Introduction to Memory Forensics with Volatility 3

  • Published: 20 Nov 2024

Comments • 86

  • @silvertechnolo3958 2 years ago +14

    Just started learning memory forensics with "The Art of Memory Forensics" and wanted a nice little video to supplement my learning. So glad you're here 🤗 thanks a lot

    • @DFIRScience 2 years ago +1

      That's a great book! Let me know if you have any questions. Thank you!

  • @zerocool4580 1 year ago +1

    Excellent Video and thank you. The only thing I would add is, when I was trying to point Volatility to the .raw memory file I was receiving errors for permissions and so on. I then placed the .raw file in the same folder as the Volatility3 and it finally worked. Just in case others run into this issue.

    • @sruthisivaraman2290 1 year ago

      Hey there. I would like to know what to do if the translation requirement and symbol table requirement are not fulfilled while listing installed plugins?

  • @djnikx1 1 year ago +2

    👍Excellent presentation. Thank you!

  • @nk8681 11 months ago

    Thanks for this informative and extremely important video for those who need a start. There is a request: can you make a video on network artifacts for Linux memory forensics? I will be grateful to you. Thanks in advance.

  • @alfonzo7822 2 years ago

    I just wrote a massive post then lost it.. my PC and then subsequently my network got compromised back in June. Clean install did nothing. Microsoft, HP and Bitdefender say that since all virus scans are clear and the system has been reinstalled that it's fine.
    It's taken me literally months to get to the point where I have a good idea what is going on but still can't resolve it. Have seen boot files in Wireshark from specific IPs; my WinRE is empty so concluded it must be a PXE boot. Sure enough, managed to locate relevant files. However, I need more info to be able to work out safe removal as so far anything I do hasn't worked. Ran a massive memory dump and tried to use Volatility but couldn't get it going properly. However, this vid has helped a lot and fingers crossed I'll find the treasure :) thanks a lot for uploading this!

  • @dead_gawk 8 months ago +1

    Really enjoyed the class :)

  • @MrBitviper 1 year ago +1

    Awesome tutorial. This is very informative and easy to understand.
    Thank you so much for this.

  • @TheDarkMEXiCaN2020 2 years ago

    Can you make a follow up on the issues setting up when you are installing Microsoft tools? Maybe show us what we actually need?

  • @frooogle99 2 years ago +1

    Thank you! This video has been the best resource so far!! Much appreciate it man! 😊

  • @JoseGonzalez-zb2il 3 months ago +1

    Thanks for the video. I have a problem with this: Volatility could not import a necessary module: capstone.

  • @user-ne8hc3xf3d 2 years ago +1

    Volatility 2.6 didn't work for Win10 memory, but now I'm going to use Volatility 3. Really helpful video! Thanks. And could I write up those processes in my blog with citation? If you say "NO", I'll just memorize them in my head.

    • @DFIRScience 2 years ago

      Take a look at dfir.science/2022/02/Introduction-to-Memory-Forensics-with-Volatility-3
      The commands are listed under the video. But, yeah, if you want to put it in your blog, it's all good.

    • @sruthisivaraman2290 1 year ago

      I would like to know what to do if the translation requirement and symbol table requirement are not fulfilled while listing installed plugins?

  • @Fr4zn2pirit 2 years ago +1

    It's okay to hit like before starting the video correct? Because that's what I do before I watch any of your videos.

    • @DFIRScience 2 years ago

      Thank you so much! 😆

    • @PiperUsmc 2 years ago

      lol just did the same thing

  • @fianvar 2 years ago

    Thanks a lot. This explanation is very useful.

  • @JeffreyLaDouceur-wr3el 6 months ago +1

    The link is broken for Snappy, not sure where to go from there.

  • @carlosdanielbedoyramos4419 2 years ago

    Hello, will you have a video analyzing the RAM of a Linux system with Volatility 3?

  • @sruthisivaraman2290 1 year ago

    Hi thanks for the video. I would like to know what to do if the translation requirement and symbol table requirement are not fulfilled while listing installed plugins?

  • @andreelyusef3235 9 months ago

    Bro you rock! I am subscribing

  • @smithj7U 1 year ago +1

    I can't get the installation stuff to work. I know how to open Windows PowerShell in the TryHackMe attack room. So frustrating. Video after video and I can't get Volatility to be installed. 😞

    • @CyDig 1 year ago +1

      I installed Volatility 3 in Windows 11, and it works great.

  • @DaFunkyFRO 2 years ago

    Great video. Unfortunately hashdump and netstat don't seem to appear in the 2.4.0 framework (the latest pulled as of this posting)

    • @vtrhbr 2 years ago

      Hey, how did you end up using hashmap?

    • @bartkor1220 2 years ago

      yeah I tried using windows.netstat but it just errored

    • @vtrhbr 2 years ago

      @@bartkor1220 Yes, stop using this piece of software :D

  • @davidm1635 8 days ago

    It would be great to see this for ubuntu-22.04 (note: ubuntu-24.x memory protection stops its use) with vol3

  • @genesistorrico343 2 years ago

    thanks for the video! it was a great help

  • @shreyaskumar3091 9 months ago

    Hey there! Amazing video, but I got stuck at the part of the ACTF.mem file. I could not figure out from where to get that file.
    Kindly help.

  • @yastazik1982 2 years ago

    Very informative with great tips thanks 🙏🏻

  • @aarishfakih741 1 year ago +1

    I am not able to install python snappy... it says wheel is not supported... What should I do now?

    • @CyDig 1 year ago +1

      It is very simple to install and config

    • @galloe 8 months ago

      @@CyDig So explain it to them, don't be a dick.

  • @Dxxxxxk 1 year ago

    Thank you

  • @kerryhazelton5977 2 years ago

    Good stuff as usual!

  • @0galeicrum 1 year ago +1

    Hi, I have a question. At 28:25 I have my .hive file, but it's a bit confusing using the hex reader. I'm using Kali; is there an alternative to analyse this file?

    • @sruthisivaraman2290 1 year ago

      Hey there. I would like to know what to do if the translation requirement and symbol table requirement are not fulfilled while listing installed plugins?

  • @userewjonqk 1 year ago

    How should we know if there is malware in the field or in memory?

  • @adamgrumpy87 2 years ago

    Do you have to install all the C++ build tools or only the core ones?

    • @DFIRScience 2 years ago

      I believe core only would work.

  • @billbenhaim5332 2 years ago

    Hi, thanks for that video. I really want to replicate that memory dump by myself. Which Windows 10 x64 OS build did you use? And do you know which Windows 10 OS builds are supported by the Volatility version you used in the video?

    • @DFIRScience 2 years ago +1

      It was Windows 10 but the build was from about a year ago. You should get the same results with newer builds of Windows 10 and an updated version of Volatility. Use FTK Imager or Magnet RAM capture on Win10 and you should get what you need. Let me know if you don't get the same results!

    • @sruthisivaraman2290 1 year ago

      Hey there. I would like to know what to do if the translation requirement and symbol table requirement are not fulfilled while listing installed plugins?

  • @rushmid4639 4 months ago

    Appreciate you ♥

  • @juansanchez6685 2 years ago

    Great Video!

    • @DFIRScience 2 years ago

      Thanks! Hope it was helpful!

  • @fernandoalvaradomiranda9685 2 years ago

    Hey, how are you? Just a question: how do I know my correct version of Windows to download snappy?

  • @liveyourlifeplease 1 year ago

    Has anyone come across the idea of creating aliases for Volatility plugins, so we make the command line cleaner? --btw great video, thank you

  • @awakenerd1101 5 months ago

    What is the purpose of filtering Chrome? Does Chrome make connections to malware servers? I don't think so.
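The two comments above (cleaner command lines for Volatility plugins, and why one would filter on a browser process) are both about working with plugin output rather than reading the rendered table by eye. Filtering by process name is a normal triage move: either you isolate one process's connections, or you drop the processes that are expected to talk to the network (browsers, svchost.exe) so that anything left stands out. The following is an added example, not code from the video or from the Volatility project. It assumes the Volatility 3 entry point is `vol` on PATH and that `-r json` emits a JSON list of row objects keyed by the plugin's column names (for windows.netscan: Offset, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID, Owner, Created) plus a `__children` list; check those keys against your own version's output. The sample rows are constructed for illustration.

```python
"""Triage Volatility 3 windows.netscan output from a script instead of eyeballing the table.

Added example, not from the video or the Volatility project. Assumed: `vol` on PATH,
`-r json` yields a list of dicts keyed by the plugin's column names plus `__children`.
"""
import ipaddress
import json
import subprocess
from typing import Callable

# Processes that generate most connections on a desktop image. Dropping them shrinks
# the list for a first pass; this is a filter for triage, not a clean verdict on them.
EXPECTED_NETWORK_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}


def vol_command(image: str, plugin: str, *plugin_args: str, vol: str = "vol") -> list[str]:
    """argv for one Volatility 3 run: JSON renderer (-r json), no progress bar (-q)."""
    return [vol, "-q", "-r", "json", "-f", image, plugin, *plugin_args]


def _run(argv: list[str]) -> str:
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def run_plugin(image: str, plugin: str, *plugin_args: str,
               runner: Callable[[list[str]], str] = _run) -> list[dict]:
    """Run a plugin and return its rows. `runner` is injectable so this can be exercised without an image."""
    return json.loads(runner(vol_command(image, plugin, *plugin_args)))


def is_external(addr: object) -> bool:
    """True for a globally routable peer. Wildcards ('*'), None, loopback and RFC 1918 space are not.
    Note that ipaddress also treats documentation ranges (e.g. 203.0.113.0/24) as non-global."""
    try:
        return ipaddress.ip_address(str(addr)).is_global
    except ValueError:
        return False


def connections_for(rows: list[dict], owner: str) -> list[dict]:
    """Isolate one process's rows, i.e. what filtering the table on 'chrome.exe' gives you."""
    return [r for r in rows if (r.get("Owner") or "").lower() == owner.lower()]


def unexpected_connections(rows: list[dict], expected=EXPECTED_NETWORK_PROCESSES) -> list[dict]:
    """The complementary view: external peers owned by processes that normally have none."""
    return [r for r in rows
            if (r.get("Owner") or "").lower() not in expected and is_external(r.get("ForeignAddr"))]


def summarize(rows: list[dict]) -> list[str]:
    return [f"PID {r['PID']} {r['Owner']} -> {r['ForeignAddr']}:{r['ForeignPort']} {r['State']}"
            for r in rows]


# Constructed sample rows in the shape described above (not real capture data).
SAMPLE_NETSCAN = [
    {"Offset": 0xa1, "Proto": "TCPv4", "LocalAddr": "10.0.2.15", "LocalPort": 49712,
     "ForeignAddr": "142.250.74.78", "ForeignPort": 443, "State": "ESTABLISHED",
     "PID": 4120, "Owner": "chrome.exe", "Created": "2022-02-10 09:12:01", "__children": []},
    {"Offset": 0xa2, "Proto": "TCPv4", "LocalAddr": "10.0.2.15", "LocalPort": 49720,
     "ForeignAddr": "20.42.65.89", "ForeignPort": 443, "State": "ESTABLISHED",
     "PID": 1208, "Owner": "svchost.exe", "Created": "2022-02-10 09:12:05", "__children": []},
    {"Offset": 0xa3, "Proto": "TCPv4", "LocalAddr": "10.0.2.15", "LocalPort": 49733,
     "ForeignAddr": "93.184.216.34", "ForeignPort": 4444, "State": "ESTABLISHED",
     "PID": 7788, "Owner": "rundll32.exe", "Created": "2022-02-10 09:14:40", "__children": []},
    {"Offset": 0xa4, "Proto": "TCPv4", "LocalAddr": "10.0.2.15", "LocalPort": 49740,
     "ForeignAddr": "10.0.2.30", "ForeignPort": 445, "State": "ESTABLISHED",
     "PID": 5520, "Owner": "powershell.exe", "Created": "2022-02-10 09:15:02", "__children": []},
    {"Offset": 0xa5, "Proto": "TCPv4", "LocalAddr": "0.0.0.0", "LocalPort": 445,
     "ForeignAddr": "*", "ForeignPort": 0, "State": "LISTENING",
     "PID": 4, "Owner": "System", "Created": "2022-02-10 09:00:00", "__children": []},
]


if __name__ == "__main__":
    # On a real image: rows = run_plugin("ACTF.mem", "windows.netscan")
    for line in summarize(unexpected_connections(SAMPLE_NETSCAN)):
        print(line)
```

The powershell.exe row to 10.0.2.30 is deliberately not flagged: lateral movement over SMB inside the LAN is invisible to a filter that only keys on external peers, which is the caveat to keep in mind when the noise filter is the only thing you run. Pair it with windows.pstree so that an unusual parent for rundll32.exe or powershell.exe is caught on the process side.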

  • @Renglus 10 months ago

    For some reason, when doing the windows.handles nothing shows up at all, and when trying to dump a file, it just does a PDB scanning. I cannot find any answers to this problem on the internet

    • @SK-ju8si 4 months ago

      I am having the same problem. Did you solve it? Please let me know.

  • @vivekpadman5248 1 year ago +1

    Can somebody provide a link for example dump files

    • @CyDig 1 year ago +1

      You can create it by using FTK Imager or Magnet RAM Capture

  • @ikechukwuigbeka7743 6 months ago

    Please, I have an issue after installing Volatility 3. I get this error every time I try to run a command: "volatility: error: Please select a plugin to run". How do I get past this? Also, I've been unable to get python-snappy.

  • @rashmig2110 2 years ago

    I am unable to get the windows.cachedump.Cachedump option in my latest Volatility version. Please help.

  • @hammazahmed1289 9 months ago

    I was having a problem with checking the Python version. It was so trivial. It didn't work because on Windows I must also install Python from the Microsoft Store.

  • @jasonmoore4429 2 years ago +3

    The easiest way to get Python 3 to work with PowerShell: go to the MS Store.

    • @DFIRScience 2 years ago +2

      I don't know why I didn't even consider MS Store. Thanks for that!

  • @segunoludare8713 2 years ago

    It appears python-snappy isn't allowing the installation of "requirements.txt". Any help?

    • @DFIRScience 2 years ago +1

      You may need to download python-snappy and install it separately. I had the same trouble on Windows.
      pypi.org/project/python-snappy/

  • @stuna2754 2 years ago

    I don't see snappy v0.6.0 available at that link which is the required version for volatility3. is there another way to install snappy on windows?

    • @DFIRScience 2 years ago

      It's about 75% of the way down. They have v0.6.1. Here is the link for Win AMD64: download.lfd.uci.edu/pythonlibs/archived/python_snappy-0.6.1-cp311-cp311-win_amd64.whl

    • @stuna2754 2 years ago

      @@DFIRScience The requirements.txt for Volatility 3 says v0.6.0, so I'm not able to get it to work with v0.6.1.

  • @SoulJah876 2 years ago

    I don't seem to have hashdump - to the Googles.

    • @SoulJah876 2 years ago

      One can always count on the Googles :D

    • @DFIRScience 2 years ago

      Did you get the newest version of Volatility 3? (2.0.0+)? Did you find hashdump?

    • @SoulJah876 2 years ago

      @@DFIRScience yeah I had to pip the full requirements and then reinstall. I had only done minimal before.

  • @user-jh6yv1wh9w 2 years ago

    I downloaded "python_snappy-0.6.1-cp310-cp310-win_amd64.whl" and installed it using pip install.
    PowerShell told me
    "python-snappy is already installed with the same version as the provided wheel. Use --force-reinstall to force an installation of the wheel."
    And I tried "pip install -r .\requirements.txt" but I got "ERROR: Failed building wheel for python-snappy".
    How do I solve this problem?

    • @DFIRScience 2 years ago

      Try pip uninstall python-snappy then reinstall from the downloaded whl. You should not need to compile.

    • @user-jh6yv1wh9w 2 years ago

      @@DFIRScience I tried
      "pip uninstall python-snappy" and got
      "Successfully uninstalled python-snappy-0.6.1"
      Now I tried again
      "pip install python_snappy-0.6.1-cp310-cp310-win_amd64.whl" and got
      "Successfully installed python-snappy-0.6.1"
      And tried
      "pip install -r .\requirements.txt" and got
      "ERROR: Failed building wheel for python-snappy".
      PowerShell told me "fatal error LNK1181: can't open 'snappy.lib'"
      Please help me . . . :(

    • @DFIRScience 2 years ago

      @@user-jh6yv1wh9w Do you happen to have two versions of Python installed? That could be the conflict. Try removing all versions of Python and installing the newest version (3.10.7) from www.python.org/

  • @EvilSapphireR 10 months ago

    Is this eli the computer guy?

  • @liszadarling 2 years ago

    I'm stuck at snappy. Tried every single one for my laptop and none of them are supported. I've double-checked the build tools being installed correctly and they are. PowerShell is now saying "volatility error: please select a plugin to run". How do I resolve this? I need to get Volatility up and running for a project. Thanks!

    • @shoobfloof22 10 months ago

      Did you ever figure this out? I'm trying to install Python Snappy as well and getting the same issue. Just says it isn't a supported .whl on this platform
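Most of the snappy trouble in this thread ("is not a supported wheel on this platform", a cp311 wheel on a 3.10 interpreter, "how do I know my correct version of Windows") is the same problem: pip accepts a binary wheel only when the three tag groups in its filename (Python tag, ABI tag, platform tag) match the interpreter that runs pip. When no wheel matches, pip falls back to a source build, which on Windows is what produces "Failed building wheel for python-snappy" and the LNK1181 error about snappy.lib, because the native snappy library is not there to link against. The check below is an added example, not code from the video or from the Volatility project. It parses the wheel filename per PEP 427 and compares it with a CPython version and `sysconfig` platform string; exact platform matching is sufficient for the win_amd64 / win32 wheels discussed here, while manylinux and macOS tags have compatibility rules this does not model. The authoritative list is `pip debug --verbose`, which prints every tag the running pip accepts.

```python
"""Check whether a wheel's filename tags fit a given CPython interpreter.

Added example, not from the video or the Volatility project. Reproduces pip's
tag matching from the wheel filename alone (PEP 427 naming), for CPython only.
"""
import re
import sys
import sysconfig

# {name}-{version}[-{build}]-{python tag}-{abi tag}-{platform tag}.whl
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)


def parse_wheel(filename: str) -> dict:
    """Split a wheel filename into its tag lists (compressed tags such as py2.py3 expand)."""
    m = WHEEL_RE.match(filename)
    if not m:
        raise ValueError(f"not a wheel filename: {filename}")
    return {
        "name": m["name"],
        "version": m["version"],
        "py": m["py"].split("."),
        "abi": m["abi"].split("."),
        "plat": m["plat"].split("."),
    }


def interpreter_tags(version=None, platform=None):
    """Tags a CPython interpreter accepts. Defaults come from the interpreter running this code."""
    major, minor = version or sys.version_info[:2]
    # sysconfig gives 'win-amd64', 'win32', 'linux-x86_64'; wheel tags use underscores.
    plat = re.sub(r"[-.]", "_", platform or sysconfig.get_platform())
    py_tags = {f"cp{major}{minor}", f"py{major}{minor}", f"py{major}"}
    # CPython <= 3.7 also used a 'm' suffix (cp37m); ignored, the wheels in this thread are 3.10/3.11.
    abi_tags = {f"cp{major}{minor}", "abi3", "none"}
    return py_tags, abi_tags, plat


def mismatches(filename: str, version=None, platform=None) -> list[str]:
    """Which tag groups rule the wheel out for this interpreter; an empty list means installable."""
    w = parse_wheel(filename)
    py_tags, abi_tags, plat = interpreter_tags(version, platform)
    problems = []
    if not any(t in py_tags for t in w["py"]):
        problems.append("python tag")
    if not any(t in abi_tags for t in w["abi"]):
        problems.append("abi tag")
    if not any(t in ("any", plat) for t in w["plat"]):
        problems.append("platform tag")
    return problems


def wheel_supported(filename: str, version=None, platform=None) -> bool:
    return not mismatches(filename, version, platform)


if __name__ == "__main__":
    # The two wheel names that came up in the thread, against this interpreter and a 3.10 / 64-bit Windows box.
    for name in ("python_snappy-0.6.1-cp311-cp311-win_amd64.whl",
                 "python_snappy-0.6.1-cp310-cp310-win_amd64.whl"):
        print(name,
              "| here:", mismatches(name) or "ok",
              "| py3.10 win-amd64:", mismatches(name, (3, 10), "win-amd64") or "ok")
```

Run `python -c "import sys, sysconfig; print(sys.version_info[:2], sysconfig.get_platform())"` with the same `python` that pip uses; that is the version and platform to pass in, and it also exposes the two-interpreters situation mentioned later in the thread, since a `python` and a `pip` that belong to different installs will never agree on tags.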

  • @breves 9 months ago

    Hi there and thanks for posting! How did you dump the ntuser.dat (25:21)? I can't seem to find an option for that and windows.dumpfiles does not take the hive offset... EDIT: I used windows.filescan, thanks anyway.

  • @andrevm9410 2 years ago

    Great video!