Skip to main content

Data Carving


File Carving​

On-Disk Files​

Purpose: Extract an individual file that was loaded into memory from the filesystem.

  1. Identify File Physical Address: Run filescan to locate file objects in memory and identify the physical address for the specific file.

    vol.py -f <image> --profile=<profile> filescan | grep <file_name>

    Note the physical address (e.g., 0x0000000006439800) of the target file from the output.

  2. Dump File from Memory: Use the identified physical address with dumpfiles to extract the file.

    vol.py -f <image> --profile=<profile> dumpfiles -n -F DataSectionObject -Q <physical_address> -D <output_dir>

Vol3 Equivalent

Vol3 dumpfiles uses the virtual address from filescan output (the Offset column), not the physical address.

# Find the file
vol3 -f <image> windows.filescan | grep <file_name>

# Dump using virtual address from the Offset column
vol3 -f <image> windows.dumpfiles --virtaddr <virtual_address>

# Dump all files matching a pattern
vol3 -f <image> windows.dumpfiles --filter <file_name>

Output is written to the current working directory β€” run from your output folder or redirect with a path.


Windows Event Log Carving​

On-Disk Files​

Purpose: Extract Windows Event Log files (.evtx) that were loaded into memory from the filesystem.

  1. Identify Event Log File Physical Address: Run filescan to locate event log files in memory.

    vol.py -f <image> --profile=<profile> filescan | grep -iE "\.evtx?$"

    Note the physical address of the target file.

  2. Dump File from Memory: Use the identified physical address with dumpfiles.

    vol.py -f <image> --profile=<profile> dumpfiles -n -F DataSectionObject -Q <physical_address> -D <output_dir>

Dumping All Event Log Files
vol.py -f <image> --profile=<profile> filescan | grep -iE "\.evtx?$" > filescan-evt_files
while read line; do
vol.py -f <image> --profile=<profile> dumpfiles -n -F DataSectionObject \
-Q $(echo $line | awk '{print $1}') -D <output_dir>
done < filescan-evt_files
Vol3 Equivalent
# Dump all .evtx files
vol3 -f <image> windows.dumpfiles --filter ".evtx"
After Extraction

Extracted .evtx files can be opened in Windows Event Viewer, or parsed on Linux with:

python3 -m evtx.evtx_dump <file.evtx> | less
# or
chainsaw search -t "Sigma" --sigma /rules/ <output_dir>/

Process Carving​

Process Executable (On-Disk)​

Purpose: Extract a process executable file that was loaded into memory from the filesystem. This retrieves the original on-disk binary β€” useful as a baseline to compare against the in-memory version.

  1. Identify Target Process: Run pslist and cmdline to identify the process and its executable path.

    vol.py -f <image> --profile=<profile> pslist
    vol.py -f <image> --profile=<profile> cmdline -p <PID>

    Note the PID and executable name from the output.

  2. Identify File Physical Address: Run filescan to locate the executable file object in memory.

    vol.py -f <image> --profile=<profile> filescan | grep <file_name>

    Note the physical address of the target executable.

  3. Dump Process Executable File from Memory:

    vol.py -f <image> --profile=<profile> dumpfiles -n -F DataSectionObject -Q <physical_address> -D <output_dir>

Vol3 Equivalent
vol3 -f <image> windows.filescan | grep <file_name>
vol3 -f <image> windows.dumpfiles --virtaddr <virtual_address>

Process Executable (In-Memory)​

Purpose: Extract the in-memory image of a process executable. This may differ from the on-disk version β€” packed malware unpacks itself in memory, making this the deobfuscated version. procdump reconstructs the PE format from memory, making it suitable for static analysis.

  1. Identify Target Process:

    vol.py -f <image> --profile=<profile> pslist

    Note the PID of the target process.

  2. Dump the In-Memory PE:

    vol.py -f <image> --profile=<profile> procdump -p <PID> -D <output_dir>

Vol3 Equivalent
vol3 -f <image> windows.procdump --pid <PID>

Output is written to the current working directory as pid.<PID>.0x<addr>.dmp.

On-Disk vs In-Memory Hash Comparison

After dumping both the on-disk file (dumpfiles) and the in-memory image (procdump), compare their hashes to detect unpacking or patching:

sha256sum /output/executable.on-disk.exe /output/executable.procdump.exe

A mismatch indicates the process image in memory differs from its disk counterpart β€” common with packed malware, process hollowing, or in-memory patching.


Full Process Memory​

Purpose: Extract all memory allocated to a process β€” heap, stack, loaded DLLs, and executable code. Much larger than procdump. Useful when looking for artifacts that live in the heap (decrypted strings, C2 config, credentials) rather than just the executable image.

  1. Identify Target Process:

    vol.py -f <image> --profile=<profile> pslist
  2. Dump Full Process Memory:

    vol.py -f <image> --profile=<profile> memdump -p <PID> -D <output_dir>

    Output: <PID>.dmp β€” can be hundreds of MB.

Vol3 Equivalent
vol3 -f <image> windows.memmap --dump --pid <PID>

Output: pid.<PID>.dmp in the current directory.

Mining the Full Memory Dump
# Extract printable strings (minimum length 8)
strings -n 8 /output/<PID>.dmp > /output/<PID>_strings.txt

# Search for URLs, IPs, interesting keywords
grep -iE "(http|ftp|\\\\\\\\|cmd|powershell|password|token)" /output/<PID>_strings.txt

# Search for credentials in lsass memdump with pypykatz (offline Mimikatz)
pypykatz lsa minidump /output/<PID>.dmp

DLL Carving​

DLL Image (In-Memory)​

Purpose: Extract DLLs loaded by a process β€” useful for recovering injected or modified DLLs that may differ from their on-disk counterparts.

  1. Identify Target Process:

    vol.py -f <image> --profile=<profile> pslist
    vol.py -f <image> --profile=<profile> cmdline -p <PID>

  2. List Loaded DLLs: Identify the target DLL's base address.

    vol.py -f <image> --profile=<profile> dlllist -p <PID>

  3. Dump DLL from Memory:

    # Single DLL by base address
    vol.py -f <image> --profile=<profile> dlldump -p <PID> -b <base_address> -D <output_dir>

    # All DLLs loaded by the process
    vol.py -f <image> --profile=<profile> dlldump -p <PID> -D <output_dir>

Vol3 Equivalent
# List DLLs
vol3 -f <image> windows.dlllist --pid <PID>

# Dump all DLLs for a PID
vol3 -f <image> windows.dlllist --pid <PID> --dump

Output DLLs are written as pid.<PID>.dll_base.<addr>.dll in the current directory.


Registry Hive Carving​

Hive File (On-Disk)​

Purpose: Extract registry hive files (SAM, SYSTEM, SECURITY, NTUSER.DAT) that were loaded into memory from the filesystem.

  1. Identify Registry File Physical Address:

    vol.py -f <image> --profile=<profile> filescan | grep -iE "\\\\(windows\\\\system32\\\\config\\\\(default|sam|security|system)|(ntuser|usrclass)\.dat)$"

    Note the physical address of the target hive file.

  2. Dump Hive File from Memory:

    vol.py -f <image> --profile=<profile> dumpfiles -n -F DataSectionObject -Q <physical_address> -D <output_dir>

Dumping All Registry Hive Files
vol.py -f <image> --profile=<profile> filescan \
| grep -iE "\\\\(windows\\\\system32\\\\config\\\\(default|sam|security|system)|(ntuser|usrclass)\.dat)$" \
> filescan-reg_files
while read line; do
vol.py -f <image> --profile=<profile> dumpfiles -n -F DataSectionObject \
-Q $(echo $line | awk '{print $1}') -D <output_dir>
done < filescan-reg_files
Vol3 Equivalent
vol3 -f <image> windows.dumpfiles --filter "(sam|system|security|ntuser|usrclass)"
Offline SAM/SYSTEM Hash Extraction

Once the SAM and SYSTEM hive files are extracted, use impacket-secretsdump offline to extract password hashes without needing a live system:

impacket-secretsdump -sam /output/sam.hive -system /output/system.hive LOCAL

Hive File (In-Memory)​

Purpose: Extract registry hives from memory directly using the kernel's in-memory representation β€” may differ slightly from the on-disk version (uncommitted changes are reflected in memory).

  1. Identify Registry Virtual Address:

    vol.py -f <image> --profile=<profile> hivelist

    Note the virtual address of the target hive.

  2. Dump Hive from Memory:

    vol.py -f <image> --profile=<profile> dumpregistry -o <virtual_address> -D <output_dir>

Vol3 Equivalent
# List hives
vol3 -f <image> windows.registry.hivelist

# Dump all hives
vol3 -f <image> windows.registry.hivelist --dump

# Dump specific hive by offset
vol3 -f <image> windows.registry.hivelist --dump --filter <hive_name>