volatility3 cheat sheet

General Usage

Use -f to point at the memory image. Symbol tables (ISF JSON files) are looked up under the framework's own symbols directory; use -s to add another directory, for example one holding a table you generated for a kernel build that volatility3 did not recognise. Run windows.info.Info first: it tells you whether a matching symbol table was found before you spend time on the slower plugins.

# Basic syntax (a pip install provides the vol entry point; a git checkout provides vol.py)
vol -f <image> <plugin>

# Common flags
-f, --file <image> # Path to the memory dump
-s, --symbol-dirs <path> # Custom symbol tables directory (e.g., ~/ctf/symbolTables)
-o, --output-dir <path> # Directory to save dumped files

System Information

# Identify the OS: build number, 32/64-bit, kernel base, DTB and which symbol table was matched
vol -f image.vmem windows.info.Info

Processes & Activity

# List processes by walking the kernel's EPROCESS linked list (a process unlinked from it is not shown)
vol -f image.vmem windows.pslist.PsList

# Pool-scan physical memory for EPROCESS structures: also finds unlinked (hidden) and already-terminated processes
vol -f image.vmem windows.psscan.PsScan

# Show process parent-child relationships
vol -f image.vmem windows.pstree.PsTree

# Show command line arguments for processes
vol -f image.vmem windows.cmdline.CmdLine
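The pslist/psscan pair above is the usual hidden-process check: anything psscan reports that pslist does not is either a process that has exited (its EPROCESS has not been freed yet) or a live process that was unlinked from the list. The helper below, an added example that is not part of this cheat sheet or of volatility3, diffs saved output of the two plugins and labels each extra PID accordingly. It assumes the default text output of volatility3 (data rows start with the PID, image name in the third column, ExitTime as the second-to-last column, "N/A" when the process had not exited); the sample listings are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not part of the cheat sheet or of volatility3 itself).
# pslist walks the kernel's linked list of EPROCESS structures, so a process
# that malware has unlinked from it (DKOM) does not appear. psscan carves
# EPROCESS structures out of physical memory by pool tag and still finds it,
# along with processes that have already exited. Reviewing the PIDs psscan
# reports but pslist does not is therefore a standard hidden-process check.
#
# Assumption: both inputs are saved volatility3 text output, e.g.
#   vol -f image.vmem windows.pslist.PsList > pslist.txt
#   vol -f image.vmem windows.psscan.PsScan > psscan.txt
# whose data rows start with the PID, have the image name in the third column
# and end with "... CreateTime ExitTime FileOutput", ExitTime being "N/A"
# when the process had not exited.

# Print "PID ImageFileName ExitTime" for each data row; banner, header and
# blank lines (first field not numeric) are skipped.
extract_rows() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $3, $(NF-1) }' "$1"
}

# Print PIDs present in the psscan output ($2) but absent from the pslist output ($1).
hidden_pids() {
    known=$(mktemp)
    extract_rows "$1" | awk '{ print $1 }' | sort -u > "$known"
    extract_rows "$2" | awk '{ print $1 }' | sort -u | grep -vxF -f "$known" || true
    rm -f "$known"
}

# For each hidden PID print "PID name verdict": "exited" when psscan shows an
# ExitTime (expected: the EPROCESS simply has not been reused yet), "unlinked"
# when it has none (a live process missing from the list: investigate).
classify_hidden() {
    for pid in $(hidden_pids "$1" "$2"); do
        extract_rows "$2" | awk -v p="$pid" \
            '$1 == p { print $1, $2, ($3 == "N/A" ? "unlinked" : "exited") }'
    done
}

# Constructed sample output (not real captures; spaces stand in for the tabs
# volatility3 emits). psscan additionally shows an exited notepad.exe and a
# still-running svch0st.exe that pslist does not list.
PSLIST_SAMPLE=$(mktemp); PSSCAN_SAMPLE=$(mktemp)
trap 'rm -f "$PSLIST_SAMPLE" "$PSSCAN_SAMPLE"' EXIT
cat > "$PSLIST_SAMPLE" <<'EOF'
Volatility 3 Framework 2.5.0
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

4 0 System 0xe0000b0a5040 93 - N/A False 2023-01-10 12:00:01.000000 N/A Disabled
352 4 smss.exe 0xe0000c1b3040 2 - N/A False 2023-01-10 12:00:03.000000 N/A Disabled
1448 1320 explorer.exe 0xe0000d4e2080 41 - 1 False 2023-01-10 12:01:10.000000 N/A Disabled
EOF
cat > "$PSSCAN_SAMPLE" <<'EOF'
Volatility 3 Framework 2.5.0
PID PPID ImageFileName Offset(P) Threads Handles SessionId Wow64 CreateTime ExitTime File output

4 0 System 0x00000b0a5040 93 - N/A False 2023-01-10 12:00:01.000000 N/A Disabled
352 4 smss.exe 0x00000c1b3040 2 - N/A False 2023-01-10 12:00:03.000000 N/A Disabled
1448 1320 explorer.exe 0x00000d4e2080 41 - 1 False 2023-01-10 12:01:10.000000 N/A Disabled
2212 1448 notepad.exe 0x00000e7a1080 0 - 1 False 2023-01-10 12:05:00.000000 2023-01-10 12:06:30.000000 Disabled
3104 612 svch0st.exe 0x00000f0c2080 5 - 0 False 2023-01-10 12:07:45.000000 N/A Disabled
EOF

classify_hidden "$PSLIST_SAMPLE" "$PSSCAN_SAMPLE"
# 2212 notepad.exe exited
# 3104 svch0st.exe unlinked
```

With real captures, save each plugin's output once and pass the two files; a hidden PID marked "unlinked" is the one to follow up with windows.cmdline.CmdLine, windows.pstree.PsTree and a memory dump of that process. A name like svch0st.exe is itself a hint, but the verdict rests on the list/scan mismatch, not on the name.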

Network

# Pool-scan for TCP/UDP endpoints (established connections and listeners) with owning PID and create time
# (windows.netstat.NetStat walks the live network structures instead of scanning; compare the two)
vol -f image.vmem windows.netscan.NetScan

Files & Memory Dumping

# Scan for file objects in memory
vol -f image.vmem windows.filescan.FileScan | grep "filename"

# Dump cached file contents: all files a process has mapped/open, or a single _FILE_OBJECT by address
vol -f image.vmem -o ./ windows.dumpfiles.DumpFiles --pid <PID>
vol -f image.vmem -o ./ windows.dumpfiles.DumpFiles --virtaddr <OFFSET>   # kernel virtual address of the _FILE_OBJECT; filescan prints physical offsets, which go to --physaddr instead

# Dump process memory map
vol -f image.vmem -o ./ windows.memmap.Memmap --pid <PID> --dump

# Scan for NTFS Master File Table (MFT) records: file names plus created/modified/accessed timestamps, useful when the file data itself is no longer cached
vol -f image.vmem windows.mftscan.MFTScan
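The filescan-then-dumpfiles workflow above has one trap: filescan is a pool scanner over physical memory, so the Offset column it prints is a physical address and belongs with --physaddr, while --virtaddr expects the kernel virtual address of the _FILE_OBJECT (for instance the object address shown by windows.handles.Handles). The helper below, an added example that is not from this cheat sheet or from volatility3, turns a saved filescan listing plus a path regex into one correctly-flagged dumpfiles command per match; it prints the commands rather than running them so you can review them first. It assumes the default "Offset Name Size" text output, and the sample listing is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not part of the cheat sheet or of volatility3 itself).
# filescan is a pool scanner over physical memory, so the Offset it prints is
# a physical address: the dumpfiles option that takes it is --physaddr.
# (--virtaddr expects a kernel virtual address of the _FILE_OBJECT, e.g. the
# object address shown by windows.handles.Handles.)
# This helper turns a saved listing plus a path regex into one dumpfiles
# command per match, printed rather than executed, so the list can be
# reviewed and then piped into sh.
#
# Assumption: the listing is volatility3's default text output with the
# columns "Offset Name Size", where Name may itself contain spaces.

# usage: dumpfiles_cmds <filescan listing> <image> <outdir> <regex, case-insensitive>
dumpfiles_cmds() {
    listing=$1; image=$2; outdir=$3; pattern=$4
    awk -v img="$image" -v out="$outdir" -v pat="$pattern" '
        $1 ~ /^0x[0-9a-fA-F]+$/ {
            # fields 2 .. NF-1 are the path (it may contain spaces); field NF is Size
            name = $2
            for (i = 3; i < NF; i++) name = name " " $i
            if (tolower(name) ~ tolower(pat))
                printf "vol -f %s -o %s windows.dumpfiles.DumpFiles --physaddr %s   # %s\n",
                       img, out, $1, name
        }' "$listing"
}

# Constructed sample listing (not a real capture; spaces stand in for tabs).
FILESCAN_SAMPLE=$(mktemp)
trap 'rm -f "$FILESCAN_SAMPLE"' EXIT
cat > "$FILESCAN_SAMPLE" <<'EOF'
Volatility 3 Framework 2.5.0
Offset Name Size

0x3e0c5c90 \Windows\System32\config\SAM 0x0
0x3e1a2f20 \Users\ctf\Desktop\flag.txt 0x2a
0x3e2b7d40 \Program Files\Common Files\notes.txt 0x1f4
0x3e3f9a10 \Windows\System32\kernel32.dll 0x9d000
EOF

# Review the output, then execute it with:  dumpfiles_cmds ... | sh
dumpfiles_cmds "$FILESCAN_SAMPLE" image.vmem ./dumped 'flag|notes'
# vol -f image.vmem -o ./dumped windows.dumpfiles.DumpFiles --physaddr 0x3e1a2f20   # \Users\ctf\Desktop\flag.txt
# vol -f image.vmem -o ./dumped windows.dumpfiles.DumpFiles --physaddr 0x3e2b7d40   # \Program Files\Common Files\notes.txt
```

Dumped files come from the cache manager's view of the file, so a match in filescan does not guarantee content: dumpfiles writes nothing for an entry whose data pages are no longer resident, and a Size of 0x0 in the listing is an early hint of that.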

Useful Tips

# Combine with grep for quick searching (scanner plugins are slow on large images: redirect the full output to a file once and grep that)
vol -f image.vmem windows.filescan.FileScan | grep -i "flag"

# Specify custom symbol path if needed
vol -s ~/ctf/symbolTables -f image.vmem windows.info.Info