# Memory Forensice with Volatility

### Introduction

* It is open source memory forensics framework and is written in python and is multi platform compatible
* We can use it to analyze and extract important information from a memory dump
* It will help us analyze identify
  * Running processes
  * Files
  * Users information
  * hashes
  * etc
* It has 2 versions i.e volatility2 and volatility3
  * volatility2 is written in python2
    * It has large number of plugins written by community
  * volatility3 is written in python3
* It does not support memory acquisition ability

***

### Usage

`volatility -f <dump-file> <plugin-name>`

***

### Plugins

`volatility --info` can be used to display all plugins and their info.

1. `imageinfo` : Tells us about OS of the mem dump
2. `pslist` : list running processes
3. `pstree` : also list hidden processes (childs etc)
4. `cmdline -p <process_id>` : display command used to execute the process, accepts process id as parameter which can be get from previous plugin i.e pstree
5. `consoles` : extract command history by scanning for console information
6. `filescan` : scan for files present, display their permissions and location, can be used with grep to fetch information for specific file
7. `dumpfiles -Q <offset_of_file> -D <where_to_extract>` : used to dump a file based on its offset (extracted from previous plugin i.e filescan)
8. `hashdump` : used to dump the account hashes which can be cracked
9. `envvars` : used to dump all environmental variables
10. `dumpregistry -D <where_to_dump>` : used to dump the registry.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.nomanaziz.me/cybersecurity/blue-teaming/digital-forensics-and-incidence-response/memory-forensice-with-volatility.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.