# Volatility3

## 00. Basic

* General

```bash
## ------------------| Install
pip3 install volatility3

## ------------------| Run All Relevant Plugins for Time-Based Data
vol -f "/path/to/file" timeliner.Timeliner

## ------------------| Run Plugins with Configurations
vol -c "/path/to/config.json" --parallelism processes -o "/path/to/output" windows.pslist

## ------------------| Define Specific Plugins and Symbols
vol -p "/path/to/plugins" -s "/path/to/symbols" -f "/path/to/file" windows.callbacks

## ------------------| Render Output in JSON
vol -f "/path/to/file" --renderer json windows.psscan

## ------------------| Log output to a file as well as the console
vol -f "/path/to/file" -l logs.txt windows.psscan

## ------------------| Clears out all short-term cached items
vol --clear-cache

## ------------------| Do not search online for additional JSON files
vol -f "/path/to/file" --offline windows.psscan

## ------------------| Help for plugin specific options
vol <plugin> -h

## ------------------| Plugin to list the various modular components of Volatility
vol frameworkinfo.FrameworkInfo

## ------------------| Runs the automagics and both prints and outputs configuration in the output directory.
vol -f "/path/to/file" configwriter.ConfigWriter

## ------------------| Yara Scans
vol -f "/path/to/file" windows.vadyarascan --yara-rules <string>
vol -f "/path/to/file" windows.vadyarascan --yara-file "/path/to/file.yar"
vol -f "/path/to/file" yarascan.YaraScan --yara-file "/path/to/file.yar"
```

## 01. Windows

### 01.1 OS Information

```bash
## ------------------| Show OS & kernel details of the memory sample being analyzed.
vol -f "/path/to/file" windows.info.Info

## ------------------| List environment variables
vol -f "/path/to/file" windows.envars

## ------------------| Lists processes with session information extracted from environment variables
vol -f "/path/to/file" windows.sessions.Sessions

## ------------------| Lists the information from a Windows crash dump.
vol -f "/path/to/file" windows.crashinfo.Crashinfo

## ------------------| Listing tree based on drivers and attached devices in a particular windows memory image.
vol -f "/path/to/file" windows.devicetree.DeviceTree

## ------------------| A generic pool scanner plugin.
vol -f "/path/to/file" windows.poolscanner.PoolScanner
```

### 01.2 Process Information

```bash
## ------------------| Process List
vol -f "/path/to/file" windows.psxview
vol -f "/path/to/file" windows.pslist
vol -f "/path/to/file" windows.psscan
vol -f "/path/to/file" windows.pstree

## ------------------| List Process Information with Command Line Arguments
vol -f "/path/to/file" windows.cmdline
vol -f "/path/to/file" windows.cmdline --pid <PID>

## ------------------| Dump files referenced by a process's handles and VADs
vol -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --pid <PID>

## ------------------| Memory Dump (all pages mapped by the process)
vol -f "/path/to/file" -o "/path/to/dir" windows.memmap --dump --pid <PID>

## ------------------| Extracting Process Executable (-o is a global option, so it goes before the plugin name)
vol -f "/path/to/file" -o "/path/to/dir" windows.pslist --pid <PID> --dump

## ------------------| Lists process open handles
vol -f "/path/to/file" windows.handles
vol -f "/path/to/file" windows.handles --pid <PID>

## ------------------| DLLs
vol -f "/path/to/file" windows.dlllist
vol -f "/path/to/file" windows.dlllist --pid <PID>

## ------------------| Unloaded DLLs
vol -f "/path/to/file" windows.unloadedmodules

## ------------------| Print the SIDs owning each process
vol -f "/path/to/file" windows.getsids

## ------------------| List big page pools.
vol -f "/path/to/file" windows.bigpools.BigPools

## ------------------| Lists the SIDs of Windows services (process token SIDs are covered by getsids above)
vol -f "/path/to/file" windows.getservicesids.GetServiceSIDs

## ------------------| Lists process token privileges
vol -f "/path/to/file" windows.privileges.Privs

## ------------------| Lists processes whose DeletePending bit is set or whose FILE_OBJECT is set to 0
vol -f "/path/to/file" windows.processghosting.ProcessGhosting

## ------------------| Lists statistics about the memory space.
vol -f "/path/to/file" windows.statistics.Statistics

## ------------------| Reads output from the strings command (offset:string lines) and indicates which process(es) each string belongs to.
vol -f "/path/to/file" windows.strings.Strings --strings-file "/path/to/strings.txt"
```
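An added example, not part of the original cheat sheet, showing what to do with the `--renderer json` output from the Basic section: it cross-references `windows.pslist` against `windows.psscan`, the way `windows.psxview` does, to flag processes the pool scanner finds but the EPROCESS linked list does not. The row shape (a JSON list of objects keyed by column name, each with a `__children` list) and the sample rows are assumptions constructed for this example.

```python
import json

# Constructed sample output shaped like `vol --renderer json windows.pslist` and
# `windows.psscan` (assumption: a JSON list of row objects keyed by column name,
# each with a "__children" list for nested rows). All values are made up.
PSLIST_JSON = """[
 {"PID": 4,    "PPID": 0,   "ImageFileName": "System",       "CreateTime": "2024-01-01T10:00:00", "ExitTime": null, "__children": []},
 {"PID": 548,  "PPID": 4,   "ImageFileName": "smss.exe",     "CreateTime": "2024-01-01T10:00:01", "ExitTime": null, "__children": []},
 {"PID": 1204, "PPID": 548, "ImageFileName": "explorer.exe", "CreateTime": "2024-01-01T10:00:20", "ExitTime": null, "__children": []}
]"""
PSSCAN_JSON = """[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "CreateTime": "2024-01-01T10:00:00", "ExitTime": null, "__children": []},
 {"PID": 548,  "PPID": 4,    "ImageFileName": "smss.exe",     "CreateTime": "2024-01-01T10:00:01", "ExitTime": null, "__children": []},
 {"PID": 1204, "PPID": 548,  "ImageFileName": "explorer.exe", "CreateTime": "2024-01-01T10:00:20", "ExitTime": null, "__children": []},
 {"PID": 3320, "PPID": 1204, "ImageFileName": "notepad.exe",  "CreateTime": "2024-01-01T10:05:00", "ExitTime": "2024-01-01T10:06:00", "__children": []},
 {"PID": 2816, "PPID": 1204, "ImageFileName": "svchost.exe",  "CreateTime": "2024-01-01T10:07:00", "ExitTime": null, "__children": []}
]"""


def flatten(rows):
    """Yield every row, descending into "__children" (populated by tree-style plugins)."""
    for row in rows:
        yield row
        yield from flatten(row.get("__children", []))


def key(row):
    # PIDs are reused after exit, so pair the PID with image name and creation time.
    return (row["PID"], row["ImageFileName"], row["CreateTime"])


def compare_process_views(pslist_json, psscan_json):
    """Return (hidden, terminated): psscan-only rows split by whether the process exited.

    A scan-only process with no ExitTime is unlinked from ActiveProcessLinks and
    deserves a closer look; one with an ExitTime is usually just a terminated
    process whose pool allocation has not been reused yet.
    """
    listed = {key(r) for r in flatten(json.loads(pslist_json))}
    hidden, terminated = [], []
    for row in flatten(json.loads(psscan_json)):
        if key(row) in listed:
            continue
        (terminated if row["ExitTime"] else hidden).append(row)
    return hidden, terminated


if __name__ == "__main__":
    hidden, terminated = compare_process_views(PSLIST_JSON, PSSCAN_JSON)
    for row in hidden:
        print(f"scan-only, still running: PID {row['PID']} {row['ImageFileName']}")
    for row in terminated:
        print(f"scan-only, exited:        PID {row['PID']} {row['ImageFileName']}")
```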

### 01.3 Network Information

```bash
## ------------------| Connections
vol -f "/path/to/file" windows.netscan
```

### 01.4 Registry Information

```bash
## ------------------| Hive List
vol -f "/path/to/file" windows.registry.hivescan
vol -f "/path/to/file" windows.registry.hivelist

## ------------------| Printkey
vol -f "/path/to/file" windows.registry.printkey
vol -f "/path/to/file" windows.registry.printkey --key "HKEY_LOCAL_MACHINE\SAM\SAM"

## ------------------| Hive Dump
vol -f "/path/to/file" -o "/path/to/dir" windows.registry.hivelist --dump

## ------------------| Print process job link information
vol -f "/path/to/file" windows.joblinks

## ------------------| Lists the certificates in the registry's Certificate Store.
vol -f "/path/to/file" windows.registry.certificates.Certificates

## ------------------| Reports registry hives with a hooked GetCellRoutine handler
vol -f "/path/to/file" windows.registry.getcellroutine.GetCellRoutine
```

### 01.5 File System Information

```bash
## ------------------| File Scan
vol -f "/path/to/file" windows.filescan

## ------------------| File Dump
vol -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles
vol -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --virtaddr <offset>
vol -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --physaddr <offset>

## ------------------| Scans for drivers present in a particular windows memory image.
vol -f "/path/to/file" windows.driverscan.DriverScan

## ------------------| Scans for and parses potential Master Boot Records (MBRs)
vol -f "/path/to/file" windows.mbrscan.MBRScan

## ------------------| Allows extracting PE Files from a specific address in a specific address space
vol -f "/path/to/file" windows.pedump.PEDump --pid <PID>

## ------------------| TrueCrypt Cached Passphrase Finder
vol -f "/path/to/file" windows.truecrypt.Passphrase

## ------------------| Lists version information from PE files.
vol -f "/path/to/file" windows.verinfo.VerInfo
```

### 01.6 Malware Analysis

```bash
## ------------------| Check for Potentially Injected Code (Malfind)
vol -f "/path/to/file" windows.malfind
vol -f "/path/to/file" windows.malfind --pid <PID>

## ------------------| Driver Scan
vol -f "/path/to/file" windows.driverscan

## ------------------| Find Suspicious Userland Threads
vol -f "/path/to/file" windows.suspicious_threads

## ------------------| List SSDT (System Service Descriptor Table)
vol -f "/path/to/file" windows.ssdt.SSDT

## ------------------| Lists hollowed processes
vol -f "/path/to/file" windows.hollowprocesses

## ------------------| Determines if any loaded drivers were hidden by a rootkit
vol -f "/path/to/file" windows.drivermodule.DriverModule

## ------------------| Looks for signs of Skeleton Key malware
vol -f "/path/to/file" windows.skeleton_key_check.Skeleton_Key_Check
```

### 01.7 Other

```bash
## ------------------| Shim Cache
vol -f "/path/to/file" windows.shimcache

## ------------------| Timeliner
vol -f "/path/to/file" timeliner

## ------------------| Detect Hidden Kernel Modules
vol -f "/path/to/file" windows.modscan

## ------------------| Lists kernel callbacks and notification routines.
vol -f "/path/to/file" windows.callbacks.Callbacks

## ------------------| List IRPs for drivers in a particular windows memory image.
vol -f "/path/to/file" windows.driverirp.DriverIrp

## ------------------| Print KPCR structure for each processor
vol -f "/path/to/file" windows.kpcrs.KPCRs

## ------------------| Lists the loaded modules in a particular windows memory image.
vol -f "/path/to/file" windows.ldrmodules.LdrModules

## ------------------| Scans for mutexes present in a particular windows memory image.
vol -f "/path/to/file" windows.mutantscan.MutantScan

## ------------------| Reads Shimcache entries from the ahcache.sys AVL tree
vol -f "/path/to/file" windows.shimcachemem.ShimcacheMem
```

## 02. Linux

### 02.1 OS Information

```bash
## ------------------| Attempts to identify potential linux banners
vol -f "/path/to/file" banners.Banners

## ------------------| Determines information about the currently available ISF files, or a specific one
vol -f "/path/to/file" isfinfo.IsfInfo

## ------------------| Kernel Modules
vol -f "/path/to/file" linux.lsmod.Lsmod
vol -f "/path/to/file" linux.check_modules.Check_modules

## ------------------| Kernel log buffer reader
vol -f "/path/to/file" linux.kmsg.Kmsg

## ------------------| Bash History
vol -f "/path/to/file" linux.bash.Bash

## ------------------| Lists processes with their environment variables
vol -f "/path/to/file" linux.envars.Envars

## ------------------| Mount Information
vol -f "/path/to/file" linux.mountinfo.MountInfo
```

### 02.2 Process Information

```bash
## ------------------| Lists the processes present in a particular linux memory image.
vol -f "/path/to/file" linux.pslist.PsList

## ------------------| Scans for processes present in a particular linux image.
vol -f "/path/to/file" linux.psscan.PsScan

## ------------------| Plugin for listing processes in a tree based on their parent process ID.
vol -f "/path/to/file" linux.pstree.PsTree

## ------------------| Lists processes with their command line arguments
vol -f "/path/to/file" linux.psaux.PsAux

## ------------------| Checks the system call table for hooks.
vol -f "/path/to/file" linux.check_syscall.Check_syscall

## ------------------| Lists all memory mapped ELF files for all processes.
vol -f "/path/to/file" linux.elfs.Elfs

## ------------------| Generates an output similar to /proc/iomem on a running system.
vol -f "/path/to/file" linux.iomem.IOMem

## ------------------| Enumerate libraries loaded into processes
vol -f "/path/to/file" linux.library_list.LibraryList

## ------------------| Lists all memory maps for all processes.
vol -f "/path/to/file" linux.proc.Maps
```

### 02.3 Network Information

```bash
## ------------------| Analyze Open Network Connections (Sockstat)
vol -f "/path/to/file" linux.sockstat.Sockstat

## ------------------| Lists netfilter hooks
vol -f "/path/to/file" linux.netfilter.Netfilter

## ------------------| Checks tty devices for hooks
vol -f "/path/to/file" linux.tty_check.tty_check
```

### 02.4 Malware Analysis

```bash
## ------------------| Check for Potentially Injected Code (Malfind)
vol -f "/path/to/file" linux.malfind.Malfind

## ------------------| Enumerate Memory Mapped ELF Files
vol -f "/path/to/file" linux.elfs.Elfs
```

### 02.5 Others

```bash
## ------------------| Parses the keyboard notifier call chain
vol -f "/path/to/file" linux.keyboard_notifiers.Keyboard_notifiers
```

## 03. macOS

### 03.1 OS Information

```bash
## ------------------| Bash History
vol -f "/path/to/file" mac.bash.Bash

## ------------------| Mount Information
vol -f "/path/to/file" mac.mount.Mount

## ------------------| Lists loaded kernel modules.
vol -f "/path/to/file" mac.lsmod.Lsmod

## ------------------| Lists all open file descriptors for all processes.
vol -f "/path/to/file" mac.lsof.Lsof

## ------------------| Kernel Log Buffer (Dmesg)
vol -f "/path/to/file" mac.dmesg.Dmesg

## ------------------| Environment Variables
vol -f "/path/to/file" mac.envars.Envars

## ------------------| Determines information about the currently available ISF files, or a specific one
vol -f "/path/to/file" isfinfo.IsfInfo

## ------------------| Checks the system call table for hooks.
vol -f "/path/to/file" mac.check_syscall.Check_syscall

## ------------------| Lists kauth listeners and their status
vol -f "/path/to/file" mac.kauth_listeners.Kauth_listeners

## ------------------| Lists kauth scopes and their status
vol -f "/path/to/file" mac.kauth_scopes.Kauth_scopes
```

### 03.2 Process Information

```bash
## ------------------| Process List
vol -f "/path/to/file" mac.pslist.PsList
vol -f "/path/to/file" mac.pstree.PsTree

## ------------------| List All Process Command-Line Arguments
vol -f "/path/to/file" mac.psaux.Psaux

## ------------------| Lists event handlers registered by processes
vol -f "/path/to/file" mac.kevents.Kevents

## ------------------| Lists all open file descriptors for all processes.
vol -f "/path/to/file" mac.list_files.List_Files

## ------------------| Lists processes that are filtering file system events
vol -f "/path/to/file" mac.vfsevents.VFSevents
```

### 03.3 Network Information

```bash
## ------------------| Lists all network connections for all processes.
vol -f "/path/to/file" mac.netstat.Netstat

## ------------------| Lists network interface information for all devices
vol -f "/path/to/file" mac.ifconfig.Ifconfig
```

### 03.4 File System Information

```bash
## ------------------| List Open File Descriptors
vol -f "/path/to/file" mac.lsof.Lsof
```

### 03.5 Malware Analysis

```bash
## ------------------| Lists process memory ranges that potentially contain injected code.
vol -f "/path/to/file" mac.malfind.Malfind

## ------------------| Check for Malicious Kernel Timers
vol -f "/path/to/file" mac.timers.Timers

## ------------------| Lists process memory ranges (proc maps)
vol -f "/path/to/file" mac.proc_maps.Maps

## ------------------| Checks for malicious trustedbsd modules
vol -f "/path/to/file" mac.trustedbsd.Trustedbsd
```

### 03.6 Others

```bash
## ------------------| Enumerates kernel socket filters.
vol -f "/path/to/file" mac.socket_filters.Socket_filters

## ------------------| Runs all relevant plugins that provide time related information and orders the results by time.
vol -f "/path/to/file" timeliner.Timeliner

## ------------------| Scans for Intel VT-d structures and generates VM volatility configs for them
vol -f "/path/to/file" vmscan.Vmscan
```
