The Volatility software may be downloaded from here. It also comes pre-installed with Backtrack 5 R3, which I am presently using. I have also explained how to take a memory dump using Helix ISO at the end of the document for the people who might be new to it.

For performing analysis using Volatility we need to first set a profile to tell Volatility what operating system the dump came from, such as Windows XP, Vista, Linux flavors, etc. We have a memory dump with us and we do not know what operating system it belongs to, so we use the imageinfo plug-in to find this out.

From the above screenshot, we can see that Volatility suggests using the profile for Windows XP SP2 x86 or Windows XP SP3 x86. The default profile for Volatility is WinXPSP2x86 if we do not specifically set a profile. Here is the list of the available profiles in Volatility. We can see all the Windows profiles here; the Linux profiles will be included in future updates. So, if we are using Linux, we will need to create our own profile.

This plug-in gives us the option to view all running processes on the particular system at the time the memory dump was taken. The above screenshot shows a clear view of all the processes running during the memory dump.
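As an added example (not code from the original write-up), here is a small Python helper that reads the "Suggested Profile(s)" line of imageinfo output, falls back to the WinXPSP2x86 default when Volatility offers no suggestion, and builds the process-listing command with the chosen profile. The vol.py command name, the dump path and the sample imageinfo output are assumptions/constructed, modelled on the Volatility 2 output format.

```python
import re
import shlex
import subprocess

DEFAULT_PROFILE = "WinXPSP2x86"  # what Volatility uses when --profile is omitted

# Constructed sample of imageinfo output (not a real capture), in the Volatility 2 layout.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.x
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                           DTB : 0x319000L
"""

def suggested_profiles(imageinfo_output):
    """Return the profiles named on the 'Suggested Profile(s)' line, in the order given."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not m:
        return []
    names = re.sub(r"\(.*?\)", "", m.group(1))  # drop the '(Instantiated with ...)' note
    profiles = [p.strip() for p in names.split(",") if p.strip()]
    # Volatility prints 'No suggestion' when the KDBG scan finds nothing usable.
    return [p for p in profiles if p.lower() != "no suggestion"]

def choose_profile(imageinfo_output):
    """Pick the first suggested profile; report whether it was suggested or just the default."""
    profiles = suggested_profiles(imageinfo_output)
    if not profiles:
        return DEFAULT_PROFILE, False
    return profiles[0], True

def pslist_command(dump_path, profile, vol="vol.py"):
    """Command line for the process-listing plug-in with an explicit profile."""
    return [vol, "-f", dump_path, "--profile=" + profile, "pslist"]

def triage(dump_path, vol="vol.py"):
    """Run imageinfo, select the profile, then list processes (needs Volatility installed)."""
    info = subprocess.run([vol, "-f", dump_path, "imageinfo"],
                          capture_output=True, text=True, check=True).stdout
    profile, explicit = choose_profile(info)
    if not explicit:
        print("no profile suggested; falling back to the default", DEFAULT_PROFILE)
    cmd = pslist_command(dump_path, profile, vol)
    print("running:", " ".join(shlex.quote(c) for c in cmd))
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    import sys
    print(triage(sys.argv[1]))  # e.g. python triage.py /path/to/memory.raw (assumed path)
```

When imageinfo lists several profiles, the first one is only a best guess; if pslist returns empty or nonsensical output, rerun it with the next suggested profile.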