diff --git a/.gitmodules b/.gitmodules
index cd415b1..e09a84c 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -61,3 +61,9 @@
 [submodule "hashes/wordlistctl"]
 	path = hashes/wordlistctl
 	url = https://github.com/BlackArch/wordlistctl.git
+[submodule "forensics/volatility3"]
+	path = forensics/volatility3
+	url = https://github.com/volatilityfoundation/volatility3.git
+[submodule "forensics/volatility"]
+	path = forensics/volatility
+	url = https://github.com/volatilityfoundation/volatility.git
diff --git a/forensics/volatility b/forensics/volatility
new file mode 160000
index 0000000..a438e76
--- /dev/null
+++ b/forensics/volatility
@@ -0,0 +1 @@
+Subproject commit a438e768194a9e05eb4d9ee9338b881c0fa25937
diff --git a/forensics/volatility3 b/forensics/volatility3
new file mode 160000
index 0000000..23453f5
--- /dev/null
+++ b/forensics/volatility3
@@ -0,0 +1 @@
+Subproject commit 23453f5d8c56030acf1fea72f2b9d0c9dfda85c6
diff --git a/stego/docs/remnux.md b/stego/docs/remnux.md
index c1cd0db..434dff2 100644
--- a/stego/docs/remnux.md
+++ b/stego/docs/remnux.md
@@ -27,6 +27,7 @@ vmonkey <file.doc>
 * Basic Info, find OS profile
 ```sh
 volatility -f <file.iso> imageinfo
+volatility -f <file.iso> kdbgscan
 ```
 * Process list
 ```sh
@@ -36,4 +37,8 @@ volatility -f <file.iso> --profile <OSprofile> pslist
 ```sh
 volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
 ```
+* Last accessed dir
+```sh
+volatility -f <file.iso> --profile <OSprofile> shellbags
+```