Volatility

Volatility 2

Image Identification:

• imageinfo: Retrieve information about the memory image.

Process Analysis:

• pslist: List running processes.
• pstree: Display process tree.
• cmdline: Extract command-line arguments of a process.
• dlllist: List loaded DLLs for a process.
• handles: List open handles for a process.

Memory Dumping:

• memdump: Dump the memory of a specific process.

Registry Analysis:

• hivelist: List registry hive offsets.
• printkey: Print registry key values.
• hashdump: Dump password hashes from the SAM database.

File Analysis:

• filescan: Scan for file objects in memory.
• mftparser: Parse the Master File Table (MFT) for file metadata.
• dumpfiles: Extract files from memory.

Network Analysis:

• connections: List network connections.
• sockets: List open sockets.

Malware Analysis:

• malfind: Find hidden or injected code.
• malthfind: Find hidden processes.
• ldrmodules: List loaded modules.

Timeline Analysis:

• timeliner: Generate a timeline of system activity.
• filescan: Scan for file objects with timestamps.

Volatility Configuration:

• --plugins: Specify additional plugin directories.
• --profile: Specify the profile of the memory image.

Volatility 3

Image Identification:

• windows.info.Info: Retrieve information about the memory image.

Process Analysis:

• windows.pslist.PsList: List running processes.
• windows.pstree.PsTree: Display process tree.
• windows.cmdline.CmdLine: Extract command-line arguments of a process.
• windows.dlllist.DllList: List loaded DLLs for a process.
• windows.handles.Handles: List open handles for a process.

Memory Dumping:

• windows.memdump.MemDump: Dump the memory of a specific process.

Registry Analysis:

• windows.registry.hivelist.HiveList: List registry hive offsets.
• windows.registry.printkey.PrintKey: Print registry key values.
• windows.registry.hive.Hive: Extract registry hive.

File Analysis:

• windows.filescan.FileScan: Scan for file objects in memory.
• windows.mftparser.MFTParser: Parse the Master File Table (MFT) for file metadata.
• windows.dumpfiles.DumpFiles: Extract files from memory.

Network Analysis:

• windows.netstat.Netstat: List network connections.
• windows.sockets.Sockets: List open sockets.

Malware Analysis:

• windows.malfind.Malfind: Find hidden or injected code.
• windows.malthfind.Malthfind: Find hidden processes.
• windows.modules.Modules: List loaded modules.

Timeline Analysis:

• windows.timeline.Timeline: Generate a timeline of system activity.
• windows.filescan.FileScan: Scan for file objects with timestamps.

Volatility Configuration:

• --plugin-dirs: Specify additional plugin directories.
• --profile: Specify the profile of the memory image.

Resources

• https://github.com/volatilityfoundation/volatility3

• https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#imageinfo

• https://volatility3.readthedocs.io/en/latest/

• https://samsclass.info/121/proj/p5-Vol.htm

• https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf

• https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples

• https://www.varonis.com/blog/how-to-use-volatility

• https://www.sans.org/blog/for408-windows-forensic-analysis-has-been-renumbered-to-for500-windows-forensics-analysis/

• https://github.com/stuxnet999/MemLabs

• SecIC January 2018: "Memory Forensics with Vol(a|u)tility" - Matt Brenton / @chupath1ngee

• https://github.com/kevthehermit/VolUtility

• https://dfir.science/2022/02/Introduction-to-Memory-Forensics-with-Volatility-3