Volatility3
An advanced memory forensics framework
00. Basic
General
## ------------------| Install
pip3 install volatility3
## ------------------| Run All Relevant Plugins for Time-Based Data
vol -f "/path/to/file" timeliner.Timeliner
## ------------------| Run Plugins with Configurations
vol -c "/path/to/config.json" --parallelism processes -o "/path/to/output" windows.pslist
## ------------------| Define Specific Plugins and Symbols
vol -p "/path/to/plugins" -s "/path/to/symbols" -f "/path/to/file" windows.callbacks
## ------------------| Render Output in JSON
vol -f "/path/to/file" --renderer json windows.psscan
## ------------------| Log output to a file as well as the console
vol -f "/path/to/file" -l logs.txt windows.psscan
## ------------------| Clears out all short-term cached items
vol --clear-cache
## ------------------| Do not search online for additional JSON files
vol -f "/path/to/file" --offline windows.psscan
## ------------------| Help for plugin specific options
vol <plugin> -h
## ------------------| Plugin to list the various modular components of Volatility
vol frameworkinfo.FrameworkInfo
## ------------------| Runs the automagics, then prints the resulting configuration and writes it to the output directory.
vol -f "/path/to/file" configwriter.ConfigWriter
## ------------------| Yara Scans
vol -f "/path/to/file" windows.vadyarascan --yara-rules <string>
vol -f "/path/to/file" windows.vadyarascan --yara-file "/path/to/file.yar"
vol -f "/path/to/file" yarascan.yarascan --yara-file "/path/to/file.yar"
01 Windows
01. 1 OS Information
## ------------------| Show OS & kernel details of the memory sample being analyzed.
vol -f "/path/to/file" windows.info.Info
## ------------------| List environment variables
vol -f "/path/to/file" windows.envars
## ------------------| Lists processes with session information extracted from environment variables
vol -f "/path/to/file" windows.sessions.Sessions
## ------------------| Lists the information from a Windows crash dump.
vol -f "/path/to/file" windows.crashinfo.Crashinfo
## ------------------| Listing tree based on drivers and attached devices in a particular windows memory image.
vol -f "/path/to/file" windows.devicetree.DeviceTree
## ------------------| A generic pool scanner plugin.
vol -f "/path/to/file" windows.poolscanner.PoolScanner
01.2 Process Information
## ------------------| Process List
vol -f "/path/to/file" windows.psxview
vol -f "/path/to/file" windows.pslist
vol -f "/path/to/file" windows.psscan
vol -f "/path/to/file" windows.pstree
## ------------------| List Process Information with Command Line Arguments
vol -f "/path/to/file" windows.cmdline
vol -f "/path/to/file" windows.cmdline --pid <PID>
## ------------------| Dump Cached Files Referenced by a Process (dumpfiles filtered by PID)
vol -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --pid <PID>
## ------------------| Memory Dump
vol -f "/path/to/file" -o "/path/to/dir" windows.memmap --dump --pid <PID>
## ------------------| Extracting Process Executable
vol -f "/path/to/file" windows.memmap --dump --pid <PID> --output-dir "/path/to/dir"
## ------------------| Lists process open handles
vol -f "/path/to/file" windows.handles
vol -f "/path/to/file" windows.handles --pid <PID>
## ------------------| DLLs
vol -f "/path/to/file" windows.dlllist
vol -f "/path/to/file" windows.dlllist --pid <PID>
## ------------------| Unloaded DLLs
vol -f "/path/to/file" windows.unloadedmodules
## ------------------| Print the SIDs owning each process
vol -f "/path/to/file" windows.getsids
## ------------------| List big page pools.
vol -f "/path/to/file" windows.bigpools.BigPools
## ------------------| Lists process token sids.
vol -f "/path/to/file" windows.getservicesids.GetServiceSIDs
## ------------------| Lists process token privileges
vol -f "/path/to/file" windows.privileges.Privs
## ------------------| Lists processes whose DeletePending bit is set or whose FILE_OBJECT is set to 0
vol -f "/path/to/file" windows.processghosting.ProcessGhosting
## ------------------| Lists statistics about the memory space.
vol -f "/path/to/file" windows.statistics.Statistics
## ------------------| Reads output from the strings command and indicates which process(es) each string belongs to.
vol -f "/path/to/file" windows.strings.Strings
01.3 Network Information
## ------------------| Connections
vol -f "/path/to/file" windows.netscan
01.4 Registry Information
## ------------------| Hive List
vol -f "/path/to/file" windows.registry.hivescan
vol -f "/path/to/file" windows.registry.hivelist
## ------------------| Printkey
vol -f "/path/to/file" windows.registry.printkey
vol -f "/path/to/file" windows.registry.printkey --key "HKEY_LOCAL_MACHINE\SAM\SAM"
## ------------------| Job Links (process job object information)
vol -f "/path/to/file" windows.joblinks
## ------------------| Lists the certificates in the registry's Certificate Store.
vol -f "/path/to/file" windows.registry.certificates.Certificates
## ------------------| Reports registry hives with a hooked GetCellRoutine handler
vol -f "/path/to/file" windows.registry.getcellroutine.GetCellRoutine
01.5 File System Information
## ------------------| File Scan
vol -f "/path/to/file" windows.filescan
## ------------------| File Dump
vol -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles
vol -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --virtaddr <offset>
vol -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --physaddr <offset>
## ------------------| Scans for drivers present in a particular windows memory image.
vol -f "/path/to/file" windows.driverscan.DriverScan
## ------------------| Scans for and parses potential Master Boot Records (MBRs)
vol -f "/path/to/file" windows.mbrscan.MBRScan
## ------------------| Allows extracting PE Files from a specific address in a specific address space
vol -f "/path/to/file" windows.pedump.PEDump --pid <PID>
## ------------------| TrueCrypt Cached Passphrase Finder
vol -f "/path/to/file" windows.truecrypt.Passphrase
## ------------------| Lists version information from PE files.
vol -f "/path/to/file" windows.verinfo.VerInfo
01.6 Malware Analysis
## ------------------| Check for Potentially Injected Code (Malfind)
vol -f "/path/to/file" windows.malfind
vol -f "/path/to/file" windows.malfind --pid <PID>
## ------------------| Driver Scan
vol -f "/path/to/file" windows.driverscan
## ------------------| Find Suspicious Userland Threads
vol -f "/path/to/file" windows.suspicious_threads
## ------------------| List SSDT (System Service Descriptor Table)
vol -f "/path/to/file" windows.ssdt.SSDT
## ------------------| Lists hollowed processes
vol -f "/path/to/file" windows.hollowprocesses
## ------------------| Determines if any loaded drivers were hidden by a rootkit
vol -f "/path/to/file" windows.drivermodule.DriverModule
## ------------------| Looks for signs of Skeleton Key malware
vol -f "/path/to/file" windows.skeleton_key_check.Skeleton_Key_Check
01.7 Other
## ------------------| Shim Cache
vol -f "/path/to/file" windows.shimcache
## ------------------| Timeliner
vol -f "/path/to/file" timeliner
## ------------------| Detect Hidden Kernel Modules
vol -f "/path/to/file" windows.modscan
## ------------------| Lists kernel callbacks and notification routines.
vol -f "/path/to/file" windows.callbacks.Callbacks
## ------------------| List IRPs for drivers in a particular windows memory image.
vol -f "/path/to/file" windows.driverirp.DriverIrp
## ------------------| Print KPCR structure for each processor
vol -f "/path/to/file" windows.kpcrs.KPCRs
## ------------------| Lists the loaded modules in a particular windows memory image.
vol -f "/path/to/file" windows.ldrmodules.LdrModules
## ------------------| Scans for mutexes present in a particular windows memory image.
vol -f "/path/to/file" windows.mutantscan.MutantScan
## ------------------| Reads Shimcache entries from the ahcache.sys AVL tree
vol -f "/path/to/file" windows.shimcachemem.ShimcacheMem
02. Linux
02.1 OS Information
## ------------------| Attempts to identify potential linux banners
vol -f "/path/to/file" banners.Banners
## ------------------| Determines information about the currently available ISF files, or a specific one
vol -f "/path/to/file" isfinfo.IsfInfo
## ------------------| Kernel Modules
vol -f "/path/to/file" linux.lsmod.Lsmod
vol -f "/path/to/file" linux.check_modules.Check_modules
## ------------------| List Loaded Kernel Modules (Lsmod)
vol -f "/path/to/file" linux.lsmod.Lsmod
## ------------------| Kernel log buffer reader
vol -f "/path/to/file" linux.kmsg.Kmsg
## ------------------| Bash History
vol -f "/path/to/file" linux.bash.Bash
## ------------------| Lists processes with their environment variables
vol -f "/path/to/file" linux.envars.Envars
## ------------------| Mount Information
vol -f "/path/to/file" linux.mountinfo.MountInfo
02.2 Process Information
## ------------------| Lists the processes present in a particular linux memory image.
vol -f "/path/to/file" linux.pslist.PsList
## ------------------| Scans for processes present in a particular linux image.
vol -f "/path/to/file" linux.psscan.PsScan
## ------------------| Plugin for listing processes in a tree based on their parent process ID.
vol -f "/path/to/file" linux.pstree.PsTree
## ------------------| Lists processes with their command line arguments
vol -f "/path/to/file" linux.psaux.PsAux
## ------------------| Check_syscall: checks the system call table for hooks.
vol -f "/path/to/file" linux.check_syscall.Check_syscall
## ------------------| Lists all memory mapped ELF files for all processes.
vol -f "/path/to/file" linux.elfs.Elfs
## ------------------| Generates an output similar to /proc/iomem on a running system.
vol -f "/path/to/file" linux.iomem.IOMem
## ------------------| Enumerate libraries loaded into processes
vol -f "/path/to/file" linux.library_list.LibraryList
## ------------------| Lists all memory maps for all processes.
vol -f "/path/to/file" linux.proc.Maps
02.3 Network Information
## ------------------| Analyze Open Network Connections (Sockstat)
vol -f "/path/to/file" linux.sockstat.Sockstat
vol -f "/path/to/file" linux.netfilter.Netfilter
## ------------------| Checks tty devices for hooks
vol -f "/path/to/file" linux.tty_check.tty_check
02.4 Malware Analysis
## ------------------| Check for Potentially Injected Code (Malfind)
vol -f "/path/to/file" linux.malfind.Malfind
## ------------------| Enumerate Memory Mapped ELF Files
vol -f "/path/to/file" linux.elfs.Elfs
02.5 Others
## ------------------| Parses the keyboard notifier call chain
vol -f "/path/to/file" linux.keyboard_notifiers.Keyboard_notifiers
03. macOS
03.1 OS Information
## ------------------| Bash History
vol -f "/path/to/file" mac.bash.Bash
## ------------------| Mount Information
vol -f "/path/to/file" mac.mount.Mount
## ------------------| Lists loaded kernel modules.
vol -f "/path/to/file" mac.lsmod.Lsmod
## ------------------| Lists all open file descriptors for all processes.
vol -f "/path/to/file" mac.lsof.Lsof
## ------------------| Kernel Log Buffer (Dmesg)
vol -f "/path/to/file" mac.dmesg.Dmesg
## ------------------| Environment Variables
vol -f "/path/to/file" mac.envars.Envars
## ------------------| Determines information about the currently available ISF files, or a specific one
vol -f "/path/to/file" isfinfo.IsfInfo
## ------------------| Check_syscall: checks the system call table for hooks.
vol -f "/path/to/file" mac.check_syscall.Check_syscall
## ------------------| Lists kauth listeners and their status
vol -f "/path/to/file" mac.kauth_listeners.Kauth_listeners
## ------------------| Lists kauth scopes and their status
vol -f "/path/to/file" mac.kauth_scopes.Kauth_scopes
03.2 Process Information
## ------------------| Process List
vol -f "/path/to/file" mac.pslist.PsList
vol -f "/path/to/file" mac.pstree.PsTree
## ------------------| List All Process Command-Line Arguments
vol -f "/path/to/file" mac.psaux.Psaux
## ------------------| Lists event handlers registered by processes
vol -f "/path/to/file" mac.kevents.Kevents
## ------------------| Lists all open file descriptors for all processes.
vol -f "/path/to/file" mac.list_files.List_Files
## ------------------| Lists processes that are filtering file system events
vol -f "/path/to/file" mac.vfsevents.VFSevents
03.3 Network Information
## ------------------| Lists all network connections for all processes.
vol -f "/path/to/file" mac.netstat.Netstat
## ------------------| Lists network interface information for all devices
vol -f "/path/to/file" mac.ifconfig.Ifconfig
## ------------------| Lists kauth listeners and their status
vol -f "/path/to/file" mac.kauth_listeners.Kauth_listeners
03.4 File System Information
## ------------------| List Open File Descriptors
vol -f "/path/to/file" mac.lsof.Lsof
03.5 Malware Analysis
## ------------------| Lists process memory ranges that potentially contain injected code.
vol -f "/path/to/file" mac.malfind.Malfind
## ------------------| Check for Malicious Kernel Timers
vol -f "/path/to/file" mac.timers.Timers
## ------------------| Lists process memory ranges that potentially contain injected code.
vol -f "/path/to/file" mac.proc_maps.Maps
## ------------------| Check for malicious kernel timers.
vol -f "/path/to/file" mac.timers.Timers
## ------------------| Checks for malicious trustedbsd modules
vol -f "/path/to/file" mac.trustedbsd.Trustedbsd
03.6 Others
## ------------------| Enumerates kernel socket filters.
vol -f "/path/to/file" mac.socket_filters.Socket_filters
## ------------------| Runs all relevant plugins that provide time related information and orders the results by time.
vol -f "/path/to/file" timeliner.Timeliner
## ------------------| Scans for Intel VT-d structures and generates VM volatility configs for them
vol -f "/path/to/file" vmscan.Vmscan