Volatility v3 Memory Forensics
Overview
Volatility 3 is an open-source memory forensics framework for analysing RAM dumps from Windows, Linux, and macOS systems. It extracts digital artifacts including running processes, network connections, loaded modules, registry data, and evidence of malicious activity.
Core Syntax
vol -f <memory_image> <plugin> [options]
python3 vol.py -f <memory_image> <plugin> [options]

Note: Volatility 3 auto-detects the OS profile — no manual profile selection required (unlike Volatility 2).
Learning Workflow
Phase 1: Orientation — Image info, process listing, basic triage
Phase 2: Process Analysis — Deep dive into process artifacts
Phase 3: Memory Extraction — Dump processes, DLLs, and memory regions
Phase 4: Artifact Hunting — Registry, network, malware indicators
Phase 5: Advanced Analysis — Rootkit detection, timeline, and correlation
Installation & Setup
Installation
# Clone repository
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
# Install dependencies
pip3 install -r requirements.txt
# Install as package (optional)
pip3 install -e .
# Verify installation
python3 vol.py -h
Symbol Tables
Volatility 3 requires symbol tables for accurate analysis. Download from:
Windows: https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip
Linux: https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip
macOS: https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip
Memory Acquisition Tools
Tool         OS        Notes
WinPMEM      Windows   Free, reliable
FTK Imager   Windows   GUI-based
DumpIt       Windows   Single executable
LiME         Linux     Loadable kernel module
AVML         Linux     Microsoft's acquisition tool
OSXPmem      macOS     Mac memory acquisition
Phase 1: Orientation & Triage
Image Information
List Available Plugins
Initial Process Listing
Quick Triage Commands
Phase 2: Process Analysis
Process Listing Plugins
windows.pslist    Walk the active-process doubly-linked list of EPROCESS structures
windows.pstree    Display the process parent/child hierarchy
windows.psscan    Pool-tag scan for EPROCESS structures (also finds processes unlinked from the active list, and exited ones still in the pool)
windows.psxview   Cross-reference multiple process sources and flag entries missing from any of them
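The difference between pslist and psscan is what the "Missing processes" fix later on this page relies on: a process unlinked from the active list still has an EPROCESS in the pool. The script below is an added example (not part of Volatility or of this cheat sheet) that does that cross-reference offline on constructed records shaped like the rows `vol -f mem.dmp -r json windows.pslist` and `windows.psscan` emit (one dict per row, plugin column names as keys, nested rows under "__children"). The column names PID, PPID, ImageFileName, Offset(V) and ExitTime are assumed to match the plugin headers; check them against your own JSON before relying on the script. It also separates the benign case (an exited process that psscan still sees) from the one worth investigating (a live process absent from pslist).

```python
import json
from operator import itemgetter

# Constructed sample output, shaped like the records `-r json` emits for
# windows.pslist and windows.psscan. PIDs, names and offsets are made up.
PSLIST_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "Offset(V)": 0x9a0000, "ExitTime": None, "__children": []},
    {"PID": 600,  "PPID": 4,    "ImageFileName": "smss.exe",     "Offset(V)": 0x9a1000, "ExitTime": None, "__children": []},
    {"PID": 1208, "PPID": 1100, "ImageFileName": "explorer.exe", "Offset(V)": 0x9a2000, "ExitTime": None, "__children": []},
])
PSSCAN_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "Offset(V)": 0x9a0000, "ExitTime": None, "__children": []},
    {"PID": 600,  "PPID": 4,    "ImageFileName": "smss.exe",     "Offset(V)": 0x9a1000, "ExitTime": None, "__children": []},
    {"PID": 1208, "PPID": 1100, "ImageFileName": "explorer.exe", "Offset(V)": 0x9a2000, "ExitTime": None, "__children": []},
    # Live process found only by the pool scan: unlinked from the active list.
    {"PID": 4512, "PPID": 1208, "ImageFileName": "hidden_proc.exe", "Offset(V)": 0x9a3000, "ExitTime": None, "__children": []},
    # Exited process whose EPROCESS is still in the pool: expected residue.
    {"PID": 2044, "PPID": 1208, "ImageFileName": "notepad.exe",  "Offset(V)": 0x9a4000, "ExitTime": "2024-01-01 10:00:00", "__children": []},
])


def flatten(rows):
    """Yield every row, descending into "__children" (windows.pstree nests rows there)."""
    for row in rows:
        yield row
        yield from flatten(row.get("__children") or [])


def index_by_offset(json_text):
    """Map the EPROCESS virtual offset to its row; offsets stay unique where PIDs can be reused."""
    return {row["Offset(V)"]: row for row in flatten(json.loads(json_text))}


def cross_reference(pslist_json, psscan_json):
    """Return the rows seen by only one of the two plugins, each list sorted by PID."""
    listed = index_by_offset(pslist_json)
    scanned = index_by_offset(psscan_json)
    return {
        "scan_only": sorted((scanned[o] for o in scanned.keys() - listed.keys()), key=itemgetter("PID")),
        "list_only": sorted((listed[o] for o in listed.keys() - scanned.keys()), key=itemgetter("PID")),
    }


def triage(findings):
    """Label each scan-only row: an exited process is ordinary residue, while a row
    with no ExitTime that is missing from the linked list is the one to investigate."""
    notes = []
    for row in findings["scan_only"]:
        if row.get("ExitTime"):
            verdict = "terminated (residue of an exited process)"
        else:
            verdict = "live but not in the active process list: investigate"
        notes.append((row["PID"], row["ImageFileName"], verdict))
    return notes


if __name__ == "__main__":
    result = cross_reference(PSLIST_JSON, PSSCAN_JSON)
    for pid, name, verdict in triage(result):
        print(f"PID {pid:>5} {name:<18} {verdict}")
    for row in result["list_only"]:
        print(f"PID {row['PID']:>5} {row['ImageFileName']:<18} in pslist only (scan missed it)")
```

Feed it real output by redirecting each plugin run with `-r json` to a file and passing the file contents in place of the constructed strings. Keying on Offset(V) rather than PID matters on long-running hosts, where a PID seen by psscan for an exited process may have been reused by a live one in pslist.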
Process Details
DLL Analysis
Handle Analysis
Phase 3: Memory Extraction
Process Memory Dumps
DLL Extraction
Driver Extraction
Memory Regions
File Extraction
Phase 4: Artifact Hunting
Network Analysis
Network Output Fields
Field         Meaning
Offset        Memory address of structure
Proto         Protocol (TCP/UDP)
LocalAddr     Local IP:Port
ForeignAddr   Remote IP:Port
State         Connection state
PID           Associated process ID
Owner         Process name
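The fields above are easiest to work with from the JSON renderer, where address and port arrive as separate columns (LocalAddr/LocalPort, ForeignAddr/ForeignPort). The script below is an added example, not part of Volatility or of this cheat sheet; it runs offline on constructed rows shaped like `vol -f mem.dmp -r json windows.netscan` output and groups remote endpoints by owning process, skipping listeners and connections to internal hosts, then reports processes that reach out externally but are not on an analyst-supplied allowlist. The column names and the allowlist are assumptions of the example; 203.0.113.x and 198.51.100.x are documentation ranges standing in for public addresses.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample output shaped like `-r json windows.netscan` rows.
# PIDs, process names and offsets are made up.
NETSCAN_JSON = json.dumps([
    {"Offset": 0xe0001, "Proto": "TCPv4", "LocalAddr": "0.0.0.0",      "LocalPort": 445,   "ForeignAddr": "0.0.0.0",      "ForeignPort": 0,    "State": "LISTENING",   "PID": 4,    "Owner": "System"},
    {"Offset": 0xe0002, "Proto": "TCPv4", "LocalAddr": "192.168.1.20", "LocalPort": 49812, "ForeignAddr": "192.168.1.5",  "ForeignPort": 445,  "State": "ESTABLISHED", "PID": 4,    "Owner": "System"},
    {"Offset": 0xe0003, "Proto": "TCPv4", "LocalAddr": "192.168.1.20", "LocalPort": 49900, "ForeignAddr": "203.0.113.7",  "ForeignPort": 443,  "State": "ESTABLISHED", "PID": 2312, "Owner": "chrome.exe"},
    {"Offset": 0xe0004, "Proto": "TCPv4", "LocalAddr": "192.168.1.20", "LocalPort": 49950, "ForeignAddr": "198.51.100.9", "ForeignPort": 8443, "State": "ESTABLISHED", "PID": 4512, "Owner": "hidden_proc.exe"},
    {"Offset": 0xe0005, "Proto": "TCPv4", "LocalAddr": "192.168.1.20", "LocalPort": 50012, "ForeignAddr": "198.51.100.9", "ForeignPort": 8443, "State": "CLOSE_WAIT",  "PID": 4512, "Owner": "hidden_proc.exe"},
    {"Offset": 0xe0006, "Proto": "UDPv4", "LocalAddr": "0.0.0.0",      "LocalPort": 123,   "ForeignAddr": "*",            "ForeignPort": 0,    "State": None,          "PID": 1040, "Owner": "svchost.exe"},
])

# Address space that is not a remote host on the internet: RFC 1918, loopback,
# link-local, unspecified, multicast, and the IPv6 counterparts. Listed explicitly
# because ipaddress.is_private also covers the documentation ranges used above.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]


def is_external(addr):
    """True for a parseable address outside INTERNAL_NETWORKS; "*" or "-" are not addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETWORKS)


def external_endpoints(json_text):
    """Group remote endpoints by owning process: {(PID, Owner): ["ip:port", ...]}.
    Listening sockets and connections to internal hosts are left out."""
    grouped = defaultdict(set)
    for row in json.loads(json_text):
        if row.get("State") == "LISTENING" or not is_external(row.get("ForeignAddr")):
            continue
        grouped[(row["PID"], row["Owner"])].add(f"{row['ForeignAddr']}:{row['ForeignPort']}")
    return {key: sorted(endpoints) for key, endpoints in sorted(grouped.items())}


def unexpected_talkers(json_text, allowlist):
    """(PID, Owner) pairs with external connections whose process name is not in the
    analyst-supplied set of processes expected to reach the internet on this host."""
    return [key for key in external_endpoints(json_text) if key[1].lower() not in allowlist]


if __name__ == "__main__":
    for (pid, owner), endpoints in external_endpoints(NETSCAN_JSON).items():
        print(f"PID {pid:>5} {owner:<18} -> {', '.join(endpoints)}")
    # Constructed allowlist for the example; derive yours from the host's known baseline.
    print("review:", unexpected_talkers(NETSCAN_JSON, {"chrome.exe"}))
```

Pair the PIDs this reports with the pslist/psscan cross-check: a connection owned by a PID that pslist does not show is a strong lead in its own right.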
Registry Analysis
Key Registry Locations
Service Analysis
Scheduled Tasks
User Information
Phase 5: Advanced Analysis
Malware Detection
Rootkit Detection
Timeline Analysis
String Analysis
Windows-Specific Plugins
Core Plugins
windows.info                  OS and kernel information
windows.pslist                Process list (active)
windows.pstree                Process tree hierarchy
windows.psscan                Scan for processes (hidden)
windows.cmdline               Process command lines
windows.envars                Environment variables
windows.dlllist               Loaded DLLs
windows.handles               Open handles
windows.modules               Loaded kernel modules
windows.driverscan            Scan for drivers
Memory & Extraction
windows.memmap                Process memory map
windows.vadinfo               VAD information
windows.vadwalk               Walk VAD tree
windows.dumpfiles             Extract cached files
windows.filescan              Scan for file objects
windows.moddump               Dump kernel modules
Registry & Credentials
windows.registry.hivelist     List registry hives
windows.registry.printkey     Print registry key
windows.registry.userassist   UserAssist data
windows.hashdump              Dump password hashes
windows.lsadump               LSA secrets
windows.cachedump             Cached credentials
Network & Services
windows.netstat               Active connections
windows.netscan               Scan network connections
windows.svcscan               Windows services
windows.scheduled_tasks       Scheduled tasks
Malware Analysis
windows.malfind               Find injected code
windows.yarascan              YARA rule scanning
windows.ssdt                  SSDT hooks
windows.callbacks             Kernel callbacks
windows.ldrmodules            DLL load analysis
Linux-Specific Plugins
linux.info                  System information
linux.pslist                Process listing
linux.pstree                Process tree
linux.bash                  Bash history
linux.check_afinfo          Network protocol hooks
linux.check_creds           Process credentials
linux.check_idt             IDT hooks
linux.check_modules         Module verification
linux.check_syscall         System call hooks
linux.elfs                  ELF binaries in memory
linux.keyboard_notifiers    Keyboard hooks
linux.lsmod                 Loaded modules
linux.lsof                  Open files
linux.malfind               Malicious memory regions
linux.proc.maps             Process memory maps
linux.psaux                 Processes with arguments
linux.sockstat              Network connections
linux.tty_check             TTY hooks
Linux Workflow
macOS-Specific Plugins
mac.info                System information
mac.pslist              Process listing
mac.pstree              Process tree
mac.bash                Bash history
mac.check_syscall       System call hooks
mac.check_sysctl        Sysctl hooks
mac.check_trap_table    Trap table hooks
mac.ifconfig            Network interfaces
mac.kauth_listeners     Kauth listeners
mac.kevents             Kevents
mac.lsmod               Loaded modules
mac.lsof                Open files
mac.malfind             Injected code
mac.mount               Mounted filesystems
mac.netstat             Network connections
mac.proc_maps           Process memory maps
mac.psaux               Process arguments
mac.socket_filters      Socket filters
mac.timers              Kernel timers
mac.trustedbsd          TrustedBSD hooks
Investigation Workflows
Malware Triage Workflow
Process Investigation Workflow
Credential Extraction Workflow
Rootkit Detection Workflow
Lateral Movement Investigation
Data Exfiltration Investigation
Output Options
YARA Integration
Basic YARA Scanning
Useful YARA Rules Sources
https://github.com/Yara-Rules/rules
https://github.com/Neo23x0/signature-base
https://github.com/reversinglabs/reversinglabs-yara-rules
Quick Reference Card
System info             vol -f mem.dmp windows.info
Process list            vol -f mem.dmp windows.pslist
Process tree            vol -f mem.dmp windows.pstree
Hidden processes        vol -f mem.dmp windows.psscan
Command lines           vol -f mem.dmp windows.cmdline
DLL list                vol -f mem.dmp windows.dlllist
Network connections     vol -f mem.dmp windows.netscan
Open handles            vol -f mem.dmp windows.handles
Services                vol -f mem.dmp windows.svcscan
Registry hives          vol -f mem.dmp windows.registry.hivelist
Registry key            vol -f mem.dmp windows.registry.printkey --key "path"
Password hashes         vol -f mem.dmp windows.hashdump
Injected code           vol -f mem.dmp windows.malfind
YARA scan (rule file)   vol -f mem.dmp windows.yarascan --yara-file file.yar
Kernel modules          vol -f mem.dmp windows.modules
File scan               vol -f mem.dmp windows.filescan
Dump files              vol -f mem.dmp windows.dumpfiles
Dump process            vol -f mem.dmp windows.pslist --dump --pid 1234
JSON output             vol -f mem.dmp -r json windows.pslist

Note: yarascan takes a rule file with --yara-file; --yara-rules expects the rule text itself as a string.
Common Issues & Fixes
Issue                       Fix
No suitable symbol table    Download symbols from Volatility Foundation
Unsupported layer type      Ensure memory image isn't corrupted
Plugin not found            Check plugin name spelling; use --help
Slow analysis               Use SSD, increase RAM, or analyze specific PIDs
Missing processes           Try psscan instead of pslist
Incomplete results          Memory may be corrupted; try different plugins
Python errors               Ensure Python 3.7+ and all dependencies installed
Volatility 2 vs 3 Command Mapping
Volatility 2    Volatility 3
imageinfo       windows.info
pslist          windows.pslist
pstree          windows.pstree
psscan          windows.psscan
dlllist         windows.dlllist
handles         windows.handles
netscan         windows.netscan
hivelist        windows.registry.hivelist
printkey        windows.registry.printkey
hashdump        windows.hashdump
malfind         windows.malfind
svcscan         windows.svcscan
modules         windows.modules
modscan         windows.modscan
filescan        windows.filescan
dumpfiles       windows.dumpfiles
Key Differences:
Vol3: No manual profile selection (auto-detection)
Vol3: Plugin names prefixed with OS (windows., linux., mac.)
Vol3: Python 3 only
Vol3: Symbol tables instead of profiles
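The mapping table and the differences listed above are enough to rewrite old Volatility 2 notes and scripts mechanically. The translator below is an added example, not part of Volatility or of this cheat sheet: it drops `--profile`, prefixes the plugin name from the table above, and maps the option spellings that change between the two versions. The option pairs it knows (`-p`/`--pid` to `--pid`, `-D`/`--dump-dir` to `-o`, `-K`/`--key` to `--key` for printkey, `-Q`/`--physoffset` to `--physaddr` for dumpfiles) are assumptions of the example, so check them against `vol <plugin> --help` before trusting a converted command; anything else after the plugin name is passed through unchanged.

```python
import shlex

# Volatility 2 -> Volatility 3 plugin names, taken from the mapping table on this page.
PLUGIN_MAP = {
    "imageinfo": "windows.info",
    "pslist": "windows.pslist",
    "pstree": "windows.pstree",
    "psscan": "windows.psscan",
    "dlllist": "windows.dlllist",
    "handles": "windows.handles",
    "netscan": "windows.netscan",
    "hivelist": "windows.registry.hivelist",
    "printkey": "windows.registry.printkey",
    "hashdump": "windows.hashdump",
    "malfind": "windows.malfind",
    "svcscan": "windows.svcscan",
    "modules": "windows.modules",
    "modscan": "windows.modscan",
    "filescan": "windows.filescan",
    "dumpfiles": "windows.dumpfiles",
}

# Option spellings this example assumes for the common plugin switches
# (verify against `vol <plugin> --help` for your installed version).
OPTION_MAP = {
    "-p": "--pid", "--pid": "--pid",
    "-D": "-o", "--dump-dir": "-o",
    "-K": "--key", "--key": "--key",
    "-Q": "--physaddr", "--physoffset": "--physaddr",
}

# Leading tokens that name the interpreter or launcher rather than an argument.
LAUNCHERS = {"python", "python2", "python3", "vol.py", "volatility", "vol"}


def translate_tokens(vol2_cmd):
    """Return the Volatility 3 argument vector for a Volatility 2 command line.
    --profile is dropped (vol3 auto-detects), the plugin is renamed via PLUGIN_MAP,
    known options are renamed via OPTION_MAP, unknown options pass through."""
    tokens = shlex.split(vol2_cmd)
    image, plugin, tail = None, None, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in LAUNCHERS or tok.endswith("/vol.py"):
            i += 1
        elif tok == "--profile" or tok.startswith("--profile="):
            # No vol3 counterpart; skip a separately supplied value as well.
            i += 1 if "=" in tok else 2
        elif tok in ("-f", "--filename"):
            image = tokens[i + 1]
            i += 2
        elif tok.startswith("--filename="):
            image = tok.split("=", 1)[1]
            i += 1
        elif plugin is None and not tok.startswith("-"):
            if tok not in PLUGIN_MAP:
                raise ValueError(f"no Volatility 3 equivalent in the table for plugin {tok!r}")
            plugin = PLUGIN_MAP[tok]
            i += 1
        else:
            # Plugin option, possibly in --name=value form; rename the switch, keep its value.
            name, sep, value = tok.partition("=")
            tail.append(OPTION_MAP.get(name, name))
            if sep:
                tail.append(value)
            i += 1
    if image is None or plugin is None:
        raise ValueError("command needs -f <image> and a plugin name")
    return ["vol", "-f", image, plugin, *tail]


def translate(vol2_cmd):
    """Shell-quoted Volatility 3 command line for a Volatility 2 one."""
    return shlex.join(translate_tokens(vol2_cmd))


if __name__ == "__main__":
    for old in (
        "vol.py -f mem.dmp --profile=Win7SP1x64 pslist -p 1234",
        "python vol.py --profile Win10x64_19041 -f mem.dmp dumpfiles -Q 0x3e1f2a30 -D out",
        "vol.py -f mem.dmp --profile=Win7SP1x64 printkey -K 'ControlSet001\\Services'",
    ):
        print(old, "\n  ->", translate(old))
```

Plugins outside the table raise rather than guess, which is the right failure mode: several Volatility 2 plugins were renamed, split or dropped in Volatility 3, so an unmapped name needs a human look rather than a `windows.` prefix.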