the documentation for Volatility 3, the most advanced memory forensics framework in the world. Like previous…

volatility3.readthedocs.io

Before We start I present you my Udemy Trainings if you want you can benefit my training for learning deeply;

Practical Cyber Threat Hunting

Purple Team Techniques Part 1 Threat Hunting

www.udemy.com

Introduction To Reverse Engineering And Malware Analysis

Alparslan Akyıldız has 10+ years experience at cyber security sector as consultant, pentester, threat hunter and APT…

www.udemy.com

Lets start with examining processes. Commands a little different but genarally smillar to previous version;

We learned the version and other base information about dumped machine such as machine’s operating system is XP sp3. In next step we list processes with windows.pslist parameter;

There are 3 lsass.exe exists in the process list if you remember from previous blog post I noticed that there are only one lsass instance in the process list. It’s suspicious. Lets go on psscan module with windows.psscan module;

Look at the date and times of lsass process. It’s suspicious too, one year difference for opening same lasass processes times. We use windows.pstree plugin or parameter for displaying the process tree on the screen;

As you see process 1928 is weird because lsass process must be child of the winlogon or wininit process but here stuation is different and it’s tree depth is four, under normal conditions it must be three. With cmdline parameter we can examine commandline parameters;

Ok now go on examining process 1928, lets investigate drivers and modules with windows.moddump parameter;

We detected stuxnet dirver in the list;

We create a simple bash loop for calculating driver dumps hash values;

I investigated hash values from Virustotal by using Vttool is already preinstalled at Remnux.

I used malfind parameter for searching malware signutures from memory’s predefined process with -p parameter;

In a conclusion volatility 3.0 is faster than volatility 2.6 and I shared some usage parameters over Stuxnet example. See you a new blog post…