- forensics
- memory
Volatility
Overview
Volatility 3 analyzes raw memory dumps (VM snapshots, crash dumps, hibernation files) to extract forensic artifacts without a live OS. Plugins address processes, network connections, registry hives, kernel modules, and malware injection.
Architecture: layered stack (automagic layer detection) → symbol tables (JSON ISF) → plugin framework. Each plugin returns structured output (TreeGrid) rather than the monolithic profile system of Vol2.
Common workflow: identify OS layer (`windows.info`, `linux.info`) → list processes (`windows.pslist`, `windows.pstree`) → dump suspicious processes (`windows.memmap` + `windows.dumpfiles`) → scan for injection (`windows.malfind`) → extract credentials (`windows.hashdump`, `windows.lsadump`).
Symbols must match kernel build; without ISF, some plugins fail or return incomplete data. Community ISF builds exist for common Windows 10/11 builds.
Primary use cases
- IR triage: processes, cmdlines, DLLs loaded at incident time
- Detecting process hollowing and unlinked EPROCESS entries
- Recovering network connections and cached browser artifacts from RAM
- Rootkit detection via SSDT hooks and orphaned threads
- Comparing pslist vs psscan for hidden process detection
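The pslist-vs-psscan comparison from the last item, as an added example that is not part of the original page or of the Volatility project: it diffs the two plugins' CSV output (assumed captured with Volatility 3's `-r csv` renderer; the rows below are constructed, and the column set is trimmed) and separates live processes missing from the linked list, the unlinked-EPROCESS pattern, from processes psscan only sees because they already exited.

```python
import csv
import io
from typing import Dict, List

# Constructed sample rows in the shape of `vol -f memory.dmp -r csv windows.pslist`
# and `... windows.psscan` (assumption: csv renderer, columns trimmed, PIDs made up).
PSLIST_CSV = """TreeDepth,PID,PPID,ImageFileName,CreateTime,ExitTime
0,4,0,System,2024-03-01 08:00:00,N/A
0,620,4,smss.exe,2024-03-01 08:00:01,N/A
0,1324,620,csrss.exe,2024-03-01 08:00:02,N/A
0,2740,1324,explorer.exe,2024-03-01 08:01:10,N/A
"""

PSSCAN_CSV = """TreeDepth,PID,PPID,ImageFileName,CreateTime,ExitTime
0,4,0,System,2024-03-01 08:00:00,N/A
0,620,4,smss.exe,2024-03-01 08:00:01,N/A
0,1324,620,csrss.exe,2024-03-01 08:00:02,N/A
0,2740,1324,explorer.exe,2024-03-01 08:01:10,N/A
0,3916,2740,notepad.exe,2024-03-01 08:05:00,2024-03-01 08:06:30
0,4488,2740,helper.exe,2024-03-01 08:07:12,N/A
"""


def _rows_by_pid(csv_text: str) -> Dict[str, Dict[str, str]]:
    """Index one plugin's rows by PID so the two listings can be compared."""
    return {row["PID"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def find_unlisted(pslist_csv: str, psscan_csv: str) -> Dict[str, List[Dict[str, str]]]:
    """Return psscan rows absent from pslist, split into 'hidden' and 'exited'.

    psscan carves EPROCESS blocks from pool memory, so it also recovers processes
    that have terminated. A PID missing from the linked list is therefore only
    suspicious when it has no ExitTime: a live process that the walk of
    ActiveProcessLinks does not reach is the unlinked-EPROCESS (DKOM) pattern.
    """
    listed = _rows_by_pid(pslist_csv)
    result: Dict[str, List[Dict[str, str]]] = {"hidden": [], "exited": []}
    for pid, row in _rows_by_pid(psscan_csv).items():
        if pid in listed:
            continue
        bucket = "exited" if row["ExitTime"] not in ("", "N/A") else "hidden"
        result[bucket].append(row)
    return result


if __name__ == "__main__":
    verdict = find_unlisted(PSLIST_CSV, PSSCAN_CSV)
    for row in verdict["hidden"]:
        print(f"HIDDEN pid={row['PID']} ppid={row['PPID']} {row['ImageFileName']} created {row['CreateTime']}")
    for row in verdict["exited"]:
        print(f"exited pid={row['PID']} {row['ImageFileName']} exit {row['ExitTime']}")
```

A hit in the `hidden` bucket is a lead, not a verdict: confirm it with `windows.pstree`, `windows.malfind` and the thread and callback plugins before treating it as rootkit activity.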
Key commands
Image info and layer detection
vol -f memory.dmp windows.info
Process tree
vol -f memory.dmp windows.pstree
Malware injection scan
vol -f memory.dmp windows.malfind
Registry print key
vol -f memory.dmp windows.registry.printkey --key 'Software\Microsoft\Windows\CurrentVersion\Run'
Notable modules / features
- Cross-platform: Windows, Linux, macOS plugins
- yarascan for in-memory YARA matching
- Custom plugins via Python API
- volshell interactive memory exploration
Detection / defense notes
- Memory capture triggers EDR telemetry; some malware clears artifacts on dump
- Live kernel patching can hide from pslist; cross-check psscan and callbacks
- Encrypt sensitive data in memory where possible; minimize credential lifetime