Volatility

Open-source memory-forensics framework — reads RAM images and reconstructs system state.

// what it is

Description

Volatility 3 (the Python 3 rewrite of the original Volatility 2) parses raw memory dumps from Windows, Linux and macOS and reconstructs the running system state from them: process lists, network connections, registry hives, injected code, and credential artifacts that exist only in memory (such as LSA secrets and cached hashes).

// use cases

What people use it for

  • Post-incident memory triage
  • Detect process injection and process hollowing
  • Recover credential material (password hashes, LSA secrets) from LSASS memory in a full RAM image

// commands

The commands you'll type

Process list (Windows)

$ vol -f mem.raw windows.pslist

Detect injection

$ vol -f mem.raw windows.malfind

Dump LSA secrets

$ vol -f mem.raw windows.lsadump

// facts

category: Forensics & RE
platforms: LIN · WIN · MAC
license: FOSS
difficulty: Advanced
