- Download Volatility.
- Get a memory sample to analyze.
- Run imageinfo as below to identify the image's profile.
C:\Users\admin\Desktop>volatility_2.6_win64_standalone -f windows.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (C:\Users\admin\Desktop\windows.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800027f90a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff800027fad00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2014-07-19 02:46:55 UTC+0000
Image local date and time : 2014-07-18 19:46:55 -0700
- Then look at the Suggested Profile(s) field.
- Run pslist as below with the first suggested profile, Win7SP1x64.
C:\Users\admin\Desktop>volatility_2.6_win64_standalone -f windows.raw --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
0xfffffa8000697040 System 4 0 74 509 ------ 0 2014-07-19 02:39:15 UTC+0000
0xfffffa800151cb30 smss.exe 224 4 2 29 ------ 0 2014-07-19 02:39:15 UTC+0000
0xfffffa8001be0b30 csrss.exe 316 308 8 414 0 0 2014-07-19 02:39:22 UTC+0000
0xfffffa8001bf5060 csrss.exe 352 344 8 248 1 0 2014-07-19 02:39:37 UTC+0000
0xfffffa8001bc2620 wininit.exe 360 308 3 75 0 0 2014-07-19 02:39:38 UTC+0000
0xfffffa8001bfe060 winlogon.exe 388 344 7 133 1 0 2014-07-19 02:39:38 UTC+0000
0xfffffa8001114b30 services.exe 448 360 7 197 0 0 2014-07-19 02:39:42 UTC+0000
0xfffffa8001f5a230 lsass.exe 464 360 7 555 0 0 2014-07-19 02:39:42 UTC+0000
0xfffffa8001f5db30 lsm.exe 472 360 9 144 0 0 2014-07-19 02:39:42 UTC+0000
0xfffffa80020bd060 svchost.exe 564 448 10 361 0 0 2014-07-19 02:39:45 UTC+0000
0xfffffa80012ed450 svchost.exe 636 448 10 258 0 0 2014-07-19 02:39:46 UTC+0000
0xfffffa8001488260 sppsvc.exe 820 448 5 160 0 0 2014-07-19 02:40:00 UTC+0000
0xfffffa8001f5fb30 svchost.exe 860 448 20 423 0 0 2014-07-19 02:40:01 UTC+0000
0xfffffa800159d060 svchost.exe 884 448 36 999 0 0 2014-07-19 02:40:01 UTC+0000
0xfffffa80021aeb30 svchost.exe 920 448 19 455 0 0 2014-07-19 02:40:02 UTC+0000
0xfffffa80021f5b30 svchost.exe 260 448 13 325 0 0 2014-07-19 02:40:25 UTC+0000
0xfffffa80021f9060 svchost.exe 252 448 17 471 0 0 2014-07-19 02:40:25 UTC+0000
0xfffffa8002299430 TrustedInstall 840 448 5 125 0 0 2014-07-19 02:40:27 UTC+0000
0xfffffa80022e0b30 spoolsv.exe 1128 448 12 273 0 0 2014-07-19 02:40:29 UTC+0000
0xfffffa800230eb30 svchost.exe 1156 448 19 306 0 0 2014-07-19 02:40:29 UTC+0000
0xfffffa8001c3cb30 svchost.exe 1804 448 15 235 0 0 2014-07-19 02:40:59 UTC+0000
0xfffffa8001ca33a0 SearchIndexer. 1880 448 15 755 0 0 2014-07-19 02:41:00 UTC+0000
0xfffffa8001c56910 SearchProtocol 1176 1880 10 449 0 0 2014-07-19 02:41:05 UTC+0000
0xfffffa8001440740 taskhost.exe 1760 448 8 192 1 0 2014-07-19 02:41:11 UTC+0000
0xfffffa8001c93b30 dwm.exe 1788 860 3 78 1 0 2014-07-19 02:41:11 UTC+0000
0xfffffa8001ef5060 explorer.exe 984 1868 41 1089 1 0 2014-07-19 02:41:12 UTC+0000
0xfffffa8001ce2060 regsvr32.exe 1848 984 0 -------- 1 0 2014-07-19 02:41:24 UTC+0000 2014-07-19 02:41:26 UTC+0000
0xfffffa8000e2cb30 wmpnetwk.exe 732 448 9 210 0 0 2014-07-19 02:42:00 UTC+0000
0xfffffa8000e81780 mscorsvw.exe 2344 448 7 95 0 1 2014-07-19 02:42:32 UTC+0000
0xfffffa8000ecbb30 mscorsvw.exe 2368 448 7 89 0 0 2014-07-19 02:42:33 UTC+0000
0xfffffa8000f2ab30 svchost.exe 2408 448 14 343 0 0 2014-07-19 02:42:34 UTC+0000
0xfffffa8001e8f520 SearchProtocol 2844 1880 8 280 1 0 2014-07-19 02:44:08 UTC+0000
0xfffffa80007503d0 WmiPrvSE.exe 2912 564 7 125 0 0 2014-07-19 02:44:32 UTC+0000
0xfffffa8002005b30 WinSCP.exe 2668 2580 6 165 1 1 2014-07-19 02:46:02 UTC+0000
0xfffffa8000f2d560 SearchFilterHo 548 1880 9 181 0 0 2014-07-19 02:46:09 UTC+0000
0xfffffa8000ef6960 DumpIt.exe 708 984 2 45 1 1 2014-07-19 02:46:52 UTC+0000
0xfffffa8000ed1060 conhost.exe 808 352 2 51 1 0 2014-07-19 02:46:52 UTC+0000
C:\Users\admin\Desktop>
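As an added example (not code from the page or the Volatility project), a parser for the whitespace-collapsed pslist rows above, followed by a check of the parent-child relationships a Windows 7 boot normally produces. The EXPECTED_PARENT table and the extra svchost.exe row with PID 3000 are constructed assumptions used to exercise the check; everything else is copied from the listing.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: rows copied from the pslist output above, plus one constructed
# row (svchost.exe PID 3000 parented by explorer.exe) to exercise the parent check.
PSLIST_SAMPLE = """\
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
0xfffffa8000697040 System 4 0 74 509 ------ 0 2014-07-19 02:39:15 UTC+0000
0xfffffa8001bc2620 wininit.exe 360 308 3 75 0 0 2014-07-19 02:39:38 UTC+0000
0xfffffa8001114b30 services.exe 448 360 7 197 0 0 2014-07-19 02:39:42 UTC+0000
0xfffffa80020bd060 svchost.exe 564 448 10 361 0 0 2014-07-19 02:39:45 UTC+0000
0xfffffa8001ef5060 explorer.exe 984 1868 41 1089 1 0 2014-07-19 02:41:12 UTC+0000
0xfffffa8001ce2060 regsvr32.exe 1848 984 0 -------- 1 0 2014-07-19 02:41:24 UTC+0000 2014-07-19 02:41:26 UTC+0000
0x000000000badc0de svchost.exe 3000 984 4 60 1 0 2014-07-19 02:45:00 UTC+0000
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC\+\d{4}"
# Columns: Offset Name PID PPID Thds Hnds Sess Wow64 Start [Exit]; Hnds and Sess may be dashes.
ROW = re.compile(rf"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+[01]\s+({TS})(?:\s+({TS}))?$")
# exit is set only for processes that have terminated but whose _EPROCESS is still listed.
Proc = NamedTuple("Proc", [("offset", str), ("name", str), ("pid", int), ("ppid", int),
                           ("start", str), ("exit", Optional[str])])

def parse_pslist(text: str) -> list:
    """Parse whitespace-collapsed pslist rows; the header and prompt lines simply do not match."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            off, name, pid, ppid, start, exit_ = m.groups()
            procs.append(Proc(off, name, int(pid), int(ppid), start, exit_))
    return procs
# Parent each core Windows 7 process normally has (well-known boot-time process genealogy).
EXPECTED_PARENT = {"csrss.exe": "smss.exe", "wininit.exe": "smss.exe", "winlogon.exe": "smss.exe",
                   "services.exe": "wininit.exe", "lsass.exe": "wininit.exe", "lsm.exe": "wininit.exe",
                   "svchost.exe": "services.exe"}

def check_parents(procs: list) -> list:
    """Return (name, pid, reason) for core processes whose parent is wrong or absent; an absent
    parent (e.g. the smss.exe instance that spawned wininit.exe and exited) gets its own reason."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in (q for q in procs if q.name in EXPECTED_PARENT):
        want, parent = EXPECTED_PARENT[p.name], by_pid.get(p.ppid)
        if parent is None:
            findings.append((p.name, p.pid, f"parent PID {p.ppid} not in listing"))
        elif parent.name != want:
            findings.append((p.name, p.pid, f"parent {parent.name} ({parent.pid}), expected {want}"))
    return findings
```

On the sample, wininit.exe is reported only because its smss.exe parent (PID 308) has already exited, while the constructed svchost.exe under explorer.exe is the genuine mismatch; the regsvr32.exe row is the one carrying an Exit time.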