Volatility
Memory forensics framework for extracting data from RAM.
Evolve: Volatility Web UI
volatility-autoruns - Automates most of the tasks you would need to run when trying to find out where malware is persisting from. Once all the autostart locations are found, they are matched with running processes in memory.
Operator Handbook: Volatility - pg. 315
Volatility 3.x Basics
Note: Version 3 of Volatility was released in November 2019 and changes the usage and syntax: plugins are invoked as `vol -f <image> <plugin>`, there is no `--profile` flag, and symbol tables are resolved automatically from the image. More information on V3 of Volatility can be found on ReadTheDocs.
A list of common plugins is:
linux.bash.Bash
linux.check_afinfo.Check_afinfo
linux.check_syscall.Check_syscall
linux.elfs.Elfs
linux.lsmod.Lsmod
linux.lsof.Lsof
linux.malfind.Malfind
linux.proc.Maps
linux.pslist.PsList
linux.pstree.PsTree
mac.bash.Bash
mac.check_syscall.Check_syscall
mac.check_sysctl.Check_sysctl
mac.check_trap_table.Check_trap_table
mac.ifconfig.Ifconfig
mac.lsmod.Lsmod
mac.lsof.Lsof
mac.malfind.Malfind
mac.netstat.Netstat
mac.proc_maps.Maps
mac.psaux.Psaux
mac.pslist.PsList
mac.pstree.PsTree
mac.tasks.Tasks
mac.timers.Timers
mac.trustedbsd.Trustedbsd
windows.cmdline.CmdLine
windows.dlldump.DllDump
windows.dlllist.DllList
windows.driverirp.DriverIrp
windows.driverscan.DriverScan
windows.filescan.FileScan
windows.handles.Handles
windows.info.Info
windows.malfind.Malfind
windows.moddump.ModDump
windows.modscan.ModScan
windows.modules.Modules
windows.mutantscan.MutantScan
windows.poolscanner.PoolScanner
windows.procdump.ProcDump
windows.pslist.PsList
windows.psscan.PsScan
windows.pstree.PsTree
windows.registry.certificates.Certificates
windows.registry.hivedump.HiveDump
windows.registry.hivelist.HiveList
windows.registry.hivescan.HiveScan
windows.registry.printkey.PrintKey
windows.registry.userassist.UserAssist
windows.ssdt.SSDT
windows.statistics.Statistics
windows.strings.Strings
windows.symlinkscan.SymlinkScan
windows.vaddump.VadDump
windows.vadinfo.VadInfo
windows.virtmap.VirtMap
timeliner.Timeliner
Check Memory Image Information (windows.info)
Check List of Kernel Drivers (windows.modules)
Check List of Kernel Drivers, including previously unloaded and hidden ones (windows.modscan)
Dump Kernel Drivers to Files (windows.moddump)
Dump Running Processes to Files (windows.procdump)
Check List of Running Processes (windows.pslist)
Check Process Tree of Running Processes (windows.pstree)
Check Running Processes by scanning for EPROCESS blocks, which also finds unlinked processes (windows.psscan)
Check Running Processes for possible shellcode/injection via private PAGE_EXECUTE_READWRITE regions (windows.malfind)
Check processes and their command lines (windows.cmdline)
Check for files which still exist in memory (windows.filescan)
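The checks above, run in order as one Volatility 3 triage script. This is an added example, not code from the page or from the Volatility project. It assumes the CLI is installed as `vol` (override with `VOL=vol.py`), the image is `./memory.dmp`, symbol tables are already in place, and each plugin's text output is saved under `./vol3_out`; the sample malfind output embedded at the bottom is constructed for the offline demonstration of `rwx_pids`. Note that Volatility 3 release 2.0 removed `windows.moddump` and `windows.procdump` in favour of `windows.modules --dump` and `windows.pslist --dump`, so on a current install substitute those two lines.

```shell
#!/usr/bin/env bash
# Added example: Volatility 3 triage pass over a Windows memory image.
# Assumed (not from the page): `vol` on PATH, image ./memory.dmp, symbols
# already resolvable, per-plugin output written under ./vol3_out.
set -u

VOL="${VOL:-vol}"
IMAGE="${IMAGE:-memory.dmp}"
OUTDIR="${OUTDIR:-vol3_out}"

# Build the command line for one plugin. Volatility 3 takes global options
# (-f image, -o dump directory) before the plugin name, plugin options after.
vol_cmd() {
  local plugin="$1"; shift
  printf '%s -f %s -o %s %s' "$VOL" "$IMAGE" "$OUTDIR" "$plugin"
  local arg
  for arg in "$@"; do printf ' %s' "$arg"; done
  printf '\n'
}

# Run one plugin, keeping stdout and stderr per plugin so one plugin's
# symbol failure does not hide the others. Dry-runs when `vol` is absent.
run_plugin() {
  local plugin="$1"; shift
  if ! command -v "$VOL" >/dev/null 2>&1; then
    echo "[dry-run] $(vol_cmd "$plugin" "$@")"
    return 0
  fi
  "$VOL" -f "$IMAGE" -o "$OUTDIR" "$plugin" "$@" \
    >"$OUTDIR/$plugin.txt" 2>"$OUTDIR/$plugin.err" \
    || echo "[-] $plugin failed, see $OUTDIR/$plugin.err"
  echo "[+] $plugin -> $OUTDIR/$plugin.txt"
}

# Print the distinct PIDs that malfind reported with a PAGE_EXECUTE_READWRITE
# region. malfind's text output has the PID in the first column.
rwx_pids() {
  awk '/PAGE_EXECUTE_READWRITE/ { print $1 }' "$1" | sort -un
}

triage() {
  mkdir -p "$OUTDIR"
  run_plugin windows.info      # image layout, OS build, kernel base
  run_plugin windows.modules   # loaded drivers via the kernel's linked list
  run_plugin windows.modscan   # pool scan: also unloaded and unlinked drivers
  run_plugin windows.moddump   # write each driver image into OUTDIR
  run_plugin windows.procdump  # write each process image into OUTDIR
  run_plugin windows.pslist    # EPROCESS linked list
  run_plugin windows.pstree    # same data as a parent/child tree
  run_plugin windows.psscan    # pool scan for EPROCESS: unlinked processes
  run_plugin windows.malfind   # private RWX regions = injection candidates
  run_plugin windows.cmdline   # command lines from each process PEB
  run_plugin windows.filescan  # FILE_OBJECTs still resident in memory
  if [ -s "$OUTDIR/windows.malfind.txt" ]; then
    echo "[*] PIDs with PAGE_EXECUTE_READWRITE regions:"
    rwx_pids "$OUTDIR/windows.malfind.txt"
  fi
}

# Constructed sample of malfind text output (not a real capture) so that
# rwx_pids can be exercised without an image. Real runs read
# $OUTDIR/windows.malfind.txt instead.
SAMPLE_MALFIND="$(mktemp)"
cat >"$SAMPLE_MALFIND" <<'EOF'
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output
4544 explorer.exe 0x1ea0000 0x1ea0fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
4544 explorer.exe 0x2f10000 0x2f10fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
1312 svchost.exe 0x3d0000 0x3d0fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
2208 notepad.exe 0x7ff0000 0x7ff0fff VadS PAGE_READWRITE 1 1 Disabled
EOF

# Usage: IMAGE=case42.raw bash triage.sh run
if [ "${1:-}" = "run" ]; then
  triage
fi
```

Treat the malfind PID list as a starting point, not a verdict: JIT engines and some packers legitimately allocate RWX pages, so confirm each hit by inspecting the region's hexdump/disassembly in the saved report and by cross-checking the process against `windows.psscan` and `windows.cmdline` output.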