Hello dear volatility community,
I am an ISE master's student at Ben-Gurion University in Israel, and I need your help.
My research deals with extracting many features from a Windows memory dump taken from vSphere snapshots (mostly Windows 2012 R2).
In order to extract as many features as possible I am using the Volatility framework, which helps me obtain the most basic features I need.
I want to leverage the Volatility framework even more so I can extract more valuable features.
Here is the list of features I want to try to extract from the memory:
- Obtaining the stack of all processes, or anything that can be deduced from it, for example the call sequence or function parameters.
- Gathering information about read or write actions that were happening while the snapshot was taken, or before.
- Finding / detecting usage of cryptographic keys in memory, especially asymmetric keys.
- Finding / detecting changes in the registry.
I hope this post is not too abstract, and that maybe you can help me start.
I first want to know whether what I am trying to do is even possible. Is Volatility the right tool?
If it is, where should I begin?
Appreciate your help!
Thanks,
Yuval