Volatility Usage
Volatility Image Profile
$ volatility -f <example.raw> imageinfo
Volatility Process List
$ volatility -f <example.raw> --profile=<profile> pslist
Volatility Process Tree
$ volatility -f <example.raw> --profile=<profile> pstree
Volatility Process Scan
$ volatility -f <example.raw> --profile=<profile> psscan
$ volatility -f <example.raw> --profile=<profile> psscan --output=dot --output-file=<filename.dot> (you can open it in a Dot viewer)
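Added example, not part of the original cheat sheet: a small Python script that cross-checks pslist against psscan. pslist walks the kernel's doubly linked process list, while psscan carves _EPROCESS structures out of physical memory, so a process that shows up only in psscan is either terminated (it carries an exit time and its object has not been overwritten yet) or has been unlinked from the list, which is what process hiding looks like. The sample output below is constructed in Volatility 2's column layout; every name, PID and offset in it is invented.

```python
import re
from dataclasses import dataclass

# Column layout shared by Volatility 2 "pslist" and "psscan": an offset, then
# the process name, PID and PPID. Later columns differ between the two
# plugins, so only the leading fields are matched.
PROC_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s"
)
# Timestamp format Volatility 2 prints; a second timestamp on a line is the exit time.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+\d{4}")

# Constructed sample output (not from a real image).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x820df020 smss.exe                368      4      3       19 ------      0 2012-02-22 19:08:53 UTC+0000
0x821a2da0 csrss.exe               584    368      9      326      0      0 2012-02-22 19:08:53 UTC+0000
0x81e7bda0 explorer.exe           1484   1464     17      415      0      0 2012-02-22 19:09:10 UTC+0000
"""

PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002029ab8 System                4      0 0x00319000
0x00000000020df020 smss.exe            368      4 0x0a0a0020 2012-02-22 19:08:53 UTC+0000
0x00000000021a2da0 csrss.exe           584    368 0x0a0a0040 2012-02-22 19:08:53 UTC+0000
0x0000000001e7bda0 explorer.exe       1484   1464 0x0a0a0200 2012-02-22 19:09:10 UTC+0000
0x0000000001f2c020 notepad.exe        2000   1484 0x0a0a0300 2012-02-22 19:10:02 UTC+0000 2012-02-22 19:11:40 UTC+0000
0x0000000001d0a808 svchost.exe        1234    668 0x0a0a0400 2012-02-22 19:09:05 UTC+0000
"""


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    exited: bool  # True when the line carries both a start and an exit time


def parse_processes(output):
    """Parse pslist/psscan text output into {pid: Proc}; header lines are skipped."""
    procs = {}
    for line in output.splitlines():
        m = PROC_RE.match(line.strip())
        if not m:
            continue  # column header, separator or blank line
        procs[int(m["pid"])] = Proc(
            name=m["name"],
            pid=int(m["pid"]),
            ppid=int(m["ppid"]),
            exited=len(TS_RE.findall(line)) >= 2,
        )
    return procs


def cross_view(pslist_output, psscan_output):
    """Return (hidden, exited): psscan-only PIDs, split by whether an exit time is present.

    A psscan-only process with no exit time is the interesting case: it is
    still running but absent from the linked list the OS (and pslist) uses.
    """
    listed = parse_processes(pslist_output)
    scanned = parse_processes(psscan_output)
    hidden = {pid: p for pid, p in scanned.items() if pid not in listed and not p.exited}
    exited = {pid: p for pid, p in scanned.items() if pid not in listed and p.exited}
    return hidden, exited


if __name__ == "__main__":
    hidden, exited = cross_view(PSLIST_SAMPLE, PSSCAN_SAMPLE)
    for pid, p in hidden.items():
        print(f"HIDDEN  pid={pid} name={p.name} ppid={p.ppid}  (psscan only, no exit time)")
    for pid, p in exited.items():
        print(f"EXITED  pid={pid} name={p.name}  (terminated, _EPROCESS not yet reused)")
```

Run the two plugins into text files and pass their contents to cross_view; the same parser works for both because only the offset, name, PID and PPID columns are read. A psscan-only entry with an exit time is normal housekeeping residue, so it is reported separately rather than as hidden.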
Volatility Process Dump
$ volatility -f <example.raw> --profile=<profile> procdump -p <pid> -D <output_directory>
Volatility Executed Commands
$ volatility -f <example.raw> --profile=<profile> cmdscan
Volatility Console Outputs
$ volatility -f <example.raw> --profile=<profile> consoles
Volatility Process Command Line
$ volatility -f <example.raw> --profile=<profile> cmdline
or
$ volatility -f <example.raw> --profile=<profile> cmdline -p <pid>
Volatility Environment Variables
$ volatility -f <example.raw> --profile=<profile> envars
Volatility NTLM Password Hashes
$ volatility -f <example.raw> --profile=<profile> hashdump
Volatility Network Scan
$ volatility -f <example.raw> --profile=<profile> netscan
Volatility Yara Scan
$ volatility -f <example.raw> --profile=<profile> yarascan -Y "<yara_rule>"
Volatility DLL Listing
$ volatility -f <example.raw> --profile=<profile> dlllist -p <pid>
Volatility DLL Dumping
$ volatility -f <example.raw> --profile=<profile> dlldump -p <pid> -b <base_address> -D <output_directory>
Volatility Dumping Registry
$ volatility -f <example.raw> --profile=<profile> dumpregistry -D <output_directory>
Volatility Process Memory Extraction
$ volatility -f <example.raw> --profile=<profile> memdump -p <pid> -D <output_directory>
(change the file extension to .data after extracting)
Volatility Physical Offset of File
$ volatility -f <example.raw> --profile=<profile> filescan | grep <filename>
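Added example, not part of the original cheat sheet: a Python helper that does the "filescan | grep" step programmatically and turns each hit into the dumpfiles -Q command from the "File Extract from Memory" entry. The point it adds is that the same path often appears at several physical offsets (a file re-opened, a stale object that has not been reused), so all of them should be dumped rather than just the first line grep shows. The filescan text below is constructed in Volatility 2's column layout; the offsets and paths are invented.

```python
import re

# Volatility 2 "filescan" columns: physical offset, pointer count, handle
# count, access string, then the object name (which may contain spaces).
FILESCAN_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<ptr>-?\d+)\s+(?P<hnd>-?\d+)\s+"
    r"(?P<access>\S+)\s+(?P<name>\S.*)$"
)

# Constructed sample output (not from a real image). Raw string keeps the backslashes.
FILESCAN_SAMPLE = r"""Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0c1f20     16      0 R--rwd \Device\HarddiskVolume1\Windows\System32\ntdll.dll
0x000000003e1a3a70      2      1 RW-rwd \Device\HarddiskVolume1\Users\user\AppData\Local\Temp\update.exe
0x000000003e2b0040      1      0 R--r-- \Device\HarddiskVolume1\Users\user\Documents\quarterly report.docx
0x000000003e3c1b80      3      1 RW-rwd \Device\HarddiskVolume1\Users\user\AppData\Local\Temp\update.exe
"""


def parse_filescan(output):
    """Parse filescan text output into a list of dicts; header and separator lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = FILESCAN_RE.match(line.strip())
        if m:
            entries.append({
                "offset": m["offset"],
                "ptr": int(m["ptr"]),
                "hnd": int(m["hnd"]),
                "access": m["access"],
                "name": m["name"],
            })
    return entries


def find_file_offsets(output, name_fragment):
    """Case-insensitive substring match on the object name, like 'filescan | grep -i <filename>'."""
    frag = name_fragment.lower()
    return [e for e in parse_filescan(output) if frag in e["name"].lower()]


def dumpfiles_commands(image, profile, output, name_fragment, out_dir):
    """Build one 'dumpfiles -Q <physical_offset>' command per matching file object.

    Every hit is kept: the same path at two offsets is two _FILE_OBJECTs, and
    either may hold the cached content you want.
    """
    return [
        f"volatility -f {image} --profile={profile} dumpfiles -Q {e['offset']} -D {out_dir}"
        for e in find_file_offsets(output, name_fragment)
    ]


if __name__ == "__main__":
    # Image name and profile are placeholders, as in the cheat sheet.
    for cmd in dumpfiles_commands("example.raw", "<profile>", FILESCAN_SAMPLE, "update.exe", "dumps/"):
        print(cmd)
```

dumpfiles names its output after the source object (a .dat, .img or .vacb suffix depending on whether the content came from the data section, image section or shared cache map), which is why the cheat sheet tells you to rename the extracted file before opening it.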
Volatility Handles Listing
$ volatility -f <example.raw> --profile=<profile> handles -p <pid> -t <type (Mutant, Process, etc.)>
Volatility File Extract from Memory
$ volatility -f <example.raw> --profile=<profile> dumpfiles -Q <physical_offset> -D <output_directory>
(change the file extension after extracting)
Volatility Suspicious Memory Allocations
$ volatility -f <example.raw> --profile=<profile> malfind -p <pid>
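Added example, not part of the original cheat sheet: a Python parser for malfind's text output that pulls out each flagged region's process, PID, address, protection and the first 16 bytes of the hexdump, then sorts the hits into the three buckets an analyst checks first: a PE header (MZ) in private executable memory, an all-zero page (a common false positive from reserved heaps and JIT engines), and an RWX region with neither. The malfind text below is constructed in Volatility 2's output layout; processes, PIDs and addresses are invented.

```python
import re

# One malfind record starts with a "Process: ... Pid: ... Address: ..." line,
# followed by the VAD tag/protection line, a flags line, a hexdump and a
# disassembly. Only the header, the protection and the first hexdump row are used.
RECORD_RE = re.compile(
    r"^Process:\s+(?P<proc>\S+)\s+Pid:\s+(?P<pid>\d+)\s+Address:\s+(?P<addr>0x[0-9a-fA-F]+)"
)
PROT_RE = re.compile(r"Protection:\s+(?P<prot>PAGE_\w+)")
# A hexdump row has at least two space-separated byte pairs; disassembly rows
# ("0x... 4d   DEC EBP") have a single opcode field and do not match.
HEXROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} ){2,16})")

# Constructed sample output (not from a real image).
MALFIND_SAMPLE = """\
Process: explorer.exe Pid: 1860 Address: 0x3c70000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x03c70000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x03c70010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x03c70000 4d               DEC EBP
0x03c70001 5a               POP EDX

Process: chrome.exe Pid: 2244 Address: 0x1a30000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01a30000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01a30010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x01a30000 0000             ADD [EAX], AL
"""


def parse_malfind(output):
    """Parse malfind text output into a list of region dicts."""
    regions = []
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = RECORD_RE.match(line)
        if m:
            current = {
                "process": m["proc"],
                "pid": int(m["pid"]),
                "address": m["addr"],
                "protection": None,
                "first_bytes": b"",
            }
            regions.append(current)
            continue
        if current is None:
            continue  # text before the first record
        m = PROT_RE.search(line)
        if m and current["protection"] is None:
            current["protection"] = m["prot"]
            continue
        m = HEXROW_RE.match(line)
        if m and not current["first_bytes"]:
            # Keep only the first row: that is where a PE header would sit.
            current["first_bytes"] = bytes.fromhex(m.group(1).replace(" ", ""))
    return regions


def triage(regions):
    """Return (pid, process, address, verdict) tuples, most interesting verdicts first in wording."""
    findings = []
    for r in regions:
        b = r["first_bytes"]
        if b[:2] == b"MZ":
            verdict = "PE header in private executable memory (likely injected image)"
        elif b and not any(b):
            verdict = "all-zero page (common false positive: reserved heap or JIT arena)"
        elif r["protection"] == "PAGE_EXECUTE_READWRITE":
            verdict = "RWX region without PE header (inspect: shellcode, packer stub or JIT)"
        else:
            verdict = "review manually"
        findings.append((r["pid"], r["process"], r["address"], verdict))
    return findings


if __name__ == "__main__":
    for pid, proc, addr, verdict in triage(parse_malfind(MALFIND_SAMPLE)):
        print(f"{proc} (pid {pid}) {addr}: {verdict}")
```

Feed it `malfind` output captured to a file; the verdict strings are a starting order for manual review, not a final call, since malfind also flags legitimate RWX allocations from browsers and .NET runtimes. Regions in the "PE header" bucket are the ones worth carving with the dlldump or vaddump entries.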
Volatility Dumping Written Memory Regions
$ volatility -f <example.raw> --profile=<profile> vaddump -b <base_address> -D <output_directory>
Volatility Chrome History (download https://github.com/superponible/volatility-plugins)
$ volatility --plugins=plugins/ -f <example.raw> --profile=<profile> chromehistory > <output_file>
or
extract the browser History file from memory and open it in SQLite
Volatility Internet Explorer History
$ volatility -f <example.raw> --profile=<profile> iehistory