Volatility#
Volatility is an open source memory forensics framework for incident response and malware analysis. The operator (or their defensive counterpart) parses captured RAM images, extracts artifacts that live nowhere on disk, and pivots through process trees, registry hives, and hidden injection sites. Releases ship as Python module installers, standalone executables, and zip and tar archives.
Basics#
$ vol.py -f image --profile=profileplugin # sample command format
$ vol.py -f mem.img timeliner --output-file out.body --output=body --profile=Win10x64
$ vol.py -f mem.img imageinfo # image metadata
Processes#
$ vol.py pslist # high-level view of running processes
$ vol.py pstree # parent-process relationships
$ vol.py psxview # hidden processes (cross-view)
$ vol.py procdump --dump-dir ./output -p ### # dump process to executable
$ vol.py memdump --dump-dir ./output -p ### # extract every memory section of the process
$ vol.py cmdscan # scan for COMMAND_HISTORY buffers
$ vol.py consoles # scan for CONSOLE_INFORMATION output
DLLs, drivers#
$ vol.py dlldump --dump-dir ./output -r <dll> # extract DLLs from specific processes
$ vol.py dlllist -p ### # list of loaded DLLs by process by PID
$ vol.py driverirp -r tcpip # identify I/O Request Packet (IRP) hooks
$ vol.py ldrmodules -p ### -v # detect unlinked DLLs
$ vol.py moddump --dump-dir ./output -r <driver> # extract kernel drivers
$ vol.py modscan # loaded, unloaded, and unlinked drivers
Memory#
$ vol.py malfind --dump-dir ./output_dir # find possible malicious code, dump sections
$ vol.py filescan # scan memory for FILE_OBJECT handles
$ vol.py dumpfiles -n -i -r \\.exe --dump-dir=./ # extract FILE_OBJECTs from memory
$ vol.py netscan # TCP connections and sockets
$ vol.py apihooks # find API / DLL function hooks
$ vol.py autoruns -v # map ASEPs to running processes
$ vol.py hollowfind -D ./output_dir # detect process hollowing
$ vol.py idt # display interrupt descriptor table
Registry#
$ vol.py hivelist # find and list available registry hives
$ vol.py hivedump -o 0xe1a14b60 # print all keys and subkeys in a hive
$ vol.py dumpregistry --dump-dir ./output # extract all available registry hives
$ vol.py printkey -K "Microsoft\Windows\CurrentVersion\Run" # output a registry key
$ vol.py userassist # find and parse userassist key values
Tokens#
$ vol.py getsids -p ### # print process security identifiers by PID
$ vol.py handles -p ### -t File,Key # open handles per process
$ vol.py hashdump # dump user NTLM and Lanman hashes
Convert raw#
$ vol.py imagecopy -f hiberfil.sys -O hiber.raw --profile=Win7SP1x64
$ vol.py imagecopy -f MEMORY.DMP -O crashdump.raw --profile=Win2016x64_14393
Misc#
$ vol.py ssdt # hooks in System Service Descriptor Table
$ vol.py svcscan -v # scan for Windows Service record structures
$ vol.py psxscan # scan memory for EPROCESS blocks