# vol.py linux_mount
Volatile Systems Volatility Framework 2.3_beta
[...]
sysfs rw,nosuid,nodev,noexec
udev /dev tmpfs rw
tmpfs /lib/init/rw tmpfs rw,nosuid
/dev/sda1 / ext3 rw
none /proc proc rw,nosuid,nodev,noexec
devpts /dev/pts devpts rw,nosuid,noexec
usbfs /proc/bus/usb usbfs rw,nosuid,nodev,noexec
tmpfs /dev/shm tmpfs rw,nosuid,nodev
[...]
# vol.py linux_arp
Volatile Systems Volatility Framework 2.3_beta
[:: ] at 00:00:00:00:00:00 on lo
[192.168.56.1 ] at 0a:00:27:00:00:00 on eth0
[192.168.56.101 ] at 08:00:27:28:5a:cc on eth0
# vol.py linux_netstat
Volatile Systems Volatility Framework 2.3_beta
UDP 0.0.0.0:111 0.0.0.0:0 portmap/1429
TCP 0.0.0.0:111 0.0.0.0:0 LISTEN portmap/1429
UDP 0.0.0.0:769 0.0.0.0:0 rpc.statd/1441
UDP 0.0.0.0:38921 0.0.0.0:0 rpc.statd/1441
TCP 0.0.0.0:39296 0.0.0.0:0 LISTEN rpc.statd/1441
UDP 0.0.0.0:68 0.0.0.0:0 dhclient3/1624
UNIX /dev/log
UNIX /var/run/acpid.socket
TCP :::22 :::0 LISTEN sshd/1687
TCP 0.0.0.0:22 0.0.0.0:0 LISTEN sshd/1687
TCP :::25 :::0 LISTEN exim4/1942
TCP 0.0.0.0:25 0.0.0.0:0 LISTEN exim4/1942
TCP 192.168.56.102:43327 192.168.56.1:4444 ESTABLISHED sh/2065
TCP 192.168.56.102:43327 192.168.56.1:4444 ESTABLISHED sh/2065
TCP 192.168.56.102:43327 192.168.56.1:4444 ESTABLISHED sh/2065
TCP 192.168.56.102:25 192.168.56.101:37202 CLOSE sh/2065
TCP 192.168.56.102:25 192.168.56.101:37202 CLOSE sh/2065
TCP 192.168.56.102:56955 192.168.56.1:8888 ESTABLISHED nc/2169
# vol.py linux_psaux | egrep '(2065|2169)'
Volatile Systems Volatility Framework 2.3_beta
2065 0 0 sh
2169 0 0 nc 192.168.56.1 8888
# vol.py linux_bash
Volatile Systems Volatility Framework 2.3_beta
Pid Name Command Time Command
-------- -------------------- ------------------------------ -------
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get remove exim4
[...]
2042 bash 2011-02-06 14:04:39 UTC+0000 scp yom@192.168.56.1:/home/yom/temporary/exmi4/* .
[...]
2042 bash 2011-02-06 14:04:39 UTC+0000 vi update-exim4.conf.conf
2042 bash 2011-02-06 14:04:39 UTC+0000 update-exim4.conf
2042 bash 2011-02-06 14:04:39 UTC+0000 halt
2042 bash 2011-02-06 14:04:39 UTC+0000 reboot
2042 bash 2011-02-06 14:04:39 UTC+0000 whereis gcc
2042 bash 2011-02-06 14:04:39 UTC+0000 whereis memdump
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get install memdump
2042 bash 2011-02-06 14:04:39 UTC+0000 halt
2042 bash 2011-02-06 14:04:39 UTC+0000 ifconfig
2042 bash 2011-02-06 14:04:39 UTC+0000 ping 192.168.56.1
2042 bash 2011-02-06 14:04:39 UTC+0000 mount
2042 bash 2011-02-06 14:04:39 UTC+0000 sudo dd if=/dev/sda | nc 192.168.56.1 4444
[...]
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get install memdump
2042 bash 2011-02-06 14:04:39 UTC+0000 netstat -ant
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get install ddrescue
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get install dcfldd
2042 bash 2011-02-06 14:04:39 UTC+0000 ls /dev/kmem
2042 bash 2011-02-06 14:04:39 UTC+0000 ls /dev/mem
2042 bash 2011-02-06 14:04:39 UTC+0000 halt
2042 bash 2011-02-06 14:04:39 UTC+0000 ifconfig
2042 bash 2011-02-06 14:04:39 UTC+0000 ifconfig
2042 bash 2011-02-06 14:04:39 UTC+0000 reboot
2042 bash 2011-02-06 14:04:46 UTC+0000 ifconfig
2042 bash 2011-02-06 14:24:43 UTC+0000 dd if=/dev/sda1 | nc 192.168.56.1 8888
2042 bash 2011-02-06 14:42:29 UTC+0000 memdump | nc 192.168.56.1 8888