GNU.WIKI: The GNU/Linux Knowledge Base

NAME

       volatility - advanced memory forensics framework

SYNOPSIS

       volatility [option]
       volatility [plugin] -f [image] --profile=[profile]

DESCRIPTION

       The Volatility Framework is a completely open collection of tools for
       the extraction of digital artifacts from volatile memory (RAM) samples.
       It is useful in forensic analysis. The extraction techniques are
       performed completely independently of the system being investigated,
       but offer unprecedented visibility into the runtime state of the system.

       Currently, volatility supports several versions of MS Windows, Linux
       and Mac OS X:

           Windows
               32-bit Windows XP Service Pack 2 and 3
               32-bit Windows 2003 Server Service Pack 0, 1, 2
               32-bit Windows Vista Service Pack 0, 1, 2
               32-bit Windows 2008 Server Service Pack 1, 2
               32-bit Windows 7 Service Pack 0, 1
               64-bit Windows XP Service Pack 1 and 2
               64-bit Windows 2003 Server Service Pack 1 and 2
               64-bit Windows Vista Service Pack 0, 1, 2
               64-bit Windows 2008 Server Service Pack 1 and 2
               64-bit Windows 2008 R2 Server Service Pack 0 and 1
               64-bit Windows 7 Service Pack 0 and 1
           Linux
               32-bit Linux kernels 2.6.11 to 3.5
               64-bit Linux kernels 2.6.11 to 3.5
               OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
           Mac OSX
               32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
               32-bit 10.6.x Snow Leopard
               64-bit 10.6.x Snow Leopard
               32-bit 10.7.x Lion
               64-bit 10.7.x Lion
               64-bit 10.8.x Mountain Lion (there is no 32-bit version)

       The supported address spaces (RAM types) are:

           FileAddressSpace - This is a direct file AS
           Standard Intel x86 address spaces
               IA32PagedMemoryPae
               IA32PagedMemory
           AMD64PagedMemory - This AS supports AMD 64-bit address spaces
           WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format (x86)
           WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format (x64)
           WindowsHiberFileSpace32 - This AS supports windows hibernation files (x86 and x64)
           EWFAddressSpace - This AS supports expert witness (EWF) files
           FirewireAddressSpace - This AS supports direct memory access over firewire
           LimeAddressSpace - This AS supports LiME (Linux Memory Extractor)
           MachOAddressSpace - This AS supports 32- and 64-bit Mac OSX memory dumps
           ArmAddressSpace - This AS supports memory dumps from 32-bit ARM (there is no 64-bit ARM yet)
           VirtualBoxCoreDumpElf64 - This AS supports memory dumps from VirtualBox virtual machines
           VMware Snapshot - This AS supports VMware saved state (.vmss) and VMware snapshot (.vmsn) files. Note: these are not raw memory dumps like the typical .vmem files.
           HPAKAddressSpace - This AS supports ".hpak" files produced by H.B. Gary's FDPro tool.

       You can get sample RAM images for testing at
       https://code.google.com/p/volatility/wiki/SampleMemoryImages.

OPTIONS

       -h, --help
              List all available options and their default values. Default
              values may be set in the configuration file (/etc/volatilityrc).

       --conf-file=/root/.volatilityrc
              User based configuration file

       -d, --debug
              Debug volatility

       --plugins=PLUGINS
              Additional plugin directories to use (colon separated)

       --info Print information about all registered objects

       --cache-directory=/root/.cache/volatility
              Directory where cache files are stored

       --cache
              Use caching

       --tz=TZ
              Sets the timezone for displaying timestamps

       -f FILENAME, --filename=FILENAME
              Filename to use when opening an image

       --profile=WinXPSP2x86
              Name of the profile to load

       -l LOCATION, --location=LOCATION
              A URN location from which to load an address space

       -w, --write
              Enable write support

       --dtb=DTB
              DTB Address

       --cache-dtb
              Cache virtual to physical mappings

       --output=text
              Output in this format (format support is module specific)

       --output-file=OUTPUT_FILE
              Write output in this file

       -v, --verbose
              Verbose information

       --shift=SHIFT
              Mac KASLR shift address

       -g KDBG, --kdbg=KDBG
              Specify a specific KDBG virtual address

       -k KPCR, --kpcr=KPCR
              Specify a specific KPCR address

PLUGINS

       The supported plugins are:

           Windows
               Image Identification
                   imageinfo - Identify information for the image
                   kdbgscan - Search for and dump potential KDBG values
                   kpcrscan - Search for and dump potential _KPCR values
               Process and DLLs
                   pslist - Print active processes by following the _EPROCESS list
                   pstree - Print process list as a tree
                   psscan - Scan Physical memory for _EPROCESS pool allocations
                   psdispscan - Scan Physical memory for _EPROCESS objects based on Dispatch Headers (Windows XP x86 only)
                   dlllist - Print list of loaded DLLs for each process
                   dlldump - Dump DLLs from a process address space
                   handles - Print list of open handles for each process
                   getsids - Print the SIDs owning each process
                   verinfo - Print a PE file's version information
                   enumfunc - Enumerate a PE file's imports and exports
                   envars - Display process environment variables
                   cmdscan - Extract command history by scanning for _COMMAND_HISTORY
                   consoles - Extract command history by scanning for _CONSOLE_INFORMATION
                   privs - Identify the present and/or enabled windows privileges for each process
               Process Memory
                   memmap - Print the memory map
                   memdump - Dump the addressable memory for a process
                   procexedump - Dump a process to an executable file
                   procmemdump - Dump a process to an executable memory sample
                   vadwalk - Walk the VAD tree
                   vadtree - Walk the VAD tree and display in tree format
                   vadinfo - Dump the VAD info
                   vaddump - Dumps out the vad sections to a file
                   evtlogs - Parse XP and 2003 event logs from memory
                   iehistory - Extract and parse Internet Explorer history and URL cache
               Kernel Memory and Objects
                   modules - Print list of loaded modules
                   modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
                   moddump - Extract a kernel driver to disk
                   ssdt - Print the Native and GDI System Service Descriptor Tables
                   driverscan - Scan physical memory for _DRIVER_OBJECT objects
                   filescan - Scan physical memory for _FILE_OBJECT objects
                   mutantscan - Scan physical memory for _KMUTANT objects
                   symlinkscan - Scans for symbolic link objects
                   thrdscan - Scan physical memory for _ETHREAD objects
                   dumpfiles - Reconstruct files from the windows cache manager and shared section objects
                   unloadedmodules - Show recently unloaded kernel modules (which indirectly tells you which ones recently loaded)
               Win32k / GUI Memory
                   sessions - List details on _MM_SESSION_SPACE (user logon sessions)
                   wndscan - Pool scanner for tagWINDOWSTATION (window stations)
                    deskscan - Pool scanner for tagDESKTOP (desktops)
                   atomscan - Pool scanner for _RTL_ATOM_TABLE
                   atoms - Print session and window station atom tables
                   clipboard - Extract the contents of the windows clipboard
                   eventhooks - Print details on windows event hooks
                    gahti - Dump the USER handle type information
                   messagehooks - List desktop and thread window message hooks
                   screenshot - Save a pseudo-screenshot based on GDI windows
                   userhandles - Dump the USER handle tables
                   windows - Print Desktop Windows (verbose details)
                   wintree - Print Z-Order Desktop Windows Tree
                   gditimers - Analyze GDI timer objects and their callbacks
               Networking
                   connections - Print open connections (XP and 2003 only)
                   connscan - Scan Physical memory for _TCPT_OBJECT objects (XP and 2003 only)
                   sockets - Print open sockets (XP and 2003 only)
                   sockscan - Scan Physical memory for _ADDRESS_OBJECT (XP and 2003 only)
                   netscan - Scan physical memory for network objects (Vista, 2008, and 7)
               Registry
                   hivescan - Scan Physical memory for _CMHIVE objects
                   hivelist - Print list of registry hives
                   printkey - Print a registry key, and its subkeys and values
                   hivedump - Recursively prints all keys and timestamps in a given hive
                    hashdump - Dumps password hashes (LM/NTLM) from memory (x86 only)
                   lsadump - Dump (decrypted) LSA secrets from the registry (XP and 2003 x86 only)
                    userassist - Parses and outputs User Assist keys from the registry
                   shimcache - Parses the Application Compatibility Shim Cache registry key
                   getservicesids - Calculate SIDs for windows services in the registry
                   shellbags - This plugin parses and prints Shellbag information obtained from the registry
               File Formats
                   crashinfo - Dump crash-dump information
                   hibinfo - Dump hibernation file information
                   imagecopy - Copies a physical address space out as a raw DD image
                   raw2dmp - Converts a physical memory sample to a windbg crash dump
                   vboxinfo - Display header and memory runs information from VirtualBox core dumps
                   vmwareinfo - Display header and memory runs information from VMware vmss or vmsn files
                   hpakinfo - Display header and memory runs information from .hpak files
                   hpakextract - Extract (and decompress if necessary) the raw physical memory dump from an .hpak file
               Malware
                   malfind - Find hidden and injected code
                   svcscan - Scan for Windows services
                   ldrmodules - Detect unlinked DLLs
                   impscan - Scan for calls to imported functions
                   apihooks - Detect API hooks in process and kernel memory (x86 only)
                   idt - Dumps the Interrupt Descriptor Table (x86 only)
                   gdt - Dumps the Global Descriptor Table (x86 only)
                   threads - Investigate _ETHREAD and _KTHREADs
                   callbacks - Print system-wide notification routines (x86 only)
                   driverirp - Driver IRP hook detection
                   devicetree - Show device tree
                   psxview - Find hidden processes with various process listings
                   timers - Print kernel timers and associated module DPCs (x86 only)
               File System
                   mbrparser - Scans for and parses potential Master Boot Records (MBRs)
                   mftparser - Scans for and parses potential MFT entries
               Miscellaneous
                   strings - Match physical offsets to virtual addresses
                   volshell - Shell to interactively explore a memory image
                   bioskbd - Reads the keyboard buffer from Real Mode memory
                   patcher - Patches memory based on page scans
                   timeliner - Produce timelines in body file format, excel 2007 spreadsheets, or text
                   dumpcerts - Extract SSL private and public keys/certs
           Linux/Android
               Processes
                   linux_pslist - Gather active tasks by walking the task_struct->task list
                   linux_psaux - Gathers processes along with full command line and start time
                   linux_pstree - Shows the parent/child relationship between processes
                   linux_pslist_cache - Gather tasks from the kmem_cache
                   linux_pidhashtable - Enumerates processes through the PID hash table
                   linux_psxview - Find hidden processes with various process listings
                   linux_lsof - Lists open files
               Process Memory
                   linux_memmap - Dumps the memory map for linux tasks
                   linux_proc_maps - Gathers process maps for linux
                   linux_dump_map - Writes selected process memory mappings to disk
                   linux_bash - Recover bash history from bash process memory
               Kernel Memory and Objects
                   linux_lsmod - Gather loaded kernel modules
                   linux_tmpfs - Recovers tmpfs filesystems from memory
                   linux_moddump - Extract an LKM from memory to disk (.text segment only)
               Networking
                   linux_arp - Print the ARP table
                   linux_ifconfig - Gathers active interfaces
                   linux_netstat - Lists open sockets
                   linux_route_cache - Recovers the routing cache from memory
                   linux_pkt_queues - Writes per-process packet queues out to disk
                   linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
               Malware/Rootkits
                   linux_check_afinfo - Verifies the operation function pointers of network protocols
                   linux_check_creds - Checks if any processes are sharing credential structures
                   linux_check_fop - Check file operation structures for rootkit modifications
                   linux_check_idt - Checks if the IDT has been altered
                   linux_check_modules - Compares module list to sysfs info, if available
                   linux_check_syscall - Checks if the system call table has been altered
                   linux_check_syscall_arm - Checks if the system call table has been altered (ARM)
                   linux_check_tty - Check TTY devices for rootkit hooks
                   linux_check_evt_arm - Check ARM exception vector table for hooks
               System Information
                   linux_cpuinfo - Prints info about each active processor
                   linux_dmesg - Gather dmesg buffer
                   linux_iomem - Provides output similar to /proc/iomem
                   linux_mount - Gather mounted fs/devices
                   linux_mount_cache - Gather mounted fs/devices from kmem_cache
                   linux_slabinfo - Mimics /proc/slabinfo on a running machine
                   linux_dentry_cache - Gather files from the dentry cache
                   linux_find_file - Extract cached file contents from memory via inodes
                   linux_vma_cache - Gather VMAs from the vm_area_struct cache
                   linux_keyboard_notifier - Parses the keyboard notifier call chain
               Miscellaneous
                   linux_volshell - Shell to interactively explore Linux/Android memory captures
                   linux_yarascan - Scan process and kernel memory with yara signatures
           Mac OSX
               Processes
                   mac_pslist - List running processes
                   mac_tasks - List active tasks
                   mac_pstree - Show parent/child relationship of processes
                   mac_lsof - Lists per-process open files
                   mac_pgrp_hash_table - Walks the process group hash table
                   mac_pid_hash_table - Walks the pid hash table
                   mac_dead_procs - List dead/terminated processes
                   mac_psaux - Prints processes with their command-line arguments (argv)
               Process Memory
                   mac_proc_maps - Print information on allocated process memory ranges
                   mac_dump_maps - Dumps memory ranges of processes
               Kernel Memory and Objects
                   mac_list_sessions - Enumerates sessions
                   mac_list_zones - Enumerates zones (allocated/freed object counts)
                   mac_lsmod - Lists loaded kernel modules
                   mac_mount - Prints mounted device information
               Networking
                   mac_arp - Prints the arp table
                   mac_ifconfig - Lists network interface information for all devices
                   mac_netstat - Lists active per-process network connections
                   mac_route - Prints the routing table
               Malware/Rootkits
                   mac_check_sysctl - Check for unknown sysctl handlers
                   mac_check_syscalls - Check for hooked syscall table entries
                   mac_check_trap_table - Checks to see if mach trap table entries are hooked
                   mac_ip_filters - Reports any hooked IP filters
                   mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
                   mac_trustedbsd - List malicious trustedbsd policies
               System Information
                   mac_dmesg - Prints the kernel debug buffers
                   mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
                   mac_machine_info - Prints machine information about the sample
                   mac_version - Prints the Mac version
                   mac_print_boot_cmdline - Prints the mac boot command line
               Miscellaneous
                   mac_volshell - Shell to interactively explore mac memory captures
                   machoinfo - Display header and memory runs for Mach-O memory dumps
                   mac_yarascan - Scan for Yara signatures in process or kernel memory

PROFILES

       Profiles are maps used by volatility to understand the operating
       system of the image. The profiles provided by volatility are:

       VistaSP0x64
              - A Profile for Windows Vista SP0 x64

       VistaSP0x86
              - A Profile for Windows Vista SP0 x86

       VistaSP1x64
              - A Profile for Windows Vista SP1 x64

       VistaSP1x86
              - A Profile for Windows Vista SP1 x86

       VistaSP2x64
              - A Profile for Windows Vista SP2 x64

       VistaSP2x86
              - A Profile for Windows Vista SP2 x86

       Win2003SP0x86
              - A Profile for Windows 2003 SP0 x86

       Win2003SP1x64
              - A Profile for Windows 2003 SP1 x64

       Win2003SP1x86
              - A Profile for Windows 2003 SP1 x86

       Win2003SP2x64
              - A Profile for Windows 2003 SP2 x64

       Win2003SP2x86
              - A Profile for Windows 2003 SP2 x86

       Win2008R2SP0x64
              - A Profile for Windows 2008 R2 SP0 x64

       Win2008R2SP1x64
              - A Profile for Windows 2008 R2 SP1 x64

       Win2008SP1x64
              - A Profile for Windows 2008 SP1 x64

       Win2008SP1x86
              - A Profile for Windows 2008 SP1 x86

       Win2008SP2x64
              - A Profile for Windows 2008 SP2 x64

       Win2008SP2x86
              - A Profile for Windows 2008 SP2 x86

       Win7SP0x64
              - A Profile for Windows 7 SP0 x64

       Win7SP0x86
              - A Profile for Windows 7 SP0 x86

       Win7SP1x64
              - A Profile for Windows 7 SP1 x64

       Win7SP1x86
              - A Profile for Windows 7 SP1 x86

       WinXPSP1x64
              - A Profile for Windows XP SP1 x64

       WinXPSP2x64
              - A Profile for Windows XP SP2 x64

       WinXPSP2x86
              - A Profile for Windows XP SP2 x86

       WinXPSP3x86
              - A Profile for Windows XP SP3 x86

       To determine the OS type, you can use:

       # volatility -f <image> imageinfo

       For Linux and Mac you must create your own profiles. For this, please
       see:

       Linux:
       https://code.google.com/p/volatility/wiki/LinuxMemoryForensics#Creating_a_profile
       MAC:
       https://code.google.com/p/volatility/wiki/MacMemoryForensics#Building_a_Profile
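
       As a worked example of the workflow above (run imageinfo, pick a profile, then run plugins with -f and --profile as in SYNOPSIS), the script below is added here and is not code from the volatility project or this man page. The imageinfo text and the image path /cases/image.raw are constructed sample data modelled on imageinfo's report layout, and the choice of triage plugins is the editor's, drawn from the PLUGINS list.

```shell
#!/bin/sh
# Added example, not code from the volatility project or this man page: turn
# imageinfo output into a profile choice, then compose the plugin invocations
# described in SYNOPSIS and OPTIONS. The image path and the imageinfo text
# below are constructed sample data modelled on imageinfo's report layout.

# Constructed sample of what `volatility -f /cases/image.raw imageinfo` prints.
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.3
Determining profile based on KDBG search...

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/image.raw)
                      PAE type : PAE
                           DTB : 0x319000L
                          KDBG : 0x80544ce0L'

# imageinfo_field KEY TEXT: print the value of one "KEY : value" line from
# imageinfo output, with the Python long suffix ("L") stripped from addresses.
imageinfo_field() {
    printf '%s\n' "$2" | awk -F' : ' -v key="$1" '
        { k = $1; sub(/^[ \t]+/, "", k)
          if (k == key) { v = $2; sub(/L$/, "", v); print v } }'
}

# pick_profile TEXT: the first suggested profile (the one imageinfo
# instantiated with), usable as the --profile= value.
pick_profile() {
    imageinfo_field 'Suggested Profile(s)' "$1" | sed 's/,.*//; s/ .*//'
}

# build_cmd IMAGE PROFILE PLUGIN: one plugin run as laid out in SYNOPSIS,
# sending results to <plugin>.txt via --output-file.
build_cmd() {
    printf 'volatility %s -f %s --profile=%s --output-file=%s.txt\n' "$3" "$1" "$2" "$3"
}

# network_plugins PROFILE: the networking plugins are version specific (see
# PLUGINS): connections/connscan exist for XP and 2003 only, netscan covers
# Vista, 2008 and 7.
network_plugins() {
    case "$1" in
        WinXP*|Win2003*) echo "connections connscan" ;;
        *)               echo "netscan" ;;
    esac
}

# triage_plan IMAGE TEXT: emit the command lines for a first-pass triage:
# process listings cross-checked by psxview, injected code via malfind, and
# the network plugins that apply to the detected profile. Passing --kdbg
# (OPTIONS, -g/--kdbg) reuses the KDBG address imageinfo already found
# instead of rescanning on every run.
triage_plan() {
    profile=$(pick_profile "$2")
    kdbg=$(imageinfo_field KDBG "$2")
    for plugin in pslist psscan psxview malfind $(network_plugins "$profile"); do
        printf '%s --kdbg=%s\n' "$(build_cmd "$1" "$profile" "$plugin")" "$kdbg"
    done
}

triage_plan /cases/image.raw "$SAMPLE_IMAGEINFO"
```

       Feed the printed lines to a shell (or a job runner) once the profile looks right; on a real image, compare pslist against psscan and psxview before trusting any process listing.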

NOTES

       This manpage was based on several official documents about volatility.
       For other information and tutorials, see:

       https://code.google.com/p/volatility/wiki/VolatilityUsage23

AUTHOR

       volatility was written by several contributors. For contact, use the
       e-mail address <volatility@volatilityfoundation.org>.

       This   manual   page   was   written   by   Joao  Eriberto  Mota  Filho
       <eriberto@eriberto.pro.br> for the Debian project (but may be  used  by
       others).



  Last modified: November 04 2018 12:49:43.