Getting Started with Volatility3: A Memory Forensics Framework

By Bearloggs
#forensics #security #memory-analysis #volatility #dfir

Memory forensics is a crucial aspect of digital forensics and incident response (DFIR). While disk analysis tells you what was stored on a machine, memory analysis tells you what was happening at a specific moment in time.

Volatility3 is the latest iteration of the Volatility Framework. Completely rewritten in Python 3, it offers significant performance improvements and removes the need for complex “profiles” required by previous versions.

In this post, we’ll explore how to install Volatility3, acquire memory, and perform a basic investigation.

What is Volatility3?

Volatility3 is an open-source memory forensics framework used to extract digital artifacts from volatile memory (RAM) dumps. It allows investigators to analyze the runtime state of a system, which is critical for:

  • Detecting Fileless Malware: Malware that exists only in RAM and leaves no trace on the hard drive.
  • Retrieving Encryption Keys: Recovering passwords and keys used by TrueCrypt, BitLocker, or ransomware.
  • Network Analysis: Seeing active connections that were open at the time of capture.
  • Uncovering Rootkits: Identifying processes attempting to hide from the operating system.

Step 0: Acquisition (Getting the Dump)

Before you can use Volatility, you need a memory image (often ending in .dmp, .mem, or .raw). Volatility analyzes the file; it does not capture it.

Common tools for capturing memory include:

  • Windows: FTK Imager, WinPMEM, or DumpIt.
  • Linux: AVML (Acquire Volatile Memory for Linux) or LiME.
  • macOS: OSXpmem.

> Always capture memory before pulling the plug or shutting down a compromised machine; otherwise the data in RAM is lost forever.

Installation

You can install Volatility3 via pip or directly from GitHub.

Option A: Using Pip (Easiest)

python3 -m pip install volatility3

Option B: From Source (Development Version)

For the latest plugins and features, cloning the repository is often best:

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 -m pip install -r requirements.txt

To run Volatility from the source directory, use python3 vol.py from the repository root instead of the vol command.

The “Symbols” Magic

The biggest improvement in Volatility3 is the handling of Symbols.

  • Old Way (Vol2): You had to manually determine the OS profile (e.g., Win7SP1x64).
  • New Way (Vol3): Volatility3 automatically identifies the OS and downloads the necessary symbol tables from Microsoft/Linux repositories.

Note: The first time you run a scan, it may take a moment to download the symbols. Ensure you have an internet connection or manually place symbol files in the volatility3/symbols directory.

Basic Usage & Cheatsheet

Below are the essential commands for a Windows memory dump analysis.

1. General Info & Processes

Start by getting the “lay of the land” to see what was running.

# Get image details (OS version, time of crash)
vol -f memory.dmp windows.info.Info

# List running processes (The standard task manager view)
vol -f memory.dmp windows.pslist.PsList

# Scan memory for process structures, including hidden (unlinked via DKOM) and terminated processes
vol -f memory.dmp windows.psscan.PsScan

# Visualize parent-child process relationships
vol -f memory.dmp windows.pstree.PsTree

2. Network & Connections

Identify command-and-control (C2) connections.

# View active network connections
vol -f memory.dmp windows.netscan.NetScan

3. Malware Hunting

Look for injected code and malicious artifacts.

# Find injected code / hollowed processes (Look for RWX permissions)
vol -f memory.dmp windows.malfind.Malfind

# List loaded DLLs for a specific PID
vol -f memory.dmp windows.dlllist.DllList --pid 1234

Example Investigation: The “Suspicious PowerPoint”

Let’s say we have a memory dump from a user who claimed their PC acted strangely after opening an email attachment. We suspect a malicious PowerPoint file.

Goal: Identify the malware and extract the payload.

Step 1: Identify the Process

We list processes to look for POWERPNT.EXE and anything spawned by it.

vol -f case_001.mem windows.pstree.PsTree

Observation: We see POWERPNT.EXE (PID 4420). Unexpectedly, it has a child process: powershell.exe (PID 5001). PowerPoint launching PowerShell is highly suspicious.

Step 2: Check for Network Activity

Is that PowerShell process talking to the internet?

vol -f case_001.mem windows.netscan.NetScan

Observation: We look for PID 5001. We see a connection established to an external IP (192.168.x.x) on port 4444.

Step 3: Hunt for Injected Code

Let’s see if the PowerShell process has suspicious memory regions (specifically code that looks like an executable hidden inside).

vol -f case_001.mem windows.malfind.Malfind --pid 5001

Observation: Malfind returns a hit. We see a memory region with PAGE_EXECUTE_READWRITE permissions and the bytes 4D 5A (MZ) at the start, the signature of a Windows executable.

Step 4: Extract the Malware

Now we dump the memory of that specific malicious process for further analysis (hashing, reverse engineering).

# Dump the executable payload
vol -f case_001.mem windows.pslist.PsList --pid 5001 --dump

# Or extract the specific suspicious memory pages
vol -f case_001.mem windows.malfind.Malfind --pid 5001 --dump

We can now take these dumped files and upload them to VirusTotal or open them in Ghidra.
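Before handing the dumped files to VirusTotal or Ghidra it is worth confirming what --dump actually produced and recording a hash of each artifact. The script below is an added example, not part of the original post or of Volatility3: it walks the output directory, checks each file for the MZ stub and the "PE\0\0" signature that the malfind hit pointed at (following e_lfanew at offset 0x3C rather than only looking at the first two bytes, since a dump can be truncated or missing pages), and prints a SHA-256 manifest. The same SHA-256 routine is what you would use to record the hash of the memory image itself before analysis starts. The sample blob it builds when run without arguments is a constructed header, not a real executable.

```python
import hashlib
import struct
from pathlib import Path


def pe_header_info(data):
    """Read the DOS and PE signatures of a blob dumped from process memory.

    Returns a dict rather than raising: memory dumps are often missing
    pages, so a truncated or absent header is itself a finding."""
    info = {"mz": data[:2] == b"MZ", "pe": False, "e_lfanew": None, "machine": None}
    if not info["mz"] or len(data) < 0x40:
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    info["e_lfanew"] = e_lfanew
    if e_lfanew + 6 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        info["pe"] = True
        # IMAGE_FILE_HEADER.Machine: 0x8664 = AMD64, 0x14c = i386
        info["machine"] = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return info


def triage_blob(name, data):
    """One manifest row: size, SHA-256 and what the headers say."""
    row = {"file": name, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    row.update(pe_header_info(data))
    return row


def triage_dump_dir(directory):
    """Build a manifest row for every file in the directory -o pointed at."""
    return [triage_blob(p.name, p.read_bytes())
            for p in sorted(Path(directory).iterdir()) if p.is_file()]


def build_sample_blob():
    """Constructed input for a stand-alone run: an MZ stub whose e_lfanew
    points at a PE signature with Machine = 0x8664. Not a loadable file."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)       # e_lfanew = 0x80
    return (bytes(dos).ljust(0x80, b"\0")
            + b"PE\0\0" + struct.pack("<H", 0x8664) + b"\0" * 18)


if __name__ == "__main__":
    import sys
    rows = (triage_dump_dir(sys.argv[1]) if len(sys.argv) > 1
            else [triage_blob("sample.bin", build_sample_blob())])
    for r in rows:
        flag = "PE" if r["pe"] else ("MZ-only" if r["mz"] else "no-MZ")
        print(f'{r["sha256"]}  {r["size"]:>9}  {flag:<7}  {r["file"]}')
```

Run it as `python3 triage.py ./evidence_dump` after a `--dump` run; a file flagged MZ-only with no PE signature usually means the dump stopped at an unmapped page rather than that the region was benign.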

Best Practices

  1. Work on dedicated analysis VMs: Do not install Volatility on the infected machine. Move the dump to a clean analysis station (like REMnux or a generic Ubuntu/WSL install).
  2. Verify Integrity: Before starting, hash your memory dump (MD5/SHA256) to prove the evidence hasn’t changed.
  3. Cross-Reference Plugins: PsList relies on the OS’s list of processes. PsScan scans memory bytes for process structures. Malware often hides from the list, but appears in the scan. If a PID is in PsScan but not PsList, you’ve likely found a rootkit.
  4. Use Directory Flags: When dumping files, use -o to keep your workspace clean:
    vol -f memory.dmp -o ./evidence_dump windows.malfind.Malfind --dump
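The PsList versus PsScan comparison in item 3 is easy to automate with Volatility3's JSON renderer (vol -r json). The script below is an added example and not part of the original post or of Volatility3. It assumes the default column names "PID", "PPID", "ImageFileName" and "ExitTime" in the pslist/psscan JSON records and the "__children" nesting that tree-shaped output such as pstree uses; check both against your own vol -r json run. It adds the caveat a practitioner needs: PsScan also carves EPROCESS blocks of processes that have simply exited, so a PID missing from PsList is only suspicious when it has no ExitTime. The sample records are constructed and mirror the POWERPNT/powershell case above.

```python
import json
import subprocess

# Constructed sample records in the shape of `vol -r json` output (assumed
# column names; verify against a real run).
SAMPLE_PSLIST = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None},
    {"PID": 4420, "PPID": 1180, "ImageFileName": "POWERPNT.EXE", "ExitTime": None},
    {"PID": 5001, "PPID": 4420, "ImageFileName": "powershell.exe", "ExitTime": None},
]
SAMPLE_PSSCAN = SAMPLE_PSLIST + [
    # carved from memory, absent from the active list, still running: hidden
    {"PID": 6120, "PPID": 5001, "ImageFileName": "svchost.exe", "ExitTime": None},
    # carved, absent from the list, but it simply exited (constructed timestamp)
    {"PID": 3300, "PPID": 1180, "ImageFileName": "notepad.exe",
     "ExitTime": "2024-01-01 12:00:00"},
]


def run_plugin(image, plugin):
    """Run one Volatility3 plugin with the JSON renderer and parse its output.
    Requires `vol` on PATH; the sample data above does not exercise it."""
    proc = subprocess.run(["vol", "-f", image, "-r", "json", plugin],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def flatten(rows):
    """Tree output (pstree) nests rows under "__children"; pslist and psscan
    are flat. Return every record in one flat list either way."""
    out = []
    for row in rows:
        out.append(row)
        out.extend(flatten(row.get("__children") or []))
    return out


def cross_reference(pslist_rows, psscan_rows):
    """Compare the linked-list view (pslist) with the carved view (psscan).

    A PID found only by psscan is either a process that has exited (its
    EPROCESS lingers in freed pool memory and carries an ExitTime) or a live
    process unlinked from the kernel's list, the DKOM-style hiding the cheat
    sheet describes."""
    listed = {r["PID"]: r for r in flatten(pslist_rows)}
    scanned = {r["PID"]: r for r in flatten(psscan_rows)}
    report = {"hidden": [], "terminated": [], "only_in_list": []}
    for pid, rec in scanned.items():
        if pid in listed:
            continue
        bucket = "terminated" if rec.get("ExitTime") else "hidden"
        report[bucket].append((pid, rec.get("ImageFileName")))
    for pid in sorted(listed.keys() - scanned.keys()):
        # listed but not carved: usually an overwritten pool block; flag it
        # for a manual look rather than an automatic verdict
        report["only_in_list"].append((pid, listed[pid].get("ImageFileName")))
    return report


def main(image):
    report = cross_reference(run_plugin(image, "windows.pslist.PsList"),
                             run_plugin(image, "windows.psscan.PsScan"))
    for label in ("hidden", "terminated", "only_in_list"):
        for pid, name in report[label]:
            print(f"{label:<13} pid={pid} name={name}")
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        main(sys.argv[1])
    else:
        print(cross_reference(SAMPLE_PSLIST, SAMPLE_PSSCAN))
```

Run `python3 xref.py case_001.mem` against a real image; anything in the hidden bucket deserves a follow-up with PsTree and Malfind on that PID, while the terminated bucket is ordinary churn unless the timestamps line up with the incident.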

Conclusion

Volatility3 is a powerful, flexible tool that is essential for incident response. By moving away from profiles and embracing automatic symbol table handling, it has become much easier for beginners to pick up.

Remember, memory forensics is an iterative process. Start with the process list, identify anomalies, and zoom in using plugins like netscan and malfind.

Resources