forensics

Volatility — Memory Forensics

Volatility 3 framework for memory forensics — process analysis, credential extraction, and malware investigation.

Apr 2026 lazyhackers
Core Analysis (8)
python3 vol.py -f memory.dmp windows.info
Get OS info from Windows memory dump
info windows
python3 vol.py -f memory.dmp banners.Banners
Find Linux kernel banner strings in a dump (Volatility 3 has no linux.banner plugin); the banner identifies the kernel build whose symbol table (ISF JSON) you need before any linux.* plugin will run
info linux
python3 vol.py -f memory.dmp windows.pslist
List running processes (Windows)
processes list
python3 vol.py -f memory.dmp windows.pstree
Process tree (parent-child relationships)
processes tree
python3 vol.py -f memory.dmp windows.psscan
Pool-scan for _EPROCESS structures; also finds processes unlinked from the active list (DKOM) and recently exited ones, so diff the result against pslist rather than reading it alone
processes scan hidden
python3 vol.py -f memory.dmp windows.cmdline
Show command line args for each process
processes cmdline
python3 vol.py -f memory.dmp windows.dlllist --pid 1234
List DLLs loaded by process 1234
dll process
python3 vol.py -f memory.dmp windows.handles --pid 1234
List handles for process 1234
handles process
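The psscan entry above is only useful when diffed against pslist. The following is an added example, not part of the original cheatsheet or of Volatility itself: it assumes both listings were saved with the JSON renderer (`-r json`) and that rows carry the "PID", "PPID", "ImageFileName" and "ExitTime" columns (assumed column names; check the header of your own output). The sample rows are constructed. It separates genuinely unlinked processes (in psscan, not in pslist, no exit time) from exited ones that pool scanning also surfaces, and checks parent/child expectations for a few core Windows processes.

```python
"""Cross-reference Volatility 3 pslist and psscan output to find hidden processes.

Added example (not Volatility code). Assumes:
    vol.py -f memory.dmp -r json windows.pslist > pslist.json
    vol.py -f memory.dmp -r json windows.psscan > psscan.json
and that rows carry PID / PPID / ImageFileName / ExitTime (assumed column names).
"""
import json

# Constructed sample rows shaped like `-r json windows.pslist` output, trimmed
# to the columns used here (real output also has Offset(V), Threads, Handles, ...).
PSLIST_JSON = """[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "ExitTime": null},
 {"PID": 568,  "PPID": 4,    "ImageFileName": "smss.exe",     "ExitTime": null},
 {"PID": 712,  "PPID": 624,  "ImageFileName": "wininit.exe",  "ExitTime": null},
 {"PID": 800,  "PPID": 712,  "ImageFileName": "services.exe", "ExitTime": null},
 {"PID": 812,  "PPID": 712,  "ImageFileName": "lsass.exe",    "ExitTime": null},
 {"PID": 3044, "PPID": 2996, "ImageFileName": "explorer.exe", "ExitTime": null},
 {"PID": 4420, "PPID": 3044, "ImageFileName": "svchost.exe",  "ExitTime": null}
]"""

# Constructed psscan rows: pool scanning also surfaces an _EPROCESS that was
# unlinked from the active list (PID 5120) and one whose process already
# exited (PID 2200). Only the former is suspicious.
PSSCAN_JSON = """[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",        "ExitTime": null},
 {"PID": 568,  "PPID": 4,    "ImageFileName": "smss.exe",      "ExitTime": null},
 {"PID": 712,  "PPID": 624,  "ImageFileName": "wininit.exe",   "ExitTime": null},
 {"PID": 800,  "PPID": 712,  "ImageFileName": "services.exe",  "ExitTime": null},
 {"PID": 812,  "PPID": 712,  "ImageFileName": "lsass.exe",     "ExitTime": null},
 {"PID": 3044, "PPID": 2996, "ImageFileName": "explorer.exe",  "ExitTime": null},
 {"PID": 4420, "PPID": 3044, "ImageFileName": "svchost.exe",   "ExitTime": null},
 {"PID": 5120, "PPID": 4420, "ImageFileName": "rundll32.exe",  "ExitTime": null},
 {"PID": 2200, "PPID": 800,  "ImageFileName": "taskhostw.exe", "ExitTime": "2026-04-02T09:14:05+00:00"}
]"""

# Expected parent image for core system processes (lower-case). A mismatch is
# a classic masquerading / injection indicator (e.g. svchost.exe under explorer.exe).
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def load_rows(text):
    """Parse JSON renderer output; flatten pstree-style "__children" nesting."""
    rows = []

    def walk(items):
        for row in items:
            rows.append(row)
            walk(row.get("__children", []))

    walk(json.loads(text))
    return rows


def is_absent(value):
    # Absent cells render as null, "N/A" or "-" depending on version (assumption).
    return value in (None, "N/A", "-", "")


def triage(pslist, psscan, expected_parent=EXPECTED_PARENT):
    listed = {r["PID"] for r in pslist}
    by_pid = {r["PID"]: r for r in psscan}
    by_pid.update({r["PID"]: r for r in pslist})
    hidden, exited, anomalies = [], [], []
    for r in psscan:
        if r["PID"] in listed:
            continue
        # psscan-only entries with an ExitTime are leftovers of dead processes;
        # without one, the process was live but unlinked from the list.
        (exited if not is_absent(r.get("ExitTime")) else hidden).append(r)
    for r in by_pid.values():
        want = expected_parent.get(r["ImageFileName"].lower())
        if want is None:
            continue
        parent = by_pid.get(r["PPID"])
        got = parent["ImageFileName"] if parent else "<not found>"
        if got.lower() != want:
            anomalies.append((r["PID"], r["ImageFileName"], r["PPID"], got))
    return {"hidden": hidden, "exited": exited, "parent_anomalies": anomalies}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python3 triage_procs.py pslist.json psscan.json
        pslist, psscan = (load_rows(open(p).read()) for p in sys.argv[1:3])
    else:
        pslist, psscan = load_rows(PSLIST_JSON), load_rows(PSSCAN_JSON)
    report = triage(pslist, psscan)
    for r in report["hidden"]:
        print(f"hidden:  pid {r['PID']} {r['ImageFileName']} (psscan only, no ExitTime)")
    for r in report["exited"]:
        print(f"exited:  pid {r['PID']} {r['ImageFileName']} at {r['ExitTime']}")
    for pid, name, ppid, parent in report["parent_anomalies"]:
        print(f"parent anomaly: {name} (pid {pid}) spawned by {parent} (pid {ppid})")
```

The parent table is deliberately short; extend it with what is normal for the image you are looking at (wininit.exe's parent is a session-0 smss.exe that exits immediately, so its PPID never resolves and is not listed). A process that shows up in pslist but not psscan is also worth a look, since it usually means a pool tag or header was overwritten.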
Network & Connections (2)
python3 vol.py -f memory.dmp windows.netstat
Walk the kernel's live network structures: active TCP/UDP endpoints with owning PID and create time; fast, but misses closed or unlinked connections
network connections
python3 vol.py -f memory.dmp windows.netscan
Pool-scan for TCP/UDP objects, including closed and residual connections; more complete than netstat, but may include stale entries from earlier activity
network scan
Credentials & Hashes (3)
python3 vol.py -f memory.dmp windows.hashdump
Dump NT/LM password hashes from the SAM; needs the SYSTEM and SAM hives resident in memory, which is not guaranteed
hashes creds ntlm
python3 vol.py -f memory.dmp windows.lsadump
Dump LSA secrets (service account passwords, DefaultPassword, DPAPI and other stored secrets) from the SECURITY hive
lsa creds dump
python3 vol.py -f memory.dmp windows.cachedump
Dump cached domain logon hashes (MS-Cache/DCC2) from the SECURITY hive
cache creds domain
Registry & Files (4)
python3 vol.py -f memory.dmp windows.registry.hivelist
List registry hives in memory
registry hives
python3 vol.py -f memory.dmp windows.registry.printkey --key "Microsoft\Windows\CurrentVersion\Run"
Read the HKLM Run autostart key. Key paths are relative to the hive root, so omit the hive name (the SOFTWARE hive has no "SOFTWARE\" prefix; for per-user NTUSER.DAT hives use "Software\Microsoft\Windows\CurrentVersion\Run"). Add --offset from hivelist to target one hive and --recurse to walk subkeys
registry autorun persistence
python3 vol.py -f memory.dmp windows.filescan
Scan for file objects in memory
files scan
python3 vol.py -f memory.dmp windows.dumpfiles --virtaddr 0xaddr
Extract the cached contents of one file, given its FILE_OBJECT address from windows.filescan; use --pid 1234 instead to dump every file the process has open or mapped. Only pages still resident in the cache are recovered, so output can be partial
files extract dump
Malware Analysis (6)
python3 vol.py -f memory.dmp windows.malfind
Find injected code / memory anomalies
malware injection malfind
python3 vol.py -f memory.dmp windows.malfind --dump
Dump suspicious memory regions to disk
malware dump
python3 vol.py -f memory.dmp windows.hollowprocesses
Detect process hollowing
malware hollow detection
python3 vol.py -f memory.dmp windows.vadinfo --pid 1234
Virtual address descriptor info for process
vad memory process
python3 vol.py -f memory.dmp windows.memmap --pid 1234 --dump
Dump every page mapped by the process into one file, pid.1234.dmp (includes shared DLL and image pages, so expect a large file)
memdump process
python3 vol.py -f memory.dmp windows.strings --strings-file strings.txt
Map strings back to the process and virtual address that own them; strings.txt is produced first with `strings -td memory.dmp > strings.txt` (decimal offsets). There is no -s short option; add --pid 1234 to restrict the mapping to one process
strings process search
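malfind flags every private executable region, and on a busy host most hits are JIT engines or packers rather than injection. The following is an added example, not part of the original cheatsheet or of Volatility itself: it assumes the output was saved with `-r json windows.malfind` and that rows carry the "PID", "Process", "Start VPN", "Protection" and "Hexdump" columns (assumed column names; check your output's header). The sample rows are constructed. It ranks regions by what sits at their first bytes (a PE header, a well-known x64 shellcode prologue, or nothing at all) so the regions worth dumping with --dump come out on top.

```python
"""Rank `windows.malfind` regions by injection indicators.

Added example (not Volatility code). Assumes:
    vol.py -f memory.dmp -r json windows.malfind > malfind.json
and rows with PID / Process / Start VPN / Protection / Hexdump (assumed names).
"""
import json
import re

# Constructed sample rows shaped like `-r json windows.malfind` output, trimmed
# to the columns used here. "Hexdump" is the plugin's text dump of the region's
# first bytes: hex tokens, a tab, then an ASCII column, one line per 8 bytes.
MALFIND_JSON = """[
 {"PID": 4420, "Process": "svchost.exe", "Start VPN": 2621440,
  "Protection": "PAGE_EXECUTE_READWRITE",
  "Hexdump": "4d 5a 90 00 03 00 00 00\\tMZ......\\n04 00 00 00 ff ff 00 00\\t........"},
 {"PID": 812, "Process": "lsass.exe", "Start VPN": 32636928,
  "Protection": "PAGE_EXECUTE_READWRITE",
  "Hexdump": "fc 48 83 e4 f0 e8 c0 00\\t.H......\\n00 00 41 51 41 50 52 51\\t..AQAPRQ"},
 {"PID": 5232, "Process": "w3wp.exe", "Start VPN": 123535360,
  "Protection": "PAGE_EXECUTE_READWRITE",
  "Hexdump": "00 00 00 00 00 00 00 00\\t........\\n00 00 00 00 00 00 00 00\\t........"}
]"""

HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2}$")


def load_rows(text):
    return json.loads(text)


def first_bytes(hexdump, n=16):
    """Recover the leading raw bytes from the plugin's text hexdump.
    Only two-hex-digit tokens are bytes; the ASCII column is 8 chars wide so
    it never matches (assumption about the renderer's layout)."""
    out = bytearray()
    for token in hexdump.split():
        if HEX_TOKEN.match(token):
            out.append(int(token, 16))
            if len(out) == n:
                break
    return bytes(out)


def score_region(row):
    head = first_bytes(row["Hexdump"])
    prot = row["Protection"]
    score, reasons = 0, []
    if head.startswith(b"MZ"):
        score += 3
        reasons.append("PE header at region start: manually mapped / reflectively loaded image")
    if head.startswith(b"\xfc\x48\x83\xe4\xf0\xe8"):
        # cld; and rsp,-0x10; call ... : the prologue of a widely used x64 stager
        score += 4
        reasons.append("x64 shellcode prologue (cld; and rsp,-16; call) at region start")
    if "EXECUTE" in prot and "WRITE" in prot:
        # RWX private memory is suspicious but also normal for .NET/JS JIT engines.
        score += 1
        reasons.append(f"{prot} private region (RWX; weak on its own)")
    if head and not any(head):
        score -= 2
        reasons.append("first bytes all zero: committed but unused, low priority")
    return score, reasons


def triage_malfind(rows):
    ranked = []
    for row in rows:
        score, reasons = score_region(row)
        ranked.append({"pid": row["PID"], "process": row["Process"],
                       "start": hex(row["Start VPN"]), "score": score, "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], r["pid"]))
    return ranked


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) == 2 else MALFIND_JSON
    for r in triage_malfind(load_rows(text)):
        print(f"[{r['score']:>2}] pid {r['pid']} {r['process']} @ {r['start']}: " + "; ".join(r["reasons"]))
```

Regions that score on the header bytes are the ones to dump (`windows.malfind --dump`) and hand to strings or YARA; the all-zero and RWX-only rows are where JIT noise lands, but an RWX region in a process that never JITs (lsass.exe, services.exe) still deserves a look regardless of score.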