Skip to main content

Volatility 2


Purpose​

Use Volatility 2 or vol.py on the SIFT VM for disk image or memory dump analysis over forensic evidence artifacts.

info

Usage of this SOP is optimized for Windows 10 Build 19041 (Win10x64_19041 profile). For other profiles, follow the guidance in the Usage section

info

Usage of Volatility 2 SOP is intended for Volatility 2, which will vastly differ from Volatility 3.

Pre-requisites​

  • SANS SIFT VM on VMWare Workstation. Follow the File Shares SOP if you need the SIFT VM image.
  • Target image file (e.g. mem, dd, e01, etc)

Overview​

Expand the collapsable menus for some verbose info about Volatility usage scenarios.

tip

For each collapsable menu codeblock, hover over the top right corner to copy to clipboard, and paste it into VS Code on RHEL host for quick reference

vol.py --info : All Profiles, Plugins, Address Spaces, Scanner Checks

sansforensics@siftworkstation: ~
$ vol.py --info
Volatility Foundation Volatility Framework 2.6.1


Profiles
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win10x64 - A Profile for Windows 10 x64
Win10x64_10240_17770 - A Profile for Windows 10 x64 (10.0.10240.17770 / 2018-02-10)
Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x64_15063 - A Profile for Windows 10 x64 (10.0.15063.0 / 2017-04-04)
Win10x64_16299 - A Profile for Windows 10 x64 (10.0.16299.0 / 2017-09-22)
Win10x64_17134 - A Profile for Windows 10 x64 (10.0.17134.1 / 2018-04-11)
Win10x64_17763 - A Profile for Windows 10 x64 (10.0.17763.0 / 2018-10-12)
Win10x64_18362 - A Profile for Windows 10 x64 (10.0.18362.0 / 2019-04-23)
Win10x64_19041 - A Profile for Windows 10 x64 (10.0.19041.0 / 2020-04-17)
Win10x86 - A Profile for Windows 10 x86
Win10x86_10240_17770 - A Profile for Windows 10 x86 (10.0.10240.17770 / 2018-02-10)
Win10x86_10586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x86_14393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
Win10x86_15063 - A Profile for Windows 10 x86 (10.0.15063.0 / 2017-04-04)
Win10x86_16299 - A Profile for Windows 10 x86 (10.0.16299.15 / 2017-09-29)
Win10x86_17134 - A Profile for Windows 10 x86 (10.0.17134.1 / 2018-04-11)
Win10x86_17763 - A Profile for Windows 10 x86 (10.0.17763.0 / 2018-10-12)
Win10x86_18362 - A Profile for Windows 10 x86 (10.0.18362.0 / 2019-04-23)
Win10x86_19041 - A Profile for Windows 10 x86 (10.0.19041.0 / 2020-04-17)
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win2008R2SP1x64_24000 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.24000 / 2016-04-09)
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win2012R2x64 - A Profile for Windows Server 2012 R2 x64
Win2012R2x64_18340 - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64 - A Profile for Windows Server 2012 x64
Win2016x64_14393 - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x64_24000 - A Profile for Windows 7 SP1 x64 (6.1.7601.24000 / 2018-01-09)
Win7SP1x86 - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86_24000 - A Profile for Windows 7 SP1 x86 (6.1.7601.24000 / 2018-01-09)
Win81U1x64 - A Profile for Windows 8.1 Update 1 x64
Win81U1x86 - A Profile for Windows 8.1 Update 1 x86
Win8SP0x64 - A Profile for Windows 8 x64
Win8SP0x86 - A Profile for Windows 8 x86
Win8SP1x64 - A Profile for Windows 8.1 x64
Win8SP1x64_18340 - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)
Win8SP1x86 - A Profile for Windows 8.1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86


Address Spaces
--------------
AMD64PagedMemory - Standard AMD 64-bit address space.
ArmAddressSpace - Address space for ARM processors
FileAddressSpace - This is a direct file AS.
HPAKAddressSpace - This AS supports the HPAK format
IA32PagedMemory - Standard IA-32 paging address space.
IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible
LimeAddressSpace - Address space for Lime
LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space.
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
OSXPmemELF - This AS supports VirtualBox ELF64 coredump format
QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format
SkipDuplicatesAMD64PagedMemory - Windows 8/10-specific AMD 64-bit address space.
VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files
VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata
VMotionMigrationAddressSpace - Address space to access memory from VMotion (ESXi 6) live migration traffic.
VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format
WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space.
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.


Scanner Checks
--------------
CheckPoolSize - Check pool block size
CheckPoolType - Check the pool type
INDXRegExCheck - Checks for multiple strings per page
KPCRScannerCheck - Checks the self referential pointers to find KPCRs
MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at the offset
MultiStringFinderCheck - Checks for multiple strings per page
PoolTagCheck - This scanner checks for the occurance of a pool tag
RCRDRegExCheck - Checks for multiple strings per page
RegExCheck - Checks for multiple strings per page
SignatureCheck - Looks for binary signatures
VersionCheck - Looks for linux kernel string


Plugins
-------
agtidconfig - Parse the Agtid configuration
amcache - Print AmCache information
antianalysis - No docs
apifinder - No docs
apihooks - Detect API hooks in process and kernel memory
apihooksdeep - Detect API hooks in process and kernel memory, with ssdeep for whitelisting
apt17scan - Detect processes infected with APT17 malware
atoms - Print session and window station atom tables
atomscan - Pool scanner for atom tables
attributeht - Find Hacking Team implants and attempt to attribute them using a watermark.
auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
autoruns - Searches the registry and memory space for applications running at system startup and maps them to running processes
bigpools - Dump the big page pools using BigPagePoolScanner
bioskbd - Reads the keyboard buffer from Real Mode memory
bitlocker - Extract Bitlocker FVEK. Supports Windows 7 - 10.
cachedump - Dumps cached domain hashes from memory
callbacks - Print system-wide notification routines
callstacks - this is the plugin class for callstacks
chromecookies - Scans for and parses potential Chrome cookie data
chromedownloadchains - Scans for and parses potential Chrome download chain records
chromedownloads - Scans for and parses potential Chrome download records
chromehistory - Scans for and parses potential Chrome url history
chromesearchterms - Scans for and parses potential Chrome keyword search terms
chromevisits - Scans for and parses potential Chrome url visits data -- VERY SLOW, see -Q option
clipboard - Extract the contents of the windows clipboard
cmdline - Display process command-line arguments
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Pool scanner for tcp connections
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
derusbiconfig - Parse the Derusbi configuration
deskscan - Poolscaner for tagDESKTOP (desktops)
devicetree - Show device tree
directoryenumerator - Enumerates all unique directories from FileScan
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverbl - Scans memory for driver objects and compares the results with the baseline image
driverirp - Driver IRP hook detection
driveritem - No docs
drivermodule - Associate driver objects to kernel modules
driverscan - Pool scanner for driver objects
dumpcerts - Dump RSA private and public SSL keys
dumpfiles - Extract memory mapped and cached files
dumpregistry - Dumps registry files out to disk
dyrescan - Extract Dyre Configuration from processes
editbox - Displays information about Edit controls. (Listbox experimental.)
envars - Display process environment variables
eventhooks - Print details on windows event hooks
evtlogs - Extract Windows Event Logs (XP/2003 only)
facebook - Retrieve facebook artifacts from a memory image
facebookcontacts - Finds possible Facebook contacts
facebookgrabinfo - Carves the memory dump for Owner's personal info JSON struct.
facebookmessages - Carves the memory for every message exchanged between the Owner and another contact
fileitem - No docs
filescan - Pool scanner for file objects
firefoxcookies - Scans for and parses potential Firefox cookies (cookies.sqlite moz_cookies table
firefoxdownloads - Scans for and parses potential Firefox download records -- downloads.sqlite moz_downloads table pre FF26 only
firefoxhistory - Scans for and parses potential Firefox url history (places.sqlite moz_places table)
fwhooks - Enumerates modules which are using Firewall Hook Drivers on Windows 2000/XP/2003
gahti - Dump the USER handle type information
gditimers - Print installed GDI timers and callbacks
gdt - Display Global Descriptor Table
getservicesids - Get the names of services in the Registry and return Calculated SID
getsids - Print the SIDs owning each process
ghostrat - Detects and decrypts Gh0stRat communication
handles - Print list of open handles for each process
hashdump - Dumps passwords hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hikitconfig - Parse the Hikit configuration
hivedump - Prints out a hive
hivelist - Print list of registry hives.
hivescan - Pool scanner for registry hives
hollowfind - Detects different types of Process Hollowing
hookitem - No docs
hpakextract - Extract physical memory from an HPAK file
hpakinfo - Info on an HPAK file
hpv_clipboard - Dump Virtual Machine Clipboard data
hpv_vmconnect - Virtual Machine Console data
hpv_vmwp - Display the Virtual Machine Process GUID for each running vm
idt - Display Interrupt Descriptor Table
idxparser - Scans for and parses Java IDX files
iehistory - Reconstruct Internet Explorer cache / history
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
indx - Scans for and parses potential INDX entries
joblinks - Print process job link information
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
kstackps - Walk the kernel pages to discover 'task_struct' data structures.
lastpass - Extract lastpass data from process.
ldrmodules - Detect unlinked DLLs
limeinfo - Dump Lime file format information
linux_apihooks - Checks for userland apihooks
linux_arp - Print the ARP table
linux_aslr_shift - Automatically detect the Linux ASLR shift
linux_banner - Prints the Linux banner information
linux_bash - Recover bash history from bash process memory
linux_bash_env - Recover a process' dynamic environment variables
linux_bash_hash - Recover bash hash table from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
linux_check_inline_kernel - Check for inline kernel hooks
linux_check_modules - Compares module list to sysfs info, if available
linux_check_syscall - Checks if the system call table has been altered
linux_check_syscall_arm - Checks if the system call table has been altered
linux_check_tty - Checks tty devices for hooks
linux_cpuinfo - Prints info about each active processor
linux_dentry_cache - Gather files from the dentry cache
linux_dmesg - Gather dmesg buffer
linux_dump_map - Writes selected memory mappings to disk
linux_dynamic_env - Recover a process' dynamic environment variables
linux_elfs - Find ELF binaries in process mappings
linux_enumerate_files - Lists files referenced by the filesystem cache
linux_ffcookies - Listing Cookies in Firefox
linux_ffhis - Listing History of FireFox Browser
linux_find_file - Lists and recovers files from memory
linux_getcwd - Lists current working directory of each process
linux_hidden_modules - Carves memory to find hidden kernel modules
linux_ifconfig - Gathers active interfaces
linux_info_regs - It's like 'info registers' in GDB. It prints out all the
linux_iomem - Provides output similar to /proc/iomem
linux_kernel_opened_files - Lists files that are opened from within the kernel
linux_keyboard_notifiers - Parses the keyboard notifier call chain
linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
linux_library_list - Lists libraries loaded into a process
linux_librarydump - Dumps shared libraries in process memory to disk
linux_list_raw - List applications with promiscuous sockets
linux_lsmod - Gather loaded kernel modules
linux_lsof - Lists file descriptors and their path
linux_malfind - Looks for suspicious process mappings
linux_memmap - Dumps the memory map for linux tasks
linux_moddump - Extract loaded kernel modules
linux_mount - Gather mounted fs/devices
linux_mount_cache - Gather mounted fs/devices from kmem_cache
linux_netfilter - Lists Netfilter hooks
linux_netscan - Carves for network connection structures
linux_netstat - Lists open sockets
linux_pidhashtable - Enumerates processes through the PID hash table
linux_pkt_queues - Writes per-process packet queues out to disk
linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images
linux_proc_maps - Gathers process memory maps
linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree
linux_procdump - Dumps a process's executable image to disk
linux_process_hollow - Checks for signs of process hollowing
linux_psaux - Gathers processes along with full command line and start time
linux_psenv - Gathers processes along with their static environment variables
linux_pslist - Gather active tasks by walking the task_struct->task list
linux_pslist_cache - Gather tasks from the kmem_cache
linux_psscan - Scan physical memory for processes
linux_pstree - Shows the parent/child relationship between processes
linux_psxview - Find hidden processes with various process listings
linux_python_str_dict_entry - Pull {python-strings: python-string} dictionary entries from a process's
linux_python_strings - Pull python strings from a process's heap.
linux_recover_filesystem - Recovers the entire cached file system from memory
linux_route_cache - Recovers the routing cache from memory
linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
linux_slabinfo - Mimics /proc/slabinfo on a running machine
linux_ssh_keys - Get SSH keys from ssh-agent process heaps - will write all found keys to
linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
linux_threads - Prints threads of processes
linux_tmpfs - Recovers tmpfs filesystems from memory
linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases
linux_vma_cache - Gather VMAs from the vm_area_struct cache
linux_volshell - Shell in the memory image
linux_yarascan - A shell in the Linux memory image
linuxgetprofile - Scan to try to determine the Linux profile
logfile - Scans for and parses potential $Logfile entries
lsadump - Dump (decrypted) LSA secrets from the registry
mac_adium - Lists Adium messages
mac_apihooks - Checks for API hooks in processes
mac_apihooks_kernel - Checks to see if system call and kernel functions are hooked
mac_arp - Prints the arp table
mac_bash - Recover bash history from bash process memory
mac_bash_env - Recover bash's environment variables
mac_bash_hash - Recover bash hash table from bash process memory
mac_bitcoin - Get bitcoin artifacts from OS X multibit client memory
mac_calendar - Gets calendar events from Calendar.app
mac_check_fop - Validate File Operation Pointers
mac_check_mig_table - Lists entires in the kernel's MIG table
mac_check_syscall_shadow - Looks for shadow system call tables
mac_check_syscalls - Checks to see if system call table entries are hooked
mac_check_sysctl - Checks for unknown sysctl handlers
mac_check_trap_table - Checks to see if mach trap table entries are hooked
mac_compressed_swap - Prints Mac OS X VM compressor stats and dumps all compressed pages
mac_contacts - Gets contact names from Contacts.app
mac_dead_procs - Prints terminated/de-allocated processes
mac_dead_sockets - Prints terminated/de-allocated network sockets
mac_dead_vnodes - Lists freed vnode structures
mac_devfs - Lists files in the file cache
mac_dmesg - Prints the kernel debug buffer
mac_dump_file - Dumps a specified file
mac_dump_maps - Dumps memory ranges of process(es)
mac_dyld_maps - Gets memory maps of processes from dyld data structures
mac_filevault2 - Attempts to recover FileVault 2 Volume Master Keys
mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
mac_get_profile - Automatically detect Mac profiles
mac_ifconfig - Lists network interface information for all devices
mac_interest_handlers - Lists IOKit Interest Handlers
mac_ip_filters - Reports any hooked IP filters
mac_kernel_classes - Lists loaded c++ classes in the kernel
mac_kevents - Show parent/child relationship of processes
mac_keychaindump - Recovers possbile keychain keys. Use chainbreaker to open related keychain files
mac_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
mac_librarydump - Dumps the executable of a process
mac_list_files - Lists files in the file cache
mac_list_kauth_listeners - Lists Kauth Scope listeners
mac_list_kauth_scopes - Lists Kauth Scopes and their status
mac_list_raw - List applications with promiscuous sockets
mac_list_sessions - Enumerates sessions
mac_list_zones - Prints active zones
mac_lsmod - Lists loaded kernel modules
mac_lsmod_iokit - Lists loaded kernel modules through IOkit
mac_lsmod_kext_map - Lists loaded kernel modules
mac_lsof - Lists per-process opened files
mac_machine_info - Prints machine information about the sample
mac_malfind - Looks for suspicious process mappings
mac_memdump - Dump addressable memory pages to a file
mac_moddump - Writes the specified kernel extension to disk
mac_mount - Prints mounted device information
mac_netstat - Lists active per-process network connections
mac_network_conns - Lists network connections from kernel network structures
mac_notesapp - Finds contents of Notes messages
mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_orphan_threads - Lists threads that don't map back to known modules/processes
mac_pgrp_hash_table - Walks the process group hash table
mac_pid_hash_table - Walks the pid hash table
mac_print_boot_cmdline - Prints kernel boot arguments
mac_proc_maps - Gets memory maps of processes
mac_procdump - Dumps the executable of a process
mac_psaux - Prints processes with arguments in user land (**argv)
mac_psenv - Prints processes with environment in user land (**envp)
mac_pslist - List Running Processes
mac_pstree - Show parent/child relationship of processes
mac_psxview - Find hidden processes with various process listings
mac_recover_filesystem - Recover the cached filesystem
mac_route - Prints the routing table
mac_socket_filters - Reports socket filters
mac_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
mac_tasks - List Active Tasks
mac_threads - List Process Threads
mac_threads_simple - Lists threads along with their start time and priority
mac_timers - Reports timers set by kernel drivers
mac_trustedbsd - Lists malicious trustedbsd policies
mac_version - Prints the Mac version
mac_vfsevents - Lists processes filtering file system events
mac_volshell - Shell in the memory image
mac_yarascan - Scan memory for yara signatures
machoinfo - Dump Mach-O file format information
malfind - Find hidden and injected code
malfinddeep - Find hidden and injected code, whitelist with ssdeep hashes
malfofind - Find indications of process hollowing/RunPE injections
malprocfind - Finds malicious processes based on discrepancies from observed, normal behavior and properties
malthfind - Find malicious threads by analyzing their callstack
mbrparser - Scans for and parses potential Master Boot Records (MBRs)
memdump - Dump the addressable memory for a process
memmap - Print the memory map
messagehooks - List desktop and thread window message hooks
mftparser - Scans for and parses potential MFT entries
mimikatz - mimikatz offline
moddump - Dump a kernel driver to an executable file sample
modscan - Pool scanner for kernel modules
modules - Print list of loaded modules
msdecompress - Carves and dumps Lznt1, Xpress and Xpress huffman Compressioned data blocks in a processes pagespace
multiscan - Scan for various objects at once
mutantscan - Pool scanner for mutex objects
ndispktscan - Extract the packets from memory
netscan - Scan a Vista (or later) image for connections and sockets
networkpackets - Carve and analyze ARP/IPv4 network packets from memory
notepad - List currently displayed notepad text
objtypescan - Scan for Windows object type objects
openioc_scan - Scan OpenIOC 1.1 based indicators
openvpn - Extract OpenVPN client credentials (username, password) cached in memory.
osint - Check Url/ip extracted from memory against opensource intelligence platforms
patcher - Patches memory based on page scans
plugxconfig - Locate and parse the PlugX configuration
plugxscan - Detect processes infected with PlugX
poolpeek - Configurable pool scanner plugin
pooltracker - Show a summary of pool tag usage
prefetchparser - Scans for and parses potential Prefetch files
printkey - Print a registry key, and its subkeys and values
privs - Display process privileges
procdump - Dump a process to an executable file sample
processbl - Scans memory for processes and loaded DLLs and compares the results with the baseline
processitem - No docs
profilescan - Scan for executables to try to determine the underlying OS
psinfo - Displays process related information and suspicious memory regions
pslist - Print all running processes by following the EPROCESS lists
psscan - Pool scanner for process objects
pstotal - Combination of pslist,psscan & pstree --output=dot gives graphical representation
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
qemuinfo - Dump Qemu information
raw2dmp - Converts a physical memory sample to a windbg crash dump
registryitem - No docs
rsakey - Extract base64/PEM encoded private RSA keys from physical memory.
screenshot - Save a pseudo-screenshot based on GDI windows
servicebl - Scans memory for service objects and compares the results with the baseline image
servicediff - List Windows services (ala Plugx)
serviceitem - No docs
sessions - List details on _MM_SESSION_SPACE (user logon sessions)
shellbags - Prints ShellBags info
shimcache - Parses the Application Compatibility Shim Cache registry key
shimcachemem - Parses the Application Compatibility Shim Cache stored in kernel memory
shutdowntime - Print ShutdownTime of machine from registry
sockets - Print list of open sockets
sockscan - Pool scanner for tcp socket objects
ssdeepscan - Scan process or kernel memory with SSDeep signatures
ssdt - Display SSDT entries
strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan - Scan for Windows services
symlinkscan - Pool scanner for symlink objects
systeminfo - Print common system details of machine from registry
thrdscan - Pool scanner for thread objects
threads - Investigate _ETHREAD and _KTHREADs
timeliner - Creates a timeline from various artifacts in memory
timers - Print kernel timers and associated module DPCs
truecryptmaster - Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase - TrueCrypt Cached Passphrase Finder
truecryptsummary - TrueCrypt Summary
trustrecords - Extract MS Office TrustRecords from the Registry
twitter - Retrieve twitter artifacts from a memory image
uninstallinfo - Extract installed software info from Uninstall registry key
unloadedmodules - Print list of unloaded modules
usbstor - Parse USB Data from the Registry
userassist - Print userassist registry keys and information
userhandles - Dump the USER handle tables
usnjrnl - Scans for and parses potential USNJRNL entries
usnparser - Scans for and parses USN journal records
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
vboxinfo - Dump virtualbox information
verinfo - Prints out the version information from PE images
vmwareinfo - Dump VMware VMSS/VMSN information
volshell - Shell in the memory image
win10cookie - Find the ObHeaderCookie value for Windows 10
windows - Print Desktop Windows (verbose details)
wintree - Print Z-Order Desktop Windows Tree
wndscan - Pool scanner for window stations
yarascan - Scan process or kernel memory with Yara signatures

vol.py --profile=Win10x64_19041 -h : Options, Plugins for Windows 10 x64 Build 19041

sansforensics@siftworkstation: ~
$ vol.py --profile=Win10x64_19041 -h
Volatility Foundation Volatility Framework 2.6.1
Usage: Volatility - A memory forensics analysis platform.

Options:
-h, --help list all available options and their default values.
Default values may be set in the configuration file
(/etc/volatilityrc)
--conf-file=/home/sansforensics/.volatilityrc
User based configuration file
-d, --debug Debug volatility
--plugins=PLUGINS Additional plugin directories to use (colon separated)
--info Print information about all registered objects
--cache-directory=/home/sansforensics/.cache/volatility
Directory where cache files are stored
--cache Use caching
--tz=TZ Sets the (Olson) timezone for displaying timestamps
using pytz (if installed) or tzset
-C 190000, --confsize=190000
Config data size
-Y YARAOFFSET, --yaraoffset=YARAOFFSET
YARA start offset
-f FILENAME, --filename=FILENAME
Filename to use when opening an image
--profile=Win10x64_19041
Name of the profile to load (use --info to see a list
of supported profiles)
-l LOCATION, --location=LOCATION
A URN location from which to load an address space
-w, --write Enable write support
--dtb=DTB DTB Address
--physical_shift=PHYSICAL_SHIFT
Linux kernel physical shift address
--virtual_shift=VIRTUAL_SHIFT
Linux kernel virtual shift address
--shift=SHIFT Mac KASLR shift address
--output=text Output in this format (support is module specific, see
the Module Output Options below)
--output-file=OUTPUT_FILE
Write output in this file
-v, --verbose Verbose information
-k KPCR, --kpcr=KPCR Specify a specific KPCR address
-g KDBG, --kdbg=KDBG Specify a KDBG virtual address (Note: for 64-bit
Windows 8 and above this is the address of
KdCopyDataBlock)
--force Force utilization of suspect profile
--cookie=COOKIE Specify the address of nt!ObHeaderCookie (valid for
Windows 10 only)

Supported Plugin Commands:

agtidconfig Parse the Agtid configuration
amcache Print AmCache information
antianalysis
apifinder
apihooks Detect API hooks in process and kernel memory
apihooksdeep Detect API hooks in process and kernel memory, with ssdeep for whitelisting
apt17scan Detect processes infected with APT17 malware
atoms Print session and window station atom tables
atomscan Pool scanner for atom tables
attributeht Find Hacking Team implants and attempt to attribute them using a watermark.
auditpol Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
autoruns Searches the registry and memory space for applications running at system startup and maps them to running processes
bigpools Dump the big page pools using BigPagePoolScanner
bioskbd Reads the keyboard buffer from Real Mode memory
bitlocker Extract Bitlocker FVEK. Supports Windows 7 - 10.
cachedump Dumps cached domain hashes from memory
callbacks Print system-wide notification routines
callstacks this is the plugin class for callstacks
chromecookies Scans for and parses potential Chrome cookie data
chromedownloadchains Scans for and parses potential Chrome download chain records
chromedownloads Scans for and parses potential Chrome download records
chromehistory Scans for and parses potential Chrome url history
chromesearchterms Scans for and parses potential Chrome keyword search terms
chromevisits Scans for and parses potential Chrome url visits data -- VERY SLOW, see -Q option
clipboard Extract the contents of the windows clipboard
cmdline Display process command-line arguments
cmdscan Extract command history by scanning for _COMMAND_HISTORY
consoles Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo Dump crash-dump information
derusbiconfig Parse the Derusbi configuration
deskscan Poolscaner for tagDESKTOP (desktops)
devicetree Show device tree
directoryenumerator Enumerates all unique directories from FileScan
dlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverbl Scans memory for driver objects and compares the results with the baseline image
driverirp Driver IRP hook detection
driveritem
drivermodule Associate driver objects to kernel modules
driverscan Pool scanner for driver objects
dumpcerts Dump RSA private and public SSL keys
dumpfiles Extract memory mapped and cached files
dumpregistry Dumps registry files out to disk
dyrescan Extract Dyre Configuration from processes
editbox Displays information about Edit controls. (Listbox experimental.)
envars Display process environment variables
eventhooks Print details on windows event hooks
facebook Retrieve facebook artifacts from a memory image
facebookcontacts Finds possible Facebook contacts
facebookgrabinfo Carves the memory dump for Owner's personal info JSON struct.
facebookmessages Carves the memory for every message exchanged between the Owner and another contact
fileitem
filescan Pool scanner for file objects
firefoxcookies Scans for and parses potential Firefox cookies (cookies.sqlite moz_cookies table
firefoxdownloads Scans for and parses potential Firefox download records -- downloads.sqlite moz_downloads table pre FF26 only
firefoxhistory Scans for and parses potential Firefox url history (places.sqlite moz_places table)
fwhooks Enumerates modules which are using Firewall Hook Drivers on Windows 2000/XP/2003
gahti Dump the USER handle type information
getservicesids Get the names of services in the Registry and return Calculated SID
getsids Print the SIDs owning each process
ghostrat Detects and decrypts Gh0stRat communication
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hikitconfig Parse the Hikit configuration
hivedump Prints out a hive
hivelist Print list of registry hives.
hivescan Pool scanner for registry hives
hollowfind Detects different types of Process Hollowing
hookitem
hpakextract Extract physical memory from an HPAK file
hpakinfo Info on an HPAK file
hpv_clipboard Dump Virtual Machine Clipboard data
hpv_vmconnect Virtual Machine Console data
hpv_vmwp Display the Virtual Machine Process GUID for each running vm
idxparser Scans for and parses Java IDX files
iehistory Reconstruct Internet Explorer cache / history
imagecopy Copies a physical address space out as a raw DD image
imageinfo Identify information for the image
impscan Scan for calls to imported functions
indx Scans for and parses potential INDX entries
joblinks Print process job link information
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
lastpass Extract lastpass data from process.
ldrmodules Detect unlinked DLLs
linuxgetprofile Scan to try to determine the Linux profile
logfile Scans for and parses potential $Logfile entries
lsadump Dump (decrypted) LSA secrets from the registry
machoinfo Dump Mach-O file format information
malfind Find hidden and injected code
malfinddeep Find hidden and injected code, whitelist with ssdeep hashes
malfofind Find indications of process hollowing/RunPE injections
malprocfind Finds malicious processes based on discrepancies from observed, normal behavior and properties
malthfind Find malicious threads by analyzing their callstack
mbrparser Scans for and parses potential Master Boot Records (MBRs)
memdump Dump the addressable memory for a process
memmap Print the memory map
messagehooks List desktop and thread window message hooks
mftparser Scans for and parses potential MFT entries
mimikatz mimikatz offline
moddump Dump a kernel driver to an executable file sample
modscan Pool scanner for kernel modules
modules Print list of loaded modules
msdecompress Carves and dumps Lznt1, Xpress and Xpress huffman Compressioned data blocks in a processes pagespace
multiscan Scan for various objects at once
mutantscan Pool scanner for mutex objects
ndispktscan Extract the packets from memory
netscan Scan a Vista (or later) image for connections and sockets
networkpackets Carve and analyze ARP/IPv4 network packets from memory
objtypescan Scan for Windows object type objects
openioc_scan Scan OpenIOC 1.1 based indicators
openvpn Extract OpenVPN client credentials (username, password) cached in memory.
osint Check Url/ip extracted from memory against opensource intelligence platforms
patcher Patches memory based on page scans
plugxconfig Locate and parse the PlugX configuration
plugxscan Detect processes infected with PlugX
poolpeek Configurable pool scanner plugin
pooltracker Show a summary of pool tag usage
prefetchparser Scans for and parses potential Prefetch files
printkey Print a registry key, and its subkeys and values
privs Display process privileges
procdump Dump a process to an executable file sample
processbl Scans memory for processes and loaded DLLs and compares the results with the baseline
processitem
profilescan Scan for executables to try to determine the underlying OS
psinfo Displays process related information and suspicious memory regions
pslist Print all running processes by following the EPROCESS lists
psscan Pool scanner for process objects
pstotal Combination of pslist,psscan & pstree --output=dot gives graphical representation
pstree Print process list as a tree
psxview Find hidden processes with various process listings
qemuinfo Dump Qemu information
raw2dmp Converts a physical memory sample to a windbg crash dump
registryitem
rsakey Extract base64/PEM encoded private RSA keys from physical memory.
screenshot Save a pseudo-screenshot based on GDI windows
servicebl Scans memory for service objects and compares the results with the baseline image
serviceitem
sessions List details on _MM_SESSION_SPACE (user logon sessions)
shellbags Prints ShellBags info
shimcache Parses the Application Compatibility Shim Cache registry key
shimcachemem Parses the Application Compatibility Shim Cache stored in kernel memory
shutdowntime Print ShutdownTime of machine from registry
ssdeepscan Scan process or kernel memory with SSDeep signatures
ssdt Display SSDT entries
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan Scan for Windows services
symlinkscan Pool scanner for symlink objects
systeminfo Print common system details of machine from registry
thrdscan Pool scanner for thread objects
threads Investigate _ETHREAD and _KTHREADs
timeliner Creates a timeline from various artifacts in memory
timers Print kernel timers and associated module DPCs
truecryptmaster Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase TrueCrypt Cached Passphrase Finder
truecryptsummary TrueCrypt Summary
trustrecords Extract MS Office TrustRecords from the Registry
twitter Retrieve twitter artifacts from a memory image
uninstallinfo Extract installed software info from Uninstall registry key
unloadedmodules Print list of unloaded modules
usbstor Parse USB Data from the Registry
userassist Print userassist registry keys and information
userhandles Dump the USER handle tables
usnjrnl Scans for and parses potential USNJRNL entries
usnparser Scans for and parses USN journal records
vaddump Dumps out the vad sections to a file
vadinfo Dump the VAD info
vadtree Walk the VAD tree and display in tree format
vadwalk Walk the VAD tree
vboxinfo Dump virtualbox information
verinfo Prints out the version information from PE images
vmwareinfo Dump VMware VMSS/VMSN information
volshell Shell in the memory image
win10cookie Find the ObHeaderCookie value for Windows 10
windows Print Desktop Windows (verbose details)
wintree Print Z-Order Desktop Windows Tree
wndscan Pool scanner for window stations
yarascan Scan process or kernel memory with Yara signatures

Usage​

# 1. Use imageinfo plugin to get image profile
IMAGE=/path/to/image.e01 # e.g. image.dd, ./image.e01, /path/to/image.mem
vol.py -f "$IMAGE" imageinfo

## Output: "Suggested Profile(s) : Win10x64_19041"
# 2. List "Support Plugin Command(s)" based on identified image profile
IMAGE=/path/to/image.e01
PROFILE=Win10x64_19041
vol.py -f "$IMAGE" --profile="$PROFILE" -h
# 3. (Quickstart) Run vol.py actual w/ any supported plugin
IMAGE=/path/to/image.e01
PROFILE=Win10x64_19041
PLUGIN=pslist
OUTPUT_DIR=/path/to/evidence
vol.py -f "$IMAGE" --profile="$PROFILE" $PLUGIN > "$OUTPUT_DIR/${PLUGIN}.txt"

Plugins​

tip

For a fully comprehensive list of the target image profile, run vol.py --profile=<profile_from_imageinfo_plugin> -h and navigate to the "Supported Plugin Commands" section.

Requires Minimal Arguments​

Volatility 2 go-to plugins list that do not require additional arguments or conditions beyond the image file (-f <image>) and profile (--profile=<profile>):

Win10x64_19041

PluginPurposeCategory
imageinfoDisplays information about the memory image (e.g., profile suggestion).General Information
psinfoDisplays process-related information and suspicious memory regions.Process
pslistLists all running processes by following the EPROCESS list.Process
pstreeDisplays running processes in a tree format.Process
psscanScans for process objects in memory.Process
psxviewIdentifies hidden processes using multiple process listing techniques.Process
dlllistLists all loaded DLLs for each process.Module and DLL
handlesLists open handles for each process.Handle and Service
svcscanScans for Windows services.Handle and Service
cmdlineDisplays process command-line arguments.Current Environment
cmdscanExtracts command history by scanning for _COMMAND_HISTORY.Current Environment
consolesExtracts command history by scanning for _CONSOLE_INFORMATION.Current Environment
envarsDisplays process environment variables.Current Environment
amcachePrints AmCache information.Forensic Artifacts
prefetchparserScans for and parses potential Prefetch files.Forensic Artifacts
shimcacheParses the Application Compatibility Shim Cache registry key.Forensic Artifacts
mftparserScans for and parses potential MFT entries.Forensic Artifacts
modulesLists all loaded kernel modules.Kernel and Process Memory
vadinfoDisplays information about Virtual Address Descriptors (VADs).Memory and Virtual Address
vadtreeDisplays the VAD tree in a hierarchical format.Memory and Virtual Address
connectionsLists open connections (Windows XP/2003 only).Network
netscanScans for network connections and sockets.Network
autorunsSearches the registry and memory space for applications running at startup.Registry
systeminfoPrints common system details of the machine from the registry.Registry
hivelistLists all registry hives in memory.Registry
hivescanScans for registry hives in memory.Registry
callbacksLists system-wide notification routines.Kernel and System
timersLists kernel timers and associated module DPCs.Kernel and System
malfindDetects hidden and injected code in memory.Malware and File
filescanScans for file objects in memory.Malware and File


Requires Additional Arguments​

Volatility 2 plugins list that require additional arguments or conditions beyond the image file (-f <image>) and profile (--profile=<profile>):

tip

yarascan plugin is not available by default in Volatility 2. For usage of yarascan, you must install Volatility 3 via the official Github repo, which requires internet access.

Defer to the MEL/CL for guidance and approval for mission usage and install on a designated offline MIP (i.e. one that will never touch MPNET).

Win10x64_19041

PluginRequired Argument(s)PurposeCategory
imagecopy<output_file>Copies a physical address space out as a raw DD image.General Information
vaddump--dump-dir=<directory>Dumps VAD sections to files.Memory and Virtual Address
yarascan--yara-rules=<rule_file>Scans process or kernel memory with YARA signatures.Malware and File
dumpfiles--dump-dir=<directory>Extracts memory-mapped and cached files to a specified directory.Malware and File
indx<file_system_offset>Parses INDX entries from the file system.Malware and File
mimikatzAccess to lsass.exe processExtracts credentials offline using Mimikatz.Malware and File
stringsstrings -a -t d image.raw > strings.txt; <SNIP>--string-file==strings.txtExtracts strings from memory and maps them to virtual addresses.Malware and File
dlldump--pid=<process_id>Dumps DLLs from a specific process.Module and DLL
moddump--base=<module_base_address>Dumps a kernel driver to an executable file sample.Module and DLL
procdump--pid=<process_id>Dumps a specific process to an executable file sample.Process
printkey<registry_key_path>Prints a registry key and its subkeys/values.Registry
hashdumpAccess to SYSTEM and SAM hivesDumps password hashes (LM/NTLM) from memory.Registry
dumpregistry--dump-dir=<directory>Dumps registry files to a specified directory.Registry

Scripts​

volAutomator.sh​

Runs Volatility 2 General Plugins that requires minimal arguments (intended for Windows disk images or memory dumps) that outputs each plugin to .txt format.

volAutomator.sh

#!/bin/bash
# Author: SSgt Alex Chong
# Unit: 262 COS
# Version: 1.0.0
# Date: 30 Apr 2025
# Purpose: Runs Volatility 2 General Plugins that require minimal arguments (targeted for Windows disk images or memory dumps)

# Usage function
usage() {
echo "Volatility 2 Automator"
echo "Purpose: Runs Volatility 2 General Plugins that require minimal arguments (for Windows disk images or memory dumps)"
echo ""
echo "Usage: $0 -f <image> -p <profile> -o <output_dir> -r <mode>"
echo " -f Path to the image file"
echo " -p Volatility profile (e.g., Win7SP1x64)"
echo " -r Run mode: 'single' (one plugin at a time) or 'concurrent' (all plugins concurrently)"
echo " -o Output directory for plugin results"
echo " -h Display this help menu"
echo ""
echo "Examples:"
echo " $0 -f /path/to/image.img -p Win10x64_19041 -o ./output -r single"
echo " $0 -f /path/to/image.dd -p Win10x64_19041 -o /absolute/path/to/output -r single"
echo " $0 -f /path/to/image.mem -p Win10x64_19041 -o ./output -r concurrent"
echo " $0 -f /path/to/image.e01 -p Win10x64_19041 -o /absolute/path/to/output -r concurrent"
echo ""
exit 0
}

# Parse command-line arguments
while getopts "f:p:o:r:h" opt; do
case $opt in
f) IMAGE="$OPTARG" ;;
p) PROFILE="$OPTARG" ;;
r) RUN_MODE="$OPTARG" ;;
o) OUTPUT_DIR="$OPTARG" ;;
h) usage ;;
*) usage ;;
esac
done

# Ensure all required arguments are provided
if [ -z "$IMAGE" ] || [ -z "$PROFILE" ] || [ -z "$OUTPUT_DIR" ] || [ -z "$RUN_MODE" ]; then
usage
fi

# Validate run mode
if [[ "$RUN_MODE" != "single" && "$RUN_MODE" != "concurrent" ]]; then
echo "Error: Invalid run mode. Use 'single' or 'concurrent'."
exit 1
fi

# Create output directory if it doesn't exist
mkdir -p "$OUTPUT_DIR"

# General plugins to run (only those that do not require additional arguments)
# NOTE: Run mode: 'single' (one plugin at a time) or 'concurrent' (all plugins concurrently)"
PLUGINS=(
## Image Identification
"imageinfo"
## Process / DLLs
"psinfo"
"pslist"
"pstree"
"psscan"
"dlllist"
"handles"
"psxview"
"svcscan"
## Current environment
"cmdline"
"cmdscan"
"consoles"
"envars"
## Forensic Artifacts
"amcache"
"prefetchparser"
"shimcache"
"mftparser"
## Kernel & Process Memory
"modules"
#"memmap"
"vadinfo"
"vadtree"
## Networking
"connections" # Note: Only for Windows XP/2003
"netscan"
## Registry
"autoruns"
"systeminfo"
"hivescan"
"hivelist"
"callbacks"
"timers"
# Malware and File
"malfind"
"filescan"
)

# Function to clean up Volatility processes on script termination
cleanup() {
echo "Script interrupted. Cleaning up..."
pkill -P $$ vol.py 2>/dev/null
echo "All Volatility processes spawned by this script have been terminated."
exit 1
}

# Trap SIGINT (CTRL+C) and SIGTERM to call the cleanup function
trap cleanup SIGINT SIGTERM

# Run plugins based on the selected mode
if [ "$RUN_MODE" == "single" ]; then
echo "Running plugins in single mode (one at a time)..."
for PLUGIN in "${PLUGINS[@]}"; do
TIMESTAMP=$(date +"%Y%m%d%H%M")
echo "Running plugin: $PLUGIN"
vol.py -f "$IMAGE" --profile="$PROFILE" $PLUGIN > "$OUTPUT_DIR/${TIMESTAMP}_${PLUGIN}.txt"
done
elif [ "$RUN_MODE" == "concurrent" ]; then
echo "Running plugins in concurrent mode (all at once)..."
read -p "WARNING: Concurrent mode is CPU intensive as it runs all plugins simultaneously. Are you sure you want to proceed? (y/n): " CONFIRM
if [[ "$CONFIRM" != "y" && "$CONFIRM" != "Y" ]]; then
echo "Operation canceled by the user."
exit 0
fi
for PLUGIN in "${PLUGINS[@]}"; do
TIMESTAMP=$(date +"%Y%m%d%H%M")
echo "Running plugin: $PLUGIN"
vol.py -f "$IMAGE" --profile="$PROFILE" $PLUGIN > "$OUTPUT_DIR/${TIMESTAMP}_${PLUGIN}.txt" &
done
wait
echo "All plugins have finished running."
fi