Volatility

Volatility Foundation

Memory forensics framework for analysing RAM captures across operating systems.

Tags: Digital Forensics & IR, Free & Open Source, CLI, Learning, Cross-platform

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Detection / Monitoring
9 Containment & Eradication
10 Post-incident Forensics

Description

Volatility is the de facto standard open-source memory forensics framework. Two major lines exist: Volatility 2 (Python 2, no longer maintained) and Volatility 3 (Python 3, the current release). Both are still seen in the field, and plugin names differ between them (pslist in v2 is windows.pslist in v3). It parses raw memory captures (.mem, .raw, .vmem, .dmp) from Windows, Linux, and macOS, provided a matching profile (v2) or symbol table (v3) is available for the kernel in the image.

Plugins every CySA+ candidate should know:

  • pslist, pstree, psscan — process listing. pslist walks the kernel's linked list of active processes and pstree arranges it by parent PID; psscan carves process structures directly out of memory. A process found by psscan but absent from pslist has either exited or been unlinked from the list, which is how rootkits hide.
  • netscan / netstat — open sockets, listeners and the owning PID (netscan carves structures from memory, netstat walks the live tables).
  • cmdline, consoles, cmdscan — the command line each process was started with, and command history recovered from console buffers (v3: windows.cmdline, windows.consoles, windows.cmdscan).
  • malfind — memory regions whose protections and contents suggest injected code (e.g. executable private memory with no backing file); it reports candidates that still need to be inspected, not a verdict.
  • dumpfiles, procdump — extract cached files and process images for further analysis (v3 has windows.dumpfiles; process dumping is done with windows.pslist --dump).
  • hivelist, printkey, hashdump — registry forensics from the in-memory hives, including dumping NTLM hashes from the SAM (v3: windows.registry.hivelist, windows.registry.printkey, windows.hashdump).

Use cases

  • Identifying injected code post-incident (malfind, then dumping the flagged regions)
  • Recovering credential material from RAM, such as NTLM hashes via hashdump
  • Listing rootkit-hidden processes by comparing pslist against psscan
  • Extracting attacker tools that lived only in memory and never touched disk

Example

# Volatility 3 — quick triage of a Windows memory image
# Confirm the image parses and the right symbol table was found before trusting any other output
vol -f memory.raw windows.info
# Process tree (linked-list walk) and carved process list; a PID only in psscan is hidden or exited
vol -f memory.raw windows.pstree
vol -f memory.raw windows.psscan
# Sockets with owning PIDs, then candidate injected regions
vol -f memory.raw windows.netscan
vol -f memory.raw windows.malfind
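The pslist/psscan cross-check described in the plugin list and the "rootkit-hidden processes" use case is easy to do by hand on a small image and tedious on a real one. The script below is an added example (not part of the original page or of the Volatility project): it reads the JSON renderer output of `vol -r json ... windows.pslist` and `windows.psscan` and reports processes the pool scan found that the list walk did not, separating genuinely hidden processes from ones that simply exited. The column names PID, PPID, ImageFileName, Offset(V), ExitTime and the nested `__children` key are assumed from Volatility 3's default table layout, and the sample rows are constructed, not from a real capture.

```python
"""Cross-check Volatility 3 pslist against psscan to surface hidden processes.

Added example for this page; it is not part of Volatility or the original text.
Feed it the JSON renderer output of the two plugins:

    vol -r json -f memory.raw windows.pslist > pslist.json
    vol -r json -f memory.raw windows.psscan > psscan.json

Column names (PID, PPID, ImageFileName, Offset(V), ExitTime, __children) are
assumed from Volatility 3's default table layout for these plugins.
"""
import json
import sys


def flatten(rows):
    """Return every row of a Volatility 3 JSON table as a flat list, in order.

    Tree-capable renderers nest child rows under "__children"; pslist output is
    normally flat, but flattening makes the function safe for pstree output too.
    """
    out = []
    for row in rows:
        out.append(row)
        out.extend(flatten(row.get("__children", [])))
    return out


def cross_validate(pslist_rows, psscan_rows):
    """Compare the linked-list walk (pslist) with the pool scan (psscan).

    pslist follows the kernel's list of active processes, so a rootkit that
    unlinks its process structure vanishes from it; psscan carves those
    structures out of memory and still finds it. Matching is on PID only so
    the result does not depend on whether psscan reported virtual or physical
    offsets. A null/absent ExitTime is taken to mean the process is running.
    """
    listed = {r["PID"]: r for r in flatten(pslist_rows)}
    scanned = {r["PID"]: r for r in flatten(psscan_rows)}

    hidden, exited, unconfirmed = [], [], []
    for pid, row in scanned.items():
        if pid in listed:
            continue
        # A carved process with an ExitTime is a terminated process whose
        # memory has not been reused yet, not evidence of hiding.
        (exited if row.get("ExitTime") else hidden).append(row)
    for pid, row in listed.items():
        if pid not in scanned:
            # In the list but not carved: rare, usually a scan miss; worth a look.
            unconfirmed.append(row)
    return {"hidden": hidden, "exited": exited, "unconfirmed": unconfirmed}


def report(result):
    """Render the cross-check as one line per finding (returned, not printed)."""
    lines = []
    for label, rows in (("HIDDEN", result["hidden"]),
                        ("EXITED", result["exited"]),
                        ("UNCONFIRMED", result["unconfirmed"])):
        for r in rows:
            lines.append(f"{label:<11} pid={r['PID']:<6} ppid={r.get('PPID', '?'):<6} "
                         f"{r.get('ImageFileName', '?')} @ {r.get('Offset(V)', '?')}")
    return lines


# Constructed sample output (not from a real capture). PID 2216 appears only in
# the pool scan with no exit time, the discrepancy a hidden process produces.
# PID 3004 appears only in the scan but has an ExitTime, so it merely exited.
PSLIST_SAMPLE = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "Offset(V)": "0xe0000d10a040", "ExitTime": None, "__children": []},
    {"PID": 504, "PPID": 4, "ImageFileName": "smss.exe", "Offset(V)": "0xe0000d10b040", "ExitTime": None, "__children": []},
    {"PID": 620, "PPID": 504, "ImageFileName": "csrss.exe", "Offset(V)": "0xe0000d10c040", "ExitTime": None, "__children": []},
    {"PID": 1412, "PPID": 620, "ImageFileName": "explorer.exe", "Offset(V)": "0xe0000d10d040", "ExitTime": None, "__children": []},
]
PSSCAN_SAMPLE = PSLIST_SAMPLE + [
    {"PID": 2216, "PPID": 1412, "ImageFileName": "svchost.exe", "Offset(V)": "0xe0000d10f4a0", "ExitTime": None},
    {"PID": 3004, "PPID": 1412, "ImageFileName": "notepad.exe", "Offset(V)": "0xe0000d1104a0", "ExitTime": "2024-01-01T10:15:00+00:00"},
]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            result = cross_validate(json.load(f1), json.load(f2))
    else:
        result = cross_validate(PSLIST_SAMPLE, PSSCAN_SAMPLE)
    print("\n".join(report(result)) or "no discrepancies")
```

Run it as `python3 pscheck.py pslist.json psscan.json`; with no arguments it runs against the constructed sample and flags PID 2216 as hidden. A HIDDEN hit is the starting point, not the conclusion: follow it with windows.pstree to see what spawned it, windows.malfind and `windows.pslist --pid <PID> --dump` to pull the image, and remember that PID reuse after exit can also make a PID appear in only one listing.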