
Windows Forensics Cookbook by Scar de Courcier, Oleg Skulkin


How to do it...

To show you the power of Volatility, we use a memory image from a system infected with well-known malware, Stuxnet. We chose it because the image is freely available, so you can download it and use it for training.

Let's start by collecting information about our image.

  1. To do this, start cmd.exe.
  2. Change the directory to the one with the Volatility Standalone Executable, and use the imageinfo plugin:
     volatility_2.6_win64_standalone.exe -f X:\stuxnet.vmem imageinfo
     Volatility Foundation Volatility Framework 2.6
     INFO    : volatility.debug    : Determining profile based on KDBG search...
               Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                          AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                          AS Layer2 : FileAddressSpace ...
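The steps above are usually the first thing scripted in a memory triage: hash the image so later findings can be tied to the exact file examined, run imageinfo, and pull the Suggested Profile(s) line out so the chosen profile can be handed to every later plugin as --profile=. The helper below is an added example, not code from the book or from the Volatility project. It uses the same binary and image names as the recipe; the sample output embedded in it is constructed to match imageinfo's layout and is not a capture from the real stuxnet.vmem.

```python
"""Hash the evidence image, run Volatility 2.6 imageinfo, and parse its profile line.

Added example, not code from the book. The binary/image names match the
recipe; SAMPLE_IMAGEINFO is constructed to mirror imageinfo's layout and is
not a capture from the real stuxnet.vmem.
"""
import hashlib
import re
import subprocess

# Constructed sample output (same layout imageinfo prints; not a real capture).
SAMPLE_IMAGEINFO = """Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (X:\\stuxnet.vmem)
"""

# Matches "Suggested Profile(s) : A, B (Instantiated with A)" and
# "Suggested Profile(s) : No suggestion (Instantiated with ...)".
PROFILE_RE = re.compile(
    r"Suggested Profile\(s\)\s*:\s*(?P<list>[^(\n]+?)\s*"
    r"(?:\(Instantiated with (?P<inst>\w+)\))?\s*$",
    re.MULTILINE,
)
LAYER_RE = re.compile(r"AS Layer(?P<n>\d+)\s*:\s*(?P<val>.+?)\s*$", re.MULTILINE)


def sha256_file(path, chunk=1 << 20):
    """Hash the image before analysis so results can be tied to this exact file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_imageinfo(text):
    """Return the suggested profiles, the one Volatility instantiated, and the AS layers."""
    m = PROFILE_RE.search(text)
    if m is None:
        raise ValueError("no 'Suggested Profile(s)' line: is this imageinfo output?")
    raw = m.group("list").strip()
    profiles = [] if raw == "No suggestion" else [p.strip() for p in raw.split(",") if p.strip()]
    layers = {int(l.group("n")): l.group("val") for l in LAYER_RE.finditer(text)}
    return {"profiles": profiles, "instantiated": m.group("inst"), "layers": layers}


def choose_profile(info):
    """Take imageinfo's first suggestion. It is a heuristic: confirm with kdbgscan
    if later plugins print nothing or obvious garbage."""
    if not info["profiles"]:
        raise ValueError("imageinfo made no suggestion; run kdbgscan and choose manually")
    return info["profiles"][0]


def plugin_cmd(vol_exe, image, profile, plugin, *args):
    """Build the command line for a follow-up plugin using the chosen profile."""
    return [vol_exe, "-f", image, "--profile=" + profile, plugin, *args]


def run_imageinfo(vol_exe, image):
    """Run imageinfo and parse it. The INFO line goes to stderr, so both streams are merged."""
    proc = subprocess.run([vol_exe, "-f", image, "imageinfo"],
                          capture_output=True, text=True, check=True)
    return parse_imageinfo(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Offline demo on the constructed sample; on a real case call
    # sha256_file(image) first, then run_imageinfo(exe, image) instead of the sample.
    info = parse_imageinfo(SAMPLE_IMAGEINFO)
    profile = choose_profile(info)
    print("suggested:", info["profiles"], "instantiated:", info["instantiated"])
    print("next:", " ".join(plugin_cmd("volatility_2.6_win64_standalone.exe",
                                        "X:\\stuxnet.vmem", profile, "pslist")))
```

The hash is taken before any plugin is run and should be recorded alongside the profile in the case notes; if the image is re-hashed after the session and differs, every result is suspect. The parser also handles the "No suggestion" form imageinfo prints when no KDBG matches a known profile, which is where kdbgscan and a manual profile choice come in.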
