
Volatility 2.4 Edition
Copyright © 2014 The Volatility Foundation

Development build and wiki:
    github.com/volatilityfoundation
Download a stable release:
    volatilityfoundation.org
Read the book:
    artofmemoryforensics.com
Development Team Blog:
    http://volatility-labs.blogspot.com
(Official) Training Contact:
    voltraining@memoryanalysis.
Follow: @volatility
Learn: www.memoryanalysis.net

Basic Usage

Typical command components:
    # vol.py -f [image] --profile=[profile] [plugin]
Display profiles, address spaces, plugins:
    # vol.py --info
Display global command-line options:
    # vol.py --help
Display plugin-specific arguments:
    # vol.py [plugin] --help
Load plugins from an external directory:
    # vol.py --plugins=[dir] [plugin]
Specify a DTB or KDBG address:
    # vol.py --dtb=[addr] --kdbg=[addr]
Specify an output file:
    # vol.py --output-file=[file]

Image Identification

Get profile suggestions (OS and architecture):
    imageinfo
Scan and parse the debugger data block:
    kdbgscan

Processes Listings

Basic active process listing:
    pslist
Scan for hidden or terminated processes:
    psscan
Cross reference processes with various lists:
    psxview
Show processes in parent/child tree:
    pstree

Process Information

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Display DLLs:
    dlllist
Show command line arguments:
    cmdline
Display details on VAD allocations:
    vadinfo [--addr]
Dump allocations to individual files:
    vaddump --dump-dir=PATH [--base]
Dump all valid pages to a single file:
    memdump --dump-dir=PATH
Display open handles:
    handles
        -t/--object-type=TYPE   Mutant, Key, etc.
        -s/--silent             Hide unnamed handles
Display privileges:
    privs
        -r/--regex=REGEX   Regex privilege name
        -s/--silent        Explicitly enabled only
Display SIDs:
    getsids
Display environment variables:
    envars

PE File Extraction

Specify -D/--dump-dir to any of these plugins to identify your desired output directory.

Dump a kernel module:
    moddump
        -r/--regex=REGEX   Regex module name
        -b/--base=BASE     Module base address
Dump a process:
    procdump
        -m/--memory   Include memory slack
Dump DLLs in process memory:
    dlldump
        -r/--regex=REGEX   Regex module name
        -b/--base=BASE     Module base address

Injected Code

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Find and extract injected code blocks:
    malfind
        -D/--dump-dir=PATH   Dump findings here
Cross-reference DLLs with memory mapped files:
    ldrmodules
Scan a block of code in process or kernel memory for imported functions:
    impscan
        -p/--pid=PID     Process ID
        -b/--base=BASE   Base address to scan
        -s/--size=SIZE   Size to scan from base

Logs / Histories

Extract event logs (XP/2003):
    evtlogs
        -S/--save-evt        Save raw event logs
        -D/--dump-dir=PATH   Save to this directory
Recover command history:
    cmdscan and consoles
Recover IE cache/Internet history:
    iehistory
Show running services:
    svcscan
        -v/--verbose   Show ServiceDll from registry

Networking Information

Active info (XP/2003):
    connections and sockets
Scan for residual info (XP/2003):
    connscan and sockscan
Network info for Vista, 2008, and 7:
    netscan

Kernel Memory

Display loaded kernel modules:
    modules
Scan for hidden or residual modules:
    modscan
Display recently unloaded modules:
    unloadedmodules
Display timers and associated DPCs:
    timers
Display kernel callbacks, notification routines:
    callbacks
Audit the SSDT:
    ssdt
        -v/--verbose   Check for inline API hooks
Audit the IDT and GDT:
    idt (x86 only)
    gdt (x86 only)
Audit driver dispatch (IRP) tables:
    driverirp
        -r/--regex=REGEX   Regex driver name
Display device tree (find stacked drivers):
    devicetree
Print kernel pool tag usage stats:
    pooltracker
        -t/--tags=TAGS      List of tags to analyze
        -T/--tagfile=FILE   pooltag.txt for labels
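The Processes Listings section above pairs pslist (a walk of the active process linked list) with psscan (a pool-tag scan of physical memory) and psxview (a cross-reference of both and other views). The block below is an added example, not code from the Volatility project or from this cheat sheet: it re-implements the core of that comparison over constructed sample text laid out the way the two plugins print, and flags a PID that the scanner finds but the list walk does not, with no exit time recorded, as a candidate for an unlinked (hidden) process. The sample PIDs, offsets, timestamps and the name malware.exe are made up.

```python
import re

# Constructed sample output modeled on the text `vol.py pslist` and
# `vol.py psscan` print (not real output from an image; PIDs, offsets and
# times are made up). malware.exe appears only in the pool scan, and
# notepad.exe carries an exit time, so it is terminated rather than hidden.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     58      402 ------      0
0x821d4020 smss.exe                368      4      3       19 ------      0 2014-03-01 10:01:02 UTC+0000
0x8218b9b0 csrss.exe               584    368     12      451      0      0 2014-03-01 10:01:05 UTC+0000
0x81f5c4e8 explorer.exe           1560   1524     14      402      0      0 2014-03-01 10:01:40 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x023c8830 System                4      0 0x00319000
0x021d4020 smss.exe            368      4 0x0a0c0020 2014-03-01 10:01:02 UTC+0000
0x0218b9b0 csrss.exe           584    368 0x0b3f0040 2014-03-01 10:01:05 UTC+0000
0x01f5c4e8 explorer.exe       1560   1524 0x0c8d0060 2014-03-01 10:01:40 UTC+0000
0x01e9a7f0 malware.exe        2188   1560 0x0d120080 2014-03-01 10:05:13 UTC+0000
0x0203c0a0 notepad.exe        1712   1560 0x0d2200a0 2014-03-01 10:02:00 UTC+0000 2014-03-01 10:03:30 UTC+0000
"""

# A data row starts with the object offset; header and separator lines do not.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def parse_rows(text):
    """Yield (offset, name, pid, ppid, raw_line) for every process row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4)), line


def cross_reference(pslist_text, psscan_text):
    """Build a psxview-style table keyed by PID.

    Each entry records whether the PID was seen by the list walk (pslist),
    by the pool scan (psscan), and whether psscan printed an exit time
    (a second timestamp on the row)."""
    view = {}

    def slot(pid, name, ppid):
        return view.setdefault(pid, {"name": name, "ppid": ppid, "pslist": False,
                                     "psscan": False, "exited": False})

    for _, name, pid, ppid, _ in parse_rows(pslist_text):
        slot(pid, name, ppid)["pslist"] = True
    for _, name, pid, ppid, line in parse_rows(psscan_text):
        entry = slot(pid, name, ppid)
        entry["psscan"] = True
        entry["exited"] = len(TIMESTAMP.findall(line)) >= 2
    return view


def hidden_candidates(view):
    """PIDs the scanner found that are absent from the active list and have
    no exit time: the unlink (DKOM) pattern psxview exists to surface."""
    return sorted(pid for pid, e in view.items()
                  if e["psscan"] and not e["pslist"] and not e["exited"])


def render(view):
    lines = ["%-6s %-16s %-6s %-6s %s" % ("PID", "Name", "pslist", "psscan", "Note")]
    for pid in sorted(view):
        e = view[pid]
        note = ("terminated" if e["exited"]
                else "HIDDEN?" if e["psscan"] and not e["pslist"] else "")
        lines.append("%-6d %-16s %-6s %-6s %s" % (pid, e["name"], e["pslist"], e["psscan"], note))
    return "\n".join(lines)


if __name__ == "__main__":
    table = cross_reference(PSLIST_OUTPUT, PSSCAN_OUTPUT)
    print(render(table))
    print("hidden candidates:", hidden_candidates(table))
```

The real psxview adds further columns (thread scan, PspCidTable, csrss handles, session and desktop thread lists), which is why a single missing column is only a lead: a process that has exited but whose _EPROCESS has not yet been reused is the common benign explanation, and the exit-time check above removes that case before anything is called hidden.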
Kernel Objects

Scan for driver objects:
    driverscan
Scan for mutexes:
    mutantscan
        -s/--silent   Hide unnamed mutants
Scan for used/historical file objects:
    filescan
Scan for symbolic link objects (shows drive mappings):
    symlinkscan

Registry

Display cached hives:
    hivelist
Print a key's values and data:
    printkey
        -o/--hive_offset=OFFSET   Hive address (virtual)
        -K/--key=KEY              Key path
Dump userassist data:
    userassist
Dump shellbags information:
    shellbags
Dump the shimcache:
    shimcache

Password Recovery

Dump LSA secrets:
    lsadump
Dump cached domain hashes:
    cachedump
Dump LM and NTLM hashes:
    hashdump (x86 only)
Extract OpenVPN credentials:
    openvpn (github.com/Phaeilo)
Extract RSA private keys and certificates:
    dumpcerts
        -s/--ssl   Parse certificates with openssl

Disk Encryption

Recover cached TrueCrypt passphrases:
    truecryptpassphrase
Triage TrueCrypt artifacts:
    truecryptsummary
Extract TrueCrypt master keys:
    truecryptmaster

GUI Memory

Sessions (shows RDP logins):
    sessions
Window stations (shows clipboard owners):
    wndscan
Desktops (find ransomware):
    deskscan
Display global and session atom tables:
    atoms and atomscan
Dump the contents of the clipboard:
    clipboard
Detect message hooks (keyloggers):
    messagehooks
Take a screen shot from the memory dump:
    screenshot --dump-dir=PATH
Display visible and hidden windows:
    windows and wintree

Dump Conversion

Create a raw memory dump from a hibernation, crash dump, firewire acquisition, vmware snapshot, hpak, or EWF file:
    imagecopy -O/--output-image=FILE
Convert any of the aforementioned file types to a Windows crash dump compatible with Windbg:
    raw2dmp -O/--output-image=FILE

Strings

Use GNU strings or Sysinternals strings.exe:
    strings -a -td FILE > strings.txt
    strings -a -td -el FILE >> strings.txt (Unicode)
    strings.exe -q -o > strings.txt (Windows)
Translate the string addresses:
    strings
        -s/--string-file=FILE   Input strings.txt file
        -S/--scan

API Hooks

Scan for API hooks:
    apihooks
        -R/--skip-kernel    Don't check kernel modules
        -P/--skip-process   Don't check processes
        -Q/--quick          Scan faster

Yara Scanning

Scan for Yara signatures:
    yarascan
        -p/--pid=PID            Process IDs to scan
        -K/--kernel             Scan kernel memory
        -Y/--yara-rules=RULES   String, regex, bytes, etc.
        -y/--yara-file=FILE     Yara rules file
        -W/--wide               Match Unicode strings
        -s/--size               Size of preview bytes

Timelines

To create a timeline, create output in body file format. Combine the data and run sleuthkit's mactime to create a CSV file.
    timeliner --output=body > time.txt
    shellbags --output=body >> time.txt
    mftparser --output=body >> time.txt
    mactime -b [time.txt] [-d] > csv.txt

File System Resources

Scan for MFT records:
    mftparser
        --output=body   Output body format
        -D/--dump-dir   Dump MFT-resident data
Extract cached files (registry hives, executables):
    dumpfiles
        -D/--dump-dir=PATH   Output directory
        -r/--regex=REGEX     Regex filename
Parse USN journal records:
    usnparser (github.com/tomspencer)

Malware Specific

Dump Zeus/Citadel RC4 keys:
    zeusscan and citadelscan
Find and decode Poison Ivy configs:
    poisonivyconfig
Decode Java RAT config:
    javaratscan (github.com/Rurik)

Volshell

Display a type/structure:
    >>> dt("_EPROCESS", recursive = True)
Display a type/structure instance:
    >>> dt("_EPROCESS", 0x820c92a0)
Create an object in kernel space:
    >>> thread = obj.Object("_ETHREAD", offset = 0x820c92a0, vm = addrspace())
List processes:
    >>> ps()
Switch contexts by pid, offset, or name:
    >>> cc(pid = 3028)
    >>> cc(offset = 0x3eb31340, physical=True)
    >>> cc(name = "explorer.exe")
Acquire a process address space after using cc:
    >>> process_space = proc().get_process_address_space()
Disassemble data in an address space:
    >>> dis(address, length, space)
Dump bytes, dwords or qwords:
    >>> db(address, length, space)
    >>> dd(address, length, space)
    >>> dq(address, length, space)
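The Timelines section above concatenates the body-file output of timeliner, shellbags and mftparser and hands it to sleuthkit's mactime. As an added example, not part of the cheat sheet or of Volatility, the Python below does what `mactime -b` does with such a file: parse the TSK 3.x body format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), expand each record into one row per distinct timestamp carrying mactime's "macb" column, and sort chronologically. The body lines are constructed in the layout those plugins emit; the names, PIDs, offsets and epoch times are made up.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed body-file lines in the TSK 3.x format that timeliner, shellbags
# and mftparser write with --output=body (not real data from an image; the
# epoch seconds are arbitrary). Field order:
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY_FILE = """\
0|[PROCESS] explorer.exe PID: 1560/PPID: 1524/POffset: 0x01f5c4e8|0|---------------|0|0|0|1393668100|1393668100|1393668100|1393668100
0|[PROCESS] malware.exe PID: 2188/PPID: 1560/POffset: 0x01e9a7f0|0|---------------|0|0|0|1393668313|1393668313|1393668313|1393668313
0|[SHIMCACHE] \\??\\C:\\Windows\\Temp\\drop.exe|0|---------------|0|0|0|0|1393668313|0|0
0|[MFT FILE_NAME] Windows\\Temp\\drop.exe (Offset: 0x3c7e400)|0|---------------|0|0|12288|1393668310|1393668290|1393668290|1393668290
"""


def parse_body(text):
    """Parse body-file lines into dicts; lines without 11 fields are skipped,
    which is how mactime treats malformed input."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("|")
        if len(fields) != 11:
            continue
        _md5, name, _inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        entries.append({
            "name": name, "mode": mode, "uid": uid, "gid": gid, "size": int(size),
            # Keys in mactime's column order: modified, accessed, changed, born.
            "times": {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)},
        })
    return entries


def macb_flags(entry, ts):
    """mactime's 'macb' column: the letter for each slot equal to ts, else a dot."""
    return "".join(k if entry["times"][k] == ts else "." for k in "macb")


def build_timeline(text):
    """One row per distinct non-zero timestamp of each entry, sorted by time
    (ties broken by name), the way `mactime -b` lays out a body file."""
    rows = []
    for entry in parse_body(text):
        for ts in sorted(set(t for t in entry["times"].values() if t)):
            # Volatility prints UTC, so render the epoch seconds in UTC too.
            when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            rows.append((when, entry["size"], macb_flags(entry, ts), entry["name"]))
    rows.sort(key=lambda r: (r[0], r[3]))
    return rows


def to_csv(rows):
    """Comma-delimited output comparable to `mactime -d`."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Date", "Size", "Type", "File Name"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_timeline(BODY_FILE)), end="")
```

Two things the sample makes visible: a record whose four slots carry the same time collapses into a single "macb" row (the process entries), while an MFT record with a later access time splits into "m.cb" and ".a.." rows, so the same file shows up twice and the Type column is what tells them apart. When running the real mactime, pass `-z UTC` so its output agrees with the UTC timestamps Volatility writes; its default is the local zone.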
General Investigations

Dump the system's raw registry hive files
    dumpfiles -p 4 --regex='(config|ntuser)' --ignore-case --name -D ./
Create a Graphviz diagram of processes
    psscan --output=dot --output-file=graph.dot
Create a color coded diagram of process memory
    vadtree -p PID --output=dot --output-file=graph.dot
Translate an account SID to user name
    printkey -K "\\Windows NT\\CurrentVersion\\ProfileList\\[SID]" | grep ProfileImagePath
List run keys for HKLM and all users
    printkey -K "Microsoft\\Windows\\CurrentVersion\\Run"
    printkey -K "\\Microsoft\\Windows\\CurrentVersion\\Run"
Find Unicode hostnames or URLs
    yarascan -Y "/(www|http).+\.(com|net|org)/" --wide [--kernel]
Find null-terminated ASCII dot quad IP addresses
    yarascan -Y "/([0-9]{1,3}\.){3}[0-9]{1,3}\x00/" --wide [--kernel]
Locate and extract the HOSTS file to local directory
    filescan | egrep hosts$ | awk '{print $1}'
    0x0000000005e3c6d8
    dumpfiles -Q 0x0000000005e3c6d8 --name -D ./
Extract the admin password hash
    hashdump | grep Administrator > admin.txt

Malicious Code

Check if a process has domain or enterprise admin
    getsids | egrep '(Domain|Enterprise)'
Identify processes with raw sockets
    handles -t File | grep "\\Device\\RawIp\\0"
Look for explicitly enabled debug privilege
    privs --silent --regex=debug
Identify alternate data streams
    mftparser | grep "DATA ADS"
Dump MFT-resident batch scripts
    mftparser -D output/
    file output/* | grep "DOS batch file"
Determine what is spying on the clipboard
    wndscan | grep ClipViewer
Dump injected code and focus on executables
    malfind -D output/
    file output/* | grep PE
Trace API hooks through memory
    apihooks -p PID --quick | grep 'Hook address'
    0x1da654f
    echo "dis(0x1da654f, length = 512)" | volshell -p PID
Scan for a specific mutex on the system
    mutantscan | grep -i [MUTANT NAME]
Dump injected DLL, fix image base + IDA import labels
    dlldump --base=ADDR -p PID -D ./ --fix --memory
    impscan --base=ADDR -p PID --output=idc > labels.idc
Find binaries loaded from temporary directories
    envars -p PID | grep TEMP | awk '{print $5}'
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    Filter dlllist and modules output for the specified path

User Activity

Detect remote mapped shares
    handles -t File | egrep "\\Device\\(LanmanRedirector|Mup)"
Files on Truecrypt volumes
    filescan | grep TrueCryptVolume
Extract ASCII and Unicode clipboard content
    clipboard | grep TEXT
Brute force search for command history
    yarascan -Y "/C:\\\\.+>/" --wide [--kernel]
Recently clicked applications and shortcuts
    userassist | grep REG_BINARY
Find prefetch files (recently executed programs)
    mftparser | grep \.pf$ | awk '{print $NF}'

Kernel Memory

Identify hooked driver dispatch tables
    driverirp --regex=tcpip | grep IRP | egrep -vi '(tcpip|ntos)'
Look for hooked SSDT functions
    ssdt | egrep -v '(ntos|win32k)'
Malicious kernel callbacks and timers
    callbacks | grep UNKNOWN (same with timers)
Locate hidden thread-based kernel rootkits
    threads -F OrphanThread | grep StartAddress

Speed Enhancements

Find and set the kernel DTB
    psscan | grep System | awk '{print $5}'
    0x00319000 (Now use --dtb=0x00319000)
Find and set the KDBG on XP-7 and 32-bit 8
    kdbgscan | grep Offset | grep V
    Offset (V) : 0xf80002803070 (add to --kdbg)
Find and set the KDBG on 64-bit 8 and 2012
    kdbgscan --profile=[PROFILE] | grep KdCopyDataBlock
    KdCopyDataBlock (V) : 0xf80281ff5ea0 (add to --kdbg)

Volshell Scripting

Create a process ID lookup table
    by_pid = dict((p.UniqueProcessId, p) for p in getprocs())
    parent_name = by_pid[PID].ImageFileName
Scan process memory and print a hex dump
    needles = ["abc123", "def456"]
    for hit in proc().search_process_memory(needles):
        db(hit)
Extract a chunk of kernel memory to disk
    data = addrspace().zread(ADDR, SIZE)
    with open("output.bin", "wb") as handle:
        handle.write(data)
Translate a kernel address and seek to it (raw dumps only)
    echo "addrspace().vtop(0x98dfd9c8)" | volshell -f [MEMDUMP]
    597989832
    xxd -s 597989832 [MEMDUMP]
Kernel modules with embedded PE signatures
    signed = [mod for mod in getmods() if mod.sec_dir()]
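The "Look for hooked SSDT functions" one-liner under Kernel Memory above filters ssdt output with `egrep -v '(ntos|win32k)'`. The block below is an added example, not code from Volatility or from this cheat sheet: it parses constructed lines laid out the way the ssdt plugin prints its tables and entries, and reports every service whose owning module is not a known kernel image. Two details the grep does not handle are built in: the NT kernel file is named ntkrnlpa.exe, ntkrnlmp.exe or ntkrpamp.exe on PAE and multiprocessor builds, which `ntos` does not match, and an owner of UNKNOWN means the pointer resolved to no loaded module at all. The addresses, entry indexes and the module name evil.sys are made up.

```python
import re
from collections import Counter

# Constructed sample lines modeled on the layout of `vol.py ssdt` output
# (not real output from an image; addresses and evil.sys are made up).
SSDT_OUTPUT = """\
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
SSDT[0] at 80501b8c with 284 entries
  Entry 0x0000: 0x805987cc (NtAcceptConnectPort) owned by ntoskrnl.exe
  Entry 0x0041: 0xf8ab4ac0 (NtEnumerateKey) owned by evil.sys
  Entry 0x0047: 0xf8ab4b10 (NtEnumerateValueKey) owned by evil.sys
  Entry 0x0091: 0x80570c1e (NtQueryDirectoryFile) owned by ntoskrnl.exe
  Entry 0x00ad: 0xf8ab4c20 (NtQuerySystemInformation) owned by UNKNOWN
SSDT[1] at bf997780 with 667 entries
  Entry 0x1000: 0xbf934f8c (NtGdiAbortDoc) owned by win32k.sys
"""

# File names the NT kernel image can carry (uniprocessor, multiprocessor,
# PAE and PAE+MP builds) plus the win32k subsystem that owns SSDT[1].
TRUSTED_OWNERS = frozenset({"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe",
                            "ntkrpamp.exe", "win32k.sys"})

TABLE = re.compile(r"^SSDT\[(\d+)\] at ([0-9a-fA-F]+) with (\d+) entries")
ENTRY = re.compile(r"^\s+Entry (0x[0-9a-fA-F]+): (0x[0-9a-fA-F]+) \((\w+)\) owned by (\S+)")


def parse_ssdt(text):
    """Yield one dict per 'Entry' line, tagged with the table it belongs to."""
    table = None
    for line in text.splitlines():
        t = TABLE.match(line)
        if t:
            table = int(t.group(1))
            continue
        e = ENTRY.match(line)
        if e and table is not None:
            yield {"table": table,
                   "index": int(e.group(1), 16),
                   "address": int(e.group(2), 16),
                   "function": e.group(3),
                   "owner": e.group(4)}


def suspicious_entries(text, trusted=TRUSTED_OWNERS):
    """Entries whose owner is not a known kernel image. UNKNOWN means the
    service pointer landed outside every module in the loaded-module list."""
    return [e for e in parse_ssdt(text) if e["owner"] not in trusted]


def owners_summary(entries):
    """Count of flagged entries per owning module, to see at a glance
    whether one driver has taken over several services."""
    return Counter(e["owner"] for e in entries)


if __name__ == "__main__":
    hits = suspicious_entries(SSDT_OUTPUT)
    for e in hits:
        print("SSDT[%d] %#06x %-28s %#010x  %s" % (
            e["table"], e["index"], e["function"], e["address"], e["owner"]))
    print(dict(owners_summary(hits)))
```

This only catches pointer replacement in the table. A rootkit that leaves the table intact and patches the first bytes of the target function is invisible here; that is what the `ssdt -v` option listed on the first page (inline hook check) is for, and the two checks are complementary rather than interchangeable.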

Linux Commands

Processes Listings

Basic active process listing:
    linux_pslist
List processes and threads:
    linux_pidhashtable
Cross reference processes with various lists:
    linux_psxview
Show processes in parent/child tree:
    linux_pstree

Process Information

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Display shared libraries:
    linux_library_list
List threads:
    linux_threads
Show command line arguments:
    linux_psaux
Display details on memory ranges:
    linux_proc_maps
Dump allocations to individual files:
    linux_dump_map
        -D/--dump-dir=PATH
        --vma=ADDR   Range to dump
Display open handles:
    linux_lsof
Display environment variables:
    linux_psenv and linux_bash_env

ELF File Extraction

Specify -D/--dump-dir to any of these plugins to identify your desired output directory.

Dump a kernel module:
    linux_moddump
        -r/--regex=REGEX   Regex module name
        -b/--base=BASE     Module base address
Dump a process:
    linux_procdump
Dump shared libraries in process memory:
    linux_librarydump
        -r/--regex=REGEX   Regex module name
        -b/--base=BASE     Module base address

Injected Code

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Find and extract injected code blocks:
    linux_malfind
Cross-reference shared libraries with memory-mapped files:
    linux_ldrmodules
Check for process hollowing:
    linux_process_hollow
        -b/--base   Base address of ELF file in memory
        -P/--path   Path of known good file on disk

Userland API Hooks

Scan for API hooks:
    linux_apihooks
        -a/--all   Check hooked PLT entries
Scan for GOT/PLT hooks:
    linux_plthook
        -a/--all      List all PLT entries
        -i/--ignore   Libraries to ignore in processing

Command History

Recover command history:
    linux_bash
Recover executed binaries:
    linux_bash_hash

Networking Information

Active info:
    linux_netstat
Interface information:
    linux_ifconfig
Raw sockets:
    linux_list_raw
Routing cache:
    linux_route_cache
        -R/--resolve   DNS resolve destination IPs
Netfilter entries:
    linux_netfilter
ARP cache:
    linux_arp

Kernel Memory

Print the kernel debug buffer:
    linux_dmesg
Audit the IDT:
    linux_idt (x86 only)
Display loaded kernel modules:
    linux_lsmod
Check for system call hooks:
    linux_check_syscall
Check for network stack hooks:
    linux_check_afinfo
Check for credential copying:
    linux_check_creds
Check for file operations hooking:
    linux_check_fop
Check for inline kernel hooks:
    linux_check_inline_kernel
Check for hidden modules:
    linux_check_modules
    linux_hidden_modules
Check for TTY hooks:
    linux_check_tty
Check for malicious keyboard callbacks:
    linux_keyboard_notifiers

Yara Scanning

Scan for Yara signatures:
    linux_yarascan
        -p/--pid=PID            Process IDs to scan
        -K/--kernel             Scan kernel memory
        -Y/--yara-rules=RULES   String, regex, bytes, etc.
        -y/--yara-file=FILE     Yara rules file
        -W/--wide               Match Unicode strings
        -s/--size               Size of preview bytes

File System Resources

List mount points:
    linux_mount
Enumerate files:
    linux_enumerate_files
Extract cached files:
    linux_find_file
        -F/--find=FILE     Path of file to find
        -i/--inode=INODE   Address of inode to dump
        -L/--listfiles     Lists files in cache
        -O/--outputfile    File path to write

Disk Encryption

Recover cached Truecrypt passphrases:
    linux_truecryptpassphrase

Strings

Translate extracted strings:
    linux_strings
        -s/--string-file=FILE   Input strings.txt file

Mac OS X Commands

Processes Listings

Basic active process listing:
    mac_pslist
List PID hash table:
    mac_pid_hash_table
List tasks:
    mac_tasks
Cross reference processes with various lists:
    mac_psxview
Show processes in parent/child tree:
    mac_pstree

Process Information

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Display shared libraries:
    mac_dyld_maps
Show command line arguments:
    mac_psaux
Display details on memory ranges:
    mac_proc_maps
Dump allocations to individual files:
    mac_dump_map
        -D/--dump-dir=PATH
        --map_address=ADDR
Display open handles:
    mac_lsof
Display environment variables:
    mac_psenv and mac_bash_env
Display login sessions:
    mac_list_sessions

Mach-O File Extraction

Specify -D/--dump-dir to any of these plugins to identify your desired output directory.

Dump a kernel module:
    mac_moddump
        -r/--regex=REGEX   Regex module name
        -b/--base=BASE     Module base address
Dump a process:
    mac_procdump
Dump shared libraries in process memory:
    mac_librarydump
        -b/--base=BASE   Module base address

Injected Code

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Find and extract injected code blocks:
    mac_malfind
Cross-reference shared libraries with memory-mapped files:
    mac_ldrmodules

API Hooks

Scan for API hooks:
    mac_apihooks
        -R/--skip-kernel    Don't check kernel modules
        -P/--skip-process   Don't check processes
        -Q/--quick          Scan faster
Check for process hollowing:
    mac_process_hollow
        -b/--base   Base address of ELF file in memory
        -P/--path   Path of known good file on disk
Scan for GOT/PLT hooks:
    mac_plthook
        -a/--all      List all PLT entries
        -i/--ignore   Libraries to ignore in processing

Command History

Recover command history:
    mac_bash
Recover executed binaries:
    mac_bash_hash

Networking Information

Active info:
    mac_netstat
Active info from network stack:
    mac_network_conns
Interface information:
    mac_ifconfig
ARP cache:
    mac_arp
Routing table:
    mac_route
Socket filters:
    mac_socket_filters
IP filters:
    mac_ip_filters

Yara Scanning

Scan for Yara signatures:
    mac_yarascan
        -p/--pid=PID            Process IDs to scan
        -K/--kernel             Scan kernel memory
        -Y/--yara-rules=RULES   String, regex, bytes, etc.
        -y/--yara-file=FILE     Yara rules file
        -W/--wide               Match Unicode strings
        -s/--size               Size of preview bytes

Disk Encryption

Recover possible Keychain keys:
    mac_keychaindump

Kernel Memory

Print the kernel debug buffer:
    mac_dmesg
Display loaded kernel modules:
    mac_lsmod
Check for kernel API hooks:
    mac_apihooks_kernel
Check for system call hooks:
    mac_check_syscalls
Check for shadow system call table:
    mac_check_syscall_shadow
Check sysctl handlers:
    mac_check_sysctl
Check the trap table:
    mac_check_trap_table
Check the mig table:
    mac_check_mig_table
Check for file operations hooking:
    mac_check_fop
Check for inline kernel hooks:
    mac_check_inline_kernel
Check for hidden modules:
    mac_lsmod_iokit
    mac_lsmod_kext_map
Check for TrustedBSD hooks:
    mac_trustedbsd

File System Resources

List mount points:
    mac_mount
List cached files and their vnode addresses:
    mac_list_files
Extract cached files:
    mac_dump_file
        -q/--file_offset   Offset of vnode to dump
        -O/--outputfile    File path to write

Strings

Translate extracted strings:
    mac_strings
        -s/--string-file=FILE   Input strings.txt file

User Activity

Recover Adium messages, including OTR chat:
    mac_adium
Recover Calendar entries:
    mac_calendar
Recover contacts:
    mac_contacts