Volatility Cheat Sheet
Supported file types
- Raw linear sample (dd)
- Hibernation file (from Windows 7 and earlier)
- Crash dump file
- VirtualBox ELF64 core dump
- VMware saved state and snapshot files
- EWF format (E01)
- LiME format
- Mach-O file format
- HPAK (FDPro)
- Firewire
- QEMU virtual machine dumps
Frequently used Volatility Modules
pslist: Shows the active processes.
cmdline: Reveals the command-line parameters for processes.
netscan: Scans for network artifacts such as connections and listening sockets.
malfind: Looks for possible injected or hidden code in process memory.
handles: Lists the handles (files, registry keys, mutexes and other objects) a process holds open.
svcscan: Displays services in Windows.
dlllist: Lists the dynamic-link libraries loaded in a process.
hivelist: Identifies registry hives stored in memory.
You can find documentation on Volatility here:
Volatility v2: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
Volatility v3: https://volatility3.readthedocs.io/en/latest/index.html
It is good practice to pipe the output of most Volatility plugins into a text file:
| tee pluginname.out
When output goes through tee the text is no longer shown in colour. To preserve colour, install expect and then prefix each command with unbuffer.
Volatility3 Windows
There is a lot of crossover between Volatility2 and Volatility3. I have recently moved to using Volatility3 mainly and thus began tracking notes separately or directly referencing differences.
vol.py -f <path to memory file> windows.<plugin>
If you specify the plugin name as just windows, the framework lists all the additional windows plugins that can be run.
windows.info - shows information about the dump and the machine
windows.pslist - shows processes running in memory
Output can be piped into
| more
for easier processing. To see a particular process or file, pipe the output to
| Select-String
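As an added example that is not part of the original cheat sheet: a small Python helper that parses the default tab-separated text output of windows.pslist, finds a process by name (the Select-String step above), walks its parent chain, and flags rows whose parent PID is absent from the listing. The listing embedded below is constructed, not real output; an absent parent is normal when the parent has simply exited, so treat such rows as a pointer for closer inspection, not a verdict.

```python
from typing import Dict, List

# Constructed sample of windows.pslist text output (tab-separated columns).
# Offsets, counts and timestamps are made up; svchost.exe (PID 3100) is
# deliberately given a parent PID that does not appear in the listing.
SAMPLE_PSLIST = "\n".join([
    "Volatility 3 Framework 2.5.0",
    "Progress:  100.00\t\tPDB scanning finished",
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output",
    "",
    "4\t0\tSystem\t0xe00000001000\t120\t-\tN/A\tFalse\t2024-01-01 10:00:00.000000 \tN/A\tDisabled",
    "372\t4\tsmss.exe\t0xe00000002000\t2\t-\tN/A\tFalse\t2024-01-01 10:00:01.000000 \tN/A\tDisabled",
    "612\t372\twinlogon.exe\t0xe00000003000\t3\t-\t1\tFalse\t2024-01-01 10:00:02.000000 \tN/A\tDisabled",
    "1840\t612\texplorer.exe\t0xe00000004000\t40\t-\t1\tFalse\t2024-01-01 10:00:05.000000 \tN/A\tDisabled",
    "2216\t1840\tpowershell.exe\t0xe00000005000\t8\t-\t1\tFalse\t2024-01-01 10:01:00.000000 \tN/A\tDisabled",
    "3100\t9999\tsvchost.exe\t0xe00000006000\t5\t-\t0\tFalse\t2024-01-01 10:02:00.000000 \tN/A\tDisabled",
])

def parse_pslist(text: str) -> Dict[int, dict]:
    """Map PID -> row dict, skipping the banner, progress and blank lines."""
    procs, header = {}, []
    for line in text.splitlines():
        cols = line.split("\t")
        if cols[0] == "PID":          # the header row names the columns
            header = cols
        elif header and cols[0].isdigit():
            row = dict(zip(header, cols))
            procs[int(row["PID"])] = row
    return procs

def find_by_name(procs: Dict[int, dict], needle: str) -> List[int]:
    """Case-insensitive substring match on ImageFileName (the Select-String step)."""
    return sorted(p for p, r in procs.items() if needle.lower() in r["ImageFileName"].lower())

def ancestry(procs: Dict[int, dict], pid: int) -> List[str]:
    """Follow PPID links to the root; the seen-set guards against PID-reuse loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(f"{procs[pid]['ImageFileName']} ({pid})")
        pid = int(procs[pid]["PPID"])
    return chain

def orphans(procs: Dict[int, dict]) -> List[int]:
    """PIDs whose parent is neither 0 nor in the listing: an exited (or hidden) parent."""
    return sorted(p for p, r in procs.items()
                  if int(r["PPID"]) != 0 and int(r["PPID"]) not in procs)
```

To use it on a real image, save the plugin output with tee as described above and pass the file contents to parse_pslist.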
vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --pid <PID>
Vol 3's memmap plugin with --dump maps and dumps a process's memory regions, which is useful for detailed forensics.
vol.py -f "/path/to/file" -o "/path/to/dir" windows.memmap --dump --pid <PID>
Listing DLLs helps spot injected code, like malware hiding in legit processes. Unusual DLLs might point to infection.
Both versions list loaded DLLs for a PID, but Vol 3 is profile-free and faster.
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> dlllist -p <PID>
Volatility 3:
vol.py -f "/path/to/file" windows.dlllist --pid <PID>
Module Breakdowns
Registry
Hive List
You'd use the hive list commands to find registry hives in memory. Hives store system settings, and malware often tweaks these for persistence, so this can reveal changes to startup keys that launch malicious software on boot.
hivescan scans for hive structures. hivelist lists them with their virtual and physical addresses.
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> hivescan
vol.py -f "/path/to/file" --profile <profile> hivelist
Volatility 3:
vol.py -f "/path/to/file" windows.registry.hivescan
The scan output highlights hive locations in memory.
vol.py -f "/path/to/file" windows.registry.hivelist
This lists the registry hives with their paths and offsets for further digging.
Printkey
Printkey is used for viewing specific registry keys and values.
Without a key it shows the default (root) keys, while -K (Volatility 2) or --key (Volatility 3) targets a specific path.
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> printkey
vol.py -f "/path/to/file" --profile <profile> printkey -K "Software\Microsoft\Windows\CurrentVersion"
Volatility 3:
vol.py -f "/path/to/file" windows.registry.printkey
vol.py -f "/path/to/file" windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion"
2026-05-07 13:04