Volatility Memory Forensics Quick Reference
============================================

VOLATILITY 3 (Python 3)
  Global options (-f, -o, -s, -vv) go BEFORE the plugin name. Windows symbol
  tables are fetched from the Microsoft symbol server on first use; offline, put
  the ISF JSON under the symbols directory or point -s at it.
  vol -f dump.raw windows.info         OS info (replaces imageinfo; no profile needed)
  vol -f dump.raw windows.pslist       Process list
  vol -f dump.raw windows.pstree       Process tree
  vol -f dump.raw windows.cmdline      Command lines
  vol -f dump.raw windows.netscan      Network connections
  vol -f dump.raw windows.filescan     File objects
  vol -f dump.raw -o ./out windows.dumpfiles --pid PID          Dump files held open by a process
  vol -f dump.raw -o ./out windows.dumpfiles --physaddr OFFSET  Dump one file (OFFSET from filescan)
  vol -f dump.raw windows.hashdump     Password hashes
  vol -f dump.raw windows.registry.hivelist    Registry hives
  vol -f dump.raw windows.envars       Environment variables
  vol -f dump.raw windows.malfind      Injected code

VOLATILITY 2 (Python 2)
  vol.py -f dump.raw imageinfo         Suggest profile (verify with kdbgscan if several)
  vol.py -f dump.raw --profile=PROF pslist      Process list
  vol.py -f dump.raw --profile=PROF pstree      Process tree
  vol.py -f dump.raw --profile=PROF cmdline     Command lines
  vol.py -f dump.raw --profile=PROF netscan     Network
  vol.py -f dump.raw --profile=PROF filescan    Files
  vol.py -f dump.raw --profile=PROF dumpfiles -D ./out/ -Q OFFSET   Dump file at filescan offset
  vol.py -f dump.raw --profile=PROF dumpfiles -D ./out/ -p PID      Dump files open by a process
  vol.py -f dump.raw --profile=PROF hashdump    Hashes
  vol.py -f dump.raw --profile=PROF hivelist    Registry
  vol.py -f dump.raw --profile=PROF clipboard   Clipboard
  vol.py -f dump.raw --profile=PROF screenshot -D ./out/

LINUX
  Needs a symbol table for the exact kernel build: an ISF JSON in the symbols
  directory for Volatility 3, or a custom profile (--profile=Linux...) for
  Volatility 2. Without it the plugins below return nothing.
  vol -f dump.raw linux.bash           Bash history
  vol -f dump.raw linux.pslist         Process list
  vol -f dump.raw linux.lsof           Open files

COMMON CTF WORKFLOW
  1. vol -f dump.raw windows.info      Identify OS
  2. vol -f dump.raw windows.pstree    Find suspicious processes (odd parents, names, paths)
  3. vol -f dump.raw windows.cmdline   Check what was run
  4. vol -f dump.raw windows.netscan   Check connections
  5. vol -f dump.raw windows.filescan | grep -iE "flag|secret|key"
  6. vol -f dump.raw -o ./out windows.dumpfiles --physaddr OFFSET   (OFFSET = first column from step 5)
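Steps 5 and 6 above are usually done by hand; the following is an added example (not part of the original reference) that parses saved windows.filescan output, filters it for interesting names and emits the matching windows.dumpfiles commands. The filescan text is constructed for the example and assumes Volatility 3's default tab-separated columns (Offset, Name, Size); the commands are only built as strings, not executed.

```python
import re
import shlex

# Constructed sample of `vol -f dump.raw windows.filescan > filescan.txt`
# (not taken from a real memory image; offsets are made up).
SAMPLE_FILESCAN = """Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished
Offset\tName\tSize

0x3e1cd7f0\t\\Users\\user\\Desktop\\flag.txt\t216
0x3e1d2b80\t\\Windows\\System32\\kernel32.dll\t216
0x3e2041a0\t\\Users\\user\\AppData\\Roaming\\secret_notes.docx\t216
0x3e21c6e0\t\\Windows\\System32\\drivers\\etc\\hosts\t216
0x3e2305c0\t\\Users\\user\\.ssh\\id_rsa.key\t216
"""

# A data row is: hex offset <TAB> path <TAB> object size. Header, banner and
# progress lines do not start with 0x and are skipped.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\t(.+?)\t(\d+)\s*$")


def parse_filescan(text):
    """Return a list of (physical_offset, path) tuples from filescan output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(2)))
    return rows


def find_interesting(rows, patterns=("flag", "secret", "key")):
    """Keep rows whose path matches any keyword, case-insensitively
    (the same filter as `grep -iE "flag|secret|key"` in the workflow)."""
    pat = re.compile("|".join(re.escape(p) for p in patterns), re.IGNORECASE)
    return [(off, path) for off, path in rows if pat.search(path)]


def dumpfiles_commands(hits, image="dump.raw", outdir="./out"):
    """Build one windows.dumpfiles command per hit. Global options (-f, -o)
    must precede the plugin name; --physaddr takes the filescan offset."""
    return [
        f"vol -f {shlex.quote(image)} -o {shlex.quote(outdir)} "
        f"windows.dumpfiles --physaddr {off:#x}"
        for off, _ in hits
    ]


if __name__ == "__main__":
    hits = find_interesting(parse_filescan(SAMPLE_FILESCAN))
    for (off, path), cmd in zip(hits, dumpfiles_commands(hits)):
        print(f"# {path}\n{cmd}")
```

Run it against a real capture with `parse_filescan(open("filescan.txt").read())`. filescan often lists the same path at several offsets (one FILE_OBJECT each, possibly with different cached contents), so the script deliberately does not deduplicate by path: dump every hit and compare them.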
