# Volatility

* Open-source memory forensics framework
* Written in python and supports windows, mac and linux

Features:

* List all processes that were running.

<br>

* List active and closed network connections.

<br>

* View internet history (IE).

<br>

* Identify files on the system and retrieve them from the memory dump.

<br>

* Read the contents of notepad documents.

<br>

* Retrieve commands entered into the Windows Command Prompt (CMD).

<br>

* Scan for the presence of malware using YARA rules.

<br>

* Retrieve screenshots and clipboard contents.

<br>

* Retrieve hashed passwords.

<br>

* Retrieve SSL keys and certificates.

<br>

* And lots more!

#### Usage

* First use the command “volatility -f memdump.mem imageinfo”
* When running commands of memory images use the suggested profile which is shown in the first command
* \--profile=win..

#### Command List

volatility -f memdump.mem imageinfo // Take memory image “memdump.mem” and determine the suggested profile for analysis. The profile is the operating system, version, and architecture.

volatility -f memdump.mem --profile=PROFILE pslist // Take memory image, provide the profile, then use the pslist plugin to print a list of processes to the terminal.

volatility -f memdump.mem --profile=PROFILE pstree // Use the pstree plugin to print a process tree to the terminal.

volatility -f memdump.mem --profile=PROFILE psscan // Use the psscan plugin to print all available processes, including hidden ones often used by malware (compare this to pslist to see if there’s any differences!).

volatility -f memdump.mem --profile=PROFILE psxview // Use the plugin psxview plugin to print expected and hidden processes. This is a combination of pslist and psscan plugins.

volatility -f memdump.mem --profile=PROFILE netscan // Use the plugin netscan to identify any active or closed network connections.

volatility -f memdump.mem --profile=PROFILE timeliner // Use the timeliner plugin to create a timeline of events from the memory image.

volatility -f memdump.mem --profile=PROFILE iehistory // Use the iehistory plugin to pull internet browsing history.

volatility -f memdump.mem --profile=PROFILE filescan // Use the filescan plugin to identify any files on the system from the memory image.

volatility -f memdump.mem --profile=PROFILE dumpfiles -n --dump-dir=./ // Use the dumpfiles plugin to retrieve files from the memory image. In this case our terminal is open in the Desktop (root\@SBTLab2:\~/Desktop) and we are using the output location ./ which tells Volatility to put the files in our current location, the Desktop.