Volatility Lab - MegChef/Systems GitHub Wiki
In this Volatility lab, we learned how to run Volatility on our Windows VM and used it to gather information about a memory image. The first piece of information we sought was the image's date and time; to get it we used `vol.exe -f imagename imageinfo`, where `imagename` must be replaced with the actual file name of the image. `imageinfo` also reports the suggested profile (the Windows version and service pack the image was taken from), which the later plugins need via `--profile`. The next piece of information we wanted was the process list, which we obtained with `vol.exe -f imagename pslist`; this shows each process's Process ID (PID), its parent PID, and how many threads and handles it has open. To see the full path and command line an application was started with, we used `vol.exe -f imagename cmdline`. Finally, we extracted the password hashes of the local accounts from the image with `vol.exe -f imagename hashdump`.
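The `pslist` and `cmdline` steps above become more useful when their outputs are joined on PID, so each process shows its handle count next to the full path it was started from. The following Python script is an added example written for this page, not code from the lab or from the Volatility project: it parses constructed samples of Volatility 2 `pslist` and `cmdline` output (embedded inline and made up for the example, not taken from any real image), joins them by PID, lists the children of a given PID, and flags processes whose `pslist` name does not match the file name in their command line. The function names and sample rows are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of Volatility 2 `pslist` output (made up for this
# example; not rows from the lab's image).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2010-08-11 06:06:53 UTC+0000
0x822a0598 csrss.exe               584    368      9      326      0      0 2010-08-11 06:06:54 UTC+0000
0x81e2ab28 explorer.exe           1464   1380     17      415      0      0 2010-08-11 06:09:29 UTC+0000
0x81e6d2c0 notepad.exe            2044   1464      1       33      0      0 2010-08-11 06:11:02 UTC+0000
"""

# Constructed sample of Volatility 2 `cmdline` output for the same PIDs.
CMDLINE_SAMPLE = """\
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    368
Command line : \\SystemRoot\\System32\\smss.exe
************************************************************************
csrss.exe pid:    584
Command line : C:\\WINDOWS\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,3072,512
************************************************************************
explorer.exe pid:   1464
Command line : C:\\WINDOWS\\Explorer.EXE
************************************************************************
notepad.exe pid:   2044
Command line : "C:\\WINDOWS\\system32\\notepad.exe" C:\\temp\\notes.txt
"""

_PID_LINE = re.compile(r"^(\S+) pid:\s+(\d+)\s*$")
_CMD_LINE = re.compile(r"^Command line : (.*)$")


def parse_pslist(text: str) -> List[Dict]:
    """Parse pslist rows into dicts with the columns the lab looked at."""
    procs = []
    for line in text.splitlines():
        fields = line.split()
        # Header, separator and blank lines do not start with an offset.
        if len(fields) < 6 or not fields[0].startswith("0x"):
            continue
        procs.append({"name": fields[1], "pid": int(fields[2]),
                      "ppid": int(fields[3]), "threads": int(fields[4]),
                      "handles": int(fields[5])})
    return procs


def parse_cmdline(text: str) -> Dict[int, str]:
    """Map PID -> command line. Blocks with no 'Command line' row (e.g. System)
    are left out, so callers can tell 'no command line' from 'unknown PID'."""
    cmdlines: Dict[int, str] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        m = _PID_LINE.match(line)
        if m:
            current = int(m.group(2))
            continue
        m = _CMD_LINE.match(line)
        if m and current is not None:
            cmdlines[current] = m.group(1).strip()
    return cmdlines


def executable_path(cmdline: str) -> str:
    """Return the executable part of a command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:] if end == -1 else cmdline[1:end]
    return cmdline.split(" ", 1)[0]


def join_processes(pslist_text: str, cmdline_text: str) -> List[Dict]:
    """Join pslist and cmdline output on PID: handle count and full path together."""
    cmdlines = parse_cmdline(cmdline_text)
    procs = parse_pslist(pslist_text)
    for p in procs:
        cmd = cmdlines.get(p["pid"])
        p["cmdline"] = cmd
        p["path"] = executable_path(cmd) if cmd else None
    return procs


def children_of(procs: List[Dict], pid: int) -> List[str]:
    """Names of the processes whose parent PID is `pid`."""
    return [p["name"] for p in procs if p["ppid"] == pid]


def without_cmdline(procs: List[Dict]) -> List[int]:
    """PIDs that pslist knows but cmdline has no command line for."""
    return [p["pid"] for p in procs if p["cmdline"] is None]


def name_mismatches(procs: List[Dict]) -> List[int]:
    """PIDs whose pslist name is not a prefix of the file name in their command line.
    pslist shows _EPROCESS.ImageFileName, which holds at most 15 characters, so a
    prefix test (case-insensitive, since explorer.exe appears as Explorer.EXE) avoids
    false hits on long names. A hit is a reason to look closer, not proof of anything."""
    bad = []
    for p in procs:
        if not p["path"]:
            continue
        basename = p["path"].replace("/", "\\").rsplit("\\", 1)[-1]
        if not basename.lower().startswith(p["name"].lower()):
            bad.append(p["pid"])
    return bad


if __name__ == "__main__":
    procs = join_processes(PSLIST_SAMPLE, CMDLINE_SAMPLE)
    for p in procs:
        print(f'{p["pid"]:>5} {p["name"]:<16} handles={p["handles"]:<4} path={p["path"]}')
    print("children of 1464:", children_of(procs, 1464))
    print("no command line:", without_cmdline(procs))
    print("name mismatches:", name_mismatches(procs))
```

To use this against a real image, save the two plugin outputs first (`vol.exe -f imagename --profile=PROFILE pslist > pslist.txt` and the same for `cmdline`, with `PROFILE` taken from `imageinfo`) and pass the file contents to `join_processes` in place of the constructed samples.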
This lab was very insightful. I now have a better understanding of how Volatility works. I can also gather important information from images using the commands we used in the lab. I especially liked it when we had the chance to find out information about an image that we chose. I feel as though that part really solidified my understanding of how Volatility works. My favorite part of this lab was when we learned a shortcut to Command Prompt through File Explorer.