If using Windows, the binary will be volatility.exe.
If using SIFT, use vol.py
List all commands
volatility -h
Get Profile of Image
volatility -f image.mem imageinfo
List Processes in Image
volatility -f image.mem --profile=x pslist
List Processes in process tree format
volatility -f image.mem --profile=x pstree
List Processes by scanning image for EPROCESS blocks
volatility -f image.mem --profile=x psscan
List Processes Command Line Arguments
volatility -f image.mem --profile=x cmdline
List Registry files in memory
volatility -f image.mem --profile=x hivelist
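Added example, not part of the original cheat sheet: pslist walks the active-process linked list, while psscan carves EPROCESS blocks from the image, so a process that psscan reports but pslist does not (and that has not simply exited) is worth a closer look. The script below parses the text output of both plugins (the two samples are constructed to match the text renderer's column layout) and returns the PIDs that only psscan found.

```python
"""Cross-check Volatility pslist and psscan text output to find processes that
psscan carved from EPROCESS blocks but pslist's linked-list walk never reported.
Added example, not part of the original cheat sheet; both samples are constructed."""
import re

# Constructed sample of: volatility -f image.mem --profile=x pslist
PSLIST_OUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System                    4      0     85      497 ------      0 2012-02-22 19:58:19 UTC+0000
0xfffffa8001c31b30 explorer.exe           1180   1116     28      758      1      0 2012-02-22 19:59:09 UTC+0000
0xfffffa8001d2a060 svchost.exe             804    496     23      571      0      0 2012-02-22 19:58:27 UTC+0000
"""

# Constructed sample of: volatility -f image.mem --profile=x psscan
# notepad.exe has an exit time (terminated, not hidden); hidden.exe has none.
PSSCAN_OUT = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e0ca040 System                4      0 0x0000000000187000 2012-02-22 19:58:19 UTC+0000
0x000000003f1c2b30 explorer.exe       1180   1116 0x000000002e9f0000 2012-02-22 19:59:09 UTC+0000
0x000000003e6a5060 svchost.exe         804    496 0x000000002c1a2000 2012-02-22 19:58:27 UTC+0000
0x000000003ea11b30 notepad.exe        2200   1180 0x0000000031b43000 2012-02-22 20:01:44 UTC+0000   2012-02-22 20:03:10 UTC+0000
0x000000003f0d4040 hidden.exe         1337    804 0x0000000033a07000 2012-02-22 20:05:02 UTC+0000
"""

TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

def parse_processes(text):
    """Return {pid: (name, exited)} from pslist or psscan text output.
    Both plugins start each data row with Offset, Name, PID, PPID."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue  # header line, dashed rule, or blank line
        name, pid = parts[1], int(parts[2])
        # A row carrying both a start/created and an exit stamp is a terminated process.
        exited = len(TIMESTAMP.findall(line)) == 2
        procs[pid] = (name, exited)
    return procs

def unlinked_processes(pslist_text, psscan_text):
    """PIDs that psscan recovered but pslist did not list, excluding exited ones."""
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    return sorted((pid, name) for pid, (name, exited) in scanned.items()
                  if pid not in listed and not exited)

if __name__ == "__main__":
    for pid, name in unlinked_processes(PSLIST_OUT, PSSCAN_OUT):
        print(f"psscan-only process: pid={pid} name={name}")
```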
Dump Registry files in memory
Get the virtual address from the hivelist command first
volatility -f image.mem --profile=x dumpregistry -o <virtual memory offset> --dump-dir=./
List specific Process DLLs and Command Line Arguments
volatility -f image.mem --profile=x dlllist -p x
-p x = specific process ID
List SIDs (primary token and user account name) used to start specific process
volatility -f image.mem --profile=x getsids -p x
-p x = specific process ID
Dump Process
volatility -f image.mem --profile=x procdump -p xx --dump-dir=.
Dump Memory Section
volatility -f image.mem --profile=x memdump -p xx --dump-dir=.
SIFT specific commands, Windows version of Volatility doesn’t have these
Identify processes with potentially wrong path, parent, cmdline
vol.py -f image.mem --profile=x malprocfind
Look for the processes with the most “False” entries
Visualize processes
vol.py -f image.mem --profile=x pstotal --cmd --output=dot --output-file=graph.dot
xdot graph.dot
Compare baseline memdump to suspect memdump, to identify processes that were present in suspect memdump, but not in baseline memdump
vol.py -f image.mem --profile=x -B baseline.img processbl -U 2>>error.log
Compare baseline memdump to suspect memdump to identify processes that were present in both the baseline and the suspect memdump
vol.py -f image.mem --profile=x -B baseline.img processbl 2>>error.log
2>>error.log = append errors to error.log
Look at the PFound column: “True” if the process can be found in the baseline, “False” if it cannot.