Volatility 3 CheatSheet
Comparing commands from Vol2 > Vol3
Volatility CheatSheet
Below are some of the more commonly used plugins from Volatility 2 and their Volatility 3 counterparts.
OS Information
imageinfo
Volatility 2:
vol.py -f "/path/to/file" imageinfo
vol.py -f "/path/to/file" kdbgscan
Volatility 3:
vol.py -f "/path/to/file" windows.info
Output differences:
- Volatility 2: Additional information can be gathered with kdbgscan if imageinfo did not find an appropriate profile
- Volatility 3: Includes x32/x64 determination, major and minor OS versions, and kdbg information (no --profile is needed; Volatility 3 resolves the kernel symbol table itself)
Note: Not only for this command but for all of the others below, Volatility 3 was significantly faster in returning the requested information
Process Information
pslist
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> pslist
vol.py -f "/path/to/file" --profile <profile> psscan
vol.py -f "/path/to/file" --profile <profile> pstree
vol.py -f "/path/to/file" --profile <profile> psxview
Volatility 3:
vol.py -f "/path/to/file" windows.pslist
vol.py -f "/path/to/file" windows.psscan
vol.py -f "/path/to/file" windows.pstree
Output differences:
- Volatility 2: Additional cross-view process listing with psxview (pslist, psscan, thrdproc, pspcid, csrss, session, deskthrd columns), which flags processes that one view finds and another does not
- Volatility 3: Does not include a direct psxview equivalent at the time of writing; comparing windows.pslist and windows.psscan by PID gives the two most common cross-views
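Since Volatility 3 has no psxview, the following is an added example (not from the original post and not part of the Volatility project) that reproduces psxview's most useful cross-view, PIDs that windows.psscan finds but windows.pslist does not, from saved plugin output. It assumes the default Volatility 3 text renderer layout, where each data row starts with the PID, ends with the File output column and carries ExitTime just before it; the sample pslist/psscan output embedded below is constructed (process names, offsets and the version banner included) so the script runs stand-alone, and the real vol.py invocations appear only in comments.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: a psxview-style check
# built from saved Volatility 3 output. Generate the inputs first, e.g.
#   vol.py -f "/path/to/file" windows.pslist > pslist.txt
#   vol.py -f "/path/to/file" windows.psscan > psscan.txt
set -eu
export LC_ALL=C   # deterministic sort/comm ordering

# Print the PID column, one per line, sorted and de-duplicated. The
# banner, progress and header rows do not start with a number, so the
# numeric test on $1 drops them.
extract_pids() {
    awk '$1 ~ /^[0-9]+$/ { print $1 }' "$1" | sort -u
}

# PIDs that psscan (pool-tag scanning for _EPROCESS) found but pslist
# (walking the ActiveProcessLinks list) did not.
# $1 = pslist output file, $2 = psscan output file.
hidden_pids() {
    a="$(mktemp)"; b="$(mktemp)"
    extract_pids "$1" > "$a"
    extract_pids "$2" > "$b"
    comm -13 "$a" "$b"     # lines only in the second (psscan) list
    rm -f "$a" "$b"
}

# A PID in psscan but not in pslist is either a terminated process whose
# _EPROCESS has not been reused yet, or a process unlinked from the list.
# Tell them apart by ExitTime. Assumption about the default layout: the
# last column is "File output" and $(NF-1) is the final token of
# ExitTime, which is "N/A" while the process is still alive.
classify_candidates() {
    pslist="$1"; psscan="$2"
    hidden_pids "$pslist" "$psscan" | while read -r pid; do
        [ -n "$pid" ] || continue
        awk -v pid="$pid" '$1 == pid {
            status = ($(NF-1) == "N/A") ? "HIDDEN?" : "exited"
            print status, $1, $3
        }' "$psscan"
    done
}

# Constructed sample output (not from a real image) so the script runs
# stand-alone; columns follow the windows.pslist / windows.psscan layout.
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/pslist.txt" <<'EOF'
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0x89c0b800 54 256 N/A False 2023-05-01 10:00:00.000000 N/A Disabled
608 4 smss.exe 0x89a3c020 3 21 N/A False 2023-05-01 10:00:05.000000 N/A Disabled
1216 608 winlogon.exe 0x89a1a5b8 18 520 0 False 2023-05-01 10:00:08.000000 N/A Disabled
2184 1216 explorer.exe 0x8997f5e0 16 390 0 False 2023-05-01 10:00:30.000000 N/A Disabled
EOF
cat > "$SAMPLE_DIR/psscan.txt" <<'EOF'
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID PPID ImageFileName Offset(P) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0x01c0b800 54 256 N/A False 2023-05-01 10:00:00.000000 N/A Disabled
608 4 smss.exe 0x01a3c020 3 21 N/A False 2023-05-01 10:00:05.000000 N/A Disabled
1216 608 winlogon.exe 0x01a1a5b8 18 520 0 False 2023-05-01 10:00:08.000000 N/A Disabled
2184 1216 explorer.exe 0x0197f5e0 16 390 0 False 2023-05-01 10:00:30.000000 N/A Disabled
3064 2184 notepad.exe 0x0172c020 0 0 0 False 2023-05-01 10:05:00.000000 2023-05-01 10:06:10.000000 Disabled
1688 2184 hidden.exe 0x0161d9c8 2 45 0 False 2023-05-01 10:07:00.000000 N/A Disabled
EOF

classify_candidates "$SAMPLE_DIR/pslist.txt" "$SAMPLE_DIR/psscan.txt"
```

On the constructed sample this prints "HIDDEN? 1688 hidden.exe" and "exited 3064 notepad.exe". Treat a HIDDEN? hit as a lead, not a verdict: psscan also picks up stale _EPROCESS structures left in freed pool, and psxview's remaining views (thread scans, csrss handle tables, session and desktop lists) are what confirm an unlinked process, so follow up with windows.pstree and windows.handles on the PID before calling it hidden.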
procdump
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> procdump -p <PID> --dump-dir="/path/to/dir"
Volatility 3:
vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --pid <PID>
Output differences:
- Volatility 2: Just outputs the executable of the specified PID (or of all processes if none is specified)
- Volatility 3: windows.dumpfiles --pid dumps the exe and its associated DLLs (every file object mapped by the process); if only the executable is wanted, windows.pslist --pid <PID> --dump is the closer procdump equivalent
memdump
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> memdump -p <PID> --dump-dir="/path/to/dir"
Volatility 3:
vol.py -f "/path/to/file" -o "/path/to/dir" windows.memmap --dump --pid <PID>
handles
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> handles -p <PID>
Volatility 3:
vol.py -f "/path/to/file" windows.handles --pid <PID>
Output differences:
- Volatility 2: Offset(V), PID, handle, access, type, details
- Volatility 3: PID, process, offset, handlevalue, type, grantedaccess, name
dlls
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> dlllist -p <PID>
Volatility 3:
vol.py -f "/path/to/file" windows.dlllist --pid <PID>
Output differences:
- Volatility 2: PID, command line, base, size, loadcount, loadtime, path
- Volatility 3: PID, process, base, size, name, path, loadtime, file output
cmdline
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> cmdline
vol.py -f "/path/to/file" --profile <profile> cmdscan
vol.py -f "/path/to/file" --profile <profile> consoles
Volatility 3:
vol.py -f "/path/to/file" windows.cmdline
Output differences:
- Volatility 2: cmdline gives process name, PID and command line; cmdscan adds the application, flags, process handle and recovered command history; consoles adds the console screen buffer contents (e.g. a C:\ directory listing), original titles, screen position and command history information
- Volatility 3: PID, process name, args (no cmdscan or consoles counterpart is covered here)
Network Information
netscan
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> netscan
vol.py -f "/path/to/file" --profile <profile> netstat
XP/2003 SPECIFIC
vol.py -f "/path/to/file" --profile <profile> connscan
vol.py -f "/path/to/file" --profile <profile> connections
vol.py -f "/path/to/file" --profile <profile> sockscan
vol.py -f "/path/to/file" --profile <profile> sockets
Volatility 3:
vol.py -f "/path/to/file" windows.netscan
vol.py -f "/path/to/file" windows.netstat
Note: The XP/2003-specific plugins (connscan, connections, sockscan, sockets) are deprecated and have no Volatility 3 counterpart
Registry
hivelist
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> hivescan
vol.py -f "/path/to/file" --profile <profile> hivelist
Volatility 3:
vol.py -f "/path/to/file" windows.registry.hivescan
vol.py -f "/path/to/file" windows.registry.hivelist
printkey
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> printkey
vol.py -f "/path/to/file" --profile <profile> printkey -K "Software\Microsoft\Windows\CurrentVersion"
Volatility 3:
vol.py -f "/path/to/file" windows.registry.printkey
vol.py -f "/path/to/file" windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion"
hivedump
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> hivedump -o <offset>
Volatility 3:
There is no hivedump plugin in Vol3. The hives listed by windows.registry.hivelist can be written to the output directory by adding --dump to that plugin, and a hive's backing file object can also be extracted with windows.dumpfiles using its offset from windows.filescan.
Files
filescan
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> filescan
Volatility 3:
vol.py -f "/path/to/file" windows.filescan
filedump
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> dumpfiles --dump-dir="/path/to/dir"
vol.py -f "/path/to/file" --profile <profile> dumpfiles --dump-dir="/path/to/dir" -Q <offset>
vol.py -f "/path/to/file" --profile <profile> dumpfiles --dump-dir="/path/to/dir" -p <PID>
Volatility 3:
vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles
vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --virtaddr <offset>
vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --physaddr <offset>
Note: Vol2's -Q and Vol3's --physaddr both take the physical offset of a FILE_OBJECT as printed by filescan; --virtaddr takes its virtual address instead
Miscellaneous
malfind
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> malfind
Volatility 3:
vol.py -f "/path/to/file" windows.malfind
Output differences:
- Volatility 2: PID, process name, address, VAD tag, protection flags, and a hexdump and disassembly of the flagged region (the candidate injected code)
- Volatility 3: PID, process name, process start, protection, commit charge, privatememory, file output, hexdump and disassembly
yarascan
Volatility 2:
vol.py -f "/path/to/file" --profile <profile> yarascan -y "/path/to/file.yar"
Volatility 3:
vol.py -f "/path/to/file" windows.vadyarascan --yara-rules <string>
vol.py -f "/path/to/file" windows.vadyarascan --yara-file "/path/to/file.yar"
vol.py -f "/path/to/file" yarascan.yarascan --yara-file "/path/to/file.yar"
Practice
If you’re looking to practice or hone your memory analysis skills, I highly recommend checking out the Art of Memory Forensics. The site links to a few different third party sources to purchase the book.
Additionally, you can download practice memory images from the Art of Memory Forensics. (Note: This is a direct link to the .zip download!) The Windows memory dump sample001.bin was used to test and compare the different versions of Volatility for this post.
If you’d like a more detailed version of this cheatsheet, I recommend checking out HackTricks’ post.
Sources
- Andrea Fortuna’s Series: “Volatility, my own cheatsheet”
- HackTricks Volatility CheatSheet
- Vol3 Github
- Art of Memory Forensics