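# Volatility 2 (Python 2) memory-forensics cheat sheet for Windows images.
# The distro "volatility" package is Volatility 2.x: every plugin call needs an
# explicit --profile. Volatility 3 (`vol`/`vol.py`, Python 3) resolves symbols
# itself and uses different plugin names (windows.pslist, windows.malfind, ...),
# so the plugin names below are Volatility 2 names.
$ sudo apt-get install volatility -y
# Hash the image before touching it and keep it read-only, so every finding
# below can be tied back to the same evidence.
$ sha256sum <memdump.mem>

# 1. Pick the profile. imageinfo only *suggests* candidates; kdbgscan shows
#    which profile actually resolves the kernel debugger block (trust that one).
$ volatility -f <memdump.mem> imageinfo
$ volatility -f <memdump.mem> kdbgscan
# 2. Every plugin below is then run as:
#      volatility -f <memdump.mem> --profile=<Profile> <plugin> [options]
#    e.g. WinXPSP2x86 for a 32-bit Windows XP SP2 image.
$ volatility -f <memdump.mem> --profile=WinXPSP2x86 <plugin>

# processes
pslist     # walks the active-process list; a process unlinked from it will NOT appear
pstree     # same data as a parent/child tree; look for unusual parents and duplicate system processes
psscan     # carves _EPROCESS objects from memory: also finds unlinked (hidden) and exited processes
psxview    # cross-references several process sources; False in pslist but True in psscan suggests
           # DKOM hiding (an exited-but-not-yet-freed process looks the same, so check exit time)

# network — plugins are OS-specific, so match them to the profile:
netscan    # Vista/2008 and later (Win7/8/10): TCP/UDP endpoints and listeners
connscan   # XP/2003 only: carves TCP connection objects, including already-closed ones
connections # XP/2003 only: active TCP connections
sockets    # XP/2003 only: open sockets (sockscan also carves closed ones)

# timeline of events across processes, threads, sockets, registry, etc.
timeliner  # --output=body gives a body file for mactime / other timeline tools
# browsing history (index.dat via WinINet) — not only IE: any process using
# the WinINet API shows up, which is how some malware downloads its payload
iehistory
# identify files: carves _FILE_OBJECTs; note the physical offset for dumpfiles -Q
filescan

# injected / unlinked DLLs
ldrmodules # compares the three PEB lists (InLoad/InInit/InMem) with the VAD.
           # A mapped DLL that is False in all three columns has been unlinked from
           # the PEB -> suspicious. The process's own .exe is legitimately False in
           # InInit, so that column alone is not an indicator.
# patches to system DLLs
apihooks   # inline/IAT/EAT hooks in user and kernel space. Hooking module <unknown>
           # means the hook jumps into memory with no backing file (typical of injected
           # code). Hooks from a named module can be legitimate (AV, sandboxing) — verify
           # before calling them malware.
# find injected code and dump it
malfind -D <output_folder>   # private, executable, non-file-backed memory regions
                             # (classic injection). Expect false positives (JIT, .NET);
                             # regions starting with "MZ" are the strongest hits.
# Dumped regions/DLLs/processes are live malware: write them to a dedicated case
# directory on the isolated analysis VM (not a shared /tmp), hash them, and never
# execute them outside a sandbox.

# DLLs loaded into memory (from the PEB InLoad list); -p <pid> filters one process
dlllist
# dump the DLLs of one (infected) process to a directory
dlldump --pid=<pid> -D <malware_folder>
# dump files from the cache; -n keeps the original file name, -Q <physoffset>
# (from filescan) or -r <regex> selects which files
dumpfiles -n --dump-dir=<folder>
# rebuild a process's executable from memory; -D is required, not optional
procdump -p <pid> -D <folder>

# commands run on the box
cmdscan    # command history carved from csrss.exe (XP/2003/Vista) or conhost.exe (Win7+)
consoles   # console input *and* output buffers: shows what the attacker typed and what came back
cmdline    # command-line arguments of every process (from the PEB)
# desktop windows (title + owning process); useful to spot GUI tools the attacker ran
windows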
https://s3-us-west-2.amazonaws.com/secure.notion-static.com/eb4d2f4c-87f0-49ed-b94a-6989ccd5e2d3/volatility-memory-forensics-cheat-sheet.pdf
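# Quick triage workflow. `v` is shorthand for the full Volatility 2 invocation;
# define it once per session (a function works in scripts too, unlike an alias):
v() { volatility --profile="<Profile>" "$@"; }
# `<>` below stands for the image, i.e. -f <memdump.mem>.

# find connections (connscan is XP/2003 only; use netscan on Vista and later)
v -f <> connscan
# find suspicious processes — run both, then diff: hidden processes only show in psscan
v -f <> pslist
v -f <> psscan
# extract the suspicious process. -d (debug) and -v (verbose) are optional; -D is
# required. Use a case directory, not /tmp: the dump is a malicious binary and
# /tmp is shared and world-readable.
v -f <> -d procdump -v -p <suspicious pid> -D <case_dir>
# find strings around an indicator from connscan. -F matches the IP literally
# (dots are regex metacharacters), -a scans the whole file, and the second pass
# with -e l catches UTF-16LE strings, which most Windows strings are.
strings -a <> | grep -F -B2 -A2 -- <ip from connscan, suspected malware>
strings -a -e l <> | grep -F -B2 -A2 -- <ip from connscan, suspected malware>
# to map a string hit back to its owning process, feed the offset list to
# Volatility's own `strings` plugin (see the command reference)
# handles of the suspicious process; -t Mutant|File|Key narrows by object type
v -f <> handles -p <suspicious pid>
# malfind: filter by pid rather than grep, otherwise the hexdump/disassembly
# context for each region is lost
v -f <> malfind -p <suspicious pid>
# filescan: case-insensitive, literal match on the file name
v -f <> filescan | grep -i -F -- <filename associated with malware>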
https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
https://book.hacktricks.xyz/forensics/volatility-examples#list-processes