
VolExp Help

memoryforensics1 edited this page Apr 5, 2020 · 2 revisions
Volatility Explorer Help:

This program can run as a Volatility plugin or as a separate process (which uses the Volatility API and some of its plugins).

In this Help window, keyboard shortcuts are shown inside square brackets [].

Main process tab:

Menu help:

File:
Save / Save As - Save the current state of the analysis so it can be loaded later (.atz file type).
Exit - Exit the program.
View:
Open Sub View:
<Sub View Name> - Open a new view as another tab to the main tabs.

Registry Explorer [ctrl+r] - A regedit-like tool that shows all the keys found in this image. It runs automatically on first load. Click "View Keys" to view key data (using the Volatility registryapi). https://github.com/memoryforensics1/info/blob/master/RegView.png

MFT Explorer [ctrl+m] - Explorer-like tool that lists all the files and directories (somewhat verbose, but there is a search bar [ctrl+s] to help you) with timestamps and other MFT data (using the mftparsegui plugin, which builds on the mftparser plugin). https://github.com/memoryforensics1/info/blob/master/Explorers.png

File Explorer [ctrl+e] - Explorer-like tool that lists all the files and directories found, can dump a single file, and has a search bar [ctrl+s] (using the filescangui plugin, which builds on the filescan plugin). https://github.com/memoryforensics1/info/blob/master/FilesExplorer.png

WinObj Explorer [ctrl+w] - Explorer-like tool that lists all the Windows objects in their object directories (similar to WinObj from Sysinternals) and has a search bar [ctrl+s] (using the winobjgui plugin, which builds on the winobj plugin). https://github.com/memoryforensics1/info/blob/master/Explorers.png

Process Tree [ctrl+t] - Restore the process tree to its parent/child order (after sorting the table by a column).

System Information [ctrl+i]- Show related system information.

Services [ctrl+s]- Display all the services in this memory dump with related information (using svcscan plugin).

Select Columns [ctrl+c] - Allows you to choose which of the available columns are displayed in this table.

Process:

Dlls [ctrl+d] - Display all the DLLs of the selected process.

Handles [ctrl+h] - Display all the handles of the selected process.

Network [ctrl+n] - Display all the network information of the selected process.

Find:
Find Handles and Dlls - Search for handles and DLLs across all processes (double-clicking a result jumps to that process and to the matching DLL/handle).
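The search above runs over data the GUI has already collected from Volatility's dlllist and handles plugins. The following is an added example, not VolExp's own code: it performs the same cross-process search over the plain-text output of `vol.py dlllist` and `vol.py handles` (the Volatility 2.6 column layout, with or without the LoadTime column), so the same question can be answered from the command line. The sample plugin output embedded below is constructed for illustration and is not taken from a real image.

```python
"""Search handles and DLLs across every process in Volatility 2 text output.

Added example, not VolExp code. Parses the text output of `vol.py dlllist`
and `vol.py handles` (Volatility 2.6 layout) and searches all processes at
once. The sample output below is constructed; real output uses a single
column layout throughout, the sample mixes both to exercise the parser.
"""
import re
from typing import Dict, Iterable, List, NamedTuple


class Hit(NamedTuple):
    pid: int
    process: str
    kind: str    # "dll" or the handle type (File, Key, Mutant, ...)
    value: str   # DLL path or handle details


# "explorer.exe pid:   1524" header that opens each dlllist section
_PROC_RE = re.compile(r"^(\S+)\s+pid:\s+(\d+)\s*$")
# Base Size LoadCount [LoadTime] Path; the optional LoadTime is skipped lazily
# and the path is everything from the first "\" or "X:\" onward (spaces allowed)
_DLL_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+"
    r"(?:.*?\s)?((?:[A-Za-z]:)?\\.*)$")
# Offset(V) Pid Handle Access Type Details (Details may be empty)
_HANDLE_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+"
    r"(\S+)\s*(.*?)\s*$")


def parse_dlllist(text: str) -> List[Hit]:
    """One Hit per loaded module, tagged with the owning process name and PID."""
    hits, pid, name = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        m = _PROC_RE.match(line)
        if m:
            name, pid = m.group(1), int(m.group(2))
            continue
        m = _DLL_RE.match(line)
        if m and pid is not None:
            hits.append(Hit(pid, name, "dll", m.group(4)))
    return hits


def parse_handles(text: str, names: Dict[int, str]) -> List[Hit]:
    """One Hit per handle; `names` maps PID -> process name (from dlllist)."""
    hits = []
    for raw in text.splitlines():
        m = _HANDLE_RE.match(raw.strip())
        if m:
            pid = int(m.group(2))
            hits.append(Hit(pid, names.get(pid, "?"), m.group(5), m.group(6)))
    return hits


def find(term: str, entries: Iterable[Hit]) -> List[Hit]:
    """Case-insensitive substring match on the value or on the handle type."""
    t = term.lower()
    return [h for h in entries if t in h.value.lower() or t in h.kind.lower()]


def search_all(term: str, dlllist_text: str, handles_text: str) -> List[Hit]:
    dlls = parse_dlllist(dlllist_text)
    names = {h.pid: h.process for h in dlls}
    return find(term, dlls + parse_handles(handles_text, names))


# Constructed sample output (not from a real image).
SAMPLE_DLLLIST = r"""
************************************************************************
explorer.exe pid:   1524
Command line : C:\WINDOWS\Explorer.EXE

Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000001000000           0x100000             0xffff C:\WINDOWS\Explorer.EXE
0x000000007c900000            0xaf000             0xffff C:\WINDOWS\system32\ntdll.dll
0x0000000010000000            0x1c000                0x1 C:\Documents and Settings\user\Local Settings\Temp\evil.dll
************************************************************************
svchost.exe pid:    880
Command line : C:\WINDOWS\system32\svchost -k rpcss

Base                             Size          LoadCount LoadTime                       Path
------------------ ------------------ ------------------ ------------------------------ ----
0x0000000001000000             0x6000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\WINDOWS\system32\svchost.exe
0x000000007c900000            0xaf000             0xffff 1970-01-01 00:00:00 UTC+0000   C:\WINDOWS\system32\ntdll.dll
"""

SAMPLE_HANDLES = r"""
Offset(V)          Pid             Handle             Access Type             Details
------------------ --------------- ------------------ ------------------ ---------------- -------
0x8a0a6278         1524            0x4                0x1fffff Process          System(4)
0x8a2b1c40         1524            0x1c               0x1f0001 Mutant           _!MSFTHISTORY!_
0xe1e0c3f8         1524            0x44               0x20019  Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
0x8a1d57f8          880            0x7c               0x100020 File             \Device\HarddiskVolume1\WINDOWS\system32
0x8a2f0a18          880            0x84               0x1f0001 Mutant
"""

if __name__ == "__main__":
    for hit in search_all("ntdll", SAMPLE_DLLLIST, SAMPLE_HANDLES):
        print(hit)
```

Feed it real output with `vol.py -f <image> --profile=<profile> dlllist > dlllist.txt` and `... handles > handles.txt`; a term that only appears under one unexpected process (a DLL loaded from a Temp directory, or a Run key handle held by a process that has no business with autostart) is exactly what the GUI's colour/notes workflow is meant to flag.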
Plugins:
<Plugin Name> [ctrl+p] - Run the selected plugin and display its output in a separate cmd-like window (from which you can run further plugins).
Dump:

Dump Registry Hives - Dump all registry hive files (using the dumpregistry plugin).

Dump Event Log - Dump the event log files (.evtx, using the dumpfiles plugin).

Dump Certs - Dump all certificates from memory (using dumpcerts plugin).

Options:
Options [ctrl+o]- Show options menu and allows you to change different options.


Process Right Click:

Copy:
<Field Name> - Copy this specific field from the selected process to the clipboard.

ProcDump - Dump this process.

HexDump - Dump this process and display a HexDump of this process file.

Color:
<Color> - Allows you to color processes as suspicious|clean for your analysis (Recommended: Take a note why this process is suspicious|clean in the properties>image tab).
Plugins:
<Plugin Name> - Run the selected plugin on the selected process (Volatility ...<plugin name> -p <process pid>) and display the output in a new tab under that process's properties -> <plugin name>.
Virus Total:

Upload To VirusTotal - Dump this file and upload it to VirusTotal.

VirusTotal (Check Hash) - Check the hash of this file against the VirusTotal database (without uploading the file).

Note! This option will run in real time --> it may take a couple of seconds.
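The hash check is the privacy-preserving option: a hash lookup reveals only the digest, whereas an upload hands a process image that may contain credentials, documents or other memory-resident data to a third party. Bear in mind that a PE rebuilt from memory (procdump output) rarely hashes to the same value as the file on disk, so a "not found" answer for a dumped process is common and is not evidence of anything. The following is an added example, not VolExp's own code, of doing the lookup by hand: it assumes the VirusTotal API v3 endpoint GET https://www.virustotal.com/api/v3/files/{sha256} with an x-apikey header; the sample bytes and the sample report are constructed.

```python
"""Check a dumped file's hash against VirusTotal without uploading it.

Added example, not VolExp code. Assumes VirusTotal API v3:
GET https://www.virustotal.com/api/v3/files/{sha256} with an "x-apikey"
header. SAMPLE_REPORT below is a constructed response, not real data.
"""
import hashlib
import json
import urllib.error
import urllib.request
from typing import Optional

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file so a large procdump output need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_lookup_request(sha256_hex: str, api_key: str) -> urllib.request.Request:
    """GET /files/{hash} sends only the digest, never the file contents."""
    digest = sha256_hex.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a hex SHA-256 digest")
    return urllib.request.Request(
        VT_FILES_URL + digest,
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def summarize_report(report: dict) -> dict:
    """Reduce a /files/{hash} response to the fields an analyst reads first."""
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    return {
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "undetected": stats.get("undetected", 0),
        "names": attrs.get("names", [])[:5],
    }


def check_hash(sha256_hex: str, api_key: str,
               opener=urllib.request.urlopen) -> Optional[dict]:
    """Return a summary, or None when VT has never seen this hash (HTTP 404)."""
    req = build_lookup_request(sha256_hex, api_key)
    try:
        with opener(req, timeout=30) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


# Constructed sample response in the shape of a v3 /files/{hash} reply.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "attributes": {
            "names": ["evil.dll", "update.dll"],
            "last_analysis_stats": {
                "malicious": 3, "suspicious": 1, "undetected": 60, "harmless": 0,
            },
        },
    }
}

if __name__ == "__main__":
    import sys
    digest = sha256_of_file(sys.argv[1])          # path to the dumped file
    print(digest, check_hash(digest, sys.argv[2]))  # second arg: API key
```

Run it as `python vt_check.py <dumped file> <api key>`; only the digest leaves the analysis machine. The 404 branch is deliberate: an unknown hash should come back as "no verdict", not as an exception, so the caller can decide separately whether uploading is acceptable for this case.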

Vad Information:

Display all the memory mapped regions of this process with detailed information (by analyzing the vads). https://github.com/memoryforensics1/info/blob/master/VadInformation.png

Note! This option will run in real time --> it may take a couple of seconds.

Struct Analysis:

Run the structanalysis plugin with type _EPROCESS and the address of the selected process's _EPROCESS struct to analyze that struct. https://github.com/memoryforensics1/info/blob/master/StructAnalyzer.png

Note! This option will run in real time --> it may take a couple of seconds.

Properties [Double Click]- Open properties tab:

Image - Display process basic information, has a comment tab and buttons to go to the process's working directory and file path. https://github.com/memoryforensics1/info/blob/master/ImageProperties.png

Imports - Display all the process's imports (if this tab can't be clicked, the impscan plugin hasn't finished running on this process yet; try again later. An empty table means the plugin found nothing).

Performance - Display process's performance information.

Services - Display all the services related to this process (using svcscan plugin).

Threads - Display all the process's threads.
HexDump [Double Click] - Display the HexDump/disassembly at the thread's start address. Struct Analysis - Open a new tab with the structanalyze plugin.

TcpIp - Display all network information (using netscan plugin).

Security - Display all the security-related information (using both the privs and getsids plugins; if the tables are not shown yet, the plugins haven't finished running).

Environment - Display all the process environment variables.

Job - Display all the process's connected jobs.



PE Right Click:

Copy:
<Field Name> - Copy this specific field from the selected dll to the clipboard.

Dump PE - Dump this PE.

HexDump - Dump this PE and display a HexDump of this PE file.

Color:
<Color> - Allows you to color the PE as suspicious|clean for your analysis (Recommended: take a note why this PE is suspicious|clean in the properties>PEimage tab of that PE).
Properties [Double Click]- Open properties tab:

https://github.com/memoryforensics1/info/blob/master/PeProeprties.png

PEImage - Display the PE's basic information, has a comment tab (with an option to pin this comment to this specific PE across all processes), and a button to go to the PE file in the File Explorer.

PEImports - Display all the PE imports.

PEExports - Display all the PE exports.

PEImageStrings - Display the strings found in the PE image (file).

PEMemStrings - Display the strings present in memory.

Note! This option will run in real time --> it may take a couple of seconds.



General Gui Help:

Explorer:
All explorer tabs (File Explorer, MFT Explorer, WinObj Explorer) are Windows-Explorer-like GUIs that display all the files and directories found; directories are colored yellow. Each explorer has a search bar [ctrl+f].
Search <something>:
All search tabs (from File Explorer, MFT Explorer, WinObj Explorer) let you find files/directories by an attribute of the target file/directory. The results are displayed in a table; double-clicking a row jumps to that item.
Registry Viewer (RegView):
The RegView displays all the hives; expand a hive/key to show its subkeys. Pressing the "Search Data (Slow)" button searches the key data and displays the path of matching keys (the RegView GUI is unavailable while the search runs). Double-clicking a value displays its data in a HexDump.
HexDump:
Displays the data in hexdump format; a separate tab shows only the string data.
Tables:
Much of the GUI is presented as tables, which share the following options:
Menus:
Header Menu:

Select Columns [ctrl+c]- Allows you to select columns from all the available columns for this table.

Default Columns - Return the table's columns to their default state.

Hide Column - Hide this column.

Resize Column [Select on column header]- Resize this column to fit.

Resize All Columns - Resize all columns to fit.

Item Menu:
Copy:
<Field Name> - Copy this field from the selected item to the clipboard.