volatility3::memory

tool volatility3 memory forensics
01 Setup & Identify
Install & run
# Install
pip install volatility3
# or
git clone https://github.com/volatilityfoundation/volatility3
cd volatility3 && pip install -e .

# Basic syntax (vol3)
vol -f memory.dmp windows.info
python3 vol.py -f memory.dmp plugin.name

# Output formats
vol -f mem.dmp -r json windows.pslist   # JSON
vol -f mem.dmp -r csv  windows.pslist   # CSV
vol -f mem.dmp -r pretty windows.pslist # colored

# Global options MUST come before the plugin name
vol -f mem.dmp -r csv -o ./output/ windows.pslist

# Symbols (needed for Linux/Mac)
# https://downloads.volatilityfoundation.org/volatility3/symbols/
# Place .json.xz in volatility3/symbols/
# Windows symbols are auto-downloaded and cached
Identify the image
# Get OS, version, architecture
vol -f mem.dmp windows.info
vol -f mem.dmp banners        # Linux banner string
vol -f mem.dmp isfinfo        # ISF symbol info

# vol3 doesn't have imageinfo — use windows.info
# or check strings for OS version:
strings mem.dmp | grep "Windows" | head -20
strings mem.dmp | grep "Linux version"

# Memory image types supported:
# .raw .dmp .vmem .mem .bin .img .lime .e01
02 Processes (Windows)
List & inspect
# Process list
vol -f mem.dmp windows.pslist       # EPROCESS linked list
vol -f mem.dmp windows.pstree       # tree view (parent→child)
vol -f mem.dmp windows.psscan       # pool scan (hidden/terminated)

# ⚠ windows.psxview does NOT exist in Vol3
# Workaround: diff pslist vs psscan manually
vol -f mem.dmp -r csv windows.pslist > pslist.csv   # -r is global: before the plugin
vol -f mem.dmp -r csv windows.psscan > psscan.csv
# PIDs in psscan but not pslist → hidden

# Suspicious processes
vol -f mem.dmp windows.cmdline      # command lines
vol -f mem.dmp windows.dlllist      # loaded DLLs
vol -f mem.dmp windows.handles      # open handles
vol -f mem.dmp windows.getsids      # SIDs per process
vol -f mem.dmp windows.privileges   # process privileges

# Filter by PID
vol -f mem.dmp windows.dlllist --pid 1234
VAD & threads
# Virtual address descriptors
vol -f mem.dmp windows.vadinfo      # memory regions
vol -f mem.dmp windows.vadinfo --pid 1234
vol -f mem.dmp windows.vadwalk

# Threads
vol -f mem.dmp windows.threads
vol -f mem.dmp windows.threads --pid 1234

# Suspicious process tells:
# - misspelled names (svchost → scvhost)
# - wrong parent (svchost parent != services.exe)
# - unusual paths
# - cmd/powershell spawned by Office
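The four tells above, scripted over `-r json windows.pslist` output (added example, not part of the cheatsheet). The sample JSON is constructed and trimmed to the three fields read here; the expected-parent baseline and the Office/shell name sets are assumptions for a stock Windows 7+ box.

```python
import difflib
import json

# Constructed sample shaped like `vol -r json windows.pslist` output, trimmed to the
# three fields this check reads (real output also carries Offset, Threads, times, ...).
PSLIST_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System"},
    {"PID": 600,  "PPID": 400,  "ImageFileName": "wininit.exe"},
    {"PID": 700,  "PPID": 600,  "ImageFileName": "services.exe"},
    {"PID": 900,  "PPID": 700,  "ImageFileName": "svchost.exe"},     # normal
    {"PID": 2000, "PPID": 1200, "ImageFileName": "explorer.exe"},
    {"PID": 2100, "PPID": 2000, "ImageFileName": "svchost.exe"},     # wrong parent
    {"PID": 3300, "PPID": 2000, "ImageFileName": "scvhost.exe"},     # misspelled
    {"PID": 4100, "PPID": 2000, "ImageFileName": "WINWORD.EXE"},
    {"PID": 4200, "PPID": 4100, "ImageFileName": "powershell.exe"},  # Office -> shell
])

# Assumed baseline for a standard Windows 7+ boot; tune per environment.
EXPECTED_PARENT = {"svchost.exe": "services.exe", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe"}
WELL_KNOWN = ["system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
              "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def find_suspicious(pslist_json):
    """Return (PID, name, reason) for each process tripping one of the tells."""
    procs = json.loads(pslist_json)
    by_pid = {p["PID"]: p for p in procs}   # PIDs get reused: a PPID lookup can mislead
    findings = []                           # when the real parent has already exited
    for p in procs:
        name = p["ImageFileName"].lower()
        parent = by_pid.get(p["PPID"])
        pname = parent["ImageFileName"].lower() if parent else None
        if name in EXPECTED_PARENT and pname != EXPECTED_PARENT[name]:
            findings.append((p["PID"], name,
                             f"parent {pname or 'missing'}, expected {EXPECTED_PARENT[name]}"))
        if name not in WELL_KNOWN:   # near-miss spelling of a core binary (svchost/scvhost)
            close = difflib.get_close_matches(name, WELL_KNOWN, n=1, cutoff=0.85)
            if close:
                findings.append((p["PID"], name, f"lookalike of {close[0]}"))
        if name in SHELLS and pname in OFFICE:
            findings.append((p["PID"], name, f"spawned by {pname}"))
    return findings

if __name__ == "__main__":
    for pid, name, why in find_suspicious(PSLIST_JSON):
        print(f"{pid:>6} {name:<16} {why}")
```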
03 Malware Detection
⚠ NAMESPACE CHANGE: As of Vol3 v2.11+, malware plugins move under windows.malware.*. Old names (e.g. windows.malfind) are deprecated but still work for now.
Code injection & hollowing
# Injected code: RWX regions with PE headers
vol -f mem.dmp windows.malfind
vol -f mem.dmp windows.malfind --pid 1234
# New namespace:
vol -f mem.dmp windows.malware.malfind

# Process hollowing detection
vol -f mem.dmp windows.hollowprocesses
# New namespace:
vol -f mem.dmp windows.malware.hollowprocesses
# Compares on-disk PE vs in-memory PE

# DLL path anomalies
vol -f mem.dmp windows.dlllist --pid 1234
# Look for: DLLs from temp dirs, user paths
SSDT & kernel
# Service table hooks
vol -f mem.dmp windows.ssdt

# Driver scan
vol -f mem.dmp windows.driverscan
vol -f mem.dmp windows.driverirp

# Loaded modules
vol -f mem.dmp windows.modules
vol -f mem.dmp windows.modscan       # finds unloaded/hidden
04 Network
Connections & sockets
# Scan-based (most reliable, works on all versions)
vol -f mem.dmp windows.netscan

# Walk-based (requires recent vol3)
vol -f mem.dmp windows.netstat

# Output: PID, proto, local, remote, state
# Look for: unusual ports, foreign IPs, ESTABLISHED

# Filter for specific state
vol -f mem.dmp windows.netscan | grep ESTABLISHED
vol -f mem.dmp windows.netscan | grep LISTEN
vol -f mem.dmp windows.netscan | grep ":4444\|:8080\|:1337"

# Which process owns a connection
vol -f mem.dmp windows.netscan | grep ":443"
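The same triage as the greps above, done over `-r json windows.netscan` output so the owning process comes with each hit (added example, not part of the cheatsheet). The sample JSON and its addresses are constructed; the odd-port list is the one the cheatsheet greps for, and the "internal" ranges are an RFC1918/loopback assumption to adjust per environment.

```python
import ipaddress
import json

# Constructed sample shaped like `vol -r json windows.netscan` output, trimmed to the
# fields used here; the addresses are made up for the example.
NETSCAN_JSON = json.dumps([
    {"Proto": "TCPv4", "LocalAddr": "0.0.0.0",  "LocalPort": 445,   "ForeignAddr": "0.0.0.0",
     "ForeignPort": 0,    "State": "LISTENING",   "PID": 4,    "Owner": "System"},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49812, "ForeignAddr": "10.0.0.10",
     "ForeignPort": 445,  "State": "ESTABLISHED", "PID": 4,    "Owner": "System"},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49900, "ForeignAddr": "203.0.113.7",
     "ForeignPort": 4444, "State": "ESTABLISHED", "PID": 3300, "Owner": "scvhost.exe"},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49901, "ForeignAddr": "198.51.100.20",
     "ForeignPort": 443,  "State": "ESTABLISHED", "PID": 5200, "Owner": "chrome.exe"},
    {"Proto": "TCPv4", "LocalAddr": "0.0.0.0",  "LocalPort": 1337,  "ForeignAddr": "0.0.0.0",
     "ForeignPort": 0,    "State": "LISTENING",   "PID": 3300, "Owner": "scvhost.exe"},
])

ODD_PORTS = {4444, 8080, 1337}                        # the ports the cheatsheet greps for
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
INTERNAL = [ipaddress.ip_network(n) for n in          # assumption: adjust per environment
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(addr):
    """RFC1918/loopback test only; netscan may print '*' or '' for unbound sockets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL)

def triage_netscan(netscan_json):
    """Return (PID, owner, peer, state, reasons) for connections worth a second look."""
    findings = []
    for c in json.loads(netscan_json):
        owner = (c["Owner"] or "").lower()           # Owner is null when unresolvable
        reasons = []
        if c["LocalPort"] in ODD_PORTS or c["ForeignPort"] in ODD_PORTS:
            reasons.append("odd port")
        if (c["State"] == "ESTABLISHED" and not is_internal(c["ForeignAddr"])
                and owner not in BROWSERS):
            reasons.append("non-browser process with external peer")
        if reasons:
            findings.append((c["PID"], owner, f'{c["ForeignAddr"]}:{c["ForeignPort"]}',
                             c["State"], reasons))
    return findings

if __name__ == "__main__":
    for pid, owner, peer, state, reasons in triage_netscan(NETSCAN_JSON):
        print(f"{pid:>6} {owner:<14} {peer:<22} {state:<12} {', '.join(reasons)}")
```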
05 Files & Artifacts
File system
# List cached files in memory
vol -f mem.dmp windows.filescan
vol -f mem.dmp windows.filescan | grep -i "flag\|secret\|pass\|key"
vol -f mem.dmp windows.filescan | grep -i ".txt\|.doc\|.pdf\|.kdbx"

# Dump file by offset (from filescan)
vol -f mem.dmp -o ./output/ windows.dumpfiles --virtaddr 0xfffffa8...
vol -f mem.dmp -o ./output/ windows.dumpfiles --physaddr 0x1234000
vol -f mem.dmp -o ./output/ windows.dumpfiles --pid 1234
Process dump & strings
# Dump process memory (full address space)
vol -f mem.dmp -o ./output/ windows.memmap --pid 1234 --dump

# Dump process executable (Vol3 has no procdump; use --dump on pslist)
vol -f mem.dmp -o ./output/ windows.pslist --pid 1234 --dump

# Dump DLLs / kernel modules (Vol3 has no moddump; use --dump on dlllist/modules)
vol -f mem.dmp -o ./output/ windows.dlllist --pid 1234 --dump
vol -f mem.dmp -o ./output/ windows.modules --dump

# Strings from process dump
strings ./output/pid.1234.dmp | grep -i "flag\|picoCTF"

# Strings from entire image
strings mem.dmp | grep "picoCTF"        # ASCII
strings -el mem.dmp | grep "picoCTF"   # UTF-16LE (Windows)
06 Registry (Windows)
Registry hives
# List registry hives in memory
vol -f mem.dmp windows.registry.hivelist

# Print a specific registry key
vol -f mem.dmp windows.registry.printkey \
    --key "Software\Microsoft\Windows\CurrentVersion\Run"

# Services (persistence)
vol -f mem.dmp windows.registry.printkey \
    --key "SYSTEM\CurrentControlSet\Services"

# UserAssist (ROT13 encoded!)
vol -f mem.dmp windows.registry.printkey \
    --key "Software\...\Explorer\UserAssist"

# Dump user hashes (SAM)
vol -f mem.dmp windows.hashdump

# LSA secrets
vol -f mem.dmp windows.lsadump

# Cached domain credentials
vol -f mem.dmp windows.cachedump
Credentials & console history
# Dump NTLM hashes
vol -f mem.dmp windows.hashdump
# Format: user:RID:LM:NTLM
# Crack: hashcat -m 1000 ntlm.txt rockyou.txt

# Console history (Vol3 v2.26+ — unreliable
# on Win 7/10, may throw "not implemented")
vol -f mem.dmp windows.cmdscan
vol -f mem.dmp windows.consoles

# ⚠ If cmdscan/consoles fail, fall back to:
vol -f mem.dmp -o ./out/ windows.memmap --pid <cmd_pid> --dump
strings ./out/pid.*.dmp | grep -i "flag\|command"

# ⚠ Vol2-only — NO Vol3 equivalent:
#   windows.clipboard  → dump explorer.exe + strings
#   windows.iehistory  → community browser plugins
#   windows.screenshot → no workaround
07 Linux Plugins
Linux-specific
# Processes
vol -f mem.dmp linux.pslist
vol -f mem.dmp linux.pstree
vol -f mem.dmp linux.psscan

# Network
vol -f mem.dmp linux.netstat

# Files (linux.filescan does NOT exist)
vol -f mem.dmp linux.pagecache.Files
vol -f mem.dmp linux.find_file -F /etc/passwd

# bash history / environment
vol -f mem.dmp linux.bash
vol -f mem.dmp linux.envars

# Kernel modules (deprecated → malware.*)
vol -f mem.dmp linux.lsmod
vol -f mem.dmp linux.malware.check_modules

# System / hooks / mounts
vol -f mem.dmp linux.check_syscall
vol -f mem.dmp linux.tty_check
vol -f mem.dmp linux.mountinfo
vol -f mem.dmp linux.elfs
Build Linux symbols
# Linux REQUIRES ISF symbol file matching exact kernel

# Option 1: dwarf2json (if you have debug kernel)
dwarf2json linux \
    --system-map /boot/System.map-$(uname -r) \
    --elf /usr/lib/debug/vmlinux-$(uname -r) \
    | xz > output.json.xz
# dwarf2json writes plain JSON to stdout, so compress it yourself
# Place in: volatility3/symbols/linux/

# Option 2: Download pre-built
# https://isf-server.techanarchy.net/
# Match EXACTLY: distro + kernel version + arch

# Check banner for kernel version
vol -f mem.dmp banners
strings mem.dmp | grep "Linux version"
08 Strings & YARA Search
Quick flag hunting
# Fast: strings the whole image first
strings mem.dmp | grep -i "picoCTF{\|CTF{\|flag{"
strings -el mem.dmp | grep -i "picoCTF"    # UTF-16LE (Windows)

# Hex search
grep -boa "picoCTF" mem.dmp               # byte offset
xxd -g 0 mem.dmp | grep -i "7069636f"     # hex of 'pico' (-g 0: no byte grouping;
                                          # misses matches split across a 16-byte line)

# YARA scan across all process memory
vol -f mem.dmp windows.vadyarascan --yara-rules "picoCTF"
vol -f mem.dmp windows.vadyarascan --yara-file rules.yar

# Search specific process
vol -f mem.dmp windows.vadyarascan --pid 1234 --yara-rules "flag"

# Kernel-space YARA scan
vol -f mem.dmp yarascan --yara-rules "picoCTF"
09 Community Plugins (CTF Gold)
Install & available plugins
# Install community plugins
git clone https://github.com/volatilityfoundation/community3
cp -r community3/*/plugins/* volatility3/volatility3/plugins/

# Or individual plugins
git clone https://github.com/forensicxlab/volatility3_plugins
cp volatility3_plugins/*.py volatility3/volatility3/plugins/windows/

# pypykatz (mimikatz-style credential extraction)
pip install pypykatz
# Then: vol -f mem.dmp windows.pypykatz
Plugin            | Author       | What it does
windows.prefetch  | forensicxlab | Parse Prefetch files from memory (XP→Win11)
chromehistory     | superponible | Browser history, cookies, downloads. Replaces iehistory
pypykatz          | skelsec      | Mimikatz-style credential extraction
windows.notepad   | its5Q        | Dump Notepad text (Win 7/10, not Win 11 UWP)
bitlocker         | triCKSec     | Extract BitLocker FVEK from memory
evtxlogs          | pitfirerxf   | Extract Event Log entries from memory
autoruns          | tomchop      | Find persistence ASEPs (Run keys, services, tasks)
10 Plugin Reference
Core Vol3 — confirmed
Plugin                  | What it does
windows.pslist          | EPROCESS list — active processes
windows.pstree          | Process tree (parent→child)
windows.psscan          | Pool scan — finds hidden/terminated
windows.cmdline         | Command line arguments per process
windows.dlllist         | Loaded DLLs per process
windows.handles         | Open handles (files, reg, mutexes)
windows.netscan         | Network connections (scan-based)
windows.netstat         | Network connections (walk-based)
windows.filescan        | File objects in memory
windows.dumpfiles       | Extract file by offset
windows.malfind         | RWX + PE headers → injection ⟶ malware.malfind
windows.hollowprocesses | Detect hollowing ⟶ malware.hollowprocesses
windows.ssdt            | System Service Descriptor Table hooks
windows.hashdump        | Dump SAM NTLM hashes
windows.lsadump         | LSA secrets
windows.vadyarascan     | YARA scan across VAD regions
windows.cmdscan         | Command history (v2.26+, UNRELIABLE)
windows.consoles        | Console output (v2.26+, UNRELIABLE)
Vol2-only — NOT in Vol3
Vol2 plugin | Workaround
psxview     | Diff pslist vs psscan output manually
clipboard   | Dump rdpclip.exe / explorer.exe + strings
iehistory   | Community chrome/firefox plugins
screenshot  | No easy workaround
prefetch    | Community plugin (forensicxlab)
Hidden process detection (replaces psxview)
# Export both lists
vol -f mem.dmp -r csv windows.pslist \
  | awk -F',' '{print $1}' | sort > pslist.txt
vol -f mem.dmp -r csv windows.psscan \
  | awk -F',' '{print $1}' | sort > psscan.txt
# (-r is a global option, so it goes before the plugin name;
#  the PID header line appears in both files and cancels out in comm)

# PIDs in psscan but not pslist → hidden
comm -13 pslist.txt psscan.txt

# Investigate hidden PID
vol -f mem.dmp windows.psscan | grep <pid>
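Scripted form of the pslist/psscan diff above, over `-r json` output (added example, not part of the cheatsheet). Unlike the comm one-liner it uses psscan's ExitTime column to separate processes that simply exited from ones that are unlinked, and it also reports the reverse case. The sample JSON is constructed and trimmed to the fields compared; the assumption is that the renderer emits ExitTime as a string or null.

```python
import json

# Constructed samples shaped like `vol -r json windows.pslist` / `windows.psscan`
# output, trimmed to the fields compared here. ExitTime is a timestamp string or null.
PSLIST_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,   "ImageFileName": "System",       "ExitTime": None},
    {"PID": 700,  "PPID": 600, "ImageFileName": "services.exe", "ExitTime": None},
    {"PID": 900,  "PPID": 700, "ImageFileName": "svchost.exe",  "ExitTime": None},
])
PSSCAN_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "ExitTime": None},
    {"PID": 700,  "PPID": 600,  "ImageFileName": "services.exe", "ExitTime": None},
    {"PID": 900,  "PPID": 700,  "ImageFileName": "svchost.exe",  "ExitTime": None},
    {"PID": 1500, "PPID": 2000, "ImageFileName": "notepad.exe",
     "ExitTime": "2024-01-01 10:00:00.000000"},                   # exited, block still in pool
    {"PID": 3100, "PPID": 700,  "ImageFileName": "rootkit.exe",  "ExitTime": None},  # unlinked
])

def compare_pslist_psscan(pslist_json, psscan_json):
    """Split psscan-only hits into (hidden, terminated) and report pslist-only ones."""
    # Keyed by PID for simplicity; a reused PID would collapse two _EPROCESS blocks.
    listed = {p["PID"]: p for p in json.loads(pslist_json)}
    scanned = {p["PID"]: p for p in json.loads(psscan_json)}
    hidden, terminated, unscanned = [], [], []
    for pid, p in scanned.items():
        if pid in listed:
            continue
        # psscan carves _EPROCESS blocks by pool tag, so it also returns processes
        # that have exited; those carry an ExitTime and are not unlinked.
        target = terminated if p["ExitTime"] else hidden
        target.append((pid, p["ImageFileName"]))
    for pid, p in listed.items():
        if pid not in scanned:            # linked but not carved: pool tag overwritten
            unscanned.append((pid, p["ImageFileName"]))
    return hidden, terminated, unscanned

if __name__ == "__main__":
    hidden, terminated, unscanned = compare_pslist_psscan(PSLIST_JSON, PSSCAN_JSON)
    print("hidden (unlinked):", hidden)
    print("terminated:       ", terminated)
    print("pslist-only:      ", unscanned)
```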
MEMORY CTF CHECKLIST
 ① strings mem.dmp | grep "picoCTF{"           — fastest check
 ② strings -el mem.dmp | grep "picoCTF"        — UTF-16LE (Windows wide strings)
 ③ windows.info                                identify OS
 ④ windows.pstree                              suspicious processes (wrong parent, misspelled)
 ⑤ windows.cmdline                             see what was run (powershell -enc, certutil)
 ⑥ windows.netscan                             unusual connections (C2, exfil)
 ⑦ windows.malfind                             injected code in memory
 ⑧ windows.filescan | grep flag                find interesting files
 ⑨ windows.dumpfiles --virtaddr                extract them
 ⑩ windows.hashdump                            crack NTLM → pivot
 ⑪ windows.registry.printkey --key "...\Run"   persistence
 ⑫ Diff pslist vs psscan                       hidden processes (replaces psxview)