Volatility is one of the most powerful and widely used memory forensics frameworks. It allows investigators to analyze RAM dumps from Windows, Linux, macOS, and Android systems to uncover volatile evidence such as running processes, network connections, injected code, malware activity, registry hives, drivers, and artifacts that do not exist on disk. Memory forensics is essential for investigating sophisticated attacks, fileless malware, rootkits, and live system activity.
This chapter explains what Volatility is, how it works, supported plugins, common workflows, and how investigators use it to extract actionable intelligence from memory images.
What Is Volatility?
Volatility is an open-source memory forensics tool designed to analyze RAM images captured using tools such as:
- WinPmem
- DumpIt
- LiME
- FTK Imager
- Belkasoft RAM Capture
It supports multiple OSes and provides deep introspection into live memory structures. Volatility reconstructs kernel and user-space information without relying on the OS itself.
Volatility Versions
Volatility 2
- Python 2-based
- Stable and widely supported
- Plugin-based architecture
- Requires correct profile for analysis
Volatility 3
- Python 3-based
- Rewritten architecture
- No profiles needed (auto-detects symbols)
- Faster and more flexible
- New plugin framework
Most investigators use both, depending on the case.
What Volatility Can Reveal
Volatility extracts a wide range of forensic data, including:
- Running processes
- Process trees
- Injected code
- DLL lists
- Loaded kernel drivers
- Network connections
- ARP tables
- Command history
- Clipboard contents
- Memory strings
- Mutexes and handles
- Registry keys
- Malware implants
- User activity artifacts
This makes RAM forensics critical for modern intrusion investigations.
Supported Operating Systems
Volatility supports:
Windows
- XP → Windows 11
- Extracts registry, processes, handles, drivers
Linux
- Kernel-based introspection
- Extracts processes, network, memory maps
macOS
- Limited support depending on version
- Extracts processes, modules, kernel tasks
Android
- Parses Dalvik VM memory structures
- Extracts running apps, caches, metadata
Volatility requires the correct symbol tables (especially on Linux/macOS).
Common Volatility Plugins (Most Used)
Process Analysis
pslist
Lists active processes.
pstree
Shows hierarchical process tree.
psscan
Recovers terminated or hidden processes (malware often unlinks its process from the active process list, so it is missing from pslist but still found by psscan).
DLL & Module Analysis
dlllist
Lists DLLs loaded by each process.
ldrmodules
Shows hidden or unlinked modules.
malfind
Detects injected code and suspicious memory regions.
Network Analysis
netscan
Reveals connections, ports, and sockets.
connscan
Finds terminated network connections.
sockscan
Extracts socket-level details.
Registry Analysis (Windows)
hivelist
Lists registry hives in memory.
printkey
Extracts registry values.
userassist, shimcache, amcache
User activity artifacts.
File System & Artifact Recovery
filescan
Finds file handles and paths in memory.
dumpfiles
Extracts files directly from RAM.
Memory Strings
strings
Extracts readable strings (IOC hunting).
Handle & Object Analysis
handles
Reveals handles to files, processes, registry keys.
mutantscan
Identifies mutex objects (useful for malware detection).
Malware Detection Plugins
malfind
Detects code injection, shellcode, and RWX regions.
yarascan
Scans memory with YARA rules.
apihooks
Finds hooked API functions (rootkits/malware).
Volatility 3 Plugins
Volatility 3 uses updated plugin names and architecture.
Common plugins:
- windows.pslist
- windows.psscan
- windows.netscan
- windows.dlllist
- windows.malfind
- windows.filescan
- windows.vadinfo
- windows.dumpfiles
The naming is modular and OS-specific.
Typical Volatility Workflow
1. Identify Memory Image Format
Example:
volatility -f memory.raw imageinfo
Identifies:
- OS
- Kernel version
- Correct profile (Volatility 2)
2. Process Enumeration
volatility -f memory.raw --profile=Win10x64 pslist
volatility -f memory.raw pstree
Investigators look for:
- Suspicious processes
- Orphaned processes
- Name-masked malware
3. Investigate Injected or Suspicious Processes
volatility malfind
volatility dlllist -p <PID>
volatility handles -p <PID>
Checks for:
- Suspicious DLLs
- RWX memory regions
- Code injection
4. Analyze Network Connections
volatility netscan
Used to identify:
- C2 traffic
- Reverse shells
- Persistent outbound connections
5. Extract Files & Binaries
volatility dumpfiles -Q <addr> -D output/
Useful for:
- Dropped malware
- Memory-resident payloads
6. Registry & User Activity Forensics
volatility hivelist
volatility printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
Reveals:
- Persistence
- Run keys
- Malware configuration
7. Use YARA Rules to Detect Malware
volatility yarascan -y rules.yara
Matches malware signatures inside RAM.
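As an added example (not part of this chapter or of the Volatility project), the following Python script applies the step 2 triage checks, orphaned processes and name-masked processes, to a windows.pslist listing. The tab-separated sample, the expected-parent table and the function names are assumptions of this example, not Volatility output from a real case.

```python
# Expected parents for core Windows processes (standard Windows process genealogy)
EXPECTED_PARENT = {
    "smss.exe": {"System"}, "csrss.exe": {"smss.exe"}, "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"}, "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"}, "svchost.exe": {"services.exe"},
}
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}  # expect exactly one of each

# Constructed sample in the tab-separated layout of the default Volatility 3 renderer
# (assumed), trimmed to the leading columns; not output from a real case.
SAMPLE = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles
4\t0\tSystem\t0xa400\t120\t2000
344\t4\tsmss.exe\t0xa500\t2\t50
520\t344\twininit.exe\t0xa700\t1\t80
612\t520\tservices.exe\t0xa800\t5\t300
620\t520\tlsass.exe\t0xa900\t8\t900
832\t612\tsvchost.exe\t0xaa00\t12\t500
1488\t4120\tsvchost.exe\t0xab00\t3\t60
2204\t1488\tlsass.exe\t0xac00\t1\t20
"""

def parse_pslist(text):
    """Return [{pid, ppid, name}] from a tab-separated pslist listing, located by header name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    col = {name: i for i, name in enumerate(lines[0].split("\t"))}
    procs = []
    for ln in lines[1:]:
        f = ln.split("\t")
        procs.append({"pid": int(f[col["PID"]]), "ppid": int(f[col["PPID"]]),
                      "name": f[col["ImageFileName"]]})
    return procs

def triage(text):
    """Return (pid, name, reason) tuples for processes that deserve a closer look."""
    procs = parse_pslist(text)
    by_pid = {p["pid"]: p for p in procs}
    findings, seen = [], {}
    for p in procs:
        seen[p["name"]] = seen.get(p["name"], 0) + 1
        parent = by_pid.get(p["ppid"])
        if parent is None and p["ppid"] != 0:
            # Parent exited or is unlinked; compare with psscan output to tell which
            findings.append((p["pid"], p["name"], f"orphaned: PPID {p['ppid']} not listed"))
        elif parent and parent["name"] not in EXPECTED_PARENT.get(p["name"], {parent["name"]}):
            findings.append((p["pid"], p["name"], f"unexpected parent {parent['name']}"))
    for name in SINGLETONS:
        if seen.get(name, 0) > 1:
            findings.append((0, name, f"{seen[name]} copies of a singleton process"))
    return findings
```

On the sample, triage(SAMPLE) flags the svchost.exe whose parent is missing, the lsass.exe spawned by svchost.exe, and the duplicate lsass.exe; each hit is a lead to follow up with psscan, dlllist and malfind, not a verdict.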
Memory Image Acquisition Tools (Used with Volatility)
- WinPmem
- DumpIt
- Belkasoft RAM Capture
- FTK Imager
- LiME (Android/Linux)
- Magnet RAM Capture
Volatility requires a valid, complete memory dump.
Volatility in Malware Investigations
Memory forensics can uncover:
- Fileless malware
- In-memory RATs
- PowerShell payloads
- Cobalt Strike beacons
- Reflective DLL injection
- Rootkits
- Kernel manipulation
Disk-based analysis cannot detect many of these artifacts.
When to Use Volatility
Volatility is ideal for:
- Intrusion investigations
- Ransomware root cause analysis
- Fileless malware incidents
- Live attack detection
- Timeline reconstruction
- Memory-only malware analysis
- Incident response triage
Intel Dump
- Volatility is a memory forensics framework for analyzing RAM dumps from Windows, Linux, macOS, and Android.
- It identifies processes, injected code, DLLs, network connections, registry hives, handles, artifacts, and malware behavior.
- Plugins like pslist, pstree, dlllist, netscan, malfind, filescan, and yarascan enable deep introspection.
- Volatility 3 introduces a modern Python 3 architecture with OS-specific plugins and auto-detection of symbols.
- Memory forensics is essential for detecting fileless malware, C2 beacons, in-memory payloads, and attacker activity invisible in disk forensics.