Volatility

Advanced memory forensics framework for incident response

Description

Volatility is the world's most widely used memory forensics framework. It analyzes RAM dumps to extract running processes, network connections, registry hives, passwords, encryption keys, and malware artifacts.

Installation

BASH
# Volatility 3 (recommended)
pip install volatility3
# Or from source
git clone https://github.com/volatilityfoundation/volatility3
cd volatility3 && pip install -r requirements.txt

# Symbol tables: Windows symbols are fetched automatically the first time an
# image is analysed; Linux/macOS symbol packs (ISF JSON) go under volatility3/symbols/
python3 vol.py -h  # Lists available plugins and confirms the install works

Basic Usage

BASH
# Identify OS profile
vol -f memory.dmp windows.info
vol -f memory.dmp linux.info

# List processes
vol -f memory.dmp windows.pslist
vol -f memory.dmp windows.pstree

# Network connections
vol -f memory.dmp windows.netscan

# Process command lines (the arguments each process was started with; not shell history)
vol -f memory.dmp windows.cmdline

# Registry hives
vol -f memory.dmp windows.registry.hivelist

Advanced Usage

BASH
# Extract password hashes
vol -f memory.dmp windows.hashdump

# Dump suspicious process memory
vol -f memory.dmp windows.memmap --pid 1234 --dump

# Find injected code
vol -f memory.dmp windows.malfind

# Scan for DLLs
vol -f memory.dmp windows.dlllist --pid 1234

# File extraction (take --virtaddr from the Offset column of filescan output)
vol -f memory.dmp windows.filescan
vol -f memory.dmp windows.dumpfiles --virtaddr 0xFA8001234

# Detect rootkits
vol -f memory.dmp windows.ssdt
vol -f memory.dmp windows.callbacks

# Timeline
vol -f memory.dmp timeliner.Timeliner

Common Workflows

BASH
# Incident response triage
vol -f memory.dmp windows.info          # System info
vol -f memory.dmp windows.pslist        # Running processes
vol -f memory.dmp windows.netscan       # Network activity
vol -f memory.dmp windows.malfind       # Injected code
vol -f memory.dmp windows.hashdump      # Password hashes