Volatility Cheat Sheet
Memory forensics framework for extracting processes, credentials, and malware artifacts from RAM dumps.
Overview
Volatility analyzes physical memory images (Windows, Linux, macOS). Use after acquiring RAM with WinPMEM, LiME, or hypervisor snapshots to find processes, network connections, injected code, and cached credentials.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
Volatility 3 (recommended)
```bash
pip install volatility3
vol -h
```
Volatility 2 (legacy)
```bash
sudo apt install -y volatility
```
Volatility 2 is Python 2 only and current Debian/Ubuntu releases no longer ship the package; keep it only for a plugin Vol3 lacks, and run it from the upstream release in a Python 2 environment if apt cannot find it.
Essential commands
Vol3: identify image
```bash
vol -f memory.raw windows.info
vol -f memory.raw banners.Banners
```
windows.info reports the OS build and kernel layer and triggers the symbol download for Windows images; banners.Banners prints the Linux kernel banner strings found in the image so you can match an ISF symbol file to the exact kernel build (the plugin is banners.Banners, there is no linux.banner).
Plugin list
```bash
vol -h | grep windows
```
Common workflows
Windows triage (Volatility 3)
```bash
vol -f win10.raw windows.info
vol -f win10.raw windows.pslist
vol -f win10.raw windows.pstree
vol -f win10.raw windows.netscan
vol -f win10.raw windows.cmdline
vol -f win10.raw windows.malfind
vol -f win10.raw windows.hashdump
vol -f win10.raw windows.registry.hivelist
```
Linux memory
```bash
vol -f linux.raw linux.bash
vol -f linux.raw linux.pslist
vol -f linux.raw linux.check_syscall
vol -f linux.raw linux.envars
```
Process-specific dump
```bash
# --dump writes pid.1234.dmp to the current directory (or to the -o DIR given before the plugin name)
vol -f win10.raw windows.memmap --pid 1234 --dump
vol -f win10.raw windows.vadinfo --pid 1234
strings -n 8 pid.1234.dmp | grep -i password
```
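The Windows triage sequence above as a repeatable script, added here as an example (it is not code from the Volatility project or from the original cheat sheet). It assumes `vol` from volatility3 is on PATH and that the default quick renderer prints one row per process with the PID in the first whitespace-separated column; the sample pslist/psscan rows are constructed, not taken from a real image. It adds windows.psscan to the sequence so the last step can do something the bare command list does not: diff the EPROCESS linked-list view against the pool-scan view, which is how unlinked (DKOM-hidden) processes show up.

```shell
#!/bin/sh
# Added example, not code from the Volatility project or this cheat sheet.
# Runs the Windows triage sequence with Volatility 3, keeps one output file per
# plugin, and cross-checks windows.pslist (EPROCESS linked list) against
# windows.psscan (pool scan) to surface PIDs that are unlinked from the list.
# Assumptions: `vol` (volatility3) is on PATH, and the default quick renderer
# prints one row per process with the PID in the first whitespace-separated
# column. The sample output below is constructed, not from a real image.
set -eu

# Plugins run in order; windows.psscan is added so the hidden-PID check has both views.
TRIAGE_PLUGINS="windows.info windows.pslist windows.psscan windows.pstree windows.netscan \
windows.cmdline windows.malfind windows.hashdump windows.registry.hivelist"

# run_triage IMAGE OUTDIR: one .txt/.err pair per plugin; a failing plugin does
# not abort the rest of the run (hashdump, for example, needs SAM and SYSTEM hives).
run_triage() {
  image=$1; outdir=$2
  mkdir -p "$outdir"
  for p in $TRIAGE_PLUGINS; do
    vol -f "$image" -o "$outdir" "$p" > "$outdir/$p.txt" 2> "$outdir/$p.err" ||
      echo "WARN: $p failed, see $outdir/$p.err" >&2
  done
}

# hidden_pids PSLIST_FILE PSSCAN_FILE: print PIDs present in the psscan output
# but absent from pslist. Banner, header and progress lines are skipped because
# their first field is not numeric. Exited-but-not-yet-freed processes also land
# here, so check ExitTime in the psscan output before calling anything DKOM.
hidden_pids() {
  awk 'FNR == NR { if ($1 ~ /^[0-9]+$/) seen[$1] = 1; next }
       $1 ~ /^[0-9]+$/ && !($1 in seen) { print $1 }' "$1" "$2"
}

# Constructed sample rows in the shape of the quick renderer (columns trimmed);
# awk splits on any whitespace, so tabs or spaces both work.
SAMPLE_PSLIST='Volatility 3 Framework 2.5.0
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0xa50e8c887040 128 - N/A False 2024-01-01 10:00:00 N/A
620 4 smss.exe 0xa50e8d1a4040 2 - N/A False 2024-01-01 10:00:01 N/A'
SAMPLE_PSSCAN="$SAMPLE_PSLIST
1337 620 svch0st.exe 0xa50e8e0c2080 3 - 1 False 2024-01-01 10:05:00 N/A"

# demo_hidden: write the samples to temp files and report the unlinked PID (1337).
demo_hidden() {
  d=$(mktemp -d)
  printf '%s\n' "$SAMPLE_PSLIST" > "$d/pslist.txt"
  printf '%s\n' "$SAMPLE_PSSCAN" > "$d/psscan.txt"
  hidden_pids "$d/pslist.txt" "$d/psscan.txt"
  rm -rf "$d"
}

# Usage: sh vol_triage.sh --demo            (runs the check on the constructed sample)
#        sh vol_triage.sh IMAGE [OUTDIR]    (real run; needs vol on PATH)
case "${1:-}" in
  --demo) demo_hidden ;;
  "")     ;;  # no arguments: definitions only, so the file can be sourced
  *)      run_triage "$1" "${2:-vol_out}"
          hidden_pids "${2:-vol_out}/windows.pslist.txt" "${2:-vol_out}/windows.psscan.txt" ;;
esac
```

A PID that appears only in psscan is a lead, not a verdict: processes that have exited but whose EPROCESS has not yet been freed land in the same list, so read the ExitTime column before escalating, and confirm with windows.pstree and windows.cmdline on that PID.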
Volatility 2 (legacy syntax)
```bash
volatility -f mem.raw --profile=Win10x64_19041 pslist
volatility -f mem.raw --profile=Win10x64_19041 malfind
volatility -f mem.raw --profile=Win10x64_19041 hashdump
```
Pick the profile with the imageinfo or kdbgscan plugin first; Vol2 has no symbol download and a wrong profile silently yields empty or nonsense tables.
Flags reference
| Flag / plugin | Meaning |
|---|---|
| -f FILE | Memory image path (Vol3 shorthand for --single-location file://FILE) |
| windows.info | Plugin, not a flag: OS build, kernel layer and symbol status; run it first |
| --single-location URL | Image location as a URL, which -f sets for you (advanced) |
| -s DIR | Extra symbol directory (Vol3; `-r` is the renderer, not the symbol path) |
| -r RENDERER | Output format (Vol3): quick (default), pretty, json, jsonl, csv |
| --pid N | Target process (plugin option: goes after the plugin name) |
| -o DIR | Output directory for dumped files (Vol3; goes before the plugin name) |
| --profile=NAME | Vol2 only: profile name, e.g. Win10x64_19041 |
Tips
- Wrong profile (Vol2) or missing symbols (Vol3) gives empty or garbage output; run windows.info first. Vol3 fetches Windows PDB symbols on demand (network needed the first time an unseen build is analyzed); Linux and macOS images need an ISF symbol file matching the exact kernel build, placed in the symbols directory.
- Combine with YARA: scan dumped process segments with the yara CLI, or scan VADs in place with windows.vadyarascan so nothing has to be written to disk first.
- New Windows 11 builds can outrun the available symbols; when windows.info cannot resolve the kernel, update volatility3 and clear or refresh the symbol cache before assuming the image is bad.
- For live response, acquire memory before shutdown (injected code, network state and cached credentials do not survive a reboot), then disk; hash the image immediately so later analysis can be tied to what was collected.