
title: Cheatsheet Volatility3
date: Jun 21, 2021
tags: DamCTF Writeups OSINT Cheatsheet Volatility3 Forensic ShieldsCTF Prog HeroCTF MidnightFlag


Volatility3 cheatsheet

imageinfo

vol.py -f file.dmp windows.info


Process information

list all processes

vol.py -f file.dmp windows.pslist
vol.py -f file.dmp windows.psscan
vol.py -f file.dmp windows.pstree

procdump

vol.py -f file.dmp -o "/path/to/dir" windows.dumpfiles --pid <PID>  # dumps the file objects (EXE and DLLs) mapped by the process; windows.pslist --pid <PID> --dump extracts only the process image

memdump

vol.py -f file.dmp -o "/path/to/dir" windows.memmap --dump --pid <PID>

handles

vol.py -f file.dmp windows.handles --pid <PID>

DLLs

vol.py -f file.dmp windows.dlllist --pid <PID>

CMD

vol.py -f file.dmp windows.cmdline

environment

vol.py -f file.dmp windows.envars --pid <PID>  # Display process environment variables


Network information

netscan

vol.py -f file.dmp windows.netscan
vol.py -f file.dmp windows.netstat


Registry

hivelist

vol.py -f file.dmp windows.registry.hivescan
vol.py -f file.dmp windows.registry.hivelist

dump a hive

# Volatility 2 syntax: the --profile flag and the hivedump plugin do not exist in Volatility 3, where the equivalent is windows.registry.hivelist --dump
vol.py --profile=Win7SP1x86_23418 hivedump -o 0x9aad6148 -f file.dmp  # offset taken from hivelist
vol.py --profile=Win7SP1x86_23418 hivedump -f file.dmp  # dump all hives

printkey

vol.py -f file.dmp windows.registry.printkey
vol.py -f file.dmp windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion"

DFIR CheatSheet

hivedump

vol.py -f file.dmp --profile <profile> printkey  # Volatility 2 syntax; in Volatility 3 use windows.registry.printkey as shown above


Files

filescan

vol.py -f file.dmp windows.filescan

filedump

vol.py -f file.dmp -o "/path/to/dir" windows.dumpfiles
vol.py -f file.dmp -o "/path/to/dir" windows.dumpfiles --virtaddr <offset>
vol.py -f file.dmp -o "/path/to/dir" windows.dumpfiles --physaddr <offset>


Misc

malfind

vol.py -f file.dmp windows.malfind

yarascan

vol.py -f file.dmp yarascan.YaraScan --yara-file "/path/to/file.yar"  # -y is the Volatility 2 flag; Volatility 3 uses --yara-file (windows.vadyarascan takes the same option and scans process VADs)

hashes/passwords

vol.py -f file.dmp windows.hashdump   # Grab common Windows hashes (SAM+SYSTEM)
vol.py -f file.dmp windows.cachedump  # Grab domain cached hashes from the registry
vol.py -f file.dmp windows.lsadump    # Grab LSA secrets

external plugins

vol.py --plugin-dirs "/tmp/plugins" "[...]"  # -p is the short form of --plugin-dirs

drivers

vol.py -f file.dmp windows.driverscan