
Volatility is a very powerful memory forensics tool. It is used to extract information from memory images (memory dumps) of Windows, macOS, and Linux systems. There is also a huge community writing third-party plugins for Volatility. You definitely want to include memory acquisition and analysis in your investigations, and Volatility should be in your forensic toolkit.

Today we show how to use Volatility 3 from installation to basic commands. When analyzing memory, basic tasks include listing processes, checking network connections, extracting files, and conducting a basic Windows Registry analysis. We cover each of these tasks. After you understand the Volatility 3 command structure and extract some basic information, advanced memory analysis just builds on those concepts.

Memory analysis, with the help of Volatility 3, is becoming easier. It is an excellent source of action-related evidence. If you are not already routinely including memory acquisitions in your investigations, I strongly recommend you do. The amount of information available that will never be written to disk is well worth the extra effort.

Volatility 3 Commands

Running Volatility 3 in Windows PowerShell.

Check version.

python vol.py -v

Get image information.

python vol.py -f [ImageName] windows.info

See process list.

python vol.py -f [ImageName] windows.pslist | more

Filter the process list for the keyword “chrome”.

python vol.py -f [ImageName] windows.pslist | Select-String chrome

Find all handles opened by process 1328.

python vol.py -f [ImageName] windows.handles --pid 1328

Find file handles and filter by type.

python vol.py -f [ImageName] windows.handles --pid 1328 | Select-String File | more
python vol.py -f [ImageName] windows.handles --pid 1328 | Select-String File | Select-String history | more

Dump a file from process 1328 at virtual address.

python vol.py -f [ImageName] -o "dump" windows.dumpfiles --pid 1328 --virtaddr 0xbf0f6abe9740
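
The handle-to-dump steps above (list handles for PID 1328, keep File handles matching a keyword, dump by virtual address) can be scripted against Volatility 3's JSON renderer (`-r json`). This is an added example, not part of the original post. It assumes the JSON keys match the `windows.handles` column headers and that `Offset` may arrive as an integer or a hex string; the sample rows are constructed.

```python
import json

# Constructed sample, shaped like the rows printed by:
#   python vol.py -r json -f [ImageName] windows.handles --pid 1328
# Keys mirror the plugin's column headers (assumption); every value is made up.
SAMPLE_HANDLES_JSON = r"""[
 {"PID": 1328, "Process": "chrome.exe", "Offset": 4096, "HandleValue": 4,
  "Type": "Event", "GrantedAccess": 2031619, "Name": ""},
 {"PID": 1328, "Process": "chrome.exe", "Offset": "0xbf0f6abe9740", "HandleValue": 1260,
  "Type": "File", "GrantedAccess": 1180063,
  "Name": "\\Device\\HarddiskVolume2\\Users\\Doe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"},
 {"PID": 1328, "Process": "chrome.exe", "Offset": 8192, "HandleValue": 1300,
  "Type": "File", "GrantedAccess": 1048577,
  "Name": "\\Device\\HarddiskVolume2\\Windows\\Fonts\\arial.ttf"},
 {"PID": 1328, "Process": "chrome.exe", "Offset": 12288, "HandleValue": 1400,
  "Type": "Key", "GrantedAccess": 131097, "Name": "USER\\S-1-5-21\\Software\\History"}
]"""


def normalize_offset(value):
    """Return an offset as a hex string; accepts an int or a decimal/'0x' string."""
    return hex(value) if isinstance(value, int) else hex(int(str(value), 0))


def find_file_handles(rows, pid, keyword):
    """Keep File handles of `pid` whose name contains `keyword`, ignoring case
    (Select-String is also case-insensitive by default)."""
    hits = []
    for row in rows:
        name = row.get("Name") or ""
        if (row.get("PID") == pid and row.get("Type") == "File"
                and keyword.lower() in name.lower()):
            hits.append({"virtaddr": normalize_offset(row["Offset"]), "name": name})
    return hits


def dump_commands(hits, pid, image="[ImageName]", outdir="dump"):
    """Build one windows.dumpfiles command per matching handle."""
    return [f'python vol.py -f {image} -o "{outdir}" windows.dumpfiles '
            f'--pid {pid} --virtaddr {h["virtaddr"]}' for h in hits]


if __name__ == "__main__":
    matches = find_file_handles(json.loads(SAMPLE_HANDLES_JSON), 1328, "history")
    for hit, cmd in zip(matches, dump_commands(matches, 1328)):
        print(hit["name"])
        print("  " + cmd)
```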

Dump all files associated with PID 2520.

python vol.py -f [ImageName] windows.dumpfiles.DumpFiles --pid 2520

See the command line, including options, that each running program was started with.

python vol.py -f [ImageName] windows.cmdline.CmdLine

See active network connections and listening programs.

python vol.py -f [ImageName] windows.netstat

Dump the Windows user password hashes.

python vol.py -f [ImageName] windows.hashdump.Hashdump

Print out the Windows Registry UserAssist.

python vol.py -f [ImageName] windows.registry.userassist.UserAssist

List all available Windows Registry hives in memory.

python vol.py -f [ImageName] windows.registry.hivelist.HiveList

Dump the ntuser hive based on a keyword filter to the “dump” folder.

python vol.py -f [ImageName] -o "dump" windows.registry.hivelist --filter Doe\ntuser.dat --dump

Print a specific Windows Registry key.

python vol.py -f [ImageName] windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion"

Print a specific Windows Registry key, subkeys and values.

python vol.py -f [ImageName] windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion" --recurse

Volatility Community