{"id":13475857,"url":"https://github.com/volatilityfoundation/volatility","last_synced_at":"2025-05-14T03:11:18.291Z","repository":{"id":16364098,"uuid":"19114225","full_name":"volatilityfoundation/volatility","owner":"volatilityfoundation","description":"An advanced memory forensics framework","archived":false,"fork":false,"pushed_at":"2023-06-14T06:39:09.000Z","size":21655,"stargazers_count":7629,"open_issues_count":225,"forks_count":1317,"subscribers_count":307,"default_branch":"master","last_synced_at":"2025-04-11T00:43:49.571Z","etag":null,"topics":["malware","memory","python","ram","volatility-framework"],"latest_commit_sha":null,"homepage":"http://volatilityfoundation.org/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/volatilityfoundation.png","metadata":{"files":{"readme":"README.txt","changelog":"CHANGELOG.txt","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2014-04-24T15:45:26.000Z","updated_at":"2025-04-10T22:50:26.000Z","dependencies_parsed_at":"2023-01-14T00:30:20.869Z","dependency_job_id":"e2181a19-c04b-4579-8517-aa110ad6e21a","html_url":"https://github.com/volatilityfoundation/volatility","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/volatilityfoundation%2Fvolatility","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/volatilityfoundation%2Fvolatility/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/volatilityfoundation%2Fvolatility/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/volatilityfoundation%2Fvola
tility/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/volatilityfoundation","download_url":"https://codeload.github.com/volatilityfoundation/volatility/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254059518,"owners_count":22007771,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malware","memory","python","ram","volatility-framework"],"created_at":"2024-07-31T16:01:24.157Z","updated_at":"2025-05-14T03:11:13.281Z","avatar_url":"https://github.com/volatilityfoundation.png","language":"Python","readme":"============================================================================\nVolatility Framework - Volatile memory extraction utility framework\n============================================================================\n\nThe Volatility Framework is a completely open collection of tools,\nimplemented in Python under the GNU General Public License, for the\nextraction of digital artifacts from volatile memory (RAM) samples.\nThe extraction techniques are performed completely independent of the\nsystem being investigated but offer visibility into the runtime state\nof the system. 
The framework is intended to introduce people to the\ntechniques and complexities associated with extracting digital artifacts\nfrom volatile memory samples and provide a platform for further work into\nthis exciting area of research.\n\nThe Volatility distribution is available from: \nhttp://www.volatilityfoundation.org/#!releases/component_71401\n\nVolatility should run on any platform that supports \nPython (http://www.python.org)\n\nVolatility supports investigations of the following memory images:\n\nWindows:\n* 32-bit Windows XP Service Pack 2 and 3\n* 32-bit Windows 2003 Server Service Pack 0, 1, 2\n* 32-bit Windows Vista Service Pack 0, 1, 2\n* 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)\n* 32-bit Windows 7 Service Pack 0, 1\n* 32-bit Windows 8, 8.1, and 8.1 Update 1\n* 32-bit Windows 10 (initial support)\n* 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)\n* 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)\n* 64-bit Windows Vista Service Pack 0, 1, 2\n* 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)\n* 64-bit Windows 2008 R2 Server Service Pack 0 and 1\n* 64-bit Windows 7 Service Pack 0 and 1\n* 64-bit Windows 8, 8.1, and 8.1 Update 1\n* 64-bit Windows Server 2012 and 2012 R2 \n* 64-bit Windows 10 (including at least 10.0.19041)\n* 64-bit Windows Server 2016 (including at least 10.0.19041)\n\nNote: Please see the guidelines at the following link for notes on \ncompatibility with recently patched Windows 7 (or later) memory samples:\n\n    https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles\n\nLinux: \n* 32-bit Linux kernels 2.6.11 to 5.5\n* 64-bit Linux kernels 2.6.11 to 5.5\n* OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc\n\nMac OSX:\n* 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)\n* 32-bit 10.6.x Snow Leopard\n* 64-bit 10.6.x Snow Leopard\n* 32-bit 10.7.x Lion\n* 64-bit 10.7.x Lion\n* 64-bit 10.8.x Mountain Lion (there is no 
32-bit version)\n* 64-bit 10.9.x Mavericks (there is no 32-bit version)\n* 64-bit 10.10.x Yosemite (there is no 32-bit version)\n* 64-bit 10.11.x El Capitan (there is no 32-bit version)\n* 64-bit 10.12.x Sierra (there is no 32-bit version)\n* 64-bit 10.13.x High Sierra (there is no 32-bit version)\n* 64-bit 10.14.x Mojave (there is no 32-bit version)\n* 64-bit 10.15.x Catalina (there is no 32-bit version)\n\nVolatility does not provide memory sample acquisition\ncapabilities. For acquisition, there are both free and commercial\nsolutions available. If you would like suggestions about suitable \nacquisition solutions, please contact us at:\n\nvolatility (at) volatilityfoundation (dot) org\n\nVolatility supports a variety of sample file formats and the\nability to convert between these formats:\n\n  - Raw linear sample (dd)\n  - Hibernation file (from Windows 7 and earlier)\n  - Crash dump file\n  - VirtualBox ELF64 core dump\n  - VMware saved state and snapshot files\n  - EWF format (E01) \n  - LiME format\n  - Mach-O file format\n  - QEMU virtual machine dumps\n  - Firewire \n  - HPAK (FDPro)\n\nFor a more detailed list of capabilities, see the following:\n\n    https://github.com/volatilityfoundation/volatility/wiki\n    \nAlso see the community plugins repository:\n\n    https://github.com/volatilityfoundation/community\n\nExample Data\n============\n\nIf you want to give Volatility a try, you can download exemplar\nmemory images from the following url:\n\n    https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples\n\nMailing Lists\n=============\n\nMailing lists to support the users and developers of Volatility\ncan be found at the following address:\n\n    http://lists.volatilesystems.com/mailman/listinfo\n\nContact\n=======\nFor information or requests, contact:\n\nVolatility Foundation\n\nWeb: http://www.volatilityfoundation.org\n     http://volatility-labs.blogspot.com\n     http://volatility.tumblr.com\n     \nEmail: volatility (at) 
volatilityfoundation (dot) org\n\nIRC: #volatility on freenode\n\nTwitter: @volatility \n\nRequirements\n============\n- Python 2.6 or later, but not 3.0. http://www.python.org\n\nSome plugins may have other requirements which can be found at: \n    https://github.com/volatilityfoundation/volatility/wiki/Installation\n\nQuick Start\n===========\n1. Unpack the latest version of Volatility from\n    volatilityfoundation.org\n   \n2. To see available options, run \"python vol.py -h\" or \"python vol.py --info\"\n\n   Example:\n\n$ python vol.py --info\nVolatility Foundation Volatility Framework 2.6\n\nAddress Spaces\n--------------\nAMD64PagedMemory              - Standard AMD 64-bit address space.\nArmAddressSpace               - Address space for ARM processors\nFileAddressSpace              - This is a direct file AS.\nHPAKAddressSpace              - This AS supports the HPAK format\nIA32PagedMemory               - Standard IA-32 paging address space.\nIA32PagedMemoryPae            - This class implements the IA-32 PAE paging address space. 
It is responsible\nLimeAddressSpace              - Address space for Lime\nLinuxAMD64PagedMemory         - Linux-specific AMD 64-bit address space.\nMachOAddressSpace             - Address space for mach-o files to support atc-ny memory reader\nOSXPmemELF                    - This AS supports VirtualBox ELF64 coredump format\nQemuCoreDumpElf               - This AS supports Qemu ELF32 and ELF64 coredump format\nVMWareAddressSpace            - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files\nVMWareMetaAddressSpace        - This AS supports the VMEM format with VMSN/VMSS metadata\nVirtualBoxCoreDumpElf64       - This AS supports VirtualBox ELF64 coredump format\nWin10AMD64PagedMemory         - Windows 10-specific AMD 64-bit address space.\nWindowsAMD64PagedMemory       - Windows-specific AMD 64-bit address space.\nWindowsCrashDumpSpace32       - This AS supports windows Crash Dump format\nWindowsCrashDumpSpace64       - This AS supports windows Crash Dump format\nWindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format\nWindowsHiberFileSpace32       - This is a hibernate address space for windows hibernation files.\n\nProfiles\n--------\nVistaSP0x64           - A Profile for Windows Vista SP0 x64\nVistaSP0x86           - A Profile for Windows Vista SP0 x86\nVistaSP1x64           - A Profile for Windows Vista SP1 x64\nVistaSP1x86           - A Profile for Windows Vista SP1 x86\nVistaSP2x64           - A Profile for Windows Vista SP2 x64\nVistaSP2x86           - A Profile for Windows Vista SP2 x86\nWin10x64              - A Profile for Windows 10 x64\nWin10x64_10586        - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)\nWin10x64_14393        - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)\nWin10x86              - A Profile for Windows 10 x86\nWin10x86_10586        - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)\nWin10x86_14393        - A Profile for Windows 10 x86 (10.0.14393.0 / 
2016-07-16)\nWin2003SP0x86         - A Profile for Windows 2003 SP0 x86\nWin2003SP1x64         - A Profile for Windows 2003 SP1 x64\nWin2003SP1x86         - A Profile for Windows 2003 SP1 x86\nWin2003SP2x64         - A Profile for Windows 2003 SP2 x64\nWin2003SP2x86         - A Profile for Windows 2003 SP2 x86\nWin2008R2SP0x64       - A Profile for Windows 2008 R2 SP0 x64\nWin2008R2SP1x64       - A Profile for Windows 2008 R2 SP1 x64\nWin2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)\nWin2008SP1x64         - A Profile for Windows 2008 SP1 x64\nWin2008SP1x86         - A Profile for Windows 2008 SP1 x86\nWin2008SP2x64         - A Profile for Windows 2008 SP2 x64\nWin2008SP2x86         - A Profile for Windows 2008 SP2 x86\nWin2012R2x64          - A Profile for Windows Server 2012 R2 x64\nWin2012R2x64_18340    - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)\nWin2012x64            - A Profile for Windows Server 2012 x64\nWin2016x64_14393      - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)\nWin7SP0x64            - A Profile for Windows 7 SP0 x64\nWin7SP0x86            - A Profile for Windows 7 SP0 x86\nWin7SP1x64            - A Profile for Windows 7 SP1 x64\nWin7SP1x64_23418      - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)\nWin7SP1x86            - A Profile for Windows 7 SP1 x86\nWin7SP1x86_23418      - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)\nWin81U1x64            - A Profile for Windows 8.1 Update 1 x64\nWin81U1x86            - A Profile for Windows 8.1 Update 1 x86\nWin8SP0x64            - A Profile for Windows 8 x64\nWin8SP0x86            - A Profile for Windows 8 x86\nWin8SP1x64            - A Profile for Windows 8.1 x64\nWin8SP1x64_18340      - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)\nWin8SP1x86            - A Profile for Windows 8.1 x86\nWinXPSP1x64           - A Profile for Windows XP SP1 x64\nWinXPSP2x64           
- A Profile for Windows XP SP2 x64\nWinXPSP2x86           - A Profile for Windows XP SP2 x86\nWinXPSP3x86           - A Profile for Windows XP SP3 x86\n\nPlugins\n-------\namcache                    - Print AmCache information\napihooks                   - Detect API hooks in process and kernel memory\natoms                      - Print session and window station atom tables\natomscan                   - Pool scanner for atom tables\nauditpol                   - Prints out the Audit Policies from HKLM\\SECURITY\\Policy\\PolAdtEv\nbigpools                   - Dump the big page pools using BigPagePoolScanner\nbioskbd                    - Reads the keyboard buffer from Real Mode memory\ncachedump                  - Dumps cached domain hashes from memory\ncallbacks                  - Print system-wide notification routines\nclipboard                  - Extract the contents of the windows clipboard\ncmdline                    - Display process command-line arguments\ncmdscan                    - Extract command history by scanning for _COMMAND_HISTORY\nconnections                - Print list of open connections [Windows XP and 2003 Only]\nconnscan                   - Pool scanner for tcp connections\nconsoles                   - Extract command history by scanning for _CONSOLE_INFORMATION\ncrashinfo                  - Dump crash-dump information\ndeskscan                   - Pool scanner for tagDESKTOP (desktops)\ndevicetree                 - Show device tree\ndlldump                    - Dump DLLs from a process address space\ndlllist                    - Print list of loaded dlls for each process\ndriverirp                  - Driver IRP hook detection\ndrivermodule               - Associate driver objects to kernel modules\ndriverscan                 - Pool scanner for driver objects\ndumpcerts                  - Dump RSA private and public SSL keys\ndumpfiles                  - Extract memory mapped and cached files\ndumpregistry               - Dumps registry files 
out to disk\neditbox                    - Displays information about Edit controls. (Listbox experimental.)\nenvars                     - Display process environment variables\neventhooks                 - Print details on windows event hooks\nevtlogs                    - Extract Windows Event Logs (XP/2003 only)\nfilescan                   - Pool scanner for file objects\ngahti                      - Dump the USER handle type information\ngditimers                  - Print installed GDI timers and callbacks\ngdt                        - Display Global Descriptor Table\ngetservicesids             - Get the names of services in the Registry and return Calculated SID\ngetsids                    - Print the SIDs owning each process\nhandles                    - Print list of open handles for each process\nhashdump                   - Dumps password hashes (LM/NTLM) from memory\nhibinfo                    - Dump hibernation file information\nhivedump                   - Prints out a hive\nhivelist                   - Print list of registry hives.\nhivescan                   - Pool scanner for registry hives\nhpakextract                - Extract physical memory from an HPAK file\nhpakinfo                   - Info on an HPAK file\nidt                        - Display Interrupt Descriptor Table\niehistory                  - Reconstruct Internet Explorer cache / history\nimagecopy                  - Copies a physical address space out as a raw DD image\nimageinfo                  - Identify information for the image\nimpscan                    - Scan for calls to imported functions\njoblinks                   - Print process job link information\nkdbgscan                   - Search for and dump potential KDBG values\nkpcrscan                   - Search for and dump potential KPCR values\nldrmodules                 - Detect unlinked DLLs\nlimeinfo                   - Dump Lime file format information\nlinux_apihooks             - Checks for userland apihooks\nlinux_arp     
             - Print the ARP table\nlinux_aslr_shift           - Automatically detect the Linux ASLR shift\nlinux_banner               - Prints the Linux banner information\nlinux_bash                 - Recover bash history from bash process memory\nlinux_bash_env             - Recover a process' dynamic environment variables\nlinux_bash_hash            - Recover bash hash table from bash process memory\nlinux_check_afinfo         - Verifies the operation function pointers of network protocols\nlinux_check_creds          - Checks if any processes are sharing credential structures\nlinux_check_evt_arm        - Checks the Exception Vector Table to look for syscall table hooking\nlinux_check_fop            - Check file operation structures for rootkit modifications\nlinux_check_idt            - Checks if the IDT has been altered\nlinux_check_inline_kernel  - Check for inline kernel hooks\nlinux_check_modules        - Compares module list to sysfs info, if available\nlinux_check_syscall        - Checks if the system call table has been altered\nlinux_check_syscall_arm    - Checks if the system call table has been altered\nlinux_check_tty            - Checks tty devices for hooks\nlinux_cpuinfo              - Prints info about each active processor\nlinux_dentry_cache         - Gather files from the dentry cache\nlinux_dmesg                - Gather dmesg buffer\nlinux_dump_map             - Writes selected memory mappings to disk\nlinux_dynamic_env          - Recover a process' dynamic environment variables\nlinux_elfs                 - Find ELF binaries in process mappings\nlinux_enumerate_files      - Lists files referenced by the filesystem cache\nlinux_find_file            - Lists and recovers files from memory\nlinux_getcwd               - Lists current working directory of each process\nlinux_hidden_modules       - Carves memory to find hidden kernel modules\nlinux_ifconfig             - Gathers active interfaces\nlinux_info_regs            - It's like 'info 
registers' in GDB. It prints out all the\nlinux_iomem                - Provides output similar to /proc/iomem\nlinux_kernel_opened_files  - Lists files that are opened from within the kernel\nlinux_keyboard_notifiers   - Parses the keyboard notifier call chain\nlinux_ldrmodules           - Compares the output of proc maps with the list of libraries from libdl\nlinux_library_list         - Lists libraries loaded into a process\nlinux_librarydump          - Dumps shared libraries in process memory to disk\nlinux_list_raw             - List applications with promiscuous sockets\nlinux_lsmod                - Gather loaded kernel modules\nlinux_lsof                 - Lists file descriptors and their path\nlinux_malfind              - Looks for suspicious process mappings\nlinux_memmap               - Dumps the memory map for linux tasks\nlinux_moddump              - Extract loaded kernel modules\nlinux_mount                - Gather mounted fs/devices\nlinux_mount_cache          - Gather mounted fs/devices from kmem_cache\nlinux_netfilter            - Lists Netfilter hooks\nlinux_netscan              - Carves for network connection structures\nlinux_netstat              - Lists open sockets\nlinux_pidhashtable         - Enumerates processes through the PID hash table\nlinux_pkt_queues           - Writes per-process packet queues out to disk\nlinux_plthook              - Scan ELF binaries' PLT for hooks to non-NEEDED images\nlinux_proc_maps            - Gathers process memory maps\nlinux_proc_maps_rb         - Gathers process maps for linux through the mappings red-black tree\nlinux_procdump             - Dumps a process's executable image to disk\nlinux_process_hollow       - Checks for signs of process hollowing\nlinux_psaux                - Gathers processes along with full command line and start time\nlinux_psenv                - Gathers processes along with their static environment variables\nlinux_pslist               - Gather active tasks by walking the 
task_struct-\u003etask list\nlinux_pslist_cache         - Gather tasks from the kmem_cache\nlinux_psscan               - Scan physical memory for processes\nlinux_pstree               - Shows the parent/child relationship between processes\nlinux_psxview              - Find hidden processes with various process listings\nlinux_recover_filesystem   - Recovers the entire cached file system from memory\nlinux_route_cache          - Recovers the routing cache from memory\nlinux_sk_buff_cache        - Recovers packets from the sk_buff kmem_cache\nlinux_slabinfo             - Mimics /proc/slabinfo on a running machine\nlinux_strings              - Match physical offsets to virtual addresses (may take a while, VERY verbose)\nlinux_threads              - Prints threads of processes\nlinux_tmpfs                - Recovers tmpfs filesystems from memory\nlinux_truecrypt_passphrase - Recovers cached Truecrypt passphrases\nlinux_vma_cache            - Gather VMAs from the vm_area_struct cache\nlinux_volshell             - Shell in the memory image\nlinux_yarascan             - A shell in the Linux memory image\nlsadump                    - Dump (decrypted) LSA secrets from the registry\nmac_adium                  - Lists Adium messages\nmac_apihooks               - Checks for API hooks in processes\nmac_apihooks_kernel        - Checks to see if system call and kernel functions are hooked\nmac_arp                    - Prints the arp table\nmac_bash                   - Recover bash history from bash process memory\nmac_bash_env               - Recover bash's environment variables\nmac_bash_hash              - Recover bash hash table from bash process memory\nmac_calendar               - Gets calendar events from Calendar.app\nmac_check_fop              - Validate File Operation Pointers\nmac_check_mig_table        - Lists entries in the kernel's MIG table\nmac_check_syscall_shadow   - Looks for shadow system call tables\nmac_check_syscalls         - Checks to see if system call 
table entries are hooked\nmac_check_sysctl           - Checks for unknown sysctl handlers\nmac_check_trap_table       - Checks to see if mach trap table entries are hooked\nmac_compressed_swap        - Prints Mac OS X VM compressor stats and dumps all compressed pages\nmac_contacts               - Gets contact names from Contacts.app\nmac_dead_procs             - Prints terminated/de-allocated processes\nmac_dead_sockets           - Prints terminated/de-allocated network sockets\nmac_dead_vnodes            - Lists freed vnode structures\nmac_devfs                  - Lists files in the file cache\nmac_dmesg                  - Prints the kernel debug buffer\nmac_dump_file              - Dumps a specified file\nmac_dump_maps              - Dumps memory ranges of process(es), optionally including pages in compressed swap\nmac_dyld_maps              - Gets memory maps of processes from dyld data structures\nmac_find_aslr_shift        - Find the ASLR shift value for 10.8+ images\nmac_get_profile            - Automatically detect Mac profiles\nmac_ifconfig               - Lists network interface information for all devices\nmac_interest_handlers      - Lists IOKit Interest Handlers\nmac_ip_filters             - Reports any hooked IP filters\nmac_kernel_classes         - Lists loaded c++ classes in the kernel\nmac_kevents                - Show parent/child relationship of processes\nmac_keychaindump           - Recovers possible keychain keys. 
Use chainbreaker to open related keychain files\nmac_ldrmodules             - Compares the output of proc maps with the list of libraries from libdl\nmac_librarydump            - Dumps the executable of a process\nmac_list_files             - Lists files in the file cache\nmac_list_kauth_listeners   - Lists Kauth Scope listeners\nmac_list_kauth_scopes      - Lists Kauth Scopes and their status\nmac_list_raw               - List applications with promiscuous sockets\nmac_list_sessions          - Enumerates sessions\nmac_list_zones             - Prints active zones\nmac_lsmod                  - Lists loaded kernel modules\nmac_lsmod_iokit            - Lists loaded kernel modules through IOkit\nmac_lsmod_kext_map         - Lists loaded kernel modules\nmac_lsof                   - Lists per-process opened files\nmac_machine_info           - Prints machine information about the sample\nmac_malfind                - Looks for suspicious process mappings\nmac_memdump                - Dump addressable memory pages to a file\nmac_moddump                - Writes the specified kernel extension to disk\nmac_mount                  - Prints mounted device information\nmac_netstat                - Lists active per-process network connections\nmac_network_conns          - Lists network connections from kernel network structures\nmac_notesapp               - Finds contents of Notes messages\nmac_notifiers              - Detects rootkits that add hooks into I/O Kit (e.g. 
LogKext)\nmac_orphan_threads         - Lists threads that don't map back to known modules/processes\nmac_pgrp_hash_table        - Walks the process group hash table\nmac_pid_hash_table         - Walks the pid hash table\nmac_print_boot_cmdline     - Prints kernel boot arguments\nmac_proc_maps              - Gets memory maps of processes\nmac_procdump               - Dumps the executable of a process\nmac_psaux                  - Prints processes with arguments in user land (**argv)\nmac_psenv                  - Prints processes with environment in user land (**envp)\nmac_pslist                 - List Running Processes\nmac_pstree                 - Show parent/child relationship of processes\nmac_psxview                - Find hidden processes with various process listings\nmac_recover_filesystem     - Recover the cached filesystem\nmac_route                  - Prints the routing table\nmac_socket_filters         - Reports socket filters\nmac_strings                - Match physical offsets to virtual addresses (may take a while, VERY verbose)\nmac_tasks                  - List Active Tasks\nmac_threads                - List Process Threads\nmac_threads_simple         - Lists threads along with their start time and priority\nmac_timers                 - Reports timers set by kernel drivers\nmac_trustedbsd             - Lists malicious trustedbsd policies\nmac_version                - Prints the Mac version\nmac_vfsevents              - Lists processes filtering file system events\nmac_volshell               - Shell in the memory image\nmac_yarascan               - Scan memory for yara signatures\nmachoinfo                  - Dump Mach-O file format information\nmalfind                    - Find hidden and injected code\nmbrparser                  - Scans for and parses potential Master Boot Records (MBRs)\nmemdump                    - Dump the addressable memory for a process\nmemmap                     - Print the memory map\nmessagehooks               - List desktop 
and thread window message hooks\nmftparser                  - Scans for and parses potential MFT entries\nmoddump                    - Dump a kernel driver to an executable file sample\nmodscan                    - Pool scanner for kernel modules\nmodules                    - Print list of loaded modules\nmultiscan                  - Scan for various objects at once\nmutantscan                 - Pool scanner for mutex objects\nnetscan                    - Scan a Vista (or later) image for connections and sockets\nnotepad                    - List currently displayed notepad text\nobjtypescan                - Scan for Windows object type objects\npatcher                    - Patches memory based on page scans\npoolpeek                   - Configurable pool scanner plugin\npooltracker                - Show a summary of pool tag usage\nprintkey                   - Print a registry key, and its subkeys and values\nprivs                      - Display process privileges\nprocdump                   - Dump a process to an executable file sample\npslist                     - Print all running processes by following the EPROCESS lists\npsscan                     - Pool scanner for process objects\npstree                     - Print process list as a tree\npsxview                    - Find hidden processes with various process listings\nqemuinfo                   - Dump Qemu information\nraw2dmp                    - Converts a physical memory sample to a windbg crash dump\nscreenshot                 - Save a pseudo-screenshot based on GDI windows\nservicediff                - List Windows services (ala Plugx)\nsessions                   - List details on _MM_SESSION_SPACE (user logon sessions)\nshellbags                  - Prints ShellBags info\nshimcache                  - Parses the Application Compatibility Shim Cache registry key\nshutdowntime               - Print ShutdownTime of machine from registry\nsockets                    - Print list of open sockets\nsockscan    
               - Pool scanner for tcp socket objects\nssdt                       - Display SSDT entries\nstrings                    - Match physical offsets to virtual addresses (may take a while, VERY verbose)\nsvcscan                    - Scan for Windows services\nsymlinkscan                - Pool scanner for symlink objects\nthrdscan                   - Pool scanner for thread objects\nthreads                    - Investigate _ETHREAD and _KTHREADs\ntimeliner                  - Creates a timeline from various artifacts in memory\ntimers                     - Print kernel timers and associated module DPCs\ntruecryptmaster            - Recover TrueCrypt 7.1a Master Keys\ntruecryptpassphrase        - TrueCrypt Cached Passphrase Finder\ntruecryptsummary           - TrueCrypt Summary\nunloadedmodules            - Print list of unloaded modules\nuserassist                 - Print userassist registry keys and information\nuserhandles                - Dump the USER handle tables\nvaddump                    - Dumps out the vad sections to a file\nvadinfo                    - Dump the VAD info\nvadtree                    - Walk the VAD tree and display in tree format\nvadwalk                    - Walk the VAD tree\nvboxinfo                   - Dump virtualbox information\nverinfo                    - Prints out the version information from PE images\nvmwareinfo                 - Dump VMware VMSS/VMSN information\nvolshell                   - Shell in the memory image\nwin10cookie                - Find the ObHeaderCookie value for Windows 10\nwindows                    - Print Desktop Windows (verbose details)\nwintree                    - Print Z-Order Desktop Windows Tree\nwndscan                    - Pool scanner for window stations\nyarascan                   - Scan process or kernel memory with Yara signatures\n\n3. 
To get more information on a Windows memory sample and to make sure Volatility\n   supports that sample type, run 'python vol.py imageinfo -f \u003cimagename\u003e' or 'python vol.py kdbgscan -f \u003cimagename\u003e'\n\n   Example:\n   \n    $ python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw \n    Volatility Foundation Volatility Framework 2.6\n    Determining profile based on KDBG search...\n    \n              Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)\n                         AS Layer1 : AMD64PagedMemory (Kernel AS)\n                         AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw)\n                          PAE type : PAE\n                               DTB : 0x187000L\n                              KDBG : 0xf800016460a0\n              Number of Processors : 1\n         Image Type (Service Pack) : 1\n                    KPCR for CPU 0 : 0xfffff80001647d00L\n                 KUSER_SHARED_DATA : 0xfffff78000000000L\n               Image date and time : 2012-03-24 19:30:53 UTC+0000\n         Image local date and time : 2012-03-25 03:30:53 +0800\n\n   If multiple profiles are suggested by imageinfo or kdbgscan, or if you're having trouble analyzing \n   Windows 7 or later memory samples, please see the guidelines here:\n\n        https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles\n\n4. Run some other plugins. -f is a required option for all plugins. Some\n   also require/accept other options. Run \"python vol.py \u003cplugin\u003e -h\" for\n   more information on a particular command.  
A Command Reference wiki\n   is also available on the GitHub site:\n\n        https://github.com/volatilityfoundation/volatility/wiki\n\n   as well as Basic Usage:\n\n        https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage\n\nLicensing and Copyright\n=======================\n\nCopyright (C) 2007-2016 Volatility Foundation\n\nAll Rights Reserved\n\nVolatility is free software; you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation; either version 2 of the License, or\n(at your option) any later version.\n\nVolatility is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with Volatility.  If not, see \u003chttp://www.gnu.org/licenses/\u003e.\n\nBugs and Support\n================\nThere is no support provided with Volatility. There is NO\nwarranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR\nPURPOSE. 
\n\nIf you think you've found a bug, please report it at:\n\n    https://github.com/volatilityfoundation/volatility/issues\n\nIn order to help us solve your issues as quickly as possible,\nplease include the following information when filing a bug:\n\n* The version of volatility you're using\n* The operating system used to run volatility\n* The version of python used to run volatility\n* The suspected operating system of the memory image\n* The complete command line you used to run volatility\n\nDepending on the operating system of the memory image, you may need to provide\nadditional information, such as:\n\nFor Windows:\n* The suspected Service Pack of the memory image\n\nFor Linux:\n* The suspected kernel version of the memory image\n\nOther options for communication can be found at:\n    https://github.com/volatilityfoundation/volatility/wiki\n\nMissing or Truncated Information\n================================\nVolatility Foundation makes no claims about the validity or correctness of the\noutput of Volatility. Many factors may contribute to the\nincorrectness of output from Volatility including, but not\nlimited to, malicious modifications to the operating system,\nincomplete information due to swapping, and information corruption on\nimage acquisition. 
\n\nCommand Reference \n====================\nThe following url contains a reference of all commands supported by \nVolatility.\n\n    https://github.com/volatilityfoundation/volatility/wiki\n\n","funding_links":[],"categories":["Tools","Uncategorized","IR Tools Collection","Memory Forensics","Endpoint","Forensics","Python","Volatility 2","\u003ca id=\"e1fc1d87056438f82268742dc2ba08f5\"\u003e\u003c/a\u003e事件响应\u0026\u0026取证\u0026\u0026内存取证\u0026\u0026数字取证","Python (144)","Challenges","Table of Contents","malware","python","Blue Team","Dynamic Analysis","ابزارهای امنیتی","Security","IR tools Collection","\u003ca id=\"4d2a33083a894d6e6ef01b360929f30a\"\u003e\u003c/a\u003eVolatility","Tool","Programming/Comp Sci/SE Things","🔧 Packages"],"sub_categories":["Other","Uncategorized","Memory Forensics","Memory Analysis Tools","Other Resources","Forensics","\u003ca id=\"4d2a33083a894d6e6ef01b360929f30a\"\u003e\u003c/a\u003eVolatility","Analysis / Gathering tool (Know your ennemies)","DFIR","کار با زمان و تقویم","Volatility","Professional Security","Memory Analysis","⚡ Analyzing"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvolatilityfoundation%2Fvolatility","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvolatilityfoundation%2Fvolatility","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvolatilityfoundation%2Fvolatility/lists"}