Volatility 2 | Notion

Setup

Specify Profile:
```
vol.py --profile=Win7SP1x86 -f /path/to/memory.dmp
```
- Choose the correct profile for the OS version.

OS Information

Image Info:
```
vol.py -f /path/to/file imageinfo
```
- Detects image profile and basic information.

Process Information

List Processes:
```
vol.py -f /path/to/file pslist
```
- Displays running processes.
Hidden Processes:
```
vol.py -f /path/to/file psscan
```
- Finds hidden/unlinked processes.
Process Tree:
```
vol.py -f /path/to/file pstree
```
- Shows parent-child process relationships.

Memory Dumping

Dump Process Executable:
```
vol.py -f /path/to/file procdump -p <PID> -D /path/to/dir
```
- Dumps an executable file from a specific process.

Handles

List Open Handles:
```
vol.py -f /path/to/file handles -p <PID>
```
- Displays handles (files, registry, etc.) open by a process.

DLLs

List DLLs:

vol.py -f /path/to/file dlllist -p <PID>

Shows DLLs loaded by a process.

Command Line

Process Command Line:
```
vol.py -f /path/to/file cmdline -p <PID>
```
- Displays command-line arguments used for a process.

Network Information

Connections and Ports:
```
vol.py -f /path/to/file netscan
```
- Identifies active network connections and listening ports.

Registry Analysis

Registry Hives:

vol.py -f /path/to/file hivelist  #download

Lists registry hives.