# Volatility

Volatility searches through collected volatile memory dumps, volume and VM images.
Volatility 2 and Volatility 3 have different syntax. The older one has
more malware-hunting plugins.
If you are not sure how the file was dumped, always check both versions.

* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
* [Hacktricks sheet](https://book.hacktricks.xyz/forensics/volatility-examples)
* [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables)

## Basic Commands

* Basic info, find the OS profile
```sh
volatility -f <file.iso> imageinfo
volatility -f <file.iso> kdbgscan
```
* Process list
```sh
volatility -f <file.iso> --profile <OSprofile> pslist
```
* List dlls
```sh
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
```
* Last accessed directories (shellbags)
```sh
volatility -f <file.iso> --profile <OSprofile> shellbags
```
* Scan network
```sh
volatility -f <file.iso> --profile <OSprofile> netscan
```
* Scan files
```sh
volatility -f <file.iso> --profile <OSprofile> filescan | grep <fileToLookFor>
```
* Dump files
```sh
volatility -f <file.iso> --profile <OSprofile> dumpfiles -Q <addressFromfilescan> -D .
```

### Volatility 3

* Basic info works too, but you have to know the OS family anyway, because the plugin is OS-specific
```sh
vol -f <file.iso> windows.info
```

* Process list, but processes can be hidden from the list. Therefore also use `psscan`, and `pstree` for the parent/child view
```sh
vol -f <file.iso> windows.pslist
vol -f <file.iso> windows.psscan
vol -f <file.iso> windows.pstree
```
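To act on the note above, here is an added example (not part of the original notes) that diffs a saved `windows.pslist` listing against a saved `windows.psscan` listing and reports the rows only the scan found; it assumes both plugin outputs were redirected to text files and uses constructed sample rows, not a real dump:

```sh
#!/bin/sh
# Added example, not from the original notes: diff Volatility 3 windows.pslist
# (walks the EPROCESS list) against windows.psscan (pool-tag scan). Rows only
# psscan reports are either terminated processes still in memory or processes
# unlinked from the list by a rootkit, so they deserve a closer look.
# With a real image the inputs would be produced by:
#   vol -f <file> windows.pslist > pslist.txt
#   vol -f <file> windows.psscan > psscan.txt

# Print "<PID> <ImageFileName>" for every psscan row whose PID is absent from
# pslist. Header and blank lines are skipped: their first field is not numeric.
hidden_pids() {
    awk 'FNR == 1 { file++ }
         NF < 3 || $1 !~ /^[0-9]+$/ { next }
         file == 1 { listed[$1] = 1; next }
         !($1 in listed) && !($1 in seen) { seen[$1] = 1; print $1, $3 }' "$1" "$2" |
        sort -n
}

# Constructed sample rows in the Volatility 3 table layout (not a real dump).
write_samples() {
    cat > "$1/pslist.txt" <<'EOF'
Volatility 3 Framework
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

4 0 System 0xe0000018a040 101 - N/A False 2023-01-10 09:12:44.000000 N/A Disabled
660 644 winlogon.exe 0xe00001ee6080 4 - 1 False 2023-01-10 09:12:47.000000 N/A Disabled
2180 660 explorer.exe 0xe000024a5080 38 - 1 False 2023-01-10 09:13:02.000000 N/A Disabled
EOF
    cat > "$1/psscan.txt" <<'EOF'
Volatility 3 Framework
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

4 0 System 0xe0000018a040 101 - N/A False 2023-01-10 09:12:44.000000 N/A Disabled
660 644 winlogon.exe 0xe00001ee6080 4 - 1 False 2023-01-10 09:12:47.000000 N/A Disabled
2180 660 explorer.exe 0xe000024a5080 38 - 1 False 2023-01-10 09:13:02.000000 N/A Disabled
1337 2180 evil.exe 0xe00002b77080 3 - 1 False 2023-01-10 09:15:10.000000 N/A Disabled
2044 2180 notepad.exe 0xe00002c01080 0 - 1 False 2023-01-10 09:14:00.000000 2023-01-10 09:14:30.000000 Disabled
EOF
}

# Run the comparison on the constructed samples; prints the two suspect rows.
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    hidden_pids "$dir/pslist.txt" "$dir/psscan.txt"
    rm -rf "$dir"
}

demo
```

A row with an ExitTime set (here `notepad.exe`) is a normal terminated process; a row with no ExitTime that is still missing from `pslist` (here `evil.exe`) is the one to investigate further with `dlllist`, `handles` and `malfind`.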

* List DLLs, including the path of each file
```sh
vol -f <file.iso> windows.dlllist --pid <pid>
```

* Find malicious code: `malfind` for injected (fileless) code, `vadyarascan` to scan process memory with a YARA rule file
```sh
vol -f <file.iso> windows.malfind
vol -f <file.iso> windows.vadyarascan --yara-file <rules.yar>
```

* Dump the memory map of a process, or the files it has cached
```sh
vol -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
vol -f <file.iso> windows.dumpfiles --pid <pid>
```

* Dump and scan files (plugin descriptions from the help output)
```text
windows.dumpfiles.DumpFiles   Dumps cached file contents from Windows memory
windows.filescan.FileScan     Scans for file objects present in a particular windows memory image
windows.verinfo.VerInfo       Lists version information from PE files
```

* Find file handles or mutexes
```sh
vol -f <file.iso> windows.handles --pid <pid>
vol -f <file.iso> windows.mutantscan
```

* Malware hunting through hooks and drivers (plugin descriptions from the help output)
```text
windows.ssdt.SSDT               Lists the system call table (System Service Descriptor Table)
windows.driverirp.DriverIrp     Lists IRPs for drivers in a particular windows memory image
windows.modules.Modules         Lists the loaded kernel modules
windows.driverscan.DriverScan   Scans for drivers present in a particular windows memory image
```

## Plugins

Volatility 3 plugins are namespaced by the OS they are used for.
For the most part these are `windows.*`, `linux.*` and `mac.*`.

Other plugin names worth knowing (these are Volatility 2 names):

* `truecryptpassphrase`
* `cmdscan`, command history
* `shutdowntime`