Blue Team Field Notes · DFIR · SOC · Vulnerability Management
Volatility 3

Essential Windows plugins

Modern memory analysis: automatic symbol resolution, Windows/Linux plugins and a reproducible investigation workflow.

System overview

vol -f memory.raw windows.info
vol -f memory.raw windows.envars
vol -f memory.raw windows.sessions

Processes

vol -f memory.raw windows.pslist
vol -f memory.raw windows.pstree
vol -f memory.raw windows.psscan
vol -f memory.raw windows.cmdline
vol -f memory.raw windows.getsids --pid 1234
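pslist walks the kernel's linked EPROCESS list, so a process unlinked by DKOM does not appear in it; psscan carves EPROCESS structures out of pool memory and therefore also finds unlinked and already-exited processes. The script below is an added example (not from the original notes or the Volatility project) that diffs the two plugins' JSON output. It assumes the layout of Volatility 3's `-r json` renderer (one dict per row keyed by column name, with `PID`, `Offset(V)` and `ExitTime` present) and embeds constructed sample rows so it runs without an image; the script name is hypothetical.

```python
"""Cross-check windows.pslist against windows.psscan.

Keying on the EPROCESS virtual offset rather than the PID avoids false
matches caused by PID reuse. A psscan-only row with ExitTime set is an
expected leftover of a terminated process; a psscan-only row that is
still running (no ExitTime) is unlinked and should be treated as hidden.

Assumed real-data invocation (Volatility 3 JSON renderer):
    vol -r json -f memory.raw windows.pslist > pslist.json
    vol -r json -f memory.raw windows.psscan > psscan.json
    python3 pscheck.py pslist.json psscan.json
"""
from __future__ import annotations

import json
import sys
from pathlib import Path


def _row(pid: int, ppid: int, name: str, offset: int, exit_time: str | None = None) -> dict:
    """Constructed row in the assumed shape of the JSON renderer's output."""
    return {"PID": pid, "PPID": ppid, "ImageFileName": name, "Offset(V)": offset,
            "CreateTime": "2024-03-01T08:00:00+00:00", "ExitTime": exit_time}


# Constructed sample data: four linked processes, plus two that only psscan sees.
_LINKED = [
    _row(4, 0, "System", 0xFFFFA10000080040),
    _row(368, 4, "smss.exe", 0xFFFFA100001A0080),
    _row(620, 520, "services.exe", 0xFFFFA10000330080),
    _row(900, 620, "svchost.exe", 0xFFFFA10000410080),
]
SAMPLE_PSLIST = json.dumps(_LINKED)
SAMPLE_PSSCAN = json.dumps(_LINKED + [
    # exited: ExitTime set, expected to show up only in psscan
    _row(2200, 900, "notepad.exe", 0xFFFFA10000520080, exit_time="2024-03-01T09:15:42+00:00"),
    # running but unlinked from the process list: hidden
    _row(1337, 900, "updater.exe", 0xFFFFA10000610080),
])


def load_rows(text: str) -> list[dict]:
    """Parse JSON-renderer output: a list of row dicts keyed by column name."""
    return json.loads(text)


def scan_only(pslist_rows: list[dict], psscan_rows: list[dict]) -> list[dict]:
    """Rows psscan found that pslist did not, matched on EPROCESS offset."""
    linked = {row["Offset(V)"] for row in pslist_rows}
    return [row for row in psscan_rows if row["Offset(V)"] not in linked]


def classify(rows: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split psscan-only rows into (hidden, exited) by the ExitTime column."""
    hidden = [r for r in rows if not r.get("ExitTime")]
    exited = [r for r in rows if r.get("ExitTime")]
    return hidden, exited


def report(pslist_text: str, psscan_text: str) -> dict:
    """Summarise the diff as sorted PID lists ready for the triage notes."""
    hidden, exited = classify(scan_only(load_rows(pslist_text), load_rows(psscan_text)))
    return {"hidden_pids": sorted(r["PID"] for r in hidden),
            "exited_pids": sorted(r["PID"] for r in exited)}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        pslist_text = Path(sys.argv[1]).read_text()
        psscan_text = Path(sys.argv[2]).read_text()
    else:
        pslist_text, psscan_text = SAMPLE_PSLIST, SAMPLE_PSSCAN
    print(json.dumps(report(pslist_text, psscan_text), indent=2))
```

Anything in `hidden_pids` gets the per-PID plugins (cmdline, dlllist, handles, vadinfo) next; the reverse case, a process in pslist but absent from psscan, is rare and usually means the pool tag was overwritten, which is itself worth noting.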

Network

vol -f memory.raw windows.netscan
vol -f memory.raw windows.netstat

Files and DLLs

vol -f memory.raw windows.filescan
vol -f memory.raw windows.dlllist --pid 1234
vol -f memory.raw windows.handles --pid 1234
vol -f memory.raw windows.dumpfiles --pid 1234

Detecting suspicious code

vol -f memory.raw windows.malfind
vol -f memory.raw windows.vadinfo --pid 1234
vol -f memory.raw windows.vadyarascan --pid 1234 --yara-rules 'rule mz { strings: $mz = {4d 5a} condition: $mz at 0 }'

Registry

vol -f memory.raw windows.registry.hivelist
vol -f memory.raw windows.registry.printkey --key 'Software\Microsoft\Windows\CurrentVersion\Run'
vol -f memory.raw windows.registry.userassist

Recommended triage order

info → pslist/pstree/psscan → cmdline → netscan
→ dlllist/handles → malfind/vadinfo → filescan/dumpfiles
→ registry → timeline and external validation
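To make the pass above reproducible, run every plugin through the JSON renderer, keep each output on disk, and write a manifest with the image hash, the exact command line, the exit code and a hash of each output, so a second analyst can re-run and diff. The runner below is an added example, not part of the original notes or of Volatility; it assumes `vol` is on PATH, that `-r json` and `-f` are given before the plugin name (global options) and `--pid` after it (plugin option), and the script name, output directory and stage split are this example's choices.

```python
"""Reproducible Volatility 3 triage runner.

Stage 1 runs the image-wide plugins in the recommended order; stage 2 runs
the per-PID plugins only for PIDs the analyst flags after stage 1.

Assumed usage:
    python3 triage.py memory.raw out/            # stage 1 only
    python3 triage.py memory.raw out/ 1234 4321  # plus per-PID plugins
"""
from __future__ import annotations

import hashlib
import json
import subprocess
import sys
import time
from pathlib import Path
from typing import Callable

IMAGE_WIDE = [
    "windows.info", "windows.pslist", "windows.pstree", "windows.psscan",
    "windows.cmdline", "windows.netscan", "windows.malfind", "windows.filescan",
    "windows.registry.hivelist", "windows.registry.userassist",
]
PER_PID = ["windows.dlllist", "windows.handles", "windows.vadinfo", "windows.getsids"]


def build_cmd(image: str, plugin: str, pid: int | None = None) -> list[str]:
    """Global options (-r, -f) precede the plugin; --pid is a plugin option."""
    cmd = ["vol", "-r", "json", "-f", image, plugin]
    if pid is not None:
        cmd += ["--pid", str(pid)]
    return cmd


def plan(image: str, pids: list[int]) -> list[list[str]]:
    """Ordered command list: image-wide plugins first, then per-PID plugins."""
    cmds = [build_cmd(image, p) for p in IMAGE_WIDE]
    for pid in pids:
        cmds += [build_cmd(image, p, pid) for p in PER_PID]
    return cmds


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the image through SHA-256 (images are far larger than RAM budget)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_cmd(cmd: list[str]) -> tuple[str, int]:
    """Default runner: vol writes JSON to stdout and progress to stderr."""
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.stdout, p.returncode


def run_triage(image: str, outdir: str, pids: list[int] = (),
               runner: Callable[[list[str]], tuple[str, int]] = run_cmd) -> dict:
    """Execute the plan, save every output and return the manifest written to disk."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = {
        "image": image,
        "image_sha256": sha256_file(Path(image)),  # chain-of-custody anchor
        "started": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "runs": [],
    }
    for cmd in plan(image, list(pids)):
        plugin = cmd[5]
        name = plugin + (f"_pid{cmd[-1]}" if "--pid" in cmd else "")
        stdout, rc = runner(cmd)  # a failing plugin is recorded, not fatal
        target = out / f"{name}.json"
        target.write_text(stdout)
        manifest["runs"].append({"cmd": cmd, "returncode": rc,
                                 "output": target.name,
                                 "output_sha256": sha256_bytes(stdout.encode())})
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    image, outdir, *pid_args = sys.argv[1:]
    m = run_triage(image, outdir, [int(p) for p in pid_args])
    print(f"{len(m['runs'])} runs, manifest in {outdir}/manifest.json")
```

Hash the image before the first plugin and again after the last one if the capture medium is shared; the two values in `manifest.json` are what you show when asked whether the evidence changed during analysis.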

Official references