# Volatility

Search through collected volatile memory dumps, volume and VM images.

Volatility 2 and Volatility 3 use different syntax (the Volatility 3 entry point is `vol` / `vol.py`; this sheet writes `volatility` for both). Volatility 2 still ships malware-hunting plugins that have no Volatility 3 counterpart (see the end of this page). If you are not sure which framework supports the image or how it was dumped, try both. Angle-bracket placeholders such as `<image>`, `<profile>` and `<pid>` are to be replaced with your own values.

* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
* [Hacktricks sheet](https://book.hacktricks.xyz/forensics/volatility-examples)
* [Symbol tables for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables)

## Volatility2

Basic info, find the OS profile. `imageinfo` often suggests several candidate profiles; `kdbgscan` scans for the kernel debugger block and identifies the exact one

```sh
volatility -f <image> imageinfo
volatility -f <image> kdbgscan
```

List the plugins available for a specific profile

```sh
volatility -f <image> --profile=<profile> -h
```

Process list

```sh
volatility -f <image> --profile=<profile> pslist
```

List the DLLs of a process

```sh
volatility -f <image> --profile=<profile> dlllist -p <pid>
```

Last accessed directories (Explorer shellbags)

```sh
volatility -f <image> --profile=<profile> shellbags
```

Network connections and sockets (Vista and later; on XP/2003 use `connections` and `sockets` instead)

```sh
volatility -f <image> --profile=<profile> netscan
```

Scan for file objects; the first column is the physical offset needed to dump a file

```sh
volatility -f <image> --profile=<profile> filescan | grep <pattern>
```

Dump a file by its physical offset into the current directory

```sh
volatility -f <image> --profile=<profile> dumpfiles -Q <offset> -D .
```

### Plugins

Linux bash history

```sh
volatility -f <image> --profile=<profile> linux_bash
```

Linux process list, including process ID and parent process ID

```sh
volatility -f <image> --profile=<profile> linux_pslist
```

Dump a process binary with the `linux_procdump` plugin to a target directory by PID. The result is an ELF file

```sh
volatility -f <image> --profile=<profile> linux_procdump -D <dir> -p <pid>
```

Files under Linux can be listed with `linux_enumerate_files` and filtered via grep; the listing includes each file's inode address

```sh
volatility -f <image> --profile=<profile> linux_enumerate_files | grep <pattern>
```

Dump a file with the `linux_find_file` plugin, using the inode address gathered from the listing

```sh
volatility -f <image> --profile=<profile> linux_find_file -i <inode> -O <outfile>
```

### Creating Profiles

Usable profiles are listed via `volatility --info`. Only Windows profiles are shipped by default. A Linux profile must be built for the exact kernel build of the imaged machine; to create one, follow the guide [Security Post-it #3 Volatility Linux Profiles](https://beguier.eu/nicolas/articles/security-tips-3-volatility-linux-profiles.html).

## Volatility3

Basic info works too. Volatility 3 needs no profile (it resolves symbol tables itself), but you still have to know the OS family, because plugins are namespaced by it (`windows.*`, `linux.*`, `mac.*`)

```sh
volatility -f <image> windows.info
```

Process list. `pslist` walks the kernel's linked list of active processes, which a rootkit can unlink a process from; `psscan` carves `_EPROCESS` structures out of memory instead and also finds terminated processes, so run both and compare. `pstree` shows the parent/child relationships

```sh
volatility -f <image> windows.pslist
volatility -f <image> windows.psscan
volatility -f <image> windows.pstree
```

List DLLs; the output includes the path of each file

```sh
volatility -f <image> windows.dlllist
```

Find malicious code: `malfind` looks for injected code and memory regions with suspicious permissions (fileless), `vadyarascan` runs YARA rules over process memory regions and needs a rule file

```sh
volatility -f <image> windows.malfind
volatility -f <image> windows.vadyarascan --yara-file <rules.yar>
```

Dump the memory map of a process, or the files it has open

```sh
volatility -f <image> windows.memmap.Memmap --pid <pid> --dump
volatility -f <image> windows.dumpfiles --pid <pid>
```

Dump and scan files

```sh
windows.dumpfiles.DumpFiles   Dumps cached file contents from Windows memory
windows.filescan.FileScan     Scans for file objects present in a particular windows memory image
windows.verinfo.VerInfo       Lists version information from PE files
```

Find file handles or mutants (filter on the Type column of the handle table)

```sh
volatility -f <image> windows.handles --pid <pid> | grep -E 'File|Mutant'
```

Malware hunting through hooking

```sh
windows.ssdt.SSDT               Lists the system call table (System Service Descriptor Table)
windows.driverirp.DriverIrp     Lists IRPs for drivers in a particular windows memory image
windows.modules.Modules         Lists the loaded kernel modules
windows.driverscan.DriverScan   Scans for drivers present in a particular windows memory image
```

### Plugins

Volatility 3 plugins are namespaced by the OS they work on; for the most part these are `windows.*`, `linux.*` and `mac.*`. Some Volatility 2 plugins have no Volatility 3 counterpart, for example:

* `truecryptpassphrase`
* `shutdowntime`
* `cmdscan` (the command history is missing from Volatility 3)
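The Volatility 2 "Scan files" / "Dump files" steps above are normally chained by hand: grep the `filescan` output, copy each physical offset, run `dumpfiles -Q` per offset. The script below automates that chain. It is an added example, not code from the cheat sheet or from the Volatility project; the filescan sample is constructed, and `memory.raw`, `Win7SP1x64` and `./dumped` are placeholder values.

```sh
#!/bin/sh
# Added example, not part of the original cheat sheet: turn Volatility 2
# `filescan` output into the `dumpfiles -Q <offset>` commands that extract the
# matching files. Assumes the stock filescan layout (physical offset in the
# first column, path in the last); image name, profile and output directory
# used below are placeholders.

# Constructed sample of `volatility -f <image> --profile=<profile> filescan`
# output (not a real capture).
SAMPLE_FILESCAN='Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e3f9af0     16      0 R--r-- \Device\HarddiskVolume1\Windows\System32\ntdll.dll
0x000000003e4a1070      8      1 RW-r-- \Device\HarddiskVolume1\Users\victim\Desktop\invoice.doc
0x000000003e7c2340      2      0 R--rwd \Device\HarddiskVolume1\Users\victim\AppData\Local\Temp\update.exe
0x000000003e9910b0      3      0 R--r-- \Device\HarddiskVolume1\Windows\Prefetch\UPDATE.EXE-1A2B3C4D.pf'

# filescan_offsets PATTERN: read filescan output on stdin and print
# "<offset> <path>" for every row whose path contains PATTERN
# (case-insensitive substring, so backslashes in paths need no regex escaping).
# Header and separator rows never start with 0x and are skipped. Paths that
# contain spaces would need a fixed-width parser instead of $NF.
filescan_offsets() {
    awk -v pat="$1" '
        $1 ~ /^0x[0-9a-f]+$/ && index(tolower($NF), tolower(pat)) { print $1, $NF }
    '
}

# dumpfiles_cmds IMAGE PROFILE OUTDIR PATTERN: read filescan output on stdin
# and emit one dumpfiles command per match, with the path as a trailing
# comment. Commands are printed rather than run so the list can be reviewed
# first; pipe the output into sh to execute it.
dumpfiles_cmds() {
    image=$1; profile=$2; outdir=$3; pattern=$4
    filescan_offsets "$pattern" | while read -r offset path; do
        printf 'volatility -f %s --profile=%s dumpfiles -Q %s -D %s  # %s\n' \
            "$image" "$profile" "$offset" "$outdir" "$path"
    done
}

# Demo on the constructed sample. Against a real image replace the printf with
# the live plugin output:
#   volatility -f memory.raw --profile=Win7SP1x64 filescan \
#     | dumpfiles_cmds memory.raw Win7SP1x64 ./dumped update.exe | sh
printf '%s\n' "$SAMPLE_FILESCAN" | dumpfiles_cmds memory.raw Win7SP1x64 ./dumped update.exe
```

Matching on a substring of the path (`update.exe`) deliberately picks up both the executable in `Temp` and its Prefetch entry, which is usually what you want when pivoting from one suspicious file to everything related to it.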
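The Volatility 3 process-list section says to run `windows.pslist` and `windows.psscan` and compare them, since a process unlinked from the kernel's list disappears from `pslist` but not from `psscan`. The script below does that comparison. It is an added example, not code from the cheat sheet or from the Volatility project; the two listings are constructed samples (only the leading columns matter), and `memory.raw` is a placeholder.

```sh
#!/bin/sh
# Added example, not part of the original cheat sheet: cross-reference
# Volatility 3 `windows.pslist` (walks the kernel's active-process list, which
# a rootkit can unlink an _EPROCESS from) with `windows.psscan` (pool scan for
# _EPROCESS structures) and report PIDs that only psscan found. Assumes the
# default Volatility 3 column order, PID first and ImageFileName third; the
# parser splits on any whitespace, so it works on the real tab-separated
# output as well as on the space-padded samples below.

# Constructed samples (not real captures); only the first columns matter here.
SAMPLE_PSLIST='Volatility 3 Framework 2.4.1
PID   PPID  ImageFileName   Offset(V)   Threads  Handles  SessionId  Wow64

4     0     System          0x8b8bc3a0  51       -        N/A        False
352   4     smss.exe        0x8c1a4b28  2        -        N/A        False
624   352   csrss.exe       0x8c9f3d40  9        -        0          False
1284  624   explorer.exe    0x8d0c2030  22       -        1          False'

SAMPLE_PSSCAN='Volatility 3 Framework 2.4.1
PID   PPID  ImageFileName   Offset(P)   Threads  Handles  SessionId  Wow64

4     0     System          0x3e8bc3a0  51       -        N/A        False
352   4     smss.exe        0x3f1a4b28  2        -        N/A        False
624   352   csrss.exe       0x3f9f3d40  9        -        0          False
1284  624   explorer.exe    0x3d0c2030  22       -        1          False
1337  1284  svch0st.exe     0x3d41a7c8  3        -        1          False'

# hidden_processes PSLIST_FILE PSSCAN_FILE: print "PID ImageFileName" for
# every data row (numeric first field) of the psscan output whose PID does not
# appear in the pslist output. awk two-file idiom: while reading the first
# file (NR == FNR) record its PIDs, then filter the rows of the second file.
hidden_processes() {
    awk 'NR == FNR { if ($1 ~ /^[0-9]+$/) seen[$1] = 1; next }
         $1 ~ /^[0-9]+$/ && !($1 in seen) { print $1, $3 }' "$1" "$2"
}

# demo: run the comparison on the constructed samples via temp files.
# Against a real image:
#   vol -f memory.raw windows.pslist > pslist.txt
#   vol -f memory.raw windows.psscan > psscan.txt
#   hidden_processes pslist.txt psscan.txt
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PSLIST" > "$tmp/pslist.txt"
    printf '%s\n' "$SAMPLE_PSSCAN" > "$tmp/psscan.txt"
    hidden_processes "$tmp/pslist.txt" "$tmp/psscan.txt"
    rm -rf "$tmp"
}

demo
```

A psscan-only PID is a lead, not a verdict: `psscan` also returns processes that have exited but whose `_EPROCESS` has not been reused (check the ExitTime column), so confirm a hit with `windows.pstree` and by looking at its threads and handles before calling it hidden.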