Ashley Pearson

A Basic DFIR Blog

Volatility 3 CheatSheet

Comparing commands from Vol2 > Vol3

Ashley Pearson

4 minutes read

Volatility CheatSheet

Below are some of the more commonly used plugins from Volatility 2 and their Volatility 3 counterparts.

OS Information


vol.py -f “/path/to/file” imageinfo

vol.py -f “/path/to/file” kdbgscan

vol.py -f “/path/to/file” windows.info

Output differences:
- Volatility 2: Additional information can be gathered with kdbgscan if an appropriate profile wasn’t found with imageinfo
- Volatility 3: Includes x32/x64 determination, major and minor OS versions, and kdbg information

Note: This applies for this specific command, but also all others below, Volatility 3 was significantly faster in returning the requested information

Process Information


vol.py -f “/path/to/file” ‑‑profile <profile> pslist

vol.py -f “/path/to/file” ‑‑profile <profile> psscan

vol.py -f “/path/to/file” ‑‑profile <profile> pstree

vol.py -f “/path/to/file” ‑‑profile <profile> psxview

vol.py -f “/path/to/file” windows.pslist

vol.py -f “/path/to/file” windows.psscan

vol.py -f “/path/to/file” windows.pstree

Output differences:
- Volatility 2: Additional process lists with psxview
- Volatility 3: Does not include a direct psxview equivalent


vol.py -f “/path/to/file” ‑‑profile <profile> procdump -p <PID> ‑‑dump-dir=“/path/to/dir”

vol.py -f “/path/to/file” -o “/path/to/dir” windows.dumpfiles ‑‑pid <PID>

Output differences:
- Volatility 2: Just outputs specified PID (or all if not specified)
- Volatility 3: Dumps exe and associated DLLs


vol.py -f “/path/to/file” ‑‑profile <profile> memdump -p <PID> ‑‑dump-dir=“/path/to/dir”

vol.py -f “/path/to/file” -o “/path/to/dir” windows.memmap ‑‑dump ‑‑pid <PID>


vol.py -f “/path/to/file” ‑‑profile <profile> handles -p <PID>

vol.py -f “/path/to/file” windows.handles ‑‑pid <PID>

Output differences:
- Volatility 2: Offset(V), PID, handle, access, type, details
- Volatility 3: PID, process, offset, handlevalue, type, grantedaccess, name


vol.py -f “/path/to/file” ‑‑profile <profile> dlllist -p <PID>

vol.py -f “/path/to/file” windows.dlllist ‑‑pid <PID>

Output differences:
- Volatility 2: PID, command line, base, size, loadcount, loadtime, path
- Volatility 3: PID, process, base, size, name, path, loadtime, file output


vol.py -f “/path/to/file” ‑‑profile <profile> cmdline

vol.py -f “/path/to/file” ‑‑profile <profile> cmdscan

vol.py -f “/path/to/file” ‑‑profile <profile> consoles

vol.py -f “/path/to/file” windows.cmdline

Output differences:
- Volatility 2: process name, PID, commandline; cmdscan includes application, flags, process handle; consoles contains C:\ listing, original titles, screen position and command history information
- Volatility 3: PID, process name, args

Network Information


vol.py -f “/path/to/file” ‑‑profile <profile> netscan

vol.py -f “/path/to/file” ‑‑profile <profile> netstat


vol.py -f “/path/to/file” ‑‑profile <profile> connscan

vol.py -f “/path/to/file” ‑‑profile <profile> connections

vol.py -f “/path/to/file” ‑‑profile <profile> sockscan

vol.py -f “/path/to/file” ‑‑profile <profile> sockets

vol.py -f “/path/to/file” windows.netscan

vol.py -f “/path/to/file” windows.netstat

Note: The XP/2003 specific plugins are deprecated and therefore not available in Volatility 3



vol.py -f “/path/to/file” ‑‑profile <profile> hivescan

vol.py -f “/path/to/file” ‑‑profile <profile> hivelist

vol.py -f “/path/to/file” windows.registry.hivescan

vol.py -f “/path/to/file” windows.registry.hivelist


vol.py -f “/path/to/file” ‑‑profile <profile> printkey

vol.py -f “/path/to/file” ‑‑profile <profile> printkey -K “Software\Microsoft\Windows\CurrentVersion”

vol.py -f “/path/to/file” windows.registry.printkey

vol.py -f “/path/to/file” windows.registry.printkey ‑‑key “Software\Microsoft\Windows\CurrentVersion”


vol.py -f “/path/to/file” ‑‑profile hivedump -o <offset>

I’m not sure if this capability exists in Vol3; however, you may be able to extract registry hives using filedump with the offset



vol.py -f “/path/to/file” ‑‑profile <profile> filescan

vol.py -f “/path/to/file” windows.filescan


vol.py -f “/path/to/file” ‑‑profile <profile> dumpfiles ‑‑dump-dir=“/path/to/dir”

vol.py -f “/path/to/file” ‑‑profile <profile> dumpfiles ‑‑dump-dir=“/path/to/dir” -Q <offset>

vol.py -f “/path/to/file” ‑‑profile <profile> dumpfiles ‑‑dump-dir=“/path/to/dir” -p <PID>

vol.py -f “/path/to/file” -o “/path/to/dir” windows.dumpfiles

vol.py -f “/path/to/file” -o “/path/to/dir” windows.dumpfiles ‑‑virtaddr <offset>

vol.py -f “/path/to/file” -o “/path/to/dir” windows.dumpfiles ‑‑physaddr <offset>



vol.py -f “/path/to/file” ‑‑profile <profile> malfind

vol.py -f “/path/to/file” windows.malfind

Output differences:
- Volatility 2: PID, process name, address, VAD tags, hexdump, and shellcode
- Volatility 3: PID, process name, process start, protection, commit charge, privatememory, file output, hexdump disassembly


vol.py -f “/path/to/file” yarascan -y “/path/to/file.yar”

vol.py -f “/path/to/file” windows.vadyarascan ‑‑yara-rules <string>

vol.py -f “/path/to/file” windows.vadyarascan ‑‑yara-file “/path/to/file.yar”

vol.py -f “/path/to/file” yarascan.yarascan ‑‑yara-file “/path/to/file.yar”


If you’re looking to practice or hone your memory analysis skills, I highly recommend checking out the Art of Memory Forensics. The site links to a few different third party sources to purchase the book.

Additionally, you can download practice memory images Art of Memory Forensics. (Note: This is a direct link to the .zip download!) The Windows memory dump sample001.bin was used to test and compare the different versions of Volatility for this post.

If you’d like a more detailed version of this cheatsheet, I recommend checking out HackTricks’ post.


  1. Andrea Fortuna’s Series: “Volatility, my own cheatsheet”
  2. HackTricks Volatility CheatSheet
  3. Vol3 Github
  4. Art of Memory Forensics

Recent posts


Threat Hunter & DFIR Enthusiast