# Volatility Cheat Sheet

## Installation

### Volatility 2

#### Linux

```bash
# Step 1: Install Requirements and Dependencies
sudo apt update
sudo apt install python2.7 python2.7-dev git -y
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
sudo python2.7 get-pip.py
pip2 install distorm3 yara-python pycrypto
# Step 2: Clone Volatility 2 Repository
git clone https://github.com/volatilityfoundation/volatility.git
# Step 3: Verify Installation
cd volatility/
python2.7 vol.py -h
```

#### Windows

**Volatility 2** ships as a standalone Windows executable: download it from the releases page of the tool's repository at <https://github.com/volatilityfoundation/volatility/releases>. The standalone build bundles its own Python 2 runtime, so nothing else needs to be installed.


### Volatility 3

#### Linux

```bash
# Step 1: Install Requirements
sudo apt update
sudo apt install python3 python3-venv git -y   # python3-venv matches the distro's default Python 3 (a versioned package such as python3.13-venv only exists for that exact interpreter)
# Step 2: Clone Volatility 3 Repository
git clone https://github.com/volatilityfoundation/volatility3.git
# Step 3: Create a Virtual Environment and Install Requirements
cd volatility3/
python3 -m venv venv && source venv/bin/activate
pip install -e ".[dev]"   # Editable install of the framework plus its optional extras
```

#### Windows

To install **Volatility 3** on Windows, download the latest Python 3 installer from <https://www.python.org/downloads/>. In the installer, tick "***Add python.exe to PATH***" before clicking *Install Now*; without it, neither `pip` nor the `vol` command will be found from a terminal.


After installing **Python 3**, download the latest **Volatility 3** wheel (`volatility3-2.11.0-py3-none-any.whl` at the time of writing) from the repository's releases page at <https://github.com/volatilityfoundation/volatility3/releases>.


Once downloaded, install it with `pip` from a terminal, where `X.Y.Z` is the version you downloaded:

```bash
pip install C:\path\to\volatility3-X.Y.Z-py3-none-any.whl
```

When the installation completes, verify it from the terminal. The wheel installs a `vol` entry point, so on Windows the commands below can be run as `vol` instead of `python3 vol.py`:

```bash
vol -h
```

## Volatility Commands

### Volatility 2 Documentation and Cheatsheet

Fuller documentation of the **Volatility 2** commands and their options is in the official command reference: <https://github.com/volatilityfoundation/volatility/wiki/Command-Reference>

The official cheat sheet PDF also covers the commands listed below: <https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf>

### Volatility 3 Symbols

**Volatility 3** requires **symbols**: per-kernel-build tables (ISF files) that map memory addresses and structure layouts to meaningful names, such as the kernel's functions, variables and object fields. Without a symbol table that matches the exact kernel build in the dump, the framework cannot interpret the memory accurately, so a symbol mismatch is the first thing to rule out when a plugin returns nothing.

Symbol packs for the supported operating systems can be downloaded from:

* Windows: <https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip>
* Linux: <https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip>
* MacOS: <https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip>

Place the zip files, unextracted, in the `volatility3/symbols/` directory of the clone (or in a directory passed with `-s`); Volatility 3 reads symbol tables straight from the archives. Windows symbols missing from the pack are fetched from Microsoft's symbol server on demand when the analysis host is online, but a Linux or macOS kernel that the packs do not cover needs an ISF file generated from its debug kernel with `dwarf2json`.

### OS Information

{% tabs %}
{% tab title="Volatility2" %}
In **Volatility 2**, every plugin needs a profile matching the dump's OS version, service pack and architecture. The **imageinfo** plugin suggests candidate profiles; **kdbgscan** checks them by locating the kernel debugger block (`_KDDEBUGGER_DATA64`), and the correct profile is the one whose hit reports a sane process and module count rather than zeros.

```bash
python2.7 vol.py -f dump.vmem imageinfo # Suggested profiles, KDBG address and image date
python2.7 vol.py -f dump.vmem --profile=profile kdbgscan # Verify a candidate profile: keep the one whose KDBG hit lists processes and modules
```

{% endtab %}

{% tab title="Volatility3" %}

```bash
# Windows
python3 vol.py -f dump.vmem windows.info.Info
# Linux & MacOS
python3 vol.py -f dump.vmem banners.Banners
```

{% endtab %}
{% endtabs %}

### List Processes

{% tabs %}
{% tab title="Volatility2" %}

```bash
# Windows
python2.7 vol.py -f dump.vmem --profile=profile pslist # Basic active process listing
python2.7 vol.py -f dump.vmem --profile=profile psscan # Scan hidden or terminated processes
python2.7 vol.py -f dump.vmem --profile=profile psxview # Cross reference processes with various lists
python2.7 vol.py -f dump.vmem --profile=profile pstree # Show processes in parent/child tree
# Linux
python2.7 vol.py -f dump.vmem --profile=profile linux_pslist # Basic active process listing
python2.7 vol.py -f dump.vmem --profile=profile linux_pidhashtable # List processes and threads
python2.7 vol.py -f dump.vmem --profile=profile linux_psxview # Cross reference processes with various lists
python2.7 vol.py -f dump.vmem --profile=profile linux_pstree # Show processes in parent/child tree
# MacOS
python2.7 vol.py -f dump.vmem --profile=profile mac_pslist # Basic active process listing
python2.7 vol.py -f dump.vmem --profile=profile mac_pid_hash_table # List PID hash table
python2.7 vol.py -f dump.vmem --profile=profile mac_tasks # List tasks
python2.7 vol.py -f dump.vmem --profile=profile mac_psxview # Cross reference processes with various lists
python2.7 vol.py -f dump.vmem --profile=profile mac_pstree # Show processes in parent/child tree
```

{% endtab %}

{% tab title="Volatility3" %}

```bash
# Windows
python3 vol.py -f dump.vmem windows.pslist.PsList
python3 vol.py -f dump.vmem windows.psscan.PsScan
python3 vol.py -f dump.vmem windows.pstree.PsTree
python3 vol.py -f dump.vmem windows.psxview.PsXView
python3 vol.py -f dump.vmem windows.processghosting.ProcessGhosting
# Linux
python3 vol.py -f dump.vmem linux.pslist.PsList
python3 vol.py -f dump.vmem linux.pstree.PsTree
python3 vol.py -f dump.vmem linux.psaux.PsAux
python3 vol.py -f dump.vmem linux.psscan.PsScan
# MacOS
python3 vol.py -f dump.vmem mac.psaux.Psaux
python3 vol.py -f dump.vmem mac.pslist.PsList
python3 vol.py -f dump.vmem mac.pstree.PsTree
```

{% endtab %}
{% endtabs %}
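
The comparison that `psxview` automates, as an added worked example that is not part of the original page or the Volatility project: a shell script that diffs the CSV output of `windows.pslist.PsList` (which walks the kernel's linked list of `_EPROCESS` objects) against `windows.psscan.PsScan` (which carves `_EPROCESS` objects from physical memory by pool tag) and reports PIDs present only in the scan. The CSV column names and the two embedded sample outputs are constructed to mimic the `-r csv` renderer's layout and were not captured from a real image; the script resolves columns by header name so a different column order still works.

```bash
#!/usr/bin/env sh
# Added example, not code from the original page or the Volatility project.
# A process unlinked from the kernel's process list by a rootkit (DKOM) vanishes
# from pslist but is still carved by psscan; a PID that appears only in the scan
# is therefore either hidden or recently terminated. Real inputs come from:
#   python3 vol.py -r csv -f dump.vmem windows.pslist.PsList > pslist.csv
#   python3 vol.py -r csv -f dump.vmem windows.psscan.PsScan > psscan.csv
# The two CSV strings below are constructed sample data in that layout.

PSLIST_CSV='TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xfa80017b8040,88,527,N/A,False,2024-03-01 08:00:01.000000 UTC,N/A,Disabled
0,480,4,smss.exe,0xfa8001f2c6f0,2,29,N/A,False,2024-03-01 08:00:01.000000 UTC,N/A,Disabled
0,624,616,csrss.exe,0xfa8002125b30,9,437,0,False,2024-03-01 08:00:04.000000 UTC,N/A,Disabled
0,1728,624,explorer.exe,0xfa80028e9060,30,1020,1,False,2024-03-01 08:01:10.000000 UTC,N/A,Disabled'

PSSCAN_CSV='TreeDepth,PID,PPID,ImageFileName,Offset(P),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0x17b8040,88,527,N/A,False,2024-03-01 08:00:01.000000 UTC,N/A,Disabled
0,480,4,smss.exe,0x1f2c6f0,2,29,N/A,False,2024-03-01 08:00:01.000000 UTC,N/A,Disabled
0,624,616,csrss.exe,0x2125b30,9,437,0,False,2024-03-01 08:00:04.000000 UTC,N/A,Disabled
0,1728,624,explorer.exe,0x28e9060,30,1020,1,False,2024-03-01 08:01:10.000000 UTC,N/A,Disabled
0,2240,1728,notepad.exe,0x2a41060,0,0,1,False,2024-03-01 08:05:00.000000 UTC,2024-03-01 08:06:30.000000 UTC,Disabled
0,3012,1728,helper.exe,0x2c77b30,4,81,1,False,2024-03-01 08:07:12.000000 UTC,N/A,Disabled'

# write_sample_outputs DIR: writes the constructed outputs as DIR/pslist.csv
# and DIR/psscan.csv so the rest of the script works on files, as it would
# on real plugin output.
write_sample_outputs() {
    printf '%s\n' "$PSLIST_CSV" > "$1/pslist.csv"
    printf '%s\n' "$PSSCAN_CSV" > "$1/psscan.csv"
}

# cross_view_diff PSLIST_CSV_FILE PSSCAN_CSV_FILE
# Prints "PID<TAB>ImageFileName<TAB>verdict" for every psscan row whose PID is
# absent from pslist. Columns are looked up by header name, so a reordered or
# extended column set in another Volatility release does not break it.
cross_view_diff() {
    awk -F',' '
        # Each file starts with a header: rebuild the name -> column map.
        FNR == 1 { split("", col); for (i = 1; i <= NF; i++) col[$i] = i; next }
        { pid = $(col["PID"]) }
        # First file (pslist): remember every listed PID.
        FNR == NR { listed[pid] = 1; next }
        # Second file (psscan): report PIDs the linked-list walk never saw.
        !(pid in listed) {
            verdict = ($(col["ExitTime"]) == "N/A") ? "HIDDEN: no exit time, unlinked from the process list" : "terminated at " $(col["ExitTime"])
            printf "%s\t%s\t%s\n", pid, $(col["ImageFileName"]), verdict
        }' "$1" "$2"
}

# Demo run on the constructed data (no memory image required).
workdir=$(mktemp -d)
write_sample_outputs "$workdir"
cross_view_diff "$workdir/pslist.csv" "$workdir/psscan.csv"
rm -r "$workdir"
```

A scan-only PID with no exit time is a hidden-process candidate: pivot into it with `windows.cmdline.CmdLine --pid`, `windows.malfind.Malfind --pid` and the network plugins. A scan-only PID with an exit time is usually just a terminated process whose `_EPROCESS` has not been reused yet. psscan can also surface stale or partially overwritten pool allocations, so confirm the offset with `windows.pstree.PsTree` before calling anything a rootkit.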

### Process Information

{% tabs %}
{% tab title="Volatility2" %}

```bash
# Windows
python2.7 vol.py -f dump.vmem --profile=profile cmdline -o offset/-p pid # Show command line arguments
python2.7 vol.py -f dump.vmem --profile=profile dlllist -o offset/-p pid # Display DLLs
python2.7 vol.py -f dump.vmem --profile=profile envars -o offset/-p pid # Display environment variables
python2.7 vol.py -f dump.vmem --profile=profile privs -o offset/-p pid -r REGEX # Display process privileges (regex filters the privilege names to search for)
python2.7 vol.py -f dump.vmem --profile=profile memdump -p pid -D dumpdir/ # Dump all valid pages of the process to a single file
# Linux
python2.7 vol.py -f dump.vmem --profile=profile linux_psaux -p pid # Show command line arguments
python2.7 vol.py -f dump.vmem --profile=profile linux_library_list -p pid # Display shared libraries
python2.7 vol.py -f dump.vmem --profile=profile linux_psenv -p pid # Display environment variables
python2.7 vol.py -f dump.vmem --profile=profile linux_bash_env -p pid # Alternative to display environment variables (recovered from bash)
# MacOS
python2.7 vol.py -f dump.vmem --profile=profile mac_psaux -p pid # Show command line arguments
python2.7 vol.py -f dump.vmem --profile=profile mac_dyld_maps -p pid # Display shared libraries
python2.7 vol.py -f dump.vmem --profile=profile mac_psenv -p pid # Display environment variables
python2.7 vol.py -f dump.vmem --profile=profile mac_bash_env -p pid # Alternative to display environment variables (recovered from bash)
python2.7 vol.py -f dump.vmem --profile=profile mac_list_sessions -p pid # Display login sessions
```

{% endtab %}

{% tab title="Volatility3" %}

```bash
# Windows
python3 vol.py -f dump.vmem windows.cmdline.CmdLine --pid pid
python3 vol.py -f dump.vmem windows.dlllist.DllList --pid pid
python3 vol.py -f dump.vmem windows.envars.Envars --pid pid
python3 vol.py -f dump.vmem windows.privileges.Privs --pid pid
# Linux
python3 vol.py -f dump.vmem linux.psaux.PsAux --pid pid
python3 vol.py -f dump.vmem linux.capabilities.Capabilities --pids pids
python3 vol.py -f dump.vmem linux.library_list.LibraryList --pid pid
python3 vol.py -f dump.vmem linux.envars.Envars --pid pid
python3 vol.py -f dump.vmem linux.lsof.Lsof --pid pid
# MacOS
python3 vol.py -f dump.vmem mac.psaux.Psaux --pid pid
```

{% endtab %}
{% endtabs %}

### File Extraction

{% tabs %}
{% tab title="Volatility2" %}

```bash
# Windows
python2.7 vol.py -f dump.vmem --profile=profile procdump -o offset/-p pid -D dumpdir/ # Dump a process executable
python2.7 vol.py -f dump.vmem --profile=profile dlldump -o offset/-p pid -r REGEX/-b ADDRESS -D dumpdir/ # Dump DLLs from a process, selected by module name regex or base address
# Linux
python2.7 vol.py -f dump.vmem --profile=profile linux_procdump -o offset/-p pid -D dumpdir/ # Dump a process executable
python2.7 vol.py -f dump.vmem --profile=profile linux_librarydump -o offset/-p pid -r REGEX/-b ADDRESS -D dumpdir/ # Dump shared libraries from a process, selected by module name regex or base address
# MacOS
python2.7 vol.py -f dump.vmem --profile=profile mac_procdump -o offset/-p pid -D dumpdir/ # Dump a process executable
python2.7 vol.py -f dump.vmem --profile=profile mac_librarydump -o offset/-p pid -b ADDRESS -D dumpdir/ # Dump the shared library loaded at the given base address
```

{% endtab %}

{% tab title="Volatility3" %}

```bash
# Windows
python3 vol.py -f dump.vmem windows.pedump.PEDump --pid pid
# Linux
python3 vol.py -f dump.vmem linux.elfs.Elfs --pid pid --dump
```

{% endtab %}
{% endtabs %}

### Logs & History

{% tabs %}
{% tab title="Volatility2" %}

```bash
# Windows
python2.7 vol.py -f dump.vmem --profile=profile cmdscan # Recover command history
python2.7 vol.py -f dump.vmem --profile=profile consoles # Alternative for command history
python2.7 vol.py -f dump.vmem --profile=profile iehistory # Internet Explorer history
python2.7 vol.py -f dump.vmem --profile=profile evtlogs -D dumpdir/ # Recover Event Logs (XP/2003)
# Linux
python2.7 vol.py -f dump.vmem --profile=profile linux_bash # Recover command history
python2.7 vol.py -f dump.vmem --profile=profile linux_bash_hash # Recover executed binaries
# MacOS
python2.7 vol.py -f dump.vmem --profile=profile mac_bash # Recover command history
python2.7 vol.py -f dump.vmem --profile=profile mac_bash_hash # Recover executed binaries
```

{% endtab %}

{% tab title="Volatility3" %}

```bash
# Windows
python3 vol.py -f dump.vmem windows.cmdscan.CmdScan
python3 vol.py -f dump.vmem windows.consoles.Consoles
# Linux
python3 vol.py -f dump.vmem linux.bash.Bash
# MacOS
python3 vol.py -f dump.vmem mac.bash.Bash
```

{% endtab %}
{% endtabs %}

### Networking Information

{% tabs %}
{% tab title="Volatility2" %}

```bash
# Windows
python2.7 vol.py -f dump.vmem --profile=profile connections # Active Sockets (XP/2003)
python2.7 vol.py -f dump.vmem --profile=profile sockets # Alternative to view active sockets (XP/2003)
python2.7 vol.py -f dump.vmem --profile=profile connscan # Scan for residual info (XP/2003)
python2.7 vol.py -f dump.vmem --profile=profile sockscan # Alternative to scan for residual info (XP/2003)
python2.7 vol.py -f dump.vmem --profile=profile netscan # Network Info (Windows Vista, 2008 & 7)
# Linux
python2.7 vol.py -f dump.vmem --profile=profile linux_ifconfig # Interface Information
python2.7 vol.py -f dump.vmem --profile=profile linux_netstat # Active connections information
python2.7 vol.py -f dump.vmem --profile=profile linux_list_raw # Raw Sockets
python2.7 vol.py -f dump.vmem --profile=profile linux_route_cache -R address # DNS Resolve destination IPs
python2.7 vol.py -f dump.vmem --profile=profile linux_arp # ARP cache
python2.7 vol.py -f dump.vmem --profile=profile linux_netfilter # Netfilter entries
# MacOS
python2.7 vol.py -f dump.vmem --profile=profile mac_ifconfig # Interface Information
python2.7 vol.py -f dump.vmem --profile=profile mac_network_conns # Active connections from the network stack
python2.7 vol.py -f dump.vmem --profile=profile mac_route # Route cache
python2.7 vol.py -f dump.vmem --profile=profile mac_arp # ARP cache
python2.7 vol.py -f dump.vmem --profile=profile mac_socket_filters # Socket filters
python2.7 vol.py -f dump.vmem --profile=profile mac_ip_filters # IP filters
```

{% endtab %}

{% tab title="Volatility3" %}

```bash
# Windows
python3 vol.py -f dump.vmem windows.netscan.NetScan
python3 vol.py -f dump.vmem windows.netstat.NetStat
# Linux
python3 vol.py -f dump.vmem linux.ip.Addr # Lists network interface addresses for all devices
python3 vol.py -f dump.vmem linux.ip.Link # Lists information about network interfaces similar to `ip link show`
python3 vol.py -f dump.vmem linux.netstat.NetStat # Lists network connections for all processes (Netfilter hooks are a separate plugin)
python3 vol.py -f dump.vmem linux.sockstat.Sockstat # Lists open sockets per process, including UNIX sockets
# MacOS
python3 vol.py -f dump.vmem mac.socket_filters.Socket_filters
python3 vol.py -f dump.vmem mac.ifconfig.Ifconfig
python3 vol.py -f dump.vmem mac.netstat.Netstat
```

{% endtab %}
{% endtabs %}
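
To turn `windows.netscan.NetScan` output into the short list of external peers an analyst actually pivots on, an added example that is not code from the original page or the Volatility project: an awk filter that drops loopback, link-local, unspecified and RFC 1918 foreign addresses and prints the rest with the owning process, plus a helper that reduces that to unique foreign hosts. The CSV layout and the sample rows are constructed to mimic the `-r csv` renderer (the foreign hosts use RFC 5737 documentation ranges); they are assumptions, not captured output.

```bash
#!/usr/bin/env sh
# Added example, not code from the original page or the Volatility project.
# Produce the real input with:
#   python3 vol.py -r csv -f dump.vmem windows.netscan.NetScan > netscan.csv
# The CSV below is constructed sample data in that layout.

NETSCAN_CSV='TreeDepth,Offset,Proto,LocalAddr,LocalPort,ForeignAddr,ForeignPort,State,PID,Owner,Created
0,0xfa8001e5a010,TCPv4,0.0.0.0,445,0.0.0.0,0,LISTENING,4,System,2024-03-01 08:00:02.000000 UTC
0,0xfa8002a1b9c0,TCPv4,192.168.1.20,49712,192.168.1.1,445,ESTABLISHED,4,System,2024-03-01 08:03:40.000000 UTC
0,0xfa8002b30cf0,TCPv4,192.168.1.20,49801,203.0.113.45,443,ESTABLISHED,3012,helper.exe,2024-03-01 08:07:15.000000 UTC
0,0xfa8002c4d120,TCPv4,192.168.1.20,49833,198.51.100.7,8080,ESTABLISHED,3012,helper.exe,2024-03-01 08:07:20.000000 UTC
0,0xfa8002d77e00,UDPv4,0.0.0.0,5353,*,0,,1728,explorer.exe,2024-03-01 08:01:12.000000 UTC
0,0xfa8002e01af0,TCPv4,127.0.0.1,49900,127.0.0.1,49901,ESTABLISHED,2240,notepad.exe,2024-03-01 08:05:02.000000 UTC
0,0xfa8002f12b40,TCPv4,192.168.1.20,49850,203.0.113.45,443,CLOSE_WAIT,1728,explorer.exe,2024-03-01 08:08:01.000000 UTC'

# external_connections CSV_FILE
# Prints "PID<TAB>Owner<TAB>Proto<TAB>Local:Port -> Foreign:Port<TAB>State" for
# every socket whose foreign address is routable beyond the host and the LAN.
external_connections() {
    awk -F',' '
        # Wildcards, unspecified, loopback, link-local and RFC 1918 ranges are
        # internal; everything else counts as an external peer.
        function is_internal(a,   o) {
            if (a == "*" || a == "" || a == "0.0.0.0" || a == "::" || a == "::1") return 1
            if (a ~ /^127\./ || a ~ /^169\.254\./ || a ~ /^[fF][eE]80:/) return 1
            split(a, o, ".")
            if (o[1] + 0 == 10) return 1
            if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
            if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1
            return 0
        }
        # Header row: map column names to indexes so column order does not matter.
        FNR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        !is_internal($(col["ForeignAddr"])) {
            printf "%s\t%s\t%s\t%s:%s -> %s:%s\t%s\n", $(col["PID"]), $(col["Owner"]), $(col["Proto"]), $(col["LocalAddr"]), $(col["LocalPort"]), $(col["ForeignAddr"]), $(col["ForeignPort"]), $(col["State"])
        }' "$1"
}

# foreign_hosts CSV_FILE: unique external foreign addresses, one per line,
# ready to be checked against threat intelligence or passive DNS.
foreign_hosts() {
    external_connections "$1" | awk -F'\t' '{ split($4, ep, " -> "); sub(/:[0-9]+$/, "", ep[2]); print ep[2] }' | sort -u
}

# Demo run on the constructed data (no memory image required).
tmpcsv=$(mktemp)
printf '%s\n' "$NETSCAN_CSV" > "$tmpcsv"
external_connections "$tmpcsv"
foreign_hosts "$tmpcsv"
rm -f "$tmpcsv"
```

netscan carves endpoint structures from pool memory, so closed sockets linger with stale state and the occasional partially overwritten allocation produces a garbage row; match each PID back to `windows.pslist.PsList` before attributing traffic to a process, and treat a `CLOSE_WAIT` or `ESTABLISHED` entry as evidence the connection existed, not that it was still open at acquisition time.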

### File System Resources

{% tabs %}
{% tab title="Volatility2" %}

```bash
# Windows
python2.7 vol.py -f dump.vmem --profile=profile mftparser --output=body,dot,greptext,html,json,sqlite,text,xlsx -D dumpdir/ # Scan for MFT records (pick one output format; -D dumps resident data)
python2.7 vol.py -f dump.vmem --profile=profile dumpfiles -r REGEX -D dumpdir/ # Extract cached files (Regex for file name)
# Linux
python2.7 vol.py -f dump.vmem --profile=profile linux_mount # List mount points
python2.7 vol.py -f dump.vmem --profile=profile linux_enumerate_files # Enumerate files
python2.7 vol.py -f dump.vmem --profile=profile linux_find_file -F /path/to/file # Locate a cached file and print its inode address
python2.7 vol.py -f dump.vmem --profile=profile linux_find_file -i inode_address -O output # Extract the file cached at that inode
# MacOS
python2.7 vol.py -f dump.vmem --profile=profile mac_mount # List mount points
python2.7 vol.py -f dump.vmem --profile=profile mac_list_files # Enumerate files
python2.7 vol.py -f dump.vmem --profile=profile mac_dump_file -q file_offset -O output # Extract cached file
```

{% endtab %}

{% tab title="Volatility3" %}

```bash
# Windows
python3 vol.py -f dump.vmem windows.dumpfiles.DumpFiles --filter FILTER # Extract cached files; the filter is a regex on the file name
python3 vol.py -f dump.vmem windows.mbrscan.MBRScan # Scans for and parses potential Master Boot Records (MBRs)
python3 vol.py -f dump.vmem windows.filescan.FileScan # Scans for file objects present in a Windows memory image
python3 vol.py -f dump.vmem windows.mftscan.MFTScan # Scans for MFT FILE records present in a Windows memory image
python3 vol.py -f dump.vmem windows.mftscan.ADS # Scans MFT records for Alternate Data Streams
python3 vol.py -f dump.vmem windows.mftscan.ResidentData # Scans for MFT records with resident data
# Linux
python3 vol.py -f dump.vmem linux.mountinfo.MountInfo # Lists mount points in the processes' mount namespaces
python3 vol.py -f dump.vmem linux.pagecache.Files --find filename # Lists cached files from memory
python3 vol.py -f dump.vmem linux.pagecache.InodePages --find filename/--inode address # Lists and recovers cached inode pages
python3 vol.py -f dump.vmem linux.pagecache.RecoverFs # Recovers the cached filesystem (directories, files, symlinks) into a compressed tarball
# MacOS
python3 vol.py -f dump.vmem mac.mount.Mount # Lists mounted filesystems
python3 vol.py -f dump.vmem mac.list_files.List_Files # Lists files from memory
```

{% endtab %}
{% endtabs %}

### Injected Code & Yara Scanning

{% tabs %}
{% tab title="Volatility2" %}

```bash
# Windows
python2.7 vol.py -f dump.vmem --profile=profile malfind --pid pid/--offset=address -D dumpdir/ # Find and extract injected code blocks
python2.7 vol.py -f dump.vmem --profile=profile yarascan --pid pid -Y yararule/-y yararulefile # Scan for Yara signatures
# Linux
python2.7 vol.py -f dump.vmem --profile=profile linux_malfind --pid pid/--offset=address -D dumpdir/ # Find and extract injected code blocks
python2.7 vol.py -f dump.vmem --profile=profile linux_yarascan --pid pid -Y yararule/-y yararulefile # Scan for Yara signatures
# MacOS
python2.7 vol.py -f dump.vmem --profile=profile mac_malfind --pid pid/--offset=address -D dumpdir/ # Find and extract injected code blocks
python2.7 vol.py -f dump.vmem --profile=profile mac_yarascan --pid pid -Y yararule/-y yararulefile # Scan for Yara signatures
```

{% endtab %}

{% tab title="Volatility3" %}

```bash
# Windows
python3 vol.py -f dump.vmem windows.malfind.Malfind --pid pid --dump
python3 vol.py -f dump.vmem windows.vadyarascan.VadYaraScan --yara-string YARA_STRING/--yara-file YARA_FILE --pid pid # Scans all the Virtual Address Descriptor memory maps using yara.
# Linux
python3 vol.py -f dump.vmem linux.malfind.Malfind
python3 vol.py -f dump.vmem linux.vmayarascan.VmaYaraScan --yara-string YARA_STRING/--yara-file YARA_FILE --pid pid
# MacOS
python3 vol.py -f dump.vmem mac.malfind.Malfind
# Yara Scan
python3 vol.py -f dump.vmem yarascan.YaraScan --yara-string YARA_STRING/--yara-file YARA_FILE # Scans kernel memory using yara rules (string or file).
```

{% endtab %}
{% endtabs %}
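
A worked example of preparing input for `--yara-file`, added here and not part of the original page or the Volatility project: a shell function that turns string indicators (C2 hostnames, mutex names, distinctive strings pulled from a dumped region) into a YARA rule file. The rule name, output path and indicators in the demo call are made up for illustration. The practitioner's caveat it encodes is that Windows processes keep most strings as UTF-16, so each string is declared `wide ascii`; a rule written with plain ASCII strings misses them in process memory.

```bash
#!/usr/bin/env sh
# Added example, not code from the original page or the Volatility project.
# Generates a YARA rule file that can be passed to
#   python3 vol.py -f dump.vmem windows.vadyarascan.VadYaraScan --yara-file iocs.yar
# (or linux.vmayarascan.VmaYaraScan / yarascan.YaraScan) from a list of IOCs.

# yara_escape STRING: escape backslashes and double quotes so any indicator
# text becomes a valid YARA text string literal.
yara_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# iocs_to_yara RULE_NAME OUT_FILE IOC...
# Writes one rule whose strings $s0..$sN are the IOCs, each matched as both
# UTF-16 ("wide") and ASCII and case-insensitively, firing when any of them is
# present. Prints the number of strings written.
iocs_to_yara() {
    rule_name="$1"; out_file="$2"; shift 2
    n=0
    {
        printf 'rule %s\n{\n    meta:\n        description = "Generated from IOCs for Volatility yara scanning"\n    strings:\n' "$rule_name"
        for ioc in "$@"; do
            printf '        $s%d = "%s" wide ascii nocase\n' "$n" "$(yara_escape "$ioc")"
            n=$((n + 1))
        done
        printf '    condition:\n        any of them\n}\n'
    } > "$out_file"
    echo "$n"
}

# Demo: constructed indicators written to a temporary rule file and printed.
rule_file=$(mktemp)
count=$(iocs_to_yara suspicious_strings "$rule_file" "update.example.net" 'Global\MyMutex_8f3a' "cmd.exe /c whoami")
echo "wrote $count strings to $rule_file:"
cat "$rule_file"
rm -f "$rule_file"
```

Keep rules like this narrow: `nocase` on short strings over every VAD region of every process is slow and noisy, and a rule with a single common word will hit in almost every process. Add a `--pid` filter once a suspect process is known, and prefer hex patterns from the actual injected code (as dumped by `malfind --dump`) over generic strings when building detection for reuse.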

### Windows Registry

{% tabs %}
{% tab title="Volatility2" %}

```bash
python2.7 vol.py -f dump.vmem --profile=profile hivelist # Display cached hives
python2.7 vol.py -f dump.vmem --profile=profile hivescan # Pool scanner for registry hives
python2.7 vol.py -f dump.vmem --profile=profile printkey -K KEY # Print a key's subkeys, values and data
python2.7 vol.py -f dump.vmem --profile=profile userassist # Dump userassist data
python2.7 vol.py -f dump.vmem --profile=profile shellbags # Dump shellbags information
python2.7 vol.py -f dump.vmem --profile=profile shimcache # Dump the shimcache
```

{% endtab %}

{% tab title="Volatility3" %}

```bash
python3 vol.py -f dump.vmem windows.registry.hivelist.HiveList
python3 vol.py -f dump.vmem windows.registry.hivescan.HiveScan
python3 vol.py -f dump.vmem windows.registry.printkey.PrintKey --key KEY
python3 vol.py -f dump.vmem windows.registry.userassist.UserAssist
python3 vol.py -f dump.vmem windows.registry.certificates.Certificates # Lists the certificates in the registry's Certificate store
python3 vol.py -f dump.vmem windows.registry.getcellroutine.GetCellRoutine # Reports registry hives with a hooked GetCellRoutine handler
```

{% endtab %}
{% endtabs %}

### Windows Password Recovery

{% tabs %}
{% tab title="Volatility2" %}

```bash
python2.7 vol.py -f dump.vmem --profile=profile lsadump # Dump (decrypted) LSA secrets from the registry
python2.7 vol.py -f dump.vmem --profile=profile hashdump # Dumps passwords hashes (LM/NTLM) from memory
```

{% endtab %}

{% tab title="Volatility3" %}

```bash
python3 vol.py -f dump.vmem windows.hashdump.Hashdump
python3 vol.py -f dump.vmem windows.lsadump.Lsadump
```

{% endtab %}
{% endtabs %}
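
An added post-processing example, not from the original page or the Volatility project: converting `windows.hashdump.Hashdump` CSV output into the pwdump lines John the Ripper reads directly, into the `user:hash` form hashcat takes with `-m 1000 --username`, and flagging accounts whose NT hash equals the hash of the empty string, which means a blank password. The sample CSV is constructed; the LM and NT values of the first two accounts are the well-known empty-password hashes, and the third account's NT hash is a placeholder, not a real credential.

```bash
#!/usr/bin/env sh
# Added example, not code from the original page or the Volatility project.
# Produce the real input with:
#   python3 vol.py -r csv -f dump.vmem windows.hashdump.Hashdump > hashdump.csv
# The CSV below is constructed sample data in that layout.

HASHDUMP_CSV='TreeDepth,User,rid,lmhash,nthash
0,Administrator,500,aad3b435b51404eeaad3b435b51404ee,31d6cfe0d16ae931b73c59d7e0c089c0
0,Guest,501,aad3b435b51404eeaad3b435b51404ee,31d6cfe0d16ae931b73c59d7e0c089c0
0,alice,1001,aad3b435b51404eeaad3b435b51404ee,0123456789abcdef0123456789abcdef'

# LM hash of an empty/disabled LM password and NT hash of the empty string.
EMPTY_LM=aad3b435b51404eeaad3b435b51404ee
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0

# to_pwdump CSV_FILE: one "user:rid:lmhash:nthash:::" line per account, the
# format John the Ripper (--format=NT) consumes directly.
to_pwdump() {
    awk -F',' '
        FNR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        { printf "%s:%s:%s:%s:::\n", $(col["User"]), $(col["rid"]), $(col["lmhash"]), $(col["nthash"]) }' "$1"
}

# nt_for_hashcat CSV_FILE: "user:nthash" lines for hashcat -m 1000 --username.
nt_for_hashcat() {
    awk -F',' '
        FNR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        { printf "%s:%s\n", $(col["User"]), tolower($(col["nthash"])) }' "$1"
}

# blank_password_accounts CSV_FILE: users whose NT hash is the empty-string
# hash, i.e. accounts with no password set (often Guest, sometimes worse).
blank_password_accounts() {
    awk -F',' -v empty_nt="$EMPTY_NT" '
        FNR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        tolower($(col["nthash"])) == empty_nt { print $(col["User"]) }' "$1"
}

# Demo run on the constructed data (no memory image required).
tmpcsv=$(mktemp)
printf '%s\n' "$HASHDUMP_CSV" > "$tmpcsv"
to_pwdump "$tmpcsv"
nt_for_hashcat "$tmpcsv"
echo "blank passwords:"
blank_password_accounts "$tmpcsv"
rm -f "$tmpcsv"
```

The LM field is `aad3b435b51404eeaad3b435b51404ee` on every modern Windows build because LM hashing is disabled, so a different LM value is itself a finding (legacy policy or a very old system). An account with the empty NT hash is not necessarily enabled; cross-check with the SAM's account flags before reporting it as a blank-password login.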

## References

* <https://letsdefend.io/blog/how-to-install-volatility-2-and-volatility-3-on-linux>
* <https://letsdefend.io/blog/how-to-install-volatility-2-and-volatility-3-on-windows>

