Assuming you have a Hyper-V image with Windows 7 x64 and you want to use Volatility to do memory forensic analysis:
1. Set the symbol path environment variable: _NT_SYMBOL_PATH=srv*c:\symbols*https://msdl.microsoft.com/download/symbols
2. Install Debugging Tools for Windows.
Microsoft makes it hard to get the debugging tools by themselves: you will need to download
the SDK setup, run it, and from the component selection menu select only the Debugging
Tools option. You may also get them from this site:
CodeMachine downloads.
3. Install Sysinternals LiveKD.
We will use LiveKD to dump the VM's RAM to a file for analysis.
4. Start your Hyper-V VM.
5. List the currently running VMs (administrative privileges required):
>livekd.exe -hvl
6. Use the VM name listed in the previous step to dump its memory:
>livekd.exe -hv name -p -o c:\memory.dmp
If you get errors about kdversionblock or "cannot resolve symbols for ntoskrnl", make sure your
symbols are correct. You may also have to start LiveKD in interactive debugging mode and force
symbol download from within the debugger:
>livekd.exe -hv name
>>.reload /f
Then verify that your symbols folder contains the kernel symbol files.
7. Convert the crash dump to a raw memory image (OPTIONAL: try Volatility against the crash dump first, and only convert if it fails to parse it):
>volatility-X.X.standalone.exe -f c:\memory.dmp --profile=Win7SP1x64 imagecopy -O c:\memory.dd
8. Run Volatility commands against the image:
>volatility-X.X.standalone.exe -f c:\memory.dd --profile=Win7SP1x64 psscan
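The steps above, driven from one elevated PowerShell prompt, as an added example (this script is not part of the original page and is not a Sysinternals or Volatility tool). The VM name, tool locations, Volatility version and output paths are assumptions; adjust them for your lab. It goes one step beyond the page by running pslist alongside psscan and reporting processes that appear only in psscan, which is the usual quick check for unlinked (hidden) process objects in a dump.

```powershell
# Added example (not from the original page): drives the LiveKD -> Volatility
# workflow from an elevated PowerShell prompt. All paths and the VM name are
# assumed values for illustration.
param(
    [string]$VmName     = 'Win7x64-Lab',                                # assumed; take it from "livekd.exe -hvl"
    [string]$LiveKd     = 'C:\Tools\SysinternalsSuite\livekd.exe',       # assumed install path
    [string]$Volatility = 'C:\Tools\volatility-2.6.standalone.exe',     # assumed version and path
    [string]$SymbolRoot = 'C:\symbols',
    [string]$DumpPath   = 'C:\memory.dmp',
    [string]$RawPath    = 'C:\memory.dd',
    [string]$Profile    = 'Win7SP1x64',
    [switch]$ConvertToRaw
)

$ErrorActionPreference = 'Stop'

# Step 1: LiveKD and the debugger read _NT_SYMBOL_PATH from the environment,
# so setting it for this process is enough for the child processes started below.
$env:_NT_SYMBOL_PATH = "srv*$SymbolRoot*https://msdl.microsoft.com/download/symbols"

# Steps 2-3: fail early if a tool is missing instead of halfway through the dump.
foreach ($tool in @($LiveKd, $Volatility)) {
    if (-not (Test-Path $tool)) { throw "Required tool not found: $tool" }
}

# Step 5: list running VMs and confirm the target is actually among them.
$vmList = & $LiveKd -hvl 2>&1 | Out-String
if ($vmList -notmatch [regex]::Escape($VmName)) {
    throw "VM '$VmName' not found in LiveKD output:`n$vmList"
}

# Step 6: pause the VM (-p) while dumping so the image is internally consistent.
& $LiveKd -hv $VmName -p -o $DumpPath
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $DumpPath)) {
    throw "LiveKD did not produce $DumpPath (exit code $LASTEXITCODE)"
}

# Symbol sanity check. The Windows 7 x64 kernel PDB is ntkrnlmp.pdb; if it is not
# in the local store, the kdversionblock / ntoskrnl errors mentioned above are the
# usual symptom, and the fix is "livekd.exe -hv <name>" followed by ".reload /f".
if (-not (Test-Path (Join-Path $SymbolRoot 'ntkrnlmp.pdb'))) {
    Write-Warning "ntkrnlmp.pdb not found under $SymbolRoot; run '.reload /f' inside LiveKD if the dump fails to parse."
}

# Step 7 (optional): convert the crash dump to a raw image.
$image = $DumpPath
if ($ConvertToRaw) {
    & $Volatility -f $DumpPath --profile=$Profile imagecopy -O $RawPath
    if ($LASTEXITCODE -ne 0) { throw "imagecopy failed (exit code $LASTEXITCODE)" }
    $image = $RawPath
}

# Step 8: run psscan (as on the page) and pslist, then diff them. Both outputs
# start each process row with "<offset> <name> <pid> <ppid>"; the regex below
# pulls name and PID from those rows and ignores headers and separators.
function Get-VolProcessTable([string]$Plugin) {
    $rows = @{}
    & $Volatility -f $image --profile=$Profile $Plugin 2>$null | ForEach-Object {
        if ($_ -match '^\s*0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)') {
            $rows[[int]$Matches[2]] = $Matches[1]
        }
    }
    return $rows
}

$scanned = Get-VolProcessTable 'psscan'
$listed  = Get-VolProcessTable 'pslist'

Write-Host ("psscan: {0} processes, pslist: {1} processes" -f $scanned.Count, $listed.Count)

# Processes present in the pool scan but absent from the EPROCESS linked list
# deserve a closer look (terminated-but-not-yet-freed objects also land here,
# so treat this as a triage lead, not a verdict).
$onlyInScan = $scanned.Keys | Where-Object { -not $listed.ContainsKey($_) } | Sort-Object
foreach ($pid in $onlyInScan) {
    Write-Host ("  PID {0,6}  {1}  (psscan only)" -f $pid, $scanned[$pid])
}
```

Run it from an elevated prompt as `.\Dump-And-Scan.ps1 -VmName <name from livekd -hvl> -ConvertToRaw` (script file name is your choice). The pslist/psscan comparison is deliberately kept as a triage hint: exited processes whose pool allocations have not been reused also show up as "psscan only", so confirm any hit with the process's create/exit times in the psscan output before drawing conclusions.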
References
www.wyattroersma.com
Good blog with various posts on Volatility and VMs.