Is your PC hacked? RAM Forensics with Volatility

Don't forget, there will be a live workshop event right after this video premiers on discord.tpsc.tech. Maybe we'll do something special and try to clean the system using your suggestions. Everyone is welcome to join. :) Links:
Volatility (Command Line Interface) -- For this tool, be sure to review the documentation within the -h command
www.volatilityfoundation.org/releases
Dump It -- Tool used to create dump files -- remember to rename your dump to .mem file extension
github.com/thimbleweed/All-In-USB/blob/master/utilities/DumpIt/DumpIt.exe?raw=true
Volatility GUI -- User Friendly Version of the utility tested
www.osforensics.com/tools/volatility-workbench.html

About 10 years ago I use to do this remote. I had the best resolve rate, best single call rate, best customer care rate. I was fired for not doing more calls per day, because as far as they are concerned leaving a customer with some malware was ok as long as the system worked for a couple of weeks.

I like the way you do not hide anything from and you do not assume we know anything about the subject. You did a great video as to why and how to do. Great job, please keep up the great work!

I've had one very nasty virus where it would let me do everything BUT: open task manager, type in any word resembling 'virus' or 'antivirus' anywhere, or visit any site like avast. It was impressive really, how polite it was in letting me do work but not allowing me to get rid of it. :D

Instantly subbed after this video. Looking forward to diving deeper into this channel. I’m a gen X who started using computers with apple IIe. These days I consider myself very capable of avoiding infections in the first place but have never been able to be sure of that other than knowing my system is running well and being able to spot evidence well. So I believe. Lol
Will be trying out some of this stuff to see if I can find anything.

Very informative. I've been out of the computer space since 2002. I was once the go to guy to fix everyones computers, not anymore lol. Glad there is a channel like this to get me caught up.

Great video! Volatility is such an amazing tool. I used Volatility 2 extensively but haven't had the opportunity to use 3 as much so far. The developers are all some of the smartest people I've ever met.

6:00 You can also open cmd (or any executable really) in the current directory by just entering 'cmd' in the path bar
10:20 note that basically anything can be encrypted in RAM or anywhere

I'd love to see more. Your content is always great, Leo.

Great tools you introduced. I know Windows, comfortable with the command line, and appreciate your thorough explanation of how to approach the troubleshoot. Some viruses will resist getting the dump off the computer anyway. Often I just restart with no network (cable unplugged/WiFi disabled) - that stops many viruses from completing their execution long enough to get the thumb drive to cooperate for a moment.

Im satisfied and slightly impressed how consisely you speak. An obvious good perk for creating informative videos that surprisingly many lack on youtube I believe.

Thank you very much for this video. I got here randomly but I love how much insight this provided me.

awesome, thanks for your work and efforts Leo :)

In the SANS FOR508 course, they advise running netscan over netstat as this scans through the entire memory dump looking for network activity, including from processes unlinked from the VAD tree. Netstat is limited to just the network activity that is easy to find. If a process is unlinked from the VAD tree netstat would not find it. The same applies with psscan vs pslist.

That was an amazing video, keep the awesome work!

Interesting. I get pretty lost on newer stuff. I was certainly not very familiar with OS files, but back when I helped people with this sort of thing, I often got pretty lucky picking out processes that just "didn't look right".
Of course, you really knew you were on to something when it would just immediately restart after you shut it down or started open even more processes.
Lately I've been more interested in how people are hacked, and there can be a lot of parallels, but not much in the way of repair software, lol.

Excellent ! this is exactly what I am looking for
Kindly do more such related videos !

for the api key generation, go to the main page, ones your signed in, hover over your account on top right corner, press account details, on the bottom, there is a generate key option, press it, then copy the key and enter it on the 'enter api key'

Great work, great channel

Thank You, I will be learning this tool for sure.

Excellent video and good to learn some tools here for my STEM students learning Cyber Security. We don’t teach hacking, but this looks like a good topic to put on next summers Cyber Camp. Thanks

Excellent analysis! Would love to know more about the disinfection process!

All I say is ... ThankU!!! very imformative. Keep the good work going.

This video got me subbed to channel. Very informative. Thank you for this great content. I am aspiring to become cybersecurity expert and videos like these just keep me motivated on my way.

This is really helpful!

Hello and thank you for those well explained videos. I am just starting to learn commands and fix my windows by removing unwelcome stuff put in my system.

Great video thanks Leo!

so this is excellent content, about 10 years ago i used to do this type of analysis for virus infections, but 3rd party software like rkill, adwcleaner (before being bought by malwarebytes) and even malwarebytes sort of made this type of investigation pointless
the combo of those three software were good enough to track down like 99.9% of all infections in a quarter of the time this type of analysis required so i just stopped doing this type of analysis. thanks for making this video, gives me a place to start to familiarize myself with the common tools these days for proper virus removal now adwcleaner was mostly destroyed by malwarebytes, and malwarebytes itself no longer is half as good as it used to be... (especially now they've disabled virus removal on domain pcs)

You should make a follow up video on how to isolate malware like this! I think it would help a lot of people especially because most people would just wipe the system and reinstall windows. I think it would be good for the world to learn the basics of cyber security like that so they can isolate malware on their systems and save their precious data! Just a suggestion, love your video!

great information, Please keep up the videos, excellent quality and presentation ❤

Thanks for the info, I will refer back to this for reference.👍

It comes with exposure to the windows file system. Run the Forensics on a "clean" install of windows get some screen shots and you will see the difference when you run into the compromised files. Yes I know that some of the files will be different due to the type of machine that you are working on but this will give you a baseline reference of the system files. Build your own toolbox and keep them on a USB. Some free some you have to pay for but very handy This is a start of reverse software engineering it comes over time on looking for what is bad and is compromising the machine. Dig deeper and learn how hackers are using system files to get their stuff to run on windows.

That's useful, but it's worth mentioning for all the non-technical people: you can do most of this on your system without creating a memory dump.

Brilliant video!! Thank you, so much!

damn that intezer analyze is p good i'd actually recommend anyone to skip the grunt work and just do the analysis like that cause its free and you dont gotta worry that u missed something

It would be cool if there were automatic filters for every version of windows, that hide any expected traffic. That's probably more accurate then doing it with your own tired eyeballs.

Followed your advice and tried out Intezer... pretty cool stuff. found some things that seemed to stop executing once the dynamic analysis in the sand box begins... do you think that the malware could be aware that it is in a sandbox or do you think that intezer would pick up on those kinds of evasion techniques?

DumpIt and the FTK Imager gave me an BSOD, but Magnet DumpIt from MagnetForensics did the job, thanks for the good video

Nicely done. Subbed

Best 14min Ive spent all month. Thank you!

Great video as always but why did you not include links to the software you used?
Like Dumpit and ftk

Hi, I really appreciate your amazing video. I have a question.
So are these the type of malwares that AV can't detect? Because can't we boot in safe mode and plug in a USB with the antivirus installed and run a scan? Or are these too advanced for AV to detect as they can mimick real process?

Thanks for this, this helped me see all the trackers google or windows uses to sell my data. Which is pretty gnarly on its own .

Love security videos. Thanks for sharing.

I'm seriously lacking in malware removal for Windows 10. A lot of my tools worked great for Windows XP/7. Now that I found this channel, I'm grabbing all the tools mentioned! As of today, Volatility cannot be downloaded. On Brave, a new tab opens then closes immediately. I used Edge and it tries to download but says it can't securely.

Please post a good link for the ftk imager. It leads me to fill out a form of which organization I belong to, and I have no such thing. The Volatility workbench keeps crashing on me. Also, is there a way to make vol.exe work with a .raw file like the one produced from DumpIt? or is there a way to transform the raw file to a .mem file?
Thank you.

This was super interesting. Thanks!

I love how you went through changing a directory in the CLI... lol. I don't think the venn diagram of people who can't CD and people interested in memdump forensics overlap...

I ran this dump it app and ran it got a blue screen instantly 😭

I got dumpit but whenever I open it and input "y" - before I can hit enter, the computer goes blue screen and I get a "system service exception" error...

This channel is at another level. :D

Reykjavik, Weird. I also sub to Just Icelandic & he posted a vid today about the capitol of Iceland. Anywho, Always a pleasure learning new things from you.

You know... this might sound weird, but I keep having dreams about getting hacked, really badly and that I wouldn't be able to do anything unless I trace it down and confront the attacker/s, so it makes me feel useless, I just find it weird that not only have I been having dreams about someone trying to absolutely ruin my life specifically, but now without even peeping a word into my mic I get these videos recommended to me, I mean I thank you because this is knowledge I am more than happy to take in, especially after my own head is coming up with dumb weird scenarios in my sleep XD

But how do you remove that mallware or close that unwanted connection?

I’m going to try this, thanks!

Great stuff, thank you !

Hi! I'm a layman in this area and I just happened to watch this video because YT recommendations, and I really find it interesting.
I would just like to ask, what's the next step? Like after finding out the malicious files, what do we do with them? Do we just delete them? Or is there another program to use to remove them?
Thanks in advance!

Hi, how can i safely transfer the memory dump to another machine withou risking contamination? Thank you for sharing such valuebla knowledge!

you can also write cmd in the path text box and hit enter it will open command prompt at your current location.

This is way too much to expect anyone but the most experienced to perform and get right.
Never assume that malware always will be found running in memory at the time of your dump, it won't.
My methods of cleanup, gathered over 31+ years, don't look at memory dumps. Not anymore.
But for regular users, If you think you're hacked or constantly infected, visit me or take it to a professional.
Sometimes it's just worth it to backup your data, virus scan the data and wipe the drive.
I've removed malware that survived drive wipe, so even that can fail, unless you know how and where to look.
Thanks for the video. Thought I knew every tool Passmark makes, evidently not.

I seem to get a constant blue screen error every time I try to dump my memory regardless of whether Im using DumpIt.exe or FTK Images? Could I get some advice on what to do?

The volatility workbench keeps soft crashing or locking at 52.04% during the Scanning Layer_name using PDBSignatureScanner any ideas what might cause this ?

This reminds me back when I was new to PCs(and probably a bit quicker wit).
I could tell any process or program that didn't belong, find and manually delete and zero the section of the drive.
Reverse engineer and edit already compiled programs in hex/text editors...
A few too many bonks to the head, and the fact good habits lead to infections being edgecases, I just don't remember anymore.
I'm well out of practice.
I do remember, and still to this day, that I can touch something and it just work.
So subconsciously I guess it's still there, but I can't tell or explain how I managed it.
Even my passwords are just muscle memory, I don't know them most of the time.
*_/back_in_my_day_*

Very nice video. thanks for the tips

I'm only going to say, it wasn't THAT heavily infected if you were able to run several tools on it.

What about just using Process Explorer with the VirusTotal feature enabled?
It checks the hash of everything running in ram.

Volatility didn't seem to like the file DumpIt generated, so I used FTK Imager and it worked perfectly. Thanks.

I can't wait for the follow up video

when I try to use volatility, I get an error. Does this mean my system is compromised?
I tried on a different system too. Same error. "Failed to obtain process list" even though it is windows.
I also noticed I get a .raw when I use dumpit, whilst you get a .mem file

Thank you for using your IT-superpowers for good. One question though: wouldn't an antivirus program have catched any of this?

Awesome video please I would love to watch more videos like that 👍

Thank you this is amazing

I wonder why my computer just crashes when I try to use dumpit of the other tool.. interesting. Really no reason for my system to even be infected but the crashing got me paranoid

Everytime I run any program that trys to create a MEMORY DUMP FILE (Dumpit, FTX Imager) the computer crashes immediately. Any ideas how to get past this?

Thank you for information

Great video! Thanks!

it gives me the error.. failed to obtain processlist this could be to selection wrong platform? XD im on windows and selected windows.

So, is there a recommended way to clean all this malware? Or is it very much situational?

This would have been really cool to know during my 1st year of Cyber Security and Forensics

Thanks, please do more, subscribed and liked.

Once these problems are identified, how are they solved?

Hacked? Good luck, I'm behind 7 Boxxies!

Imho it is crazy to upload your data to some service to analyze them :P

This looks really interesting I might try this on my PC just for curiosity.

Hi there, when I run the dumpit.exe file and enter "y"... blue windows screen appears with the message... "your device ran into an problem and it needs to restart". After restart I can see .raw file but its only 4 MB. What to do?

dumpit bluescreened my pc and fucked up my ram. thank you!

I prefer to use some of the older tools available and creating memory rumps directly from the command line if available on the operating system I am working with. Some of the newer software out there I have seen, tested or used is often times what I call internet locked, sometimes its a good idea not to let the "attacker" know what you are doing, while you are doing it. That being said, its an interesting newer tool. However you can get a lot of similar scanning and dump analyzation and process analyzation through other or built in means. I just don't like the entire, sign in and use my tool deal. Its always bugged me, hence I like to use other resources used by corporate security firms.

Thanks u for this, When are you doingthe follow up video

Hi can you resolve Disk 100% bug in Win10 i3 running with HDD. I tried every method from google. No luck

If your computer had a root kit, wouldn't you have to suspect that the memory dump is incomplete? After all, the program making the memory dump would be running on top of the root kit.

Thank you for the valuable knowledge.
Is there a benefit in this process over simply booting into some free antivirus OS, updating the catalogue and scanning the entire hard drive for malicious software?

Great video. Thanks

6:08 a small tip: once you click the path, you can also type cmd right on it and then shift enter to open cmd on that path with administrator privileges

What if the malicious program recognized what you were trying to do and tampered with that ram dump file, and you didnt have another PC?

Good stuff thank you

Thanks! Found some malware. I was worried the pc gets hot when sleeping, now I know why. there was a miner working

Firmware viruses are practically impossible to remove. The CPU, for example, contains several hidden filesystems.

Be careful before you upload your memory dumps into some "security tools" you don't know or trust.
Might as well steal all your passwords and everything.
And i hope that tool can filter known file hashes and known IP addresses by default.
Pretty big waste of time to check them all manually.

Thank you 👍👌

this tutorial is so great im speechless.