insmod lime-3.2.0-49-generic.ko "path=/tmp/ubuntu1204.dump format=lime"


vol.py -f ubuntu1204.dump --profile=LinuxUbuntu1204_3_2_0_49x64 linux_ifconfig


svn checkout http://volatility.googlecode.com/svn/trunk Volatility


./vol.py -h


./vol.py --info


zip Ubuntu1304_3_8_0_26.zip modules.dwarf/boot/System.map-3.8.0-26-generic


vol.py -f victoria-v8.memdump.img --profile LinuxDebian5_26x86 linux_cpuinfo


export VOLATILITY_PROFILE=LinuxDebian5_26x86
export VOLATILITY_LOCATION=file:///tmp/victoria-v8.memdump.img


strings -td victoria-v8.memdump.img | egrep '(\.tar|\.tgz|.\tar\.gz)'


vol.py  linux_dentry_cache > bodyfile


vol.py linux_find_file -i 0xcf033e48 -O /tmp/passwd


<Listing 1>
vol.py --info | grep Win

<Listing 2>
vol.py --info | grep Linux

<Listing 3>
strings victoria-v8.memdump.img | grep vmlinuz
kernel /vmlinuz root=/dev/hda2 ro
strings victoria-v8.memdump.img | grep 2.6.26-2-686 | grep -i title

<Listing 4>
vol.py -f victoria-v8.memdump.img --profile LinuxDebian5_26x86 linux_cpuinfo

<Listing 5>
vol.py linux_mount
vol.py linux_arp
vol.py linux_netstat
vol.py linux_psaux | egrep  '(2065|2169)'
vol.py  linux_bash

<Listing 6>
strings -td victoria-v8.memdump.img | awk '$1>253507000 && $1 < 253509999 {print}'

<Listing 7>
mactime -b bodyfile > bodyfile.mac
cat bodyfile.mac

<Listing 7>
vol.py  linux_find_file -F "/etc/passwd"