The Volatility Framework and PStools-CST 640

Week 9: The Volatility Framework and PStools

It is always better to collect IR data manually first, because acquiring the RAM of a compromised system can sometimes cause the system to freeze. In the Week 9 lab, we used PStools to capture IR information and then used DumpIt to collect the RAM of our Windows machine in MARS.

The free Python-based tool Volatility can be used to parse this RAM image to look for artifacts such as network connections or running processes. We will use the Volatility Framework to parse the RAM collected from the MARS Windows machine.

Help anyone on your Forensics team if they are having trouble or issues getting through the lab. It is encouraged!

You can discuss any of the Volatility plugins (to list them, type volatility_2.6_win64_standalone.exe -h).

You can also discuss any of the PStools that we copied to our YOURNAME-IR Drive. See below:

If someone on your Forensics team has already picked a Volatility plugin or PStool, pick a different Volatility plugin or PStool to discuss with your team.
