What Volatility is capable of

  • List all processes that were running.
  • List active and closed network connections.
  • View internet history (IE).
  • Identify files on the system and retrieve them from the memory dump.
  • Read the contents of notepad documents.
  • Retrieve commands entered into the Windows Command Prompt (CMD).
  • Scan for the presence of malware using YARA rules.
  • Retrieve screenshots and clipboard contents.
  • Retrieve hashed passwords.
  • Retrieve SSL keys and certificates.


How it works

It needs profiles to work

volatility -f memdump.mem imageinfo — This will identify the system the memory image was taken from.

–profile=WinXPSP2x86 — this will need to be run when running memory image



volatility -f memdump.mem imageinfo

  • PSlist – lists processes
  • Volatility -f memdump.mem –profile=<profile image> pslist
  • PStree – This lists processes i na process tree
  • Volatility -f memdump.mem –profile=<profile image> pstree
  • PSscan – idendifies hidden processes (oftem used by malware)
  • Volatility -f memdump.mem –profile=<profile image> psscan
  • psxview – combination of pslist and psscan
  • Volatility -f memdump.mem –profile=<profile image> psxview
  • netscan – Can view network connections
  • Volatility -f memdump.mem –profile=<profile image> Netscan
  • timeliner – uses timestamps from activity within memory dump in time order. Can be useful for incident response.
  • Volatility -f memdump.mem –profile=<profile image>timeliner
  • iehistory – view browser history
  • filescan – lists every file mention in the memory dump
  • Volatility -f memdump.mem –profile=<profile image> filescan
  • dumpfiles – retrieves files from capture memory — needs to select dump location. Files will be located on the desktop
  • Volatility -f memdump.mem –profile=<profile image> dumpfiles -n –dump-dir=<file directory>
  • cmdline
  • This will locate command line commands
  • procdump
  • dumps processes (use -p <processID> for one process