Commands

$ sudo apt-get install volatility -y

# identify the OS profile with imageinfo (Volatility 2 syntax), then pass the chosen profile to every plugin
$ volatility -f <memdump.mem> imageinfo
$ volatility -f <memdump.mem> --profile=WinXPSP2x86 <plugin>

# processes
pslist
pstree
psscan # scans memory for process objects, so it also finds hidden or terminated processes
psxview # cross-references pslist, psscan and other views; a process shown as False in some columns may be hidden

# active network connections (netscan applies to Vista/2008 and later profiles)
netscan

# connections (connscan applies to XP/2003 profiles such as WinXPSP2x86 above)
connscan

# open sockets (sockets also applies to XP/2003 profiles)
sockets

# timeline of events
timeliner

# browsing history
iehistory

# identify files
filescan

# injected code / unlinked DLLs: a mapped module that shows False in the PEB list columns is suspicious
ldrmodules

# API hooks in system DLLs; a hook whose target module is <unknown> is suspicious
apihooks

# find malware, dump to directory
malfind -D <output_folder>

# dlls loaded into memory
dlllist

# dump the DLLs of a given process (pid 584 here) to a directory; prepend -f/--profile as above
--pid=584 dlldump -D <malware_folder>

# dump cached files (-n keeps the original file names) and a process executable
dumpfiles -n --dump-dir=<folder>
procdump -p <pid>

# commands
cmdscan
consoles
cmdline

# enumerate desktop windows
windows

Cheat Sheet

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/eb4d2f4c-87f0-49ed-b94a-6989ccd5e2d3/volatility-memory-forensics-cheat-sheet.pdf

Cybrary Lab

# find connections (in these examples v is shorthand for volatility and <> is the memory image path)
v -f <> connscan

# find suspicious processes
v -f <> pslist

# extract the suspicious process executable (-d enables debug output); a dedicated case directory is preferable to the shared /tmp
v -f <> -d procdump -v -p <suspicious pid> -D /tmp

# search the raw image for the IP seen in connscan, with two lines of context (grep -F makes the dots in the IP match literally)
strings <> | grep -B2 -A2 <ip from connscan, suspected malware>

# handles
v -f <> handles -p <suspicious pid>

# malfind
v -f <> malfind | grep <process associated with malware>

# filescan
v -f <> filescan | grep <filename associated with malware>

Resources

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference

https://book.hacktricks.xyz/forensics/volatility-examples#list-processes