Volatility and Rekall are two of the most widely used memory forensics frameworks. They allow investigators to extract processes, network connections, DLLs, registry hives, command history, malware artifacts, and kernel data directly from RAM images. These tools transform raw memory dumps into human-readable forensic intelligence.
This chapter explains the basics of Volatility and Rekall, how they work, and how investigators use them to analyze captured RAM.
What Are Volatility & Rekall?
Both tools are memory forensics frameworks used to parse and analyze RAM dumps.
- Volatility (Volatility 2 and Volatility 3, both Python-based; Volatility 3 is the current line)
- Rekall (a Google-maintained fork of Volatility 2 that added speed and automation improvements; the project has since been archived and is no longer developed)
They read a memory image (a raw dump, plus several other capture formats) and extract structured data from it by applying knowledge of the operating system's kernel data structures.
Volatility Basics
Volatility is the most widely used memory analysis tool.
Supports:
- Windows
- Linux
- macOS
- Android (in Volatility 2, treated as an ARM Linux kernel with a matching profile)
Volatility analyzes kernel structures in RAM such as processes, threads, handles, modules, and other kernel artifacts. To interpret those structures it needs the symbols for the exact kernel build in the image: Volatility 2 used hand-built "profiles" that the analyst had to select, while Volatility 3 locates Windows symbol tables automatically from the PDB information found in the image and, for Linux and macOS kernels, needs a symbol table (ISF file) generated with dwarf2json.
Installing Volatility
Volatility 3 can be installed via:
pip install volatility3
The package installs the `vol` command (and `volshell`, an interactive shell). Confirm the install and list the available plugins and options with:
vol -h
Loading a Memory Image
Basic command format:
vol -f <image> <plugin> [plugin options]
Example:
vol -f memdump.raw windows.pslist
Plugins are namespaced by operating system (windows., linux., mac.). Appending -h after the plugin name shows that plugin's own options, and -r json (placed before the plugin name, since it is a global option) renders the output as JSON for scripting:
vol -r json -f memdump.raw windows.pslist
Common Volatility Plugins (Windows)
Names below are Volatility 3 plugins (windows. prefix); Volatility 2 uses the bare name (pslist, psscan, ...).
Process Analysis
- windows.pslist → running processes (walks the kernel's linked list of active processes)
- windows.pstree → parent-child relationships of processes
- windows.psscan → scans memory for process structures; finds processes that were unlinked from the list (hidden) or have terminated but not yet been freed
Memory & Modules
- windows.dlllist → DLLs loaded by each process
- windows.handles → handles opened by each process
- windows.vadinfo → a process's virtual address descriptor (VAD) memory map
Network Analysis
- windows.netscan → network connections and listening sockets
- sockscan → sockets (Volatility 2 only; Windows XP/2003)
Malware Indicators
- windows.malfind → private executable memory regions, the usual footprint of injected code
- windows.cmdline → process command lines
- shimcache → program execution traces from the Application Compatibility cache (Volatility 2)
System Artifacts
- windows.registry.hivelist / windows.registry.printkey → locate registry hives and print keys and values
- timeliner → build a timeline from timestamps collected across plugins
Common Volatility Plugins (Linux)
- linux.pslist → running processes
- linux.pstree → process tree
- linux.bash → bash command history recovered from process memory
- linux.lsmod → loaded kernel modules
- linux.sockstat → network sockets (Volatility 2: linux_netstat)
- linux.mountinfo → mounted filesystems (recent Volatility 3 releases; Volatility 2: linux_mount)
- linux.proc.Maps → process memory mappings (Volatility 2: linux_proc_maps)
Plugin names changed between Volatility 2 (linux_pslist) and Volatility 3 (linux.pslist); vol -h lists the plugins your installed version actually has.
Common Volatility Plugins (macOS)
- mac.pslist → running processes
- mac.lsmod → loaded kernel extensions
- mac.netstat → network connections
- mac.tasks → processes enumerated from the kernel task list (a second view to compare against mac.pslist)
- mac.trustedbsd → TrustedBSD MAC policy hooks, used to spot rootkit-installed policies
Rekall Basics
Rekall is a memory forensics framework that grew from Volatility 2 and was optimized for:
- Speed
- Automation
- Better Windows parsing
- A forensic-friendly interactive shell
Rekall also supports Windows, Linux, and macOS. The project is archived and no longer maintained, so it is mostly encountered in older case notes and tooling.
Installing Rekall
pip install rekall-agent rekall
Rekall was developed for Python 2.7 and has not been updated, so expect the install to fail on a current Python; use an older, isolated environment.
Start the interactive console:
rekall
Running Commands in Rekall
Load a memory image:
rekall -f memdump.raw
Rekall identifies the kernel build and fetches the matching profile from its profile repository automatically, so no profile argument is needed. Then run plugins at the prompt:
pslist
pstree
netscan
modules
handles
Key Differences Between Volatility & Rekall
| Feature | Volatility | Rekall |
|---|---|---|
| Development | Actively maintained (Volatility 3) | Archived; no longer maintained |
| Speed | Slower | Faster |
| Ease of use | Better documentation | Interactive shell |
| Plugins | Large set | Good but fewer |
| Profiles / symbols | Volatility 2 required a manually selected profile; Volatility 3 resolves Windows symbols automatically | Auto-fetches profiles from its profile repository |
| Community | Very large | Small and dormant |
Volatility is the industry standard. Rekall's shell and speed still make it pleasant for quick triage where it runs, but new work should start on Volatility 3.
Example Workflow Using Volatility
1. List processes
vol -f mem.raw windows.pslist
2. Check for hidden or terminated processes by comparing the linked-list view with the scan view
vol -f mem.raw windows.psscan
vol -f mem.raw windows.pstree
3. Extract process command lines
vol -f mem.raw windows.cmdline
4. Check for memory injections
vol -f mem.raw windows.malfind
5. Analyze network connections
vol -f mem.raw windows.netscan
6. Extract registry keys
vol -f mem.raw windows.registry.hivelist
vol -f mem.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
This workflow can surface malware processes, attacker command lines, lateral movement, reverse shells, and persistence. Confirm each finding with a second view: a process that appears in psscan but not in pslist, with no exit time, is much stronger evidence of hiding than either plugin alone, and an unusual parent (for example svchost.exe not started by services.exe) is worth pulling the command line and DLL list for.
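The cross-view check from steps 1 and 2 above, automated as an added example (this is not code from the original page or from the Volatility project): the script runs windows.pslist and windows.psscan with Volatility 3's JSON renderer, reports processes present only in the scan view (separating terminated ones from unlinked ones), and flags processes whose parent is not the one Windows always uses. Assumptions: the `vol` command is on PATH, the JSON column names (PID, PPID, ImageFileName, ExitTime) match your Volatility 3 version, and the embedded sample rows are constructed so the script also runs offline without an image.

```python
"""Cross-view process triage on Volatility 3 JSON output (windows.pslist vs windows.psscan)."""
import json
import subprocess
import sys

# Parent relationships that are fixed on a healthy Windows system. A mismatch does not
# prove compromise, but it is exactly where injected or masquerading processes hide.
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
}

# Constructed sample rows in the shape of Volatility 3's JSON renderer (not real case data).
# PID 2344 is an svchost.exe started by explorer.exe, which never happens legitimately.
SAMPLE_PSLIST = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None},
    {"PID": 368, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": None},
    {"PID": 480, "PPID": 368, "ImageFileName": "wininit.exe", "ExitTime": None},
    {"PID": 580, "PPID": 480, "ImageFileName": "services.exe", "ExitTime": None},
    {"PID": 596, "PPID": 480, "ImageFileName": "lsass.exe", "ExitTime": None},
    {"PID": 712, "PPID": 580, "ImageFileName": "svchost.exe", "ExitTime": None},
    {"PID": 1620, "PPID": 1500, "ImageFileName": "explorer.exe", "ExitTime": None},
    {"PID": 2344, "PPID": 1620, "ImageFileName": "svchost.exe", "ExitTime": None},
]
# psscan sees everything pslist sees plus two extra objects: a rundll32.exe that is still
# running but unlinked from the process list, and a notepad.exe that simply exited.
SAMPLE_PSSCAN = SAMPLE_PSLIST + [
    {"PID": 3012, "PPID": 2344, "ImageFileName": "rundll32.exe", "ExitTime": None},
    {"PID": 2860, "PPID": 1620, "ImageFileName": "notepad.exe", "ExitTime": "2024-03-01 10:15:02"},
]


def run_plugin(image, plugin):
    """Run one Volatility 3 plugin with the JSON renderer and return its rows as a list of dicts.

    -r json is a global option, so it must precede the plugin name; -q silences progress output.
    """
    proc = subprocess.run(
        ["vol", "-q", "-r", "json", "-f", image, plugin],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def hidden_processes(pslist_rows, psscan_rows):
    """Return psscan rows whose PID is absent from pslist, tagged with the likely reason.

    pslist walks the kernel's doubly linked process list; psscan carves process structures
    out of memory. A process only the scanner finds was either unlinked from the list (the
    classic DKOM rootkit trick) or has terminated and not yet been freed. An ExitTime marks
    the benign case. PID reuse can mask a terminated entry behind a live one; this is a triage
    view, not proof.
    """
    listed = {row["PID"] for row in pslist_rows}
    hidden = []
    for row in psscan_rows:
        if row["PID"] in listed:
            continue
        tagged = dict(row)
        tagged["reason"] = "terminated" if row.get("ExitTime") else "unlinked"
        hidden.append(tagged)
    return hidden


def parent_anomalies(pslist_rows):
    """Flag processes whose parent is not the expected Windows parent.

    Returns (pid, image name, ppid, actual parent name or None when the parent is not in the list).
    """
    by_pid = {row["PID"]: row for row in pslist_rows}
    findings = []
    for row in pslist_rows:
        name = row["ImageFileName"].lower()
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            continue
        parent = by_pid.get(row["PPID"])
        actual = parent["ImageFileName"].lower() if parent else None
        if actual != expected:
            findings.append((row["PID"], name, row["PPID"], actual))
    return findings


def main(argv):
    if len(argv) > 1:  # path to a memory image: query Volatility for live data
        pslist = run_plugin(argv[1], "windows.pslist")
        psscan = run_plugin(argv[1], "windows.psscan")
    else:  # no image given: run on the constructed sample
        pslist, psscan = SAMPLE_PSLIST, SAMPLE_PSSCAN
    for row in hidden_processes(pslist, psscan):
        print(f"[psscan only] PID {row['PID']:>5} {row['ImageFileName']:<20} {row['reason']}")
    for pid, name, ppid, actual in parent_anomalies(pslist):
        print(f"[bad parent ] PID {pid:>5} {name:<20} PPID {ppid} is {actual or 'missing'}, "
              f"expected {EXPECTED_PARENT[name]}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 triage.py mem.raw` against an image, or with no argument to see the sample findings. The "unlinked" hit is the one to chase next with windows.cmdline, windows.dlllist and windows.malfind on that PID; the "terminated" hit is normal unless its timing lines up with the incident.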
Example Workflow Using Rekall
After loading the image with rekall -f memdump.raw, at the Rekall prompt:
1. Process tree
pstree
2. Analyze handles
handles
3. Extract DLLs
dlllist
4. Detect hidden code
malfind
When to Use Which?
- Volatility → Deep analysis, most plugins, top community support
- Rekall → Fast, automated, suited to large-scale or enterprise forensics where it still runs
Most investigators use Volatility 3 as their main tool.
Intel Dump
- Volatility and Rekall are the two best-known frameworks for RAM forensics across Windows, Linux, and macOS systems.
- Volatility uses plugins to extract processes, threads, DLLs, registry hives, network connections, injected code, and more from memory images.
- Rekall is a faster, automation-oriented fork with an interactive shell that fetches kernel profiles automatically; it is archived and no longer maintained.
- Volatility 3 is the industry standard due to active development, automatic Windows symbol resolution, and wide plugin support.
- Essential workflows include listing processes, detecting hidden processes by comparing pslist with psscan, scanning for injected code, analyzing network activity, and extracting registry data.
- Both tools are used to analyze malware, active intrusions, APT operations, credential theft, reverse shells, persistence, and other volatile artifacts that exist only in memory.