Volatility notes

When you start using Volatility for the first time, you will run into the same problem I did: should I use Volatility 2 or 3?

The version problems

The version situation is genuinely stressful: you have to keep vol2 and vol3 side by side, because some jobs need vol2 (vol3 doesn't have the equivalent plugin, or vol2 simply does the job better) and for other jobs it's the other way around.

So get used to it. Once you have installed both vol2 and vol3, set up an alias so that vol2's vol.py is invoked as vol2 (much clearer when both are on the same box). Add this to your .bashrc or .zshrc to make your life easier:

alias vol2='vol.py'

Practical Notes

How to fix annoying errors from volatility

You will come across these once or twice, or maybe a thousand times. I have been in that situation before, so here is how to fix them.

Installation and Plugins error

Symbol error (Vol3)

When you install vol3 from source, on the first run you will sometimes get this error:

How to dump the file

If, like me, you struggled with how to dump a file from memory when you started out in forensics, here is the flow I use [Dump File flow chart]:

Do you want to dump the file?

Then you first need its offset (physical address) in the memory image.
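The two-step flow above (find the file object's offset with filescan, then hand that offset to dumpfiles), as an added shell example that is not part of the original notes. It assumes Volatility 3 is on PATH as `vol`; the vol2 equivalents are in the comments, and the filescan output it parses is constructed sample text so the offset-extraction step can be checked without a memory image.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes). Assumes Volatility 3 is on PATH
# as `vol`; the vol2 equivalents are given in comments.

# Pull the physical offset of the first file whose path matches PATTERN out of
# filescan output read from stdin. Works for both layouts because the offset is
# the first column in each:
#   vol3 windows.filescan: "0xaa8e7c41a0b0  \Users\Bob\...\invoice.doc  216"
#   vol2 filescan:         "0x000000003e2f6070  16  0  R--r--  \Device\...\invoice.doc"
# Prints nothing if there is no match (the match is case-insensitive).
filescan_offset() {
  local pattern="$1"
  awk -v pat="$pattern" \
    '$1 ~ /^0x[0-9a-fA-F]+$/ && tolower($0) ~ tolower(pat) { print $1; exit }'
}

# Scan once, pick the offset, then dump that file object into OUTDIR.
dump_file() {
  local image="$1" pattern="$2" outdir="${3:-dumped}" offset
  offset=$(vol -f "$image" windows.filescan | filescan_offset "$pattern")
  if [ -z "$offset" ]; then
    echo "no file matching '$pattern' in filescan output" >&2
    return 1
  fi
  mkdir -p "$outdir"
  # vol2 equivalent (needs a profile):
  #   vol2 -f "$image" --profile=<PROFILE> dumpfiles -Q "$offset" -D "$outdir"
  vol -f "$image" -o "$outdir" windows.dumpfiles --physaddr "$offset"
}

# Constructed sample outputs so the parsing step can be checked without an image.
SAMPLE_VOL3='Volatility 3 Framework
Offset  Name  Size
0xaa8e7c3e64f0  \Windows\System32\cmd.exe  216
0xaa8e7c41a0b0  \Users\Bob\AppData\Local\Temp\invoice.doc  216
0xaa8e7c4f2c70  \Windows\System32\ntdll.dll  216'

SAMPLE_VOL2='Volatility Foundation Volatility Framework
Offset(P)            #Ptr   #Hnd Access Name
0x000000003e2f6070     16      0 R--r-- \Device\HarddiskVolume1\Windows\System32\cmd.exe
0x000000003e3a1a60      8      1 RW-rwd \Device\HarddiskVolume1\Users\Bob\Desktop\Invoice.DOC'
```

Usage against a real image is `dump_file mem.raw 'invoice.doc' out/`; note that filescan can return several file objects for the same path, and this helper just takes the first one.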

Plugins Links

https://github.com/superponible/volatility-plugins

Last updated 2 years ago