
Volatility


The Volatility Framework is the world’s most widely used, open-source memory forensics platform designed for incident response and malware analysis.
Written in Python, it enables investigators to extract digital artifacts from RAM dumps (Windows, Linux, macOS) to analyze running processes, network connections, and registry hives.

Website: https://volatilityfoundation.org/the-volatility-framework/
Volatility 3 is the current, actively developed framework.

Volatility 2

Written in Python 2, Volatility 2 was released in 2011 with profile-based analysis and an extensive plugin ecosystem.
It required users to explicitly specify a profile (e.g., WinXPSP2x86) matching the exact operating system version of the memory image so the tool could interpret the kernel data structures correctly.
It is deprecated (Python 2 reached end-of-life).

Syntax:

  1. First, find the profile: python2 vol.py -f memdump.raw imageinfo
  2. Then, run the plugin using that profile: python2 vol.py -f memdump.raw --profile=Win10x64_18362 pslist

Volatility 3

Volatility 3 was rebuilt from the ground up to address limitations in Volatility 2, particularly regarding speed, Python version compatibility, and ease of use.

  • Language: Python 3.
  • Symbol Tables: Vol 3 completely eliminates the need to specify a profile. Instead, it uses a library of “Symbol Tables” (JSON-based ISF files). When you run a command, Vol 3 automatically scans the memory dump, identifies the exact OS kernel build, and applies the correct symbol table on the fly.
  • Speed: Significantly faster than Volatility 2, especially when running multiple plugins, due to better caching and a rewritten architecture.
  • Command Structure: The syntax is entirely different. You must explicitly specify the OS layer in the plugin name (e.g., windows.pslist, linux.bash, mac.netstat).

Syntax: vol -f memdump.raw windows.pslist
Installation: pip install volatility3

Plugins

Process Analysis

These plugins help you figure out what was running on the system when the memory dump was taken.

  • pslist: Walks the standard doubly-linked list (ActiveProcessLinks) to show running processes. It provides a standard “Task Manager” view, showing Process IDs (PIDs), Parent PIDs (PPIDs), and start times.
  • psscan: Instead of trusting the linked list (which malware can manipulate), this plugin scans the raw memory for _EPROCESS structures. Crucial for detecting hidden processes that use Direct Kernel Object Manipulation (DKOM) to unlink themselves from pslist, as well as finding recently terminated processes.
  • pstree: Organizes the pslist output into a visual tree based on parent-child relationships. This is critical for spotting behavioral anomalies (e.g., svchost.exe should be spawned by services.exe; if it is spawned by explorer.exe, it is likely malicious).

Network Analysis

Malware usually needs to communicate with an attacker. These plugins find that communication.

  • netscan: Scans memory for network artifacts (TCP endpoints, UDP endpoints). It is highly effective because it can identify active, listening, and recently closed connections, along with the IP addresses, ports, and the specific PID responsible for the connection. Superior to netstat because it finds closed and terminated connections that persist in memory artifacts.
  • netstat: Walks the active network lists (similar to running netstat on a live machine).
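The cross-checks described in the two sections above (psscan versus pslist for DKOM-hidden or terminated processes, pstree-style parent checks, and netscan endpoints attributed to a PID that pslist no longer shows) can be automated over saved plugin output. The script below is an added example and is not part of Volatility; the three tables are constructed, tab-separated text in the shape of the default Vol 3 renderer output with a simplified column set, and the process names, PIDs, offsets and 203.0.113.x addresses are made up so it runs offline. Point it at real `vol -f memdump.raw windows.pslist`, `windows.psscan` and `windows.netscan` output to use it on a case.

```python
"""Cross-check Volatility 3 process and network output for hidden or misplaced activity.

Added example, not code from the Volatility project. Sample tables are constructed.
"""
from typing import Dict, List, Tuple

Row = Dict[str, str]

# Constructed sample of `windows.pslist` output (columns simplified).
PSLIST_OUTPUT = "\n".join([
    "PID\tPPID\tImageFileName\tCreateTime\tExitTime",
    "4\t0\tSystem\t2026-04-22 10:00:01\tN/A",
    "324\t4\tsmss.exe\t2026-04-22 10:00:02\tN/A",
    "480\t324\twininit.exe\t2026-04-22 10:00:03\tN/A",
    "588\t480\tservices.exe\t2026-04-22 10:00:03\tN/A",
    "596\t480\tlsass.exe\t2026-04-22 10:00:03\tN/A",
    "760\t588\tsvchost.exe\t2026-04-22 10:00:04\tN/A",
    "1200\t1140\texplorer.exe\t2026-04-22 10:01:10\tN/A",
    "3344\t1200\tsvchost.exe\t2026-04-22 10:15:22\tN/A",   # wrong parent
    "3500\t3344\tpowershell.exe\t2026-04-22 10:15:23\tN/A",
])

# Constructed sample of `windows.psscan`: everything pslist shows plus two extra hits.
PSSCAN_OUTPUT = PSLIST_OUTPUT + "\n" + "\n".join([
    "2204\t588\tevil.exe\t2026-04-22 10:12:00\tN/A",                     # unlinked (DKOM)
    "1900\t1200\tnotepad.exe\t2026-04-22 10:05:00\t2026-04-22 10:09:30",  # terminated
])

# Constructed sample of `windows.netscan` (columns simplified, offsets fake).
NETSCAN_OUTPUT = "\n".join([
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner",
    "0xe0000a000001\tTCPv4\t0.0.0.0\t445\t0.0.0.0\t0\tLISTENING\t4\tSystem",
    "0xe0000a000002\tTCPv4\t10.0.0.5\t49712\t203.0.113.7\t443\tESTABLISHED\t2204\tevil.exe",
    "0xe0000a000003\tTCPv4\t10.0.0.5\t49800\t203.0.113.9\t8080\tESTABLISHED\t3500\tpowershell.exe",
])


def parse_vol_table(text: str) -> List[Row]:
    """Turn tab-separated Vol 3 output (header line first) into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def proc_key(row: Row) -> Tuple[str, str]:
    """Windows recycles PIDs, so identify a process by PID plus creation time, not PID alone."""
    return (row["PID"], row["CreateTime"])


def hidden_processes(pslist: List[Row], psscan: List[Row]) -> List[Row]:
    """psscan hits missing from the ActiveProcessLinks walk that have NOT exited: the DKOM case."""
    listed = {proc_key(r) for r in pslist}
    return [r for r in psscan if proc_key(r) not in listed and r["ExitTime"] == "N/A"]


def terminated_processes(pslist: List[Row], psscan: List[Row]) -> List[Row]:
    """psscan hits missing from pslist that carry an exit time: leftover _EPROCESS of a dead process."""
    listed = {proc_key(r) for r in pslist}
    return [r for r in psscan if proc_key(r) not in listed and r["ExitTime"] != "N/A"]


# Expected parents for core Windows processes (lower-case image names).
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}


def parent_anomalies(rows: List[Row]) -> List[Tuple[str, str, str]]:
    """(PID, image, actual parent image) for core processes whose parent is not the expected one."""
    by_pid = {r["PID"]: r for r in rows}
    out = []
    for r in rows:
        allowed = EXPECTED_PARENT.get(r["ImageFileName"].lower())
        if not allowed:
            continue
        parent = by_pid.get(r["PPID"])
        parent_name = parent["ImageFileName"].lower() if parent else "<not in list>"
        if parent_name not in allowed:
            out.append((r["PID"], r["ImageFileName"], parent_name))
    return out


def orphan_connections(netscan: List[Row], pslist: List[Row]) -> List[Row]:
    """Endpoints whose owning PID is absent from pslist: a hidden process, or a terminated one
    whose connection artifact still persists in memory."""
    listed = {r["PID"] for r in pslist}
    return [r for r in netscan if r["PID"] not in listed]


PSLIST = parse_vol_table(PSLIST_OUTPUT)
PSSCAN = parse_vol_table(PSSCAN_OUTPUT)
NETSCAN = parse_vol_table(NETSCAN_OUTPUT)

if __name__ == "__main__":
    for r in hidden_processes(PSLIST, PSSCAN):
        print("HIDDEN  ", r["PID"], r["ImageFileName"])
    for r in terminated_processes(PSLIST, PSSCAN):
        print("EXITED  ", r["PID"], r["ImageFileName"], "at", r["ExitTime"])
    for pid, image, parent in parent_anomalies(PSLIST):
        print("PARENT? ", pid, image, "spawned by", parent)
    for r in orphan_connections(NETSCAN, PSLIST):
        print("ORPHAN  ", r["Proto"], r["ForeignAddr"], r["ForeignPort"], "owner PID", r["PID"], r["Owner"])
```

Keying on (PID, CreateTime) rather than PID alone matters on long-running hosts: a terminated process's PID can be handed to a new one, and comparing by PID would then hide the stale psscan entry. Note that a parent that has legitimately exited (explorer.exe's userinit.exe, for instance) shows up as "<not in list>", which is why only processes with a fixed, long-lived expected parent are in EXPECTED_PARENT.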

Malware & Code Injection

These are the advanced plugins used to detect fileless malware, rootkits, and process hollowing.

  • malfind: The go-to plugin for detecting code injection. It scans process memory looking for pages that have PAGE_EXECUTE_READWRITE (RWX) permissions but are not backed by a physical file on the disk. This usually indicates shellcode or a malicious payload injected directly into RAM.
  • dlllist: Lists all the dynamic-link libraries (DLLs) loaded by a specific process. Helps identify if a legitimate process is loading a suspicious or out-of-place DLL.
  • ldrmodules: Detects unlinked (hidden) DLLs. It compares the three different lists Windows uses to track loaded modules. If a DLL is in memory but missing from these lists, the malware is actively trying to hide it.
  • cmdline: Recovers the exact command-line arguments used to launch a process. This is invaluable for finding malicious PowerShell scripts (e.g., powershell.exe -ExecutionPolicy Bypass -enc <Base64String>).
  • yarascan: Allows you to scan the entire memory dump, or the memory space of a specific PID, using YARA rules or plain text/hex strings. If you know the specific byte sequence or string associated with a malware family, you can use this to instantly find where it is hiding in memory, even if it has injected itself into a legitimate process.
  • mutantscan: Scans memory for mutexes (mutual exclusion objects). Malware often creates a uniquely named mutex (e.g., \BaseNamedObjects\MalwareXYZ_Mutex) to ensure that only one instance of its payload runs on the system at a time. Finding a known malicious mutex name is a strong indicator of compromise (IoC).

Registry & Credentials

Memory captures often contain sensitive system configuration data and passwords.

  • hivelist: Locates the memory addresses of loaded Registry hives (like SAM, SYSTEM, SOFTWARE, and NTUSER.DAT).
  • printkey: Allows you to view the contents of a specific registry key directly from memory (often used to check Run keys for malware persistence mechanisms).
  • hashdump: Extracts NTLM password hashes from the SAM registry hive currently loaded in memory, which can later be used for password cracking or Pass-the-Hash analysis.

File Recovery

  • filescan: Scans memory for _FILE_OBJECT structures. It acts like a directory search for the RAM, allowing you to find the memory offsets for files that were open or recently accessed.
  • dumpfiles: Takes the memory offset found via filescan (or a specific PID) and extracts that file or executable out of the memory dump and saves it to your forensic workstation for further reverse engineering.
  • procdump: Dumps a process’s executable (.exe) image directly from memory to your forensic workstation. The dump can then be loaded into a disassembler such as Ghidra or IDA Pro, or its hash checked against VirusTotal.
  • memdump: Dumps the entire addressable memory space of a specific process. If you dump the memory of a web browser or a password manager, you can run the strings command on the resulting file to find decrypted passwords, HTTP requests, or document contents that were never saved to disk.
https://nahil.xyz/vault/tools/volatility/
Author Nahil Rasheed
Published at April 22, 2026
Disclaimer This content is provided strictly for educational purposes only.