---
title: 'Volatility CheatSheet - Windows Memory Dump Analysis - Forensic'
---

![Volatility](https://avatars.githubusercontent.com/u/6001145)

[Volatility Foundation](https://github.com/volatilityfoundation/)

Volatility CheatSheet - Windows memdump
===

## OS Information

**imageinfo**

> Volatility 2

```
vol.py -f "filename" imageinfo
vol.py -f "filename" kdbgscan
```

> Volatility 3

```
vol3 -f "filename" windows.info
```

## Process Information

**process list**

> Volatility 2

```
vol.py -f "filename" --profile <profile> pslist
vol.py -f "filename" --profile <profile> psscan
vol.py -f "filename" --profile <profile> pstree
vol.py -f "filename" --profile <profile> psxview
```

> Volatility 3

```
vol3 -f "filename" windows.pslist
vol3 -f "filename" windows.psscan
vol3 -f "filename" windows.pstree
```

**procdump**

> Volatility 2

```
vol.py -f "filename" --profile <profile> procdump -p <PID> --dump-dir="output/dir"
```

> Volatility 3

```
vol3 -f "filename" -o "output/dir" windows.dumpfiles --pid <PID>
```

**memdump**

> Volatility 2

```
vol.py -f "filename" --profile <profile> memdump -p <PID> --dump-dir="output/dir"
```

> Volatility 3

```
vol3 -f "filename" -o "output/dir" windows.memmap --dump --pid <PID>
```

**handles**

> Volatility 2

```
vol.py -f "filename" --profile <profile> handles -p <PID>
```

> Volatility 3

```
vol3 -f "filename" windows.handles --pid <PID>
```

**dlls**

> Volatility 2

```
vol.py -f "filename" --profile <profile> dlllist -p <PID>
```

> Volatility 3

```
vol3 -f "filename" windows.dlllist --pid <PID>
```

**cmdline**

> Volatility 2

```
vol.py -f "filename" --profile <profile> cmdline -p <PID>
```

> Volatility 3

```
vol3 -f "filename" windows.cmdline --pid <PID>
```

## Network Information

**netscan**

> Volatility 2

```
vol.py -f "filename" --profile <profile> netscan
vol.py -f "filename" --profile <profile> netstat

# XP/2003 specific
vol.py -f "filename" --profile <profile> connscan
vol.py -f "filename" --profile <profile> connections
vol.py -f "filename" --profile <profile> sockscan
vol.py -f "filename" --profile <profile> sockets
```

> Volatility 3

```
vol3 -f "filename" windows.netscan
vol3 -f "filename" windows.netstat
```

## Registry

**hivelist**

> Volatility 2

```
vol.py -f "filename" --profile <profile> hivescan
vol.py -f "filename" --profile <profile> hivelist
```

> Volatility 3

```
vol3 -f "filename" windows.registry.hivescan
vol3 -f "filename" windows.registry.hivelist
```

**printkey**

> Volatility 2

```
vol.py -f "filename" --profile <profile> printkey
vol.py -f "filename" --profile <profile> printkey -K "Software\Microsoft\Windows\CurrentVersion"
```

> Volatility 3

```
vol3 -f "filename" windows.registry.printkey
vol3 -f "filename" windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion"
```

**hivedump**

> Volatility 2

```
vol.py -f "filename" --profile <profile> hivedump -o <offset>
```

> Volatility 3

```
```

## Files

**filescan**

> Volatility 2

```
vol.py -f "filename" --profile <profile> filescan
```

> Volatility 3

```
vol3 -f "filename" windows.filescan
```

**filedump**

> Volatility 2

```
vol.py -f "filename" --profile <profile> dumpfiles --dump-dir="output/dir"
vol.py -f "filename" --profile <profile> dumpfiles --dump-dir="output/dir" -Q <offset>
vol.py -f "filename" --profile <profile> dumpfiles --dump-dir="output/dir" -p <PID>
```

> Volatility 3

```
vol3 -f "filename" -o "output/dir" windows.dumpfiles
vol3 -f "filename" -o "output/dir" windows.dumpfiles --virtaddr <offset>
vol3 -f "filename" -o "output/dir" windows.dumpfiles --physaddr <offset>
```

---

## Collection links (Toolkit & Profiles)

* [Volatility Plugins by superponible](https://github.com/superponible/volatility-plugins)
* [Volatility Plugins by siliconblade](https://github.com/siliconblade/volatility)
* [Volatility Plugins by Dutchy-](https://github.com/Dutchy-/volatility-plugins)
* [Volatility Plugins by kevthehermit](https://github.com/kevthehermit/volatility_plugins)
* [Volatility Plugins by jjo-sec](https://github.com/jjo-sec/volatility_plugins)
* [Volatility Plugins by INTECOCERT](https://github.com/INTECOCERT/volatility_plugins)
* [Volatility Plugins by carlpulley](https://github.com/carlpulley/volatility)
* [Volatility Plugins by TakahiroHaruyama](https://github.com/TakahiroHaruyama/openioc_scan)
* [Volatility Plugins by ymh1989](https://github.com/ymh1989/SABR_local_vol)
* [Volatility Plugins by monnappa22](https://github.com/monnappa22/linux_mem_diff_tool)
* [AutoVolatility](https://github.com/carlospolop/autoVolatility)
* [Volatility Workbench](https://www.osforensics.com/tools/volatility-workbench.html)
* [VolUtility](https://github.com/kevthehermit/VolUtility)
* [VolatilityBot](https://github.com/mkorman90/VolatilityBot)
* [Volatility profiles for Linux and Mac OS X](https://github.com/volatilityfoundation/profiles)
* [MalConfScan](https://github.com/JPCERTCC/MalConfScan)
* [VolDiff](https://github.com/H2Cyber/VolDiff)
* [bitlocker plugin](https://github.com/tribalchicken/volatility-bitlocker)
* [Malhunt](https://github.com/andreafortuna/malhunt)
* [Chrome Ragamuffin](https://github.com/cube0x8/ChromeRagamuffin)
* [Volatility 3 Symbol table packs Windows (volatility3/volatility/symbols)](https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip)
* [Volatility 3 Symbol table packs Mac (volatility3/volatility/symbols)](https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip)
* [Volatility 3 Symbol table packs Linux (volatility3/volatility/symbols)](https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip)

---

## Sources

* [Comparing commands from Vol2 > Vol3](https://blog.onfvp.com/post/volatility-cheatsheet/)
* [Andrea Fortuna](https://andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/)
* [Basic Forensic Methodology > Memory Dump Analysis](https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet)
* [Volatility Command Reference](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference)
* [Memory forensics and analysis using volatility](https://resources.infosecinstitute.com/topic/memory-forensics-and-analysis-using-volatility/)
* [Tutorial - Volatility plugins & malware analysis](http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/)

###### tags: `Volatility` `CheatSheet` `Forensic`
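The process-list section above pairs `pslist` (a walk of the kernel's linked process list) with `psscan` (a scan of physical memory for process allocations), and `psxview` in Volatility 2 is the plugin that compares such views. Volatility 3 has no `psxview`, so the comparison is done on the two plugins' output. The script below is an added example, not part of this cheat sheet or of the Volatility project: it parses the default tab-separated text output of `windows.pslist` and `windows.psscan` and reports processes that only the scanner sees, separating those that have exited (their allocation simply has not been reused yet) from those that are live but absent from the list, which are the ones worth a closer look. The two outputs embedded in it are constructed sample data, and the column layout is assumed to match the default vol3 renderer; with a real image, redirect each plugin's output to a file and pass its contents in.

```python
"""Cross-view process check over Volatility 3 text output (added example).

windows.pslist walks the kernel's linked process list; windows.psscan scans
physical memory for process objects.  A process seen by the scanner but not by
the list walk has either exited or is still running without being linked into
the list.  The sample outputs below are constructed for this example and are
not from a real image; the tab-separated layout is assumed to match the
default vol3 text renderer.
"""
from __future__ import annotations

# Constructed sample: output of `vol3 -f mem.raw windows.pslist`
PSLIST_OUTPUT = """Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished

PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0xfa8000c8f040\t88\t512\tN/A\tFalse\t2021-03-01 09:00:00.000000\tN/A\tDisabled
348\t4\tsmss.exe\t0xfa8001a5e040\t2\t29\tN/A\tFalse\t2021-03-01 09:00:01.000000\tN/A\tDisabled
1234\t1100\texplorer.exe\t0xfa8002b17060\t31\t900\t1\tFalse\t2021-03-01 09:01:10.000000\tN/A\tDisabled
"""

# Constructed sample: output of `vol3 -f mem.raw windows.psscan` for the same image.
# Two extra processes appear: one that exited, one live but missing from pslist.
PSSCAN_OUTPUT = """Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished

PID\tPPID\tImageFileName\tOffset(P)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0x00c8f040\t88\t512\tN/A\tFalse\t2021-03-01 09:00:00.000000\tN/A\tDisabled
348\t4\tsmss.exe\t0x01a5e040\t2\t29\tN/A\tFalse\t2021-03-01 09:00:01.000000\tN/A\tDisabled
1234\t1100\texplorer.exe\t0x02b17060\t31\t900\t1\tFalse\t2021-03-01 09:01:10.000000\tN/A\tDisabled
2000\t1234\tnotepad.exe\t0x3d1a4060\t0\t0\t1\tFalse\t2021-03-01 09:05:00.000000\t2021-03-01 09:06:30.000000\tDisabled
3100\t1234\tsvchost.exe\t0x3f00b060\t4\t77\t1\tFalse\t2021-03-01 09:07:00.000000\tN/A\tDisabled
"""


def parse_vol3_table(text: str) -> list[dict[str, str]]:
    """Parse the tab-separated table printed by the default vol3 renderer.

    Banner and progress lines before the header are skipped; the header row is
    recognised by its first cell being "PID".  Lines whose cell count does not
    match the header are ignored as non-data lines.
    """
    header: list[str] | None = None
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cells = line.split("\t")
        if header is None:
            if cells[0] == "PID":
                header = cells
            continue
        if len(cells) != len(header):
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def process_key(row: dict[str, str]) -> tuple[str, str, str]:
    """Identity used to match a process across the two views.

    Offsets cannot be used: pslist reports virtual and psscan physical
    addresses.  PID, image name and creation time are matched instead, so a
    reused PID with a different start time is not mistaken for the same process.
    """
    return row["PID"], row["ImageFileName"], row["CreateTime"]


def cross_view(pslist_text: str, psscan_text: str) -> dict[str, list[dict[str, str]]]:
    """Return psscan-only processes, split into 'exited' and 'unlinked' (live)."""
    linked = {process_key(r) for r in parse_vol3_table(pslist_text)}
    result: dict[str, list[dict[str, str]]] = {"exited": [], "unlinked": []}
    for row in parse_vol3_table(psscan_text):
        if process_key(row) in linked:
            continue
        bucket = "exited" if row["ExitTime"] != "N/A" else "unlinked"
        result[bucket].append(row)
    return result


if __name__ == "__main__":
    findings = cross_view(PSLIST_OUTPUT, PSSCAN_OUTPUT)
    for row in findings["exited"]:
        print(f"exited, scan only : pid={row['PID']} {row['ImageFileName']} exit={row['ExitTime']}")
    for row in findings["unlinked"]:
        print(f"LIVE, NOT IN PSLIST: pid={row['PID']} {row['ImageFileName']} ppid={row['PPID']}")
```

Exited processes in the scan-only set are normal and usually numerous on a busy system; the `unlinked` bucket is the one to triage further with `windows.dlllist`, `windows.handles` and `windows.cmdline` on that PID, and with `windows.pstree` to see whether the parent in the sample data is plausible.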