Below is a list of the most frequently used modules and commands in Volatility 2
System Information
Image info
volatility -f /path/image imageinfo
volatility -f <image> kdbgscan
Hostname
volatility -f "/path/to/image" --profile <profile> envars | grep -o -E 'COMPUTERNAME .*' | sort -u
Users
volatility -f "/path/to/image" --profile <profile> hashdump
Show registers
volatility -f "/path/to/image" --profile <profile> hivescan
List roots :
volatility -f "/path/to/image" --profile <profile> hivelist
List roots and get initial subkeys :
volatility -f "/path/to/image" --profile <profile> printkey
List key’s values :
volatility -f "/path/to/image" --profile <profile> printkey -K "<key-path>"
System activity
Find executed commands
Display process command-line arguments :
volatility -f "/path/to/image" --profile <profile> cmdline
volatility -f "/path/to/image" --profile <profile> cmdline -p <PID>
Extract command history :
volatility -f "/path/to/image" --profile <profile> cmdscan
volatility -f "/path/to/image" --profile <profile> consoles
Commands entered in cmd.exe are processed by conhost.exe (csrss.exe before Windows 7). So even if an attacker has managed to kill cmd.exe before we get a memory dump, there’s still a chance of recovering the command line history from conhost.exe’s memory. If you find something odd, try dumping the memory of the process associated with conhost.exe and look for strings inside to extract the command lines
List services
volatility -f "/path/to/image" --profile <profile> svcscan
User activity
Clipboard
volatility -f "/path/to/image" --profile <profile> clipboard
Executed programs
Userassist
volatility -f "/path/to/image" --profile <profile> userassist
Prefetch
volatility -f "/path/to/image" --profile <profile> mftparser | grep \.pf$
Screen
volatility -f "/path/to/image" --profile <profile> screenshot
Shares
volatility -f "/path/to/image" --profile <profile> handles -t File | grep -E '\\Device\\(LanmanRedirector|Mup)'
Processes / Programs
List processes
volatility -f "/path/to/image" --profile <profile> pslist
volatility -f "/path/to/image" --profile <profile> psscan
volatility -f "/path/to/image" --profile <profile> pstree
Find hidden processes with various process listings
volatility -f "/path/to/image" --profile <profile> psxview
Dump a process as an executable file sample
volatility -f "/path/to/image" --profile <profile> procdump -p <PID> ‑‑dump-dir "/output/path"
Extract the handles of a process
volatility -f "/path/to/image" --profile <profile> handles ‑p <PID>
A handle is a structure that lets you define an object (file, socket, pipe, shared memory area, etc. ) and then manipulate it. Handles can be shared by several processes.
Extract memory mapped and cached file of a process
volatility -f "/path/to/image" --profile <profile> dumpfiles -p <PID> ‑‑dump-dir "/output/path"
Extract DLLs loaded by a process
volatility -f "/path/to/image" --profile <profile> dlllist -p <PID>
volatility -f "/path/to/image" --profile <profile> dlldump -p <PID> ‑‑dump-dir "/output/path"
Dump the addressable memory for a process
volatility -f "/path/to/image" --profile <profile> memdump -p <PID> ‑‑dump-dir "/output/path"
Network
Show network connections
volatility -f "/path/to/image" --profile <profile> netscan
volatility -f "/path/to/image" --profile <profile> netstat
XP/2003 :
volatility -f "/path/to/image" --profile <profile> connscan
volatility -f "/path/to/image" --profile <profile> connections
volatility -f "/path/to/image" --profile <profile> sockscan
volatility -f "/path/to/image" --profile <profile> sockets
Files
List memory mapped and cached files
volatility -f "/path/to/image" --profile <profile> filescan
Extract memory mapped and cached files
All files found :
volatility -f "/path/to/image" --profile <profile> dumpfiles
All files associated to a process :
volatility -f "/path/to/image" --profile <profile> dumpfiles -p <PID>
One file from its memory offset :
volatility -f "/path/to/image" --profile <profile> dumpfiles -Q <offset>
Malware analysis
Find hidden and injected code
(PID, process name, address, VAD tags, hexdump, and shellcode)
volatility -f "/path/to/image" --profile <profile> malfind
Yarascan
volatility -f "/path/to/image" --profile <profile> yarascan -y "/path/to/rules.yar"
API Hooks
volatility -f "/path/to/image" --profile <profile> apihooks -p <PID>
volatility -f "/path/to/image" --profile <profile> apihooks -p <PID> | grep -oE 'Function:.*|Hook address:.*|\**'
Hook analysis :
volatility -f "/path/to/image" --profile <profile> volshell -p <PID>
>>> dis(<hook-address>, length=512)
echo "dis(<hook-address>, length=512)" | volatility -f "/path/to/image" --profile <profile> volshell -p <PID> 2> /dev/null | sed 's/^[>]*\s*0x\([abcdef0-9]*\s*\)\{2\}//g' | head -n -1
Display SSDT entries
volatility -f "/path/to/image" --profile <profile> ssdt
Extract secrets
Dumps passwords hashes (LM/NTLM) from memory (x86 only)
volatility -f "/path/to/image" --profile <profile> hashdump
Dump (decrypted) LSA secrets from the registry
volatility -f "/path/to/image" --profile <profile> lsadump
Extract RSA private keys and certificates
volatility -f "/path/to/image" --profile <profile> dumpcerts
Dumps cached domain hashes from memory
volatility -f "/path/to/image" --profile <profile> cachedump
Recover cached TrueCrypt secrets
volatility -f "/path/to/image" --profile <profile> truecryptmaster
volatility -f "/path/to/image" --profile <profile> truecryptpassphrase
volatility -f "/path/to/image" --profile <profile> truecryptsummary
String search
strings -n <min-string-size> <binary>
Sources
- https://book.hacktricks.xyz/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples
- https://blog.onfvp.com/post/volatility-cheatsheet/
- https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet?q=volatility+
- Convert Markdown to mindmap with Markdown-map.com