Volatility
Reference: the official Volatility 2.4 cheat sheet, https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf
Image identification
vol.py -f [file] imageinfo (suggests candidate --profile values; take the first unless later plugins return nothing)
vol.py -f [file] kdbgscan (locates the KDBG and confirms the profile when imageinfo lists several candidates)
Process listing
vol.py -f [file] --profile=[profile] pslist (walks the active-process linked list)
vol.py -f [file] --profile=[profile] psscan (pool-tag scan; also finds terminated and unlinked processes)
vol.py -f [file] --profile=[profile] psxview (cross-references several process views to expose hidden processes)
vol.py -f [file] --profile=[profile] pstree (parent-child hierarchy)
Process information (-p/--pid takes a comma-separated PID list; omit it to cover every process)
vol.py -f [file] --profile=[profile] -p [process_pid] cmdline
vol.py -f [file] --profile=[profile] -p [process_pid] dlllist
vol.py -f [file] --profile=[profile] -p [process_pid] privs
vol.py -f [file] --profile=[profile] -p [process_pid] handles
vol.py -f [file] --profile=[profile] -p [process_pid] getsids
vol.py -f [file] --profile=[profile] -p [process_pid] envars
PE extraction
vol.py -f [file] --profile=[profile] -p [process_pid] --dump-dir [directory] procdump
vol.py -f [file] --profile=[profile] -p [process_pid] --dump-dir [directory] dlldump
Networking (these plugins take no -p filter; they list every connection with its owning PID)
vol.py -f [file] --profile=[profile] netscan (Vista/2008 and later)
vol.py -f [file] --profile=[profile] connscan (XP/2003; pool scan, also recovers closed connections)
vol.py -f [file] --profile=[profile] sockets (XP/2003; listening sockets)
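Added example, not from the cheat sheet and not part of the Volatility project: a POSIX shell helper that runs the image-identification, process-listing and networking commands above in sequence and post-processes the output, pulling the suggested profile out of imageinfo and doing a psxview-style cross-view check between pslist and psscan. It assumes Volatility 2 is installed as vol.py on PATH; the function names (suggested_profile, hidden_pids, triage) and the embedded imageinfo/pslist/psscan samples are constructed for offline demonstration.

```shell
#!/bin/sh
# Added triage helper, not part of the cheat sheet or of Volatility itself.
# Assumes Volatility 2 is installed as `vol.py` on PATH. The sample outputs
# below are constructed (fake offsets/PIDs) so the parsing can be exercised offline.
set -eu

# First suggested profile from `imageinfo` output, i.e. from a line such as
#   Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64 (Instantiated with ...)
suggested_profile() {
  sed -n 's/.*Suggested Profile(s) : *\([^, ]*\).*/\1/p' | head -n 1
}

# Cross-view check in the spirit of psxview: PIDs that psscan (pool-tag scan of
# physical memory) found but pslist (walk of the active-process linked list) did not.
# $1 = pslist output, $2 = psscan output; column 3 is the PID in both tables and the
# first two lines are the header and the dashed rule. A hit is either a process unlinked
# by DKOM or one that has exited and whose _EPROCESS pool block has not been reused yet,
# so check psscan's "Time exited" column before calling it hidden.
hidden_pids() {
  a=$(mktemp); b=$(mktemp)
  printf '%s\n' "$1" > "$a"
  printf '%s\n' "$2" > "$b"
  awk 'NR == FNR { if (FNR > 2 && $3 ~ /^[0-9]+$/) seen[$3] = 1; next }
       FNR > 2 && $3 ~ /^[0-9]+$/ && !($3 in seen) { print $3 }' "$a" "$b" | sort -n
  rm -f "$a" "$b"
}

# Run the cheat-sheet sequence against a real image: identify the profile, then
# collect the process and network views into directory $2 for later review.
triage() {
  img="$1"; out="$2"
  mkdir -p "$out"
  vol.py -f "$img" imageinfo > "$out/imageinfo.txt"
  profile=$(suggested_profile < "$out/imageinfo.txt")
  if [ -z "$profile" ]; then
    echo "imageinfo suggested no profile; run kdbgscan and pick one by hand" >&2
    return 1
  fi
  for plugin in pslist psscan psxview pstree; do
    vol.py -f "$img" --profile="$profile" "$plugin" > "$out/$plugin.txt"
  done
  # netscan only supports Vista/2008 and later; if it produced nothing, fall back
  # to the XP/2003 plugins.
  vol.py -f "$img" --profile="$profile" netscan > "$out/netscan.txt" 2>/dev/null || true
  if [ ! -s "$out/netscan.txt" ]; then
    vol.py -f "$img" --profile="$profile" connscan > "$out/connscan.txt"
    vol.py -f "$img" --profile="$profile" sockets  > "$out/sockets.txt"
  fi
  hidden_pids "$(cat "$out/pslist.txt")" "$(cat "$out/psscan.txt")" > "$out/psscan_only_pids.txt"
}

# Constructed sample outputs (not real evidence), used for the offline demonstration.
IMAGEINFO_SAMPLE='INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64 (Instantiated with Win7SP1x64)
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)'
PSLIST_SAMPLE='Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000ca0040 System                    4      0     78      486 ------      0 2024-01-01 10:00:00 UTC+0000
0xfffffa8001a3b060 smss.exe                248      4      2       29 ------      0 2024-01-01 10:00:01 UTC+0000
0xfffffa8001f2e9e0 explorer.exe           1204   1188     21      712      1      0 2024-01-01 10:00:12 UTC+0000'
PSSCAN_SAMPLE='Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000007e4a6040 System                4      0 0x0000000000187000 2024-01-01 10:00:00 UTC+0000
0x000000007f13b060 smss.exe            248      4 0x000000001e3a9000 2024-01-01 10:00:01 UTC+0000
0x000000007f52e9e0 explorer.exe       1204   1188 0x000000003b1d4000 2024-01-01 10:00:12 UTC+0000
0x000000007f6c1b30 svchost.exe        2612   1204 0x000000004a0c2000 2024-01-01 10:05:40 UTC+0000'

# Usage: ./triage.sh memory.raw out_dir   (with no arguments, run the offline demo)
if [ $# -ge 1 ]; then
  triage "$1" "${2:-vol_out}"
else
  echo "profile: $(printf '%s\n' "$IMAGEINFO_SAMPLE" | suggested_profile)"
  echo "in psscan but not pslist: $(hidden_pids "$PSLIST_SAMPLE" "$PSSCAN_SAMPLE")"
fi
```

On the constructed samples the demo reports Win7SP1x64 as the profile and PID 2612 as present in psscan but absent from pslist. On a real image, treat a psscan-only PID as a lead, not a verdict: compare it against psxview and the "Time exited" column, then pull its cmdline, dlllist and handles with the process-information commands above.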