# vol.py

> Volatility 3, a forensics framework for analyzing volatile memory (RAM) dumps.

> In Volatility 3, plugins are namespaced by operating system (`windows.`, `linux.`, `mac.`). The examples below use the Windows plugins.

> More information: <https://volatility3.readthedocs.io/en/latest/index.html>.

- Show information about a memory dump (OS version, kernel base, symbol table):

`python3 vol.py {{[-f|--filename]}} {{path\to\memory_dump_file}} windows.info`

- List active processes (walks the kernel's process list; use `windows.psscan` to also find unlinked ones):

`python3 vol.py {{[-f|--filename]}} {{path\to\memory_dump_file}} windows.pslist`
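Once `windows.pslist` has produced a process list, the usual next triage step is checking each core Windows process against the parent it should have. The script below is an added example for this page, not code from the tldr page or from the Volatility project. It assumes the plugin was run with Volatility 3's JSON renderer (`-r json`), that the renderer emits the pslist columns `PID`, `PPID` and `ImageFileName` with nested rows under `__children`, and it runs on a constructed sample rather than a real image.

```python
"""Triage Volatility 3 `windows.pslist` output for parent/child anomalies.

Added example for this page; it is not code from the tldr page or from the
Volatility project. Assumptions: the plugin was run with the JSON renderer,

    python3 vol.py -f memory.raw -r json windows.pslist > pslist.json

so each record carries the pslist columns "PID", "PPID" and "ImageFileName",
and nested rows sit under a "__children" list. The sample data below is
constructed, not taken from a real memory image.
"""
import json
import sys

# Expected parent for core Windows processes under normal genealogy (assumed
# baseline; adjust for the build under analysis). EPROCESS stores only the
# first 15 characters of the image name, so compare on that field as-is.
EXPECTED_PARENT = {
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# Processes that should exist exactly once on a live system.
SINGLETONS = ("wininit.exe", "services.exe", "lsass.exe")


def flatten(rows):
    """Yield every record, descending into the renderer's nested "__children"."""
    for row in rows:
        yield row
        yield from flatten(row.get("__children", []))


def find_anomalies(pslist_json):
    """Return human-readable findings for a windows.pslist JSON document."""
    procs = list(flatten(json.loads(pslist_json)))
    by_pid = {p["PID"]: p for p in procs}
    counts = {}
    findings = []
    for p in procs:
        name = p["ImageFileName"].lower()
        counts[name] = counts.get(name, 0) + 1
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            continue
        parent = by_pid.get(p["PPID"])
        # A missing parent usually means it exited (e.g. the smss.exe instance
        # that spawned wininit.exe); it is reported, but is not proof of tampering.
        actual = parent["ImageFileName"].lower() if parent else "<not in list>"
        if actual != expected:
            findings.append(
                f"PID {p['PID']} {name}: parent is {actual} "
                f"(PPID {p['PPID']}), expected {expected}"
            )
    for name in SINGLETONS:
        if counts.get(name, 0) > 1:
            findings.append(f"{name} appears {counts[name]} times, expected 1")
    return findings


# Constructed sample: one svchost.exe and a second lsass.exe spawned by
# explorer.exe, a classic masquerading pattern.
SAMPLE_PSLIST_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "__children": []},
    {"PID": 480, "PPID": 388, "ImageFileName": "wininit.exe", "__children": [
        {"PID": 576, "PPID": 480, "ImageFileName": "services.exe", "__children": [
            {"PID": 812, "PPID": 576, "ImageFileName": "svchost.exe", "__children": []},
        ]},
        {"PID": 600, "PPID": 480, "ImageFileName": "lsass.exe", "__children": []},
    ]},
    {"PID": 3040, "PPID": 2900, "ImageFileName": "explorer.exe", "__children": [
        {"PID": 2316, "PPID": 3040, "ImageFileName": "svchost.exe", "__children": []},
        {"PID": 4412, "PPID": 3040, "ImageFileName": "lsass.exe", "__children": []},
    ]},
])

if __name__ == "__main__":
    # Usage: python3 pslist_triage.py pslist.json (falls back to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PSLIST_JSON
    for line in find_anomalies(data) or ["no anomalies found"]:
        print(line)
```

The parent table is a heuristic, not a rule: a missing parent is common for wininit.exe and csrss.exe because the smss.exe instance that started them has exited, so only mismatches against a parent that is still present in the list are strong signals.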

- Dump the password hashes of local user accounts from the SAM hive in memory:

`python3 vol.py {{[-f|--filename]}} {{path\to\memory_dump_file}} windows.hashdump`

- List network connections and listening sockets:

`python3 vol.py {{[-f|--filename]}} {{path\to\memory_dump_file}} windows.netstat`

- Display help:

`python3 vol.py {{[-h|--help]}}`