Memory analysis tool (Volatility)
■ Package Description
The extraction techniques are performed completely independently of the system being investigated, yet they give unprecedented visibility into the runtime state of that system.
The framework is intended to introduce people to the techniques and complexities involved in extracting digital artifacts from volatile memory samples, and to provide a platform for further work in this exciting area of research.
[Usage]
# volatility
Reference site
https://code.google.com/p/volatility/
■ OPTIONS
# volatility -h
Volatility Foundation Volatility Framework 2.4
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/root/.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
  --cache-directory=/root/.cache/volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the timezone for displaying timestamps
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (format support is module specific)
  --output-file=OUTPUT_FILE
                        write output in this file
  -v, --verbose         Verbose information
  -g KDBG, --kdbg=KDBG  Specify a specific KDBG virtual address
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address
[EX] Usage example
Listing the processes of a Windows XP memory image with the pslist plugin. The image below is an XP SP2 x86 capture, so the default profile shown in the help output (WinXPSP2x86) applies; for an image from any other Windows version, pass the matching --profile=..., since a wrong profile makes pslist return nothing or garbage.
# volatility -f /root/xp-laptop-2005-07-04-1430.img pslist
Volatility Foundation Volatility Framework 2.4
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------------------------
0x823c87c0 System                    4      0     62     1133 ------      0
0x8214b020 smss.exe                400      4      3       21 ------      0 2005-07-04 18:17:26 UTC+0000
0x821c11a8 csrss.exe               456    400     11      551      0      0 2005-07-04 18:17:29 UTC+0000
0x814dc020 winlogon.exe            480    400     18      522      0      0 2005-07-04 18:17:29 UTC+0000
0x815221c8 services.exe            524    480     17      321      0      0 2005-07-04 18:17:30 UTC+0000
0x821d8248 lsass.exe               536    480     20      369      0      0 2005-07-04 18:17:30 UTC+0000
0x814f0020 svchost.exe             680    524     19      206      0      0 2005-07-04 18:17:31 UTC+0000
0x821daa88 svchost.exe             760    524     10      289      0      0 2005-07-04 18:17:31 UTC+0000
0x821463a8 svchost.exe             800    524     75     1558      0      0 2005-07-04 18:17:31 UTC+0000
0x8216c9b0 Smc.exe                 840    524     22      421      0      0 2005-07-04 18:17:32 UTC+0000
0x81530228 svchost.exe             932    524      6       93      0      0 2005-07-04 18:17:33 UTC+0000
0x81534c10 svchost.exe             972    524     15      212      0      0 2005-07-04 18:17:34 UTC+0000
0x8202e7e8 spoolsv.exe            1104    524     11      145      0      0 2005-07-04 18:17:38 UTC+0000
0x8152f9a0 ati2evxx.exe           1272    524      4       38      0      0 2005-07-04 18:17:39 UTC+0000
0x820ac020 Crypserv.exe           1356    524      3       34      0      0 2005-07-04 18:17:40 UTC+0000
0x81521da0 DefWatch.exe           1380    524      3       27      0      0 2005-07-04 18:17:40 UTC+0000
0x820b5670 msdtc.exe              1440    524     15      164      0      0 2005-07-04 18:17:40 UTC+0000
0x81fcf460 Rtvscan.exe            1484    524     37      312      0      0 2005-07-04 18:17:40 UTC+0000
0x8204b8e0 tcpsvcs.exe            1548    524      2      105      0      0 2005-07-04 18:17:41 UTC+0000
0x82027a78 snmp.exe               1564    524      5      192      0      0 2005-07-04 18:17:41 UTC+0000
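The PID/PPID columns above are the first thing an analyst reads: on Windows XP, smss.exe is spawned by System, csrss.exe and winlogon.exe by smss.exe, services.exe and lsass.exe by winlogon.exe, and every svchost.exe by services.exe, so a "system" process with the wrong parent is an immediate lead. As an added example (written for this page, not code from the page or from the Volatility project), the following Python script parses pslist text output like the listing above, prints a pstree-style view, and flags processes whose parent breaks that XP lineage. The embedded sample input is constructed: it repeats the first rows of the page's listing and adds one row that is not on the page (PID 1900, offset 0x81f00000, a second "lsass.exe" under svchost.exe) so that the check has something to catch. The expected-parent table and all function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: rows copied from the pslist output on this page
# (Volatility 2.4, Windows XP image) plus ONE row that is NOT from the page,
# PID 1900, a second "lsass.exe" parented by svchost.exe, added to show a hit.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.4
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------------------------
0x823c87c0 System                    4      0     62     1133 ------      0
0x8214b020 smss.exe                400      4      3       21 ------      0 2005-07-04 18:17:26 UTC+0000
0x821c11a8 csrss.exe               456    400     11      551      0      0 2005-07-04 18:17:29 UTC+0000
0x814dc020 winlogon.exe            480    400     18      522      0      0 2005-07-04 18:17:29 UTC+0000
0x815221c8 services.exe            524    480     17      321      0      0 2005-07-04 18:17:30 UTC+0000
0x821d8248 lsass.exe               536    480     20      369      0      0 2005-07-04 18:17:30 UTC+0000
0x814f0020 svchost.exe             680    524     19      206      0      0 2005-07-04 18:17:31 UTC+0000
0x8152f9a0 ati2evxx.exe           1272    524      4       38      0      0 2005-07-04 18:17:39 UTC+0000
0x81f00000 lsass.exe              1900    680      1       12      0      0 2005-07-04 18:20:00 UTC+0000
"""

# One pslist row (Volatility 2.x text output). The Start column is optional
# because the System process has no recorded start time; Sess is "------"
# for System and smss.exe.
_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>\S+)\s+(?P<wow64>\d+)"
    r"(?:\s+(?P<start>.+?))?\s*$"
)

# Expected parent(s) for core XP processes (assumption for this example).
# Vista and later differ: wininit.exe spawns services.exe and lsass.exe there.
EXPECTED_PARENT_XP = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe"},
    "lsass.exe": {"winlogon.exe"},
    "svchost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
}


def parse_pslist(text):
    """Turn pslist text output into a list of dicts keyed by column name."""
    procs = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue  # banner, header and dashed rule lines
        d = m.groupdict()
        for key in ("pid", "ppid", "thds", "hnds", "wow64"):
            d[key] = int(d[key])
        d["sess"] = None if d["sess"].startswith("-") else int(d["sess"])
        procs.append(d)
    return procs


def render_tree(procs):
    """pstree-style indented listing ("name:pid"), children under parents."""
    by_pid = {p["pid"]: p for p in procs}
    children, roots = defaultdict(list), []
    for p in procs:
        # A PPID that is not in the listing (e.g. System's 0) makes a root.
        (children[p["ppid"]] if p["ppid"] in by_pid else roots).append(p)
    lines = []

    def walk(p, depth):
        lines.append("%s%s:%d" % ("  " * depth, p["name"], p["pid"]))
        for c in sorted(children[p["pid"]], key=lambda c: c["pid"]):
            walk(c, depth + 1)

    for r in sorted(roots, key=lambda r: r["pid"]):
        walk(r, 0)
    return lines


def check_process_tree(procs, expected=EXPECTED_PARENT_XP):
    """Return (pid, name, reason) for processes whose parent breaks the rules."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        want = expected.get(p["name"].lower())
        if not want:
            continue
        parent = by_pid.get(p["ppid"])
        got = parent["name"].lower() if parent else None
        if got not in want:
            seen = parent["name"] if parent else "PID %d (not in list)" % p["ppid"]
            findings.append((p["pid"], p["name"],
                             "parent is %s, expected %s" % (seen, "/".join(sorted(want)))))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(render_tree(procs)))
    for pid, name, why in check_process_tree(procs):
        print("SUSPICIOUS: %s (PID %d): %s" % (name, pid, why))
```

Run it against real output by piping `volatility -f <image> --profile=<profile> pslist` into a file and passing that text to parse_pslist. Name-based rules only catch the crude cases (a fake lsass.exe under svchost.exe, an svchost.exe started by something other than services.exe); a process that impersonates a legitimate name under the right parent still needs dlllist, handles and the image path to confirm.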