
Volatility

Volatility is a memory forensics framework that is used to extract digital artifacts from volatile memory (RAM) samples. It is used to analyze memory dumps and extract information about running processes, network connections, open files, and much more. Volatility is an open-source project and is widely used by the cybersecurity community.

Installation

Volatility 3 is the current version of the framework. It is written in Python 3 and can analyse Windows, Linux and macOS memory images. Install it from a clone of the repository with pip (the python3 setup.py build / install route that older guides show is deprecated by setuptools), or run it straight from the clone without installing:

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 -m pip install .

# To check if the installation was successful
vol --help

# Or run it in place from the clone without installing
python3 vol.py --help

One thing to sort out before the first real analysis: Volatility 3 needs a symbol table that matches the kernel in the image. For Windows it downloads the matching PDB from Microsoft's symbol server the first time a plugin runs, so the analysis machine needs network access or a pre-populated volatility3/symbols directory. For Linux and macOS no automatic download exists; you must obtain or build an ISF symbol table for the exact kernel build and place it under volatility3/symbols, otherwise every OS-specific plugin fails with "unsatisfied requirement".

OS Information

The first thing to establish is which kernel the image came from. The imageinfo plugin and the "profile" it guessed belong to Volatility 2; Volatility 3 has no profiles at all. It detects the kernel itself and loads the matching symbol table, and windows.info.Info reports what it found: kernel base address, NT major/minor version and build number, DTB, system time and whether the image is 64-bit. Run it before anything else, because if it cannot identify the kernel no other Windows plugin will give trustworthy output. For a Linux image the counterpart is banners.Banners, which prints the kernel banner string you need in order to pick the right symbol table.

vol -f memory_dump.raw windows.info.Info

Process Listing

Three plugins list processes, and they answer slightly different questions. pslist walks the kernel's doubly linked list of active processes, the same list Task Manager sees, so it is fast but misses anything that has been unlinked from that list. psscan instead carves _EPROCESS structures out of physical memory by their pool tag, so it also finds processes that have already exited and processes hidden by unlinking, at the cost of occasional stale hits. pstree prints the parent/child relationships, which is where an odd parent (a cmd.exe under a service or a web server worker, a second process claiming to be a system binary) stands out. Run all three and compare the results rather than trusting any one of them:

vol -f memory_dump.raw windows.pslist
vol -f memory_dump.raw windows.psscan
vol -f memory_dump.raw windows.pstree
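The comparison between pslist and psscan is usually done by eye; the script below does it mechanically. It is an added example, not code from the Volatility project: it parses the tab-separated text that Volatility 3 prints and reports every PID that psscan found but pslist did not. The file names pslist.txt and psscan.txt are assumptions, and the sample rows written at the bottom are constructed here so the script runs without a memory image.

```shell
#!/bin/sh
# Added example, not part of the Volatility project: cross-reference
# windows.pslist (walks the kernel's active-process list) against
# windows.psscan (carves _EPROCESS structures out of physical memory).
# Anything psscan reports that pslist does not is either a process that has
# already exited or one that was unlinked from the list to hide it.
#
# Real usage (assumed file names):
#   vol -f memory_dump.raw windows.pslist > pslist.txt
#   vol -f memory_dump.raw windows.psscan > psscan.txt
#   hidden_processes pslist.txt psscan.txt

# Print "PID<TAB>ImageFileName<TAB>ExitTime" for every psscan row whose PID is
# absent from pslist. Volatility 3 writes tab-separated columns: PID is column 1,
# ImageFileName column 3, ExitTime column 10. Banner, progress and header lines
# are skipped because their first column is not a number.
hidden_processes() {
    awk -F'\t' '
        NR == FNR { if ($1 ~ /^[0-9]+$/) seen[$1] = 1; next }           # first file: pslist
        $1 ~ /^[0-9]+$/ && !($1 in seen) { print $1 "\t" $3 "\t" $10 }  # second file: psscan
    ' "$1" "$2"
}

# Constructed sample output (same column layout as Volatility 3, rows abbreviated).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
PSLIST="$SAMPLE_DIR/pslist.txt"
PSSCAN="$SAMPLE_DIR/psscan.txt"
HEADER='PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output\n'
{
    printf 'Volatility 3 Framework 2.5.0\n'
    printf '%b' "$HEADER"
    printf '4\t0\tSystem\t0xfa8000c8e040\t84\t512\tN/A\tFalse\t2023-05-01 09:58:03.000000\tN/A\tDisabled\n'
    printf '368\t4\tsmss.exe\t0xfa800164a3a0\t2\t29\tN/A\tFalse\t2023-05-01 09:58:03.000000\tN/A\tDisabled\n'
    printf '480\t368\tcsrss.exe\t0xfa8001e0a060\t9\t426\t0\tFalse\t2023-05-01 09:58:05.000000\tN/A\tDisabled\n'
    printf '1204\t1160\texplorer.exe\t0xfa80022b0b30\t31\t902\t1\tFalse\t2023-05-01 09:59:12.000000\tN/A\tDisabled\n'
} > "$PSLIST"
{
    # psscan sees everything pslist sees, plus one unlinked process (no exit
    # time, so it is still running) and one that has simply exited.
    cat "$PSLIST"
    printf '1996\t1204\tnotepad.exe\t0xfa8002a11060\t1\t61\t1\tFalse\t2023-05-01 10:15:40.000000\tN/A\tDisabled\n'
    printf '2344\t1204\tcmd.exe\t0xfa8002c5e5a0\t0\t0\t1\tFalse\t2023-05-01 10:20:02.000000\t2023-05-01 10:22:31.000000\tDisabled\n'
} > "$PSSCAN"

hidden_processes "$PSLIST" "$PSSCAN"
```

A hit with an ExitTime is just a terminated process whose structure has not been reused yet; a hit with ExitTime N/A is a live process that the kernel's own list does not know about, and that one deserves a close look with pstree, cmdline and a dump of its memory.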

File Listing

The filescan plugin carves _FILE_OBJECT structures out of physical memory by their pool tag, so it lists files that were open, mapped or cached when the image was taken, including ones whose handles were closed before capture. Each row gives the object's physical offset, the path and the size; the offset is what dumpfiles expects with --physaddr. The list runs to thousands of entries on any real image, so save it to a file and filter it rather than reading it on the terminal:

vol -f memory_dump.raw windows.filescan

File Extraction

The dumpfiles plugin reconstructs a file's contents from the cache-manager and image-section pages that are still in memory. With no selector it dumps every file object it can find, which is slow and fills the output directory with thousands of files; normally narrow it to the file objects of one process with --pid, or to a single object with --virtaddr (a virtual address, as shown by windows.handles) or --physaddr (the physical offset from filescan). Note the argument layout: -f takes the image path and -o the output directory, both before the plugin name, and the plugin's own options come after it. Expect dumped files to be incomplete, since only pages resident at capture time can be recovered.

vol -f memory_dump.raw -o output/dir windows.dumpfiles
vol -f memory_dump.raw -o output/dir windows.dumpfiles --virtaddr <offset>
vol -f memory_dump.raw -o output/dir windows.dumpfiles --physaddr <offset>
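The filescan to dumpfiles hand-off is the step people most often get wrong, so here it is scripted. This is an added example, not code from the Volatility project: it picks the rows of a saved filescan listing whose path matches a pattern and prints the matching dumpfiles command for each, ready to review and then pipe to sh. The image name memory_dump.raw, the output directory out, the file filescan.txt and the sample filescan rows are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Volatility project: turn windows.filescan
# output into windows.dumpfiles invocations. filescan prints one row per
# carved _FILE_OBJECT with its physical offset; dumpfiles --physaddr takes
# exactly that offset, so the two plugins chain together.
#
# Real usage (assumed dump, directory and file names):
#   vol -f memory_dump.raw windows.filescan > filescan.txt
#   dumpfiles_commands memory_dump.raw out filescan.txt 'config\\(SAM|SYSTEM)$' | sh

# Print "Offset<TAB>Name" for filescan rows whose Name matches an awk ERE.
# Column 1 is Offset (0x...), column 2 is Name; banner and header lines have no
# 0x offset. The pattern is passed through the environment rather than -v so
# that backslashes in Windows paths reach awk untouched.
match_files() {
    PAT="$2" awk -F'\t' '$1 ~ /^0x[0-9a-fA-F]+$/ && $2 ~ ENVIRON["PAT"] { print $1 "\t" $2 }' "$1"
}

# Emit one dumpfiles command per matching file object. Commands are printed,
# not executed, so the list can be checked before anything is written to disk.
dumpfiles_commands() {
    dump=$1; outdir=$2; scan=$3; pat=$4
    match_files "$scan" "$pat" | while IFS="$(printf '\t')" read -r off name; do
        printf 'vol -f %s -o %s windows.dumpfiles --physaddr %s   # %s\n' "$dump" "$outdir" "$off" "$name"
    done
}

# Constructed sample filescan output (same three columns as Volatility 3).
FILESCAN=$(mktemp)
trap 'rm -f "$FILESCAN"' EXIT
{
    printf 'Volatility 3 Framework 2.5.0\n'
    printf 'Offset\tName\tSize\n'
    printf '%s\t%s\t%s\n' 0x3e1d9f40 '\Windows\System32\config\SAM' 65536
    printf '%s\t%s\t%s\n' 0x3e2a0310 '\Windows\System32\config\SYSTEM' 12582912
    printf '%s\t%s\t%s\n' 0x3e33bc20 '\Windows\System32\config\SAM.LOG1' 24576
    printf '%s\t%s\t%s\n' 0x3e4f1d80 '\Windows\System32\notepad.exe' 193536
} > "$FILESCAN"

# Pull the two hives that hashdump needs; the transaction log is deliberately
# excluded by anchoring the pattern to the end of the path.
dumpfiles_commands memory_dump.raw out "$FILESCAN" 'config\\(SAM|SYSTEM)$'
```

The pattern is an awk extended regular expression matched against the full path, so anchor it (the trailing $ above keeps SAM.LOG1 out) and double the backslashes that separate Windows path components.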

Process Command Lines

The cmdline plugin does not recover shell history. It reads each process's command line from its PEB (the RTL_USER_PROCESS_PARAMETERS block), that is, the exact arguments the process was launched with. That is usually enough to spot encoded PowerShell, a signed system binary run with unusual arguments, or an executable started from a temp or user-writable directory. Two caveats: the value lives in user-mode memory, so it is absent for exited processes and may be unreadable if the pages were swapped out, and a process can overwrite its own PEB, so a clean-looking command line is not proof of anything.

vol -f memory_dump.raw windows.cmdline

Extract Windows Hashes/Passwords

Three plugins pull credential material out of the registry hives cached in memory. All of them need the SYSTEM hive for the boot key, plus the SAM hive (hashdump) or the SECURITY hive (cachedump, lsadump); if those hives were not resident when the image was taken the plugin fails rather than returning partial data. hashdump prints local accounts as user:rid:lmhash:nthash, which can be cracked or used directly in pass-the-hash. cachedump prints cached domain logon verifiers (MS-Cache / DCC2 format), which can be cracked offline but not passed. lsadump prints LSA secrets, which commonly include service account passwords in clear text and the DPAPI_SYSTEM key.

vol -f memory_dump.raw windows.hashdump.Hashdump #Grab local account hashes (SAM+SYSTEM)
vol -f memory_dump.raw windows.cachedump.Cachedump #Grab cached domain logon hashes (SECURITY+SYSTEM)
vol -f memory_dump.raw windows.lsadump.Lsadump #Grab LSA secrets (SECURITY+SYSTEM)