diff --git a/forensics/volatility.md b/forensics/volatility.md index c2ddf10..3809f95 100644 --- a/forensics/volatility.md +++ b/forensics/volatility.md @@ -1,6 +1,14 @@ # Volatility + +Search through collected volatile memory dumps, volume and VM images. +Volatility and Volatility 3 have a different syntax. The older one has +higher malware hunting abilities. + * [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf) * [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples) +* [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables) + +## Basic Commands * Basic Info, find OS profile ```sh 
@@ -19,9 +27,65 @@ volatility -f --profile dlllist -p ```sh volatility -f --profile shellbags ``` + +### Volatility3 + +* Basic Info works too, but you have to know the kind of OS anyway +```sh +volatility -f windows.info +``` + +* Process list, but processes can be hidden. Therefore use ` psscan ` +```sh +volatility -f windows.pslist +volatility -f windows.psscan +volatility -f windows.pstree +``` + +* List dlls, this includes the path of the file +```sh +volatility -f windows.dlllist +``` + +* Find malicious files, fileless and including files, respectively +```sh +volatility -f windows.malfind +volatility -f windows.vadyarascan +``` + +* Dump memory map +```sh +volatility -f windows.memmap.Memmap --pid --dump +``` + +* Dump and scan files +```sh +windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory +windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files. +``` + +* Find file handles or mutex +```sh +volatility -f windows.mutex +``` + +* Malware hunting through hooking +```sh +windows.ssdt.SSDT Lists the system call table. # System Service Descriptor Table +windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image. +windows.modules.Modules Lists the loaded kernel modules. +windows.driverscan.DriverScan Scans for drivers present in a particular windows +``` + + ## Plugins - + +Volatility 3 plugins are named after the specific profile they are used for. +For the most part these are (` macOS.*, windows.*, linux.* `) + * For example * Truecryptpassphrase * cmdscan, command history * shutdowntime + +
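Review bot: in the first hunk, the added sentence "The older one has higher malware hunting abilities" is a bare assertion; say what is meant (which Volatility 2 plugins the author relies on that have no Volatility 3 equivalent here) or drop it, and since the same sentence says the two versions differ in syntax, name the two front ends (`vol.py` for Volatility 2, `vol` for Volatility 3) so readers know which one each command block below targets. Also in this hunk, the existing commands show no placeholder after `-f`, `--profile` and `-p` (e.g. `volatility -f --profile dlllist -p`); if the source writes them as `<image>`, `<profile>`, `<pid>`, the renderer is swallowing them, so write `IMAGE`, `PROFILE`, `PID` or escape the angle brackets. Minor: the unchanged link line "Hacktricks shee" should read "Hacktricks sheet", and the new "Symbol table for Linux and macOS" bullet should say in one clause why Windows is not in that list.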
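Review bot: in the second hunk, `windows.mutex` under "Find file handles or mutex" is not a Volatility 3 plugin name; the mutant scanner is `windows.mutantscan`, and since the heading promises file handles, `windows.handles` belongs in the same block. The Volatility 3 examples all use `volatility -f windows.info`, `volatility -f windows.pslist` and so on, which is the Volatility 2 front end name the page itself says has a different syntax; use `vol -f IMAGE windows.info` to keep the two sections distinguishable. Under "Dump and scan files" the second line fuses two help strings: "Scans for file objects present in a particular windows" belongs to `windows.filescan.FileScan`, while "Lists version information from PE files" is the help text of a separate plugin (`windows.verinfo.VerInfo`); split them and give the actual invocation, since this block and the "Malware hunting through hooking" block are the only ones without the `-f IMAGE` prefix. "Find malicious files, fileless and including files, respectively" is unclear: `windows.malfind` lists suspicious private executable memory regions (injected code), and `windows.vadyarascan` has nothing to match unless rules are supplied via `--yara-rules` or `--yara-file`; state both. In the "## Plugins" paragraph, Volatility 3 has no profiles, plugins are namespaced by OS, and the macOS namespace is `mac.*`, not `macOS.*`; also drop the two trailing blank lines added at the end of the file.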