This course on memory forensics with Volatility 3 aims to teach learners how to extract information from memory images of Windows, macOS, and Linux systems. By the end of the course, students will be able to perform tasks such as listing processes, checking network connections, extracting files, and conducting basic Windows Registry analysis using Volatility 3. The course covers the installation of Volatility 3, basic commands, and advanced memory analysis techniques. The intended audience for this course includes digital forensic investigators and individuals interested in memory analysis for investigative purposes. The teaching method involves practical demonstrations and hands-on exercises using Volatility 3.
Overview
Syllabus
Introduction to Volatility 3
Install Volatility 3 on Windows
Volatility first run check
Find the path of your target memory image
Get RAM image info with windows.info
Listing installed plugins
Get process list from RAM with windows.pslist
Filter Volatility output with PowerShell Select-String
Find process handles with windows.handles
Dump a specific file from RAm with windows.dumpfile
Dump all files related to a PID
Check executable run options with windows.cmdline
Find active network connections with windows.netstat
Find local user password hash with windows.hashdump
Analyze user actions with windows.registry.userassist
Find and dump Registry hives from RAM with windows.registry.hivelist
Analyze a specific Registry key from RAM with windows.registry.printkey
Intro to Volatility 3 review
Taught by
DFIRScience
