Overview
We use Volatility3 to analyze a memory dump and extract three items:
- Name of the user that used the machine.
- Name of the machine (computer name).
- Non-local IPv4 address of the machine.
For an installation guide, click here.
Prerequisites
- Volatility3 installed and accessible as `vol` (or use `python -m volatility3`, depending on the install).
- The memory dump file available (examples use `/path/to/analyse-memoire.dmp`).
Step 1 - Find the user
Command
vol -f /path/to/analyse-memoire.dmp windows.envars | grep -Ei 'USERNAME'
What to look for
- Environment variables contain `USERNAME` entries.
- Look for accounts tied to interactive processes (e.g., `powershell.exe`, `explorer.exe`, `OneDrive.exe`).
Result
- User: `userfcsc-10`
Step 2 - Find the machine (COMPUTERNAME)
Command
vol -f /path/to/analyse-memoire.dmp windows.envars | grep -Ei 'COMPUTERNAME'
What to look for
- The `COMPUTERNAME` environment variable contains the machine name.
Result
- Machine (COMPUTERNAME): `DESKTOP-JV996VQ`
Step 3 - Find a non-local IPv4 address
Command
vol -f /path/to/analyse-memoire.dmp windows.netscan
What to look for
- Inspect the `LocalAddr` column for IP addresses that are not `127.0.0.1` or `0.0.0.0`.
- Prefer addresses bound to real adapters (e.g., `10.x.x.x`, `192.168.x.x`, `172.16.x.x`).
Result
- Non-local IPv4: `10.0.2.15`
Notes & tips
- If `vol` is not in your `PATH`, run Volatility3 like:
  python -m volatility3 -f /path/to/dump <plugin> ...
- Use `| grep -i` to quickly find env variables, but review the surrounding lines in case values wrap.
- Save `netscan` output to a file for easier inspection:
  vol -f file.dmp windows.netscan > netscan.txt
  less netscan.txt
- If multiple candidate IPs appear, choose the one tied to a real network adapter and associated with established connections.
Flag assembly
Template
FCSC{<username>:<computername>:<ipv4>}
With the findings above:
FCSC{userfcsc-10:DESKTOP-JV996VQ:10.0.2.15}
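The three steps and the flag assembly above can be scripted over the saved plugin output, so the selection rules (interactive process for the user, loopback and wildcard binds excluded, private ranges preferred for the address) are applied consistently instead of by eye. The script below is an added example, not part of the original write-up and not Volatility3's own code; the two text samples inside it are constructed to mimic the column layout of `windows.envars` and `windows.netscan`, and the regex of interactive process names is an assumption taken from the hint in Step 1. On a real dump you would redirect the plugin output to files and pipe those files through the same functions.

```shell
#!/bin/sh
# Added example (not part of the original write-up). It parses text in the
# column layout of the Volatility3 plugins used above, which you would
# first capture from the dump:
#   vol -f /path/to/analyse-memoire.dmp windows.envars  > envars.txt
#   vol -f /path/to/analyse-memoire.dmp windows.netscan > netscan.txt
# The two samples below are CONSTRUCTED for this example; pipe the real
# files through the same functions when working on a dump.

# windows.envars columns: PID Process Block Variable Value
# The svchost.exe rows mimic a service process whose USERNAME is the machine
# account rather than a person, which is why the write-up says to look at
# interactive processes such as explorer.exe.
ENVARS_SAMPLE='PID Process Block Variable Value
820 svchost.exe 0x1a0000 COMPUTERNAME DESKTOP-JV996VQ
820 svchost.exe 0x1a0000 USERNAME DESKTOP-JV996VQ$
3104 explorer.exe 0x2b0000 COMPUTERNAME DESKTOP-JV996VQ
3104 explorer.exe 0x2b0000 USERNAME userfcsc-10
3104 explorer.exe 0x2b0000 USERPROFILE C:\Users\userfcsc-10'

# windows.netscan columns: Offset Proto LocalAddr LocalPort ForeignAddr
# ForeignPort State PID Owner Created. A "-" stands in for an empty State
# column so the fields stay aligned for awk. 203.0.113.0/24 is a
# documentation range used here as a stand-in remote peer.
NETSCAN_SAMPLE='Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0xe0a1 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 900 svchost.exe 2021-01-01
0xe0a2 TCPv4 127.0.0.1 49664 127.0.0.1 49665 ESTABLISHED 1200 OneDrive.exe 2021-01-01
0xe0a3 TCPv4 169.254.83.7 137 0.0.0.0 0 LISTENING 4 System 2021-01-01
0xe0a4 TCPv4 10.0.2.15 49700 203.0.113.10 443 ESTABLISHED 1200 OneDrive.exe 2021-01-01
0xe0a5 UDPv4 10.0.2.15 137 * 0 - 4 System 2021-01-01
0xe0a6 TCPv6 :: 445 :: 0 LISTENING 4 System 2021-01-01'

# find_envar VAR [PROCESS_REGEX]: print the first value of VAR from envars
# output on stdin, optionally only from processes matching PROCESS_REGEX
# (the interactive-process list is an assumption taken from Step 1).
find_envar() {
    awk -v var="$1" -v proc="${2:-.}" '
        NR > 1 && $4 == var && $2 ~ proc { print $5; exit }'
}

# find_non_local_ipv4: from netscan output on stdin, print the LocalAddr
# most likely to be the machine address: dotted-quad IPv4 only, loopback and
# wildcard binds dropped, RFC 1918 ranges preferred, then addresses that
# carry an ESTABLISHED connection, then first seen. Link-local 169.254/16
# gets no preference, so it only wins when nothing better is present.
find_non_local_ipv4() {
    awk '
        NR == 1 { next }                                   # header row
        $3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }  # not IPv4
        $3 == "127.0.0.1" || $3 == "0.0.0.0" { next }      # local binds
        {
            if (!seen[$3]++) order[++n] = $3
            if ($7 == "ESTABLISHED") established[$3] = 1
        }
        END {
            best = ""; bestscore = -1
            for (i = 1; i <= n; i++) {
                a = order[i]; s = 0
                if (a ~ /^10\./ || a ~ /^192\.168\./ || a ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) s += 2
                if (established[a]) s += 1
                if (s > bestscore) { best = a; bestscore = s }
            }
            if (best != "") print best
        }'
}

# assemble_flag USER HOST IP: build the flag in the challenge template.
assemble_flag() {
    printf 'FCSC{%s:%s:%s}\n' "$1" "$2" "$3"
}

user=$(printf '%s\n' "$ENVARS_SAMPLE" | find_envar USERNAME 'explorer|powershell|OneDrive')
host=$(printf '%s\n' "$ENVARS_SAMPLE" | find_envar COMPUTERNAME)
ip=$(printf '%s\n' "$NETSCAN_SAMPLE" | find_non_local_ipv4)
assemble_flag "$user" "$host" "$ip"
```

Running it prints `FCSC{userfcsc-10:DESKTOP-JV996VQ:10.0.2.15}`. Calling `find_envar USERNAME` without the process filter returns the service account from the `svchost.exe` row instead, which is the trap Step 1 warns about; with a real dump, replace the two `printf` pipelines with `find_envar USERNAME '...' < envars.txt` and `find_non_local_ipv4 < netscan.txt`.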