🔬 DFIR & forensics
Volatility 3
Industry-standard memory forensics framework.
Why use it
Memory forensics catches what disk forensics misses: running malware, decrypted secrets, live network connections, hidden or unlinked processes, and injected code that never touched disk. Volatility is the most widely used framework for reading that captured memory, and the one most IR playbooks and training material assume.
What you get
- 200+ plugins covering Windows, Linux, macOS memory
- Process listing and tree
- Network connection extraction
- Code-injection detection (windows.malfind flags private executable memory with PE headers or shellcode-like content; process-hollowing checks build on the same VAD/PEB comparisons)
- Registry hive extraction from memory
System requirements
| Requirement | Minimum |
|---|---|
| CPU | 2 cores |
| RAM | 8 GB+ (analysis is far faster when RAM exceeds the size of the image being examined) |
| Disk | 50 GB+ (each dump is the size of the target's RAM, and you will keep several per case) |
| OS | Linux, macOS, Windows |
| Docker | Yes |
Installation
pip install volatility3. Capture memory with WinPMEM (Windows), LiME (Linux kernel module) or AVML (Linux, userland, no module needed). Then run a basic plugin: vol -f mem.raw windows.pslist. Volatility 3 is symbol-table-based rather than profile-based: for Windows images it resolves the kernel's PDB GUID and downloads the matching symbols from Microsoft's symbol server automatically, so most Windows dumps work out of the box. For Linux and macOS images you must supply an ISF symbol file for the exact kernel build yourself (generated from the kernel's debug symbols with dwarf2json, or taken from a prebuilt symbol repository); if the symbols are missing, plugins fail rather than guess.
Suggested configuration
Always start with windows.info to confirm the image was parsed and the symbols resolved, then windows.pslist + windows.pstree for context (parent/child anomalies, odd paths, processes with no parent), then windows.netscan for connections, then windows.malfind for injected code. Save every plugin's output to a case folder per investigation, along with a hash of the image, so the run is reproducible and the evidence chain is documented.
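The installation and triage sequence above, as an added example script that is not part of the Volatility project: it runs the first-pass plugins in order against an image, writes one output file per plugin into a case folder, hashes the image first, and logs which plugins succeeded so a symbol-resolution failure on one plugin does not abort the rest. It assumes the `vol` entry point from `pip install volatility3` is on PATH (overridable through the VOL variable, which is this script's own convention, not a Volatility option).

```shell
#!/usr/bin/env bash
# First-pass memory triage with Volatility 3. Added example; not part of the
# Volatility project. Usage: ./triage.sh mem.raw [case_dir]
set -euo pipefail

# Assumption: "vol" is the CLI installed by `pip install volatility3`.
# VOL can be overridden (e.g. to a wrapper or a venv path); this is a convention
# of this script, not a Volatility flag.
VOL="${VOL:-vol}"

# Ordered first-pass plugins for a Windows image. For a Linux image substitute
# linux.pslist, linux.pstree, linux.sockstat, linux.malfind (ISF symbols required).
triage_plugins() {
    printf '%s\n' windows.info windows.pslist windows.pstree windows.netscan windows.malfind
}

# run_triage <image> <case_dir>
# Writes <case_dir>/<plugin>.txt (stdout) and <plugin>.err (stderr) per plugin,
# image.sha256 for evidence integrity, and run.log with one status line per plugin.
run_triage() {
    local image="$1" case_dir="$2" plugin status
    mkdir -p "$case_dir"

    # Hash the evidence before any plugin reads it so the report can show the
    # image analysed is the image that was acquired.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$image" > "$case_dir/image.sha256"
    else
        shasum -a 256 "$image" > "$case_dir/image.sha256"
    fi

    : > "$case_dir/run.log"
    triage_plugins | while IFS= read -r plugin; do
        # A failing plugin (typically unresolved symbols) must not stop the run;
        # record its exit code and keep going.
        if "$VOL" -f "$image" "$plugin" > "$case_dir/$plugin.txt" 2> "$case_dir/$plugin.err"; then
            status=ok
        else
            status="failed(exit=$?)"
        fi
        printf '%s\t%s\t%s\n' "$(date -u +%FT%TZ)" "$plugin" "$status" >> "$case_dir/run.log"
    done
}

# triage_ok_count <case_dir>: number of plugins that completed, read from run.log.
triage_ok_count() {
    awk -F'\t' '$3 == "ok" { n++ } END { print n + 0 }' "$1/run.log"
}

# Only run when invoked with an image path; sourcing the file defines the functions.
if [ "${1:-}" != "" ]; then
    run_triage "$1" "${2:-case-$(date -u +%Y%m%d-%H%M%S)}"
fi
```

Review run.log before reading any plugin output: a windows.info failure means the symbols were not resolved and every later result is suspect, whereas a single netscan failure on an otherwise clean run usually points at a pool-scanning edge case worth rerunning with a verbose flag.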
Integration ideas
- Pipe findings into TheHive case notes
- Combine with Velociraptor for live memory acquisition
- Submit suspicious processes to MalwareBazaar / VirusTotal
Alternatives
- Rekall — Google's fork of Volatility 2; the project has been archived and is no longer maintained, so it only makes sense for legacy profiles it already supports.
- MemProcFS — Mounts a memory image as a virtual file system (FUSE on Linux, Dokany on Windows) so processes, modules and files can be browsed with ordinary tools; complementary to Volatility rather than a drop-in replacement.
Cyentrix verdict
Mandatory for IR work. Capture memory before you touch the disk on a live incident — Volatility is what you'll use to read it.