
Ashley Pearson

A Basic DFIR Blog

Volatility 3 CheatSheet

Comparing commands from Vol2 > Vol3

4 minutes read

Volatility CheatSheet

Below are some of the more commonly used plugins from Volatility 2 and their Volatility 3 counterparts.

OS Information

imageinfo

Volatility 2:
vol.py -f "/path/to/file" imageinfo
vol.py -f "/path/to/file" kdbgscan

Volatility 3:
vol.py -f "/path/to/file" windows.info

Output differences:
- Volatility 2: Additional information can be gathered with kdbgscan if an appropriate profile wasn't found with imageinfo
- Volatility 3: Includes x32/x64 determination, major and minor OS versions, and kdbg information; no profile needs to be chosen, since symbol tables are resolved automatically

Note: For this command, and for all the others below, Volatility 3 was significantly faster in returning the requested information


Process Information

pslist

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> pslist
vol.py -f "/path/to/file" --profile <profile> psscan
vol.py -f "/path/to/file" --profile <profile> pstree
vol.py -f "/path/to/file" --profile <profile> psxview

Volatility 3:
vol.py -f "/path/to/file" windows.pslist
vol.py -f "/path/to/file" windows.psscan
vol.py -f "/path/to/file" windows.pstree

Output differences:
- Volatility 2: Additional process lists with psxview
- Volatility 3: Does not include a direct psxview equivalent
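Because Volatility 3 has no psxview, the usual workaround is to run windows.pslist (walks the linked process list) and windows.psscan (pool-scans for _EPROCESS structures) and compare them yourself: a process that psscan finds but pslist does not is either terminated or unlinked from the list, which is what psxview's cross-view check highlights. The script below is an added example, not code from this post or from the Volatility project; it assumes both plugins were run with the CSV renderer (`-r csv`) and that both report a virtual `Offset(V)` column, and the embedded sample rows are constructed for the example rather than taken from a real image.

```python
import csv
import io

# Constructed sample of `vol.py -f <image> -r csv windows.pslist` output.
# Column names follow the Volatility 3 CSV renderer (assumed); values are made up.
PSLIST_CSV = """\
TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xfa8000c8f040,82,540,N/A,False,2012-07-22 02:42:31.000000,N/A,Disabled
0,272,4,smss.exe,0xfa80012d8340,2,29,N/A,False,2012-07-22 02:42:31.000000,N/A,Disabled
0,1308,1012,svchost.exe,0xfa8001f1a060,12,300,0,False,2012-07-22 02:42:33.000000,N/A,Disabled
"""

# Constructed sample of `vol.py -f <image> -r csv windows.psscan` output for the same image.
# notepad.exe has an ExitTime (terminated, legitimately absent from pslist);
# unlinked.exe has none, so its absence from pslist is suspicious.
PSSCAN_CSV = """\
TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xfa8000c8f040,82,540,N/A,False,2012-07-22 02:42:31.000000,N/A,Disabled
0,272,4,smss.exe,0xfa80012d8340,2,29,N/A,False,2012-07-22 02:42:31.000000,N/A,Disabled
0,1308,1012,svchost.exe,0xfa8001f1a060,12,300,0,False,2012-07-22 02:42:33.000000,N/A,Disabled
0,1640,1308,notepad.exe,0xfa8002a1b060,1,50,1,False,2012-07-22 02:45:00.000000,2012-07-22 02:46:10.000000,Disabled
0,2044,4,unlinked.exe,0xfa8002b3c060,3,88,0,False,2012-07-22 02:47:12.000000,N/A,Disabled
"""


def parse_processes(csv_text):
    """Map each process's Offset(V) to its CSV row.

    Keying on the _EPROCESS offset rather than the PID mirrors psxview and
    survives PID reuse (psscan may recover an old _EPROCESS with a reused PID).
    """
    return {row["Offset(V)"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def cross_view(pslist_csv, psscan_csv):
    """Approximate psxview's pslist/psscan comparison.

    Returns a dict of (pid, name) lists:
      hidden     - found by psscan, absent from pslist, no ExitTime (worth a closer look)
      terminated - found by psscan, absent from pslist, but has an ExitTime (expected)
      list_only  - in pslist but not found by psscan (e.g. pool tag overwritten)
    """
    in_list = parse_processes(pslist_csv)
    in_scan = parse_processes(psscan_csv)
    report = {"hidden": [], "terminated": [], "list_only": []}

    for offset, row in in_scan.items():
        if offset in in_list:
            continue
        entry = (int(row["PID"]), row["ImageFileName"])
        if row["ExitTime"] != "N/A":
            report["terminated"].append(entry)
        else:
            report["hidden"].append(entry)

    for offset, row in in_list.items():
        if offset not in in_scan:
            report["list_only"].append((int(row["PID"]), row["ImageFileName"]))

    return report


if __name__ == "__main__":
    result = cross_view(PSLIST_CSV, PSSCAN_CSV)
    for category, entries in result.items():
        print(f"{category}:")
        for pid, name in entries:
            print(f"  {pid:>6}  {name}")
```

To use it against a real image, redirect each plugin's CSV output to a file and pass the file contents in place of the constructed strings. The ExitTime check is the part worth keeping: without it, every process that exited since boot shows up as "hidden" and the comparison is mostly noise.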


procdump

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> procdump -p <PID> --dump-dir="/path/to/dir"

Volatility 3:
vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --pid <PID>
vol.py -f "/path/to/file" -o "/path/to/dir" windows.pslist --pid <PID> --dump

Output differences:
- Volatility 2: Just outputs the specified PID's executable (or all processes if no PID is specified)
- Volatility 3: windows.dumpfiles dumps the exe and its associated DLLs; windows.pslist with --dump extracts only the process executable


memdump

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> memdump -p <PID> --dump-dir="/path/to/dir"

Volatility 3:
vol.py -f "/path/to/file" -o "/path/to/dir" windows.memmap --dump --pid <PID>


handles

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> handles -p <PID>

Volatility 3:
vol.py -f "/path/to/file" windows.handles --pid <PID>


Output differences:
- Volatility 2: Offset(V), PID, handle, access, type, details
- Volatility 3: PID, process, offset, handlevalue, type, grantedaccess, name


dlls

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> dlllist -p <PID>

Volatility 3:
vol.py -f "/path/to/file" windows.dlllist --pid <PID>


Output differences:
- Volatility 2: PID, command line, base, size, loadcount, loadtime, path
- Volatility 3: PID, process, base, size, name, path, loadtime, file output


cmdline

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> cmdline
vol.py -f "/path/to/file" --profile <profile> cmdscan
vol.py -f "/path/to/file" --profile <profile> consoles

Volatility 3:
vol.py -f "/path/to/file" windows.cmdline

Output differences:
- Volatility 2: process name, PID, command line; cmdscan adds application, flags and process handle; consoles includes the C:\ listing, original titles, screen position and command history information
- Volatility 3: PID, process name, args (there is no cmdscan or consoles counterpart)



Network Information

netscan

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> netscan
vol.py -f "/path/to/file" --profile <profile> netstat

XP/2003 SPECIFIC
vol.py -f "/path/to/file" --profile <profile> connscan
vol.py -f "/path/to/file" --profile <profile> connections
vol.py -f "/path/to/file" --profile <profile> sockscan
vol.py -f "/path/to/file" --profile <profile> sockets

Volatility 3:
vol.py -f "/path/to/file" windows.netscan
vol.py -f "/path/to/file" windows.netstat


Note: The XP/2003 specific plugins are deprecated and therefore not available in Volatility 3



Registry

hivelist

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> hivescan
vol.py -f "/path/to/file" --profile <profile> hivelist

Volatility 3:
vol.py -f "/path/to/file" windows.registry.hivescan
vol.py -f "/path/to/file" windows.registry.hivelist


printkey

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> printkey
vol.py -f "/path/to/file" --profile <profile> printkey -K "Software\Microsoft\Windows\CurrentVersion"

Volatility 3:
vol.py -f "/path/to/file" windows.registry.printkey
vol.py -f "/path/to/file" windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion"


hivedump

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> hivedump -o <hive offset>

Volatility 3:
vol.py -f "/path/to/file" -o "/path/to/dir" windows.registry.hivelist --dump

Note: The hive offset for Volatility 2 comes from hivelist; Volatility 3 has no separate hivedump plugin and instead extracts the hives via the --dump option of windows.registry.hivelist



Files

filescan

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> filescan

Volatility 3:
vol.py -f "/path/to/file" windows.filescan


filedump

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> dumpfiles --dump-dir="/path/to/dir"
vol.py -f "/path/to/file" --profile <profile> dumpfiles --dump-dir="/path/to/dir" -Q <physical offset>
vol.py -f "/path/to/file" --profile <profile> dumpfiles --dump-dir="/path/to/dir" -p <PID>

Volatility 3:
vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles
vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --virtaddr <offset>
vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --physaddr <offset>
vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --pid <PID>

Note: The offsets passed to --virtaddr/--physaddr are the FILE_OBJECT offsets reported by windows.filescan; Volatility 2's -Q expects the physical offset from filescan



Miscellaneous

malfind

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> malfind

Volatility 3:
vol.py -f "/path/to/file" windows.malfind


Output differences:
- Volatility 2: PID, process name, address, VAD tags, hexdump, and shellcode
- Volatility 3: PID, process name, process start, protection, commit charge, privatememory, file output, hexdump disassembly


yarascan

Volatility 2:
vol.py -f "/path/to/file" --profile <profile> yarascan -y "/path/to/file.yar"

Volatility 3:
vol.py -f "/path/to/file" windows.vadyarascan --yara-rules <string>
vol.py -f "/path/to/file" windows.vadyarascan --yara-file "/path/to/file.yar"
vol.py -f "/path/to/file" yarascan.yarascan --yara-file "/path/to/file.yar"

Output differences:
- Volatility 3: windows.vadyarascan scans each process's VAD regions, while yarascan.yarascan scans the raw memory layer



Practice

If you're looking to practice or hone your memory analysis skills, I highly recommend checking out the Art of Memory Forensics. The site links to a few different third-party sources to purchase the book.

Additionally, you can download practice memory images from the Art of Memory Forensics site. (Note: This is a direct link to the .zip download!) The Windows memory dump sample001.bin was used to test and compare the different versions of Volatility for this post.

If you'd like a more detailed version of this cheatsheet, I recommend checking out HackTricks' post.


Sources

  1. Andrea Fortuna’s Series: “Volatility, my own cheatsheet”
  2. HackTricks Volatility CheatSheet
  3. Vol3 Github
  4. Art of Memory Forensics
