To show you the power of Volatility, we decided to use a memory image from a system infected with known malware - Stuxnet. Why? Because this memory image is freely available, so you can download it and use it for training.
Let's start by collecting information about our image.
- To do this, start cmd.exe.
- Change the directory to the one with the Volatility Standalone Executable, and use the imageinfo plugin:
volatility_2.6_win64_standalone.exe -f X:stuxnet.vmem imageinfo

Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace ...
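Every later Volatility 2 plugin needs the profile that imageinfo just suggested, passed as --profile=..., so in practice the output above is parsed rather than read by eye. The following is an added example (not part of the original tutorial and not Volatility's own code) that extracts the suggested and instantiated profiles from imageinfo output and builds the command line for the next plugin; the sample output is a constructed re-typing of the lines quoted above, and the "No suggestion" string is assumed to be what imageinfo prints when no profile matches.

```python
import re

# Constructed sample: the imageinfo output quoted in the tutorial, re-typed
# here so the parser can run offline (the trailing "..." is the page's elision).
IMAGEINFO_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace ...
"""


def parse_suggested_profiles(output):
    """Return (suggested_profiles, instantiated_profile) from imageinfo text.

    Returns ([], None) when imageinfo found no KDBG match; the "No suggestion"
    marker is an assumption about Volatility 2's wording, not taken from the page.
    """
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", output)
    if not m:
        return [], None
    rest = m.group(1).strip()
    if rest.startswith("No suggestion"):
        return [], None
    instantiated = None
    im = re.search(r"\(Instantiated with ([^)]+)\)", rest)
    if im:
        instantiated = im.group(1).strip()
        rest = rest[:im.start()].strip()
    profiles = [p.strip() for p in rest.split(",") if p.strip()]
    return profiles, instantiated


def build_plugin_command(output, plugin, image,
                         exe="volatility_2.6_win64_standalone.exe"):
    """Build the argv for a follow-up plugin (e.g. pslist) using the profile
    imageinfo instantiated, falling back to the first suggestion."""
    profiles, instantiated = parse_suggested_profiles(output)
    profile = instantiated or (profiles[0] if profiles else None)
    if profile is None:
        raise ValueError("imageinfo suggested no profile; choose one manually")
    return [exe, "-f", image, "--profile=" + profile, plugin]


if __name__ == "__main__":
    print(" ".join(build_plugin_command(IMAGEINFO_OUTPUT, "pslist", "X:stuxnet.vmem")))
```

A wrong profile produces empty or garbage plugin output rather than an error, so checking that the instantiated profile matches the known OS of the image is worth the extra line.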