killchain-compendium/forensics/volatility.md

# Volatility
* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
* [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples)

* Basic Info, find OS profile
```sh
volatility -f <file.iso> imageinfo
volatility -f <file.iso> kdbgscan
```
* Process list
```sh
volatility -f <file.iso> --profile <OSprofile> pslist
```
* List dlls
```sh
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
```
* Last accessed dir
```sh
volatility -f <file.iso> --profile <OSprofile> shellbags
```
## Plugins 
 
* For example 
    * Truecryptpassphrase
    * cmdscan, command history
    * shutdowntime