Interactive memory forensics cheatsheet

Volatility 2 & 3 Ultimate Command Cheatsheet

Volatility 2 / Volatility 3 tabs, each with Windows, Linux, macOS, Common and All views. This page includes every [Vol2] and [Vol3] plugin block parsed from the uploaded final cheatsheet, with command-audit fixes for current Volatility 3 behavior.

Accuracy note: No static cheatsheet can be guaranteed correct forever. Always verify exact plugin names and options on your own installation with vol -h, vol3 -h, or vol <plugin> -h.
Command audit update (08 June 2026): Current Volatility 3 official docs were checked. Vol3 process dump commands were corrected to windows.memmap.Memmap --dump / windows.dumpfiles / windows.pedump.PEDump. linux.info was replaced/marked with banners.Banners for safer Linux identification when the plugin is not available. Some old/community-style Vol3 entries are marked as not official core plugins in current Vol3.
Vol2: 253 plugin blocks (Windows 110, Linux 63, macOS 78, Common 2)
Vol3: 202 plugin blocks (Windows 112, Linux 61, macOS 24, Common 5)

SECTION 1 — IDENTIFY PROFILE / IMAGE INFO (2 plugins)

imageinfo  [Vol2 / Common]
vol2 -f mem.raw imageinfo
  • Detect OS, suggested profiles, build info. FIRST step always.
  • CTF: always run this before anything else.

kdbgscan  [Vol2 / Common]
vol2 -f mem.raw kdbgscan
  • Scan for the KDBG structure directly. Use if imageinfo gives wrong/multiple profiles.

SECTION 2 — PROCESS ANALYSIS (9 plugins)

pslist  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 pslist
  • List running processes via EPROCESS linked list. Fast but rootkits can hide from it.

pstree  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 pstree
  • Show processes as parent-child tree. Spot orphan processes or malware spawned from Word/Excel.

psscan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 psscan
  • Scan memory for EPROCESS structures directly. Finds hidden and terminated processes.

psxview  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 psxview
  • Compare process lists from 7 sources. FALSE column = hidden from that source.
  • CTF GOLD: instantly spot rootkit-hidden processes.

linux_pslist  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pslist
  • List Linux processes from task_struct linked list.

linux_pstree  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pstree
  • Linux process parent-child tree.

linux_psscan  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_psscan
  • Scan memory for hidden Linux processes.

mac_pslist  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pslist
  • List Mac processes.

mac_pstree  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pstree
  • Mac process tree.

SECTION 3 — DLL & MODULE ANALYSIS (9 plugins)

dlllist  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 dlllist
vol2 -f mem.raw --profile=Win7SP1x64 dlllist -p <PID>
  • List DLLs loaded by each process. -p to filter by PID.

ldrmodules  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 ldrmodules -p <PID>
  • Cross-check 3 DLL load lists (InLoad, InInit, InMem). FALSE = DLL hiding via injection.

modules  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 modules
  • List loaded kernel drivers/modules via linked list.

modscan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 modscan
  • Scan memory for kernel module structures. Finds unlinked/hidden drivers.

moddump  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 moddump -D ./output/
  • Dump kernel driver to file for analysis in IDA/Ghidra.

unloadedmodules  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 unloadedmodules
  • List previously loaded but now unloaded kernel modules. Forensic trace.

drivermodule  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 drivermodule
  • Associate driver objects to kernel modules. Spot orphan drivers.

linux_lsmod  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_lsmod
  • List Linux kernel modules (like lsmod command).

mac_lsmod  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_lsmod
  • List Mac kernel extensions (kexts).

SECTION 4 — HANDLES & OPEN FILES (9 plugins)

handles  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 handles -p <PID>
vol2 -f mem.raw --profile=Win7SP1x64 handles -p <PID> -t File
  • List open handles per process. Filter by type: File, Process, Thread, Key, Event, Mutant, Section, Token. Find open files, registry keys, mutexes.

filescan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 filescan
  • Scan memory for FILE_OBJECT structures. Finds all file refs including closed ones.

mutantscan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 mutantscan
  • Scan for mutex objects. Malware uses mutexes as infection markers (only infect once).

symlinkscan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 symlinkscan
  • Scan for symbolic link objects in memory.

userhandles  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 userhandles
  • Dump USER handle tables (windows, menus, cursors).

gahti  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 gahti
  • Dump USER handle type information from kernel.

linux_find_file -L  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_find_file -L
  • List all files cached in Linux memory (VFS page cache).

linux_find_file -i <INODE> -O <output_file>  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_find_file -i 0xINODEADDR -O saved_file
  • Extract specific file from memory by inode address.

mac_lsof  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_lsof
  • List open files for Mac processes.

SECTION 5 — NETWORK CONNECTIONS (9 plugins)

connections (XP/2003 only)  [Vol2 / Windows]
vol2 -f mem.raw --profile=WinXPSP3x86 connections
  • Active TCP connections. Windows XP/2003 only.

connscan (XP/2003 only)  [Vol2 / Windows]
vol2 -f mem.raw --profile=WinXPSP3x86 connscan
  • Scan for TCP connection structures including closed ones. XP/2003 only.

sockets (XP/2003 only)  [Vol2 / Windows]
vol2 -f mem.raw --profile=WinXPSP3x86 sockets
  • List open sockets. XP/2003 only.

sockscan (XP/2003 only)  [Vol2 / Windows]
vol2 -f mem.raw --profile=WinXPSP3x86 sockscan
  • Pool scanner for socket objects. XP/2003 only.

netscan (Vista+ / Win7+)  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 netscan
  • Active + closed TCP/UDP connections for Win7+.
  • Shows PID, local/remote IP:port, state, process name.

linux_netstat  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_netstat
  • Show active Linux network connections.

linux_ifconfig  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_ifconfig
  • Show Linux network interface configuration from memory.

mac_netstat  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_netstat
  • List Mac network connections.

mac_ifconfig  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_ifconfig
  • Show Mac network interface config.

SECTION 6 — REGISTRY (WINDOWS ONLY) (9 plugins)

hivelist  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 hivelist
  • List all loaded registry hives with memory addresses.

hivescan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 hivescan
  • Scan memory pool for registry hive objects. Finds more than hivelist.

hivedump  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 hivedump -o <HIVE_OFFSET>
  • Dump entire registry hive to file for offline analysis.

printkey  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 printkey -K "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  • Print registry key + subkeys + values.
  • CTF USE: check Run keys for persistence, startup malware.

hashdump  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 hashdump
vol2 -f mem.raw --profile=Win7SP1x64 hashdump -y <SYSTEM_OFFSET> -s <SAM_OFFSET>
  • Extract NTLM password hashes from SAM/SYSTEM hive. Crack with hashcat/john.

lsadump  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 lsadump
  • Dump LSA secrets: service passwords, cached domain credentials.

userassist  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 userassist
  • Show recently executed programs from UserAssist registry key.

shimcachemem  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 shimcachemem
  • Extract shimcache from registry: program execution evidence.

amcache (Win8+)  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win8SP0x64 amcache
  • Parse AmCache hive: detailed program execution history.

SECTION 7 — MEMORY DUMP / EXTRACTION (9 plugins)

memdump  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 memdump -p <PID> -D ./output/
  • Dump full addressable memory of a process. Run strings on result to find flags.

procdump  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 procdump -p <PID> -D ./output/
  • Dump process as reconstructed .exe file. Analyze in IDA/Ghidra/CFF Explorer.

dlldump  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 dlldump -p <PID> -D ./output/
vol2 -f mem.raw --profile=Win7SP1x64 dlldump --base=0xBASEADDR -D ./output/
  • Dump specific DLL from process memory.

moddump  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 moddump -D ./output/
  • Dump kernel driver/module to file.

dumpfiles  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 dumpfiles -Q <PHYSOFFSET> -D ./output/
vol2 -f mem.raw --profile=Win7SP1x64 dumpfiles -r \.txt -D ./output/
  • Extract file from memory cache by physical offset or regex filename pattern.

dumpcerts  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 dumpcerts -D ./output/
  • Dump RSA private keys and public SSL/TLS certificates from memory.

imagecopy  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 imagecopy -O output.raw
  • Copy physical address space as raw DD image.

linux_dump_map  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_dump_map -p <PID> -D ./output/
  • Dump memory map regions of a Linux process.

linux_procdump  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_procdump -p <PID> -D ./output/
  • Dump Linux process ELF binary reconstructed from memory.

SECTION 8 — CODE INJECTION DETECTION (14 plugins)

malfind  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 malfind
vol2 -f mem.raw --profile=Win7SP1x64 malfind -p <PID> -D ./output/
  • Find injected code: RWX memory regions with MZ/PE headers or shellcode patterns.
  • CTF #1 TOOL for finding malware injections. Dump with -D for further analysis.

hollowfind  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 hollowfind
  • Detect process hollowing: legitimate process replaced with malicious executable.

cmdline  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 cmdline
  • Show command-line arguments for all processes. Find suspicious execution.

cmdscan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 cmdscan
  • Scan for COMMAND_HISTORY structures. Recover typed commands from cmd.exe.

consoles  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 consoles
  • Recover full console I/O (both input typed + output shown) from cmd.exe.
  • CTF USE: see exactly what attacker typed and what output appeared.

impscan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 impscan -p <PID>
  • Scan process for calls to imported functions. Find hidden API calls.

linux_malfind  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_malfind
  • Find suspicious RWX memory regions in Linux processes.

linux_check_syscall  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_syscall
  • Check syscall table for hooks. Rootkits replace syscall pointers.

linux_check_idt  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_idt
  • Check IDT (Interrupt Descriptor Table) for hooks.

linux_check_fop  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_fop
  • Check file operation function pointers for hooks.

mac_malfind  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_malfind
  • Find injected code in Mac process memory.

mac_check_syscall  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_syscall
  • Check Mac BSD syscall table for hooks.

mac_check_sysctl  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_sysctl
  • Check sysctl handlers for hooks.

mac_check_trap_table  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_trap_table
  • Check Mach trap table for hooks.

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS (7 plugins)

envars  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 envars
vol2 -f mem.raw --profile=Win7SP1x64 envars -p <PID>
  • Show environment variables of processes. Can contain passwords, paths, flags.

getsids  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 getsids -p <PID>
  • Show Security IDs (SIDs) for processes. Check if running as SYSTEM or admin.
  • CTF USE: find which user/group context malware is running under.

getservicesids  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 getservicesids
  • Map Windows service names to their SIDs.

privs  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 privs -p <PID>
  • Show process token privileges (SeDebugPrivilege, SeImpersonatePrivilege, etc.).
  • Detect privilege escalation: enabled dangerous privileges.

linux_psenv  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_psenv -p <PID>
  • Show environment variables of Linux processes.

linux_getcwd  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_getcwd
  • Show current working directory of each Linux process.

mac_psenv  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_psenv
  • Show environment variables of Mac processes.

SECTION 10 — KERNEL & HOOKS (11 plugins)

ssdt  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 ssdt
  • Show System Service Descriptor Table. Hooked entries = rootkit replacing syscalls.

idt  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 idt
  • Dump Interrupt Descriptor Table. Hooked IDT entries = rootkit.

driverirp  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 driverirp
  • Show IRP (I/O Request Packet) handler pointers for drivers. Hooked = rootkit.

callbacks  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 callbacks
  • List kernel notification callbacks. Malware registers callbacks for persistence/monitoring.

gdt  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 gdt
  • Display Global Descriptor Table. Advanced rootkit analysis.

threads  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 threads -F OrphanThread
  • List threads. OrphanThread filter = injected threads with no legitimate parent.

timers  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 timers
  • Print kernel timers and DPCs. Malware uses timers for scheduled execution.

gditimers  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 gditimers
  • Print GDI timers and callbacks.

linux_check_modules  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_modules
  • Find hidden kernel modules not in official module list.

mac_check_syscall  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_syscall
  • Check Mac syscall table for hooks.

mac_check_sysctl  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_sysctl
  • Check sysctl handlers.

SECTION 11 — STRING & ARTIFACT HUNTING (17 plugins)

strings (external tool + memdump)  [Vol2 / Windows]
strings ./output/PID.dmp | grep -i "flag\|CTF\|password\|http"
  • After memdump, run strings tool on output. Find flags, URLs, credentials, keys.

clipboard  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 clipboard
  • Extract Windows clipboard content. Attacker may have copied flag/password.

screenshot  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 screenshot -D ./output/
  • Capture GDI-based screenshots of all windows from memory. See what was on screen.

iehistory  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 iehistory
  • Recover Internet Explorer cache/history from memory.

notepad  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 notepad
  • Show text currently displayed in open Notepad windows. Flags sometimes left here.

editbox  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 editbox
  • Show text in Win32 Edit controls: text fields, input boxes in any application.

messagehooks  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 messagehooks
  • List desktop and thread window message hooks. Keyloggers use these.

eventhooks  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 eventhooks
  • Print Windows event hook details. Malware uses for UI monitoring.

atoms  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 atoms
  • Show Windows atom tables (global + session). Can contain strings/code refs.

atomscan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 atomscan
  • Pool scanner for atom tables. Finds more than atoms plugin.

deskscan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 deskscan
  • Pool scanner for Desktop objects.

wintree  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 wintree
  • Print Z-order desktop window tree. See layered window arrangement.

windows  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 windows
  • Print Desktop windows with verbose details.

wndscan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 wndscan
  • Pool scanner for window station objects.

linux_bash  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_bash
  • Recover bash command history from memory buffers.
  • CTF GOLD: see exactly what commands attacker typed.

linux_truecrypt_passphrase  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_truecrypt_passphrase
  • Find TrueCrypt/VeraCrypt passphrase cached in memory.

mac_bash  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_bash
  • Recover bash command history from Mac memory.

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD) (4 plugins)

vadinfo  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 vadinfo -p <PID>
  • Show VAD tree entries: memory regions, permissions (RWX), mapped files.

vadtree  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 vadtree -p <PID>
  • Show VAD tree in visual tree format.

vadwalk  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 vadwalk -p <PID>
  • Walk VAD tree and show each node.

vaddump  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 vaddump -p <PID> -D ./output/
  • Dump all VAD memory regions of a process to files.

SECTION 13 — SERVICES, MFT, POOLS & MISC (19 plugins)

svcscan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 svcscan
  • List Windows services. Find malicious services installed for persistence.

mftparser  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 mftparser
  • Parse NTFS $MFT (Master File Table). Find deleted files, creation timestamps.

bigpools  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 bigpools
  • Dump big page pool allocations. Find large kernel memory structures.

poolpeek  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 poolpeek
  • Configurable pool scanner for custom object hunting.

multiscan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 multiscan
  • Scan for multiple object types simultaneously. Faster than running separately.

objtypescan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 objtypescan
  • Scan for Windows object type objects in pool memory.

verinfo  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 verinfo
  • Print version info from PE images. Detect tampered/fake binary versions.

mbrscan / mbrparser  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 mbrparser
  • Scan for Master Boot Records. Detect bootkit infections.

bioskbd  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 bioskbd
  • Read keyboard buffer from BIOS Real Mode memory. Sometimes contains typed passwords.

qemuinfo  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 qemuinfo
  • Dump QEMU hypervisor information.

vboxinfo  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 vboxinfo
  • Dump VirtualBox hypervisor information.

vmwareinfo  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 vmwareinfo
  • Dump VMware VMSS/VMSN hypervisor information.

volshell  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 volshell
  • Interactive Python shell with memory access. Advanced custom analysis.

linux_enumerate_files  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_enumerate_files
  • Enumerate all files from Linux VFS (virtual filesystem) cache.

linux_mount  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_mount
  • Show mounted filesystems from memory.

linux_dmesg  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_dmesg
  • Recover kernel ring buffer log from memory.

mac_dmesg  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dmesg
  • Print Mac kernel log buffer.

mac_mount  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_mount
  • Show Mac mounted filesystems.

mac_netstat  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_netstat
  • List Mac network connections.

SECTION 16 — RARE / SPECIALIZED COMMANDS (44 plugins)

patcher  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 patcher
  • Patch memory based on page scans. Advanced memory modification tool.

raw2dmp  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 raw2dmp -O output.dmp
  • Convert raw memory image to WinDbg crash dump format for debugger analysis.

hibinfo  [Vol2 / Windows]
vol2 -f hiberfil.sys --profile=Win7SP1x64 hibinfo
  • Parse Windows hibernation file (hiberfil.sys). Show hibernation metadata.

hpakinfo  [Vol2 / Windows]
vol2 -f mem.hpak hpakinfo
  • Show info about HPAK format memory file (FTK Imager format).

hpakextract  [Vol2 / Windows]
vol2 -f mem.hpak hpakextract -O output.raw
  • Extract physical memory from HPAK file to raw format.

machoinfo  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 machoinfo
  • Dump Mach-O file format information from memory.

joblinks  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 joblinks
  • Print process job link information (Vol2 version).

kpcrscan  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 kpcrscan
  • Search for and dump potential KPCR values. Use if kdbgscan fails.

raw2dmp  [Vol2 / Windows]
vol2 -f mem.raw --profile=Win7SP1x64 raw2dmp -O memory.dmp
  • Convert raw image to WinDbg crash dump (.dmp) format.

linux_volshell  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_volshell
  • Interactive Python shell with Linux memory access. Advanced custom analysis.

linux_apihooks  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_apihooks
  • Detect userland API hooks in Linux processes (LD_PRELOAD style hooks).

linux_keyboard_notifiers  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_keyboard_notifiers
  • Parse keyboard notifier call chain. Detect kernel keyloggers.

linux_check_creds  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_creds
  • Check if processes share credential structures (rootkit privilege escalation).

linux_check_afinfo  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_afinfo
  • Verify network protocol operation function pointers for hooks.

linux_check_tty  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_tty
  • Check TTY devices for hooks. Rootkit keylogger detection.

linux_library_list  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_library_list
  • List shared libraries loaded per process.

linux_proc_maps  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_proc_maps -p <PID>
  • Show memory maps of Linux process (like /proc/PID/maps).

linux_memmap  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_memmap -p <PID>
  • Print memory map of a Linux process.

linux_plthook  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_plthook
  • Scan PLT (Procedure Linkage Table) for hooks in Linux processes.

linux_threads  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_threads
  • List threads of Linux processes.

linux_tmpfs  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_tmpfs
  • Recover files from tmpfs (memory-based filesystem). Find in-memory files.

linux_recover_filesystem  [Vol2 / Linux]
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_recover_filesystem -D ./output/
  • Recover cached Linux filesystem to disk.

mac_volshell  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_volshell
  • Interactive Python shell for Mac memory analysis.

mac_dump_maps  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dump_maps -p <PID> -D ./output/
  • Dump memory maps of Mac process.

mac_procdump  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_procdump -p <PID> -D ./output/
  • Dump Mac process binary from memory.

mac_memdump  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_memdump -p <PID> -D ./output/
  • Dump full memory of Mac process.

mac_find_files  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_find_files
  • Find files in Mac VFS cache.

mac_recover_filesystem  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_recover_filesystem -D ./output/
  • Recover Mac cached filesystem.

mac_dead_procs  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dead_procs
  • List terminated Mac processes still in memory.

mac_pid_hashmap  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pid_hashmap
  • List Mac processes via PID hash map (finds hidden procs).

mac_tasks  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_tasks
  • List Mac Mach tasks (low-level process representation).

mac_threads  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_threads
  • List Mac threads.

mac_handles  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_handles
  • List open handles for Mac processes.

mac_apihooks  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_apihooks
  • Find userland API hooks in Mac processes.

mac_apihooks_kernel  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_apihooks_kernel
  • Find kernel-level API hooks on Mac.

mac_ip_filters  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_ip_filters
  • List IP filters registered in Mac kernel (network interception).

mac_notifiers  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_notifiers
  • Print Mac IOKit notification handlers.

mac_pgrp_hash_table  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pgrp_hash_table
  • List Mac processes via process group hash table.

mac_route  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_route
  • Print Mac routing table from memory.

mac_arp  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_arp
  • Print Mac ARP table from memory.

mac_socket_filters  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_socket_filters
  • List Mac kernel socket filters.

mac_strings  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_strings -p <PID>
  • Find strings in Mac process memory.

mac_list_sessions  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_sessions
  • List Mac login sessions.

mac_list_zones  [Vol2 / macOS]
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_zones
  • List Mac kernel memory zones (allocator zones).

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET) 81 plugins

bigpools

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 bigpools
  • Dump big page pool allocations using BigPagePoolScanner (the Vol2 plugin name is bigpools, not bigpagepools).

evtlogs

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=WinXPSP3x86 evtlogs -D ./output/
  • Extract Windows Event Logs (.evt format). XP/2003 only.

heaps

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 heaps -p <PID>
  • Show process heap information. Find heap spray attacks.

patchguard

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 patchguard
  • Analyze PatchGuard structures. Detect kernel tampering on x64 Windows.

pooltracker

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 pooltracker
  • Show pool tag usage statistics. Advanced kernel memory analysis.

taskmods

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 taskmods
  • Display process command-line arguments (alternative to cmdline).

tcaudit

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 tcaudit
  • Audit TrueCrypt driver presence in memory.

malware/cmdhistory

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 cmdhistory
  • Recover command history from console host processes.

malware/servicediff

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 servicediff
  • Compare services from list-walking vs scanning to find hidden rootkit services.

registry/auditpol

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 auditpol
  • Print audit policy from registry. See what events were being logged.

registry/dumpregistry

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 dumpregistry -D ./output/
  • Dump all registry hives to disk as raw files.

registry/registryapi

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 registryapi
  • Internal registry API plugin (used by other registry plugins).

registry/shellbags

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 shellbags
  • Extract ShellBags from registry. Shows folders user browsed via Explorer.
  • CTF USE: find accessed directories/paths even if deleted.

registry/shutdowntime

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 shutdowntime
  • Get last shutdown time from the registry (the Vol2 plugin is shutdowntime, not shutdown).

linux_aslr_shift

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_aslr_shift
  • Find the ASLR shift applied to the kernel. Needed for some profile builds.

linux_bash_hash

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_bash_hash
  • Recover bash hash table (cached command locations) from memory.

linux_check_evt_arm

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxARM linux_check_evt_arm
  • Check ARM event table for hooks. ARM architecture specific.

linux_check_fop

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_fop
  • Check file operation (file_operations) function pointers for hooks (rootkit detection). The Vol2 plugin name is singular: linux_check_fop.

linux_check_inline_kernel

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_inline_kernel
  • Check for inline kernel function hooks (direct code patching rootkits).

linux_cpuinfo

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_cpuinfo
  • Print CPU info from Linux memory (like /proc/cpuinfo).

linux_dentry_cache

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_dentry_cache
  • Enumerate Linux dentry cache (directory entry cache). Find cached file paths.

linux_kernel_opened_files

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_kernel_opened_files
  • List files opened by the kernel itself.

linux_ld_env

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_ld_env
  • Show LD_PRELOAD and LD_LIBRARY_PATH env vars. Detect userland rootkit injection.
  • CTF USE: LD_PRELOAD hook is common Linux malware technique.

linux_libc_env

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_libc_env
  • Show libc environment variables for processes.

linux_librarydump

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_librarydump -p <PID> -D ./output/
  • Dump shared libraries (.so files) loaded by a process.

linux_strings

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_strings -s strings.txt
  • Map physical string offsets to process/kernel virtual addresses. Input is a strings file with decimal offsets (output of strings -td on the image); the plugin is linux_strings, not linux_linux_strings.

linux_yarascan

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_yarascan --yara-file rules.yar
  • Scan Linux process memory with YARA rules. Use --yara-file (-y) for a rules file; --yara-rules (-Y) expects the rule text itself as a string. The plugin is linux_yarascan, not linux_linux_yarascan.

linux_list_raw

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_list_raw
  • List processes with raw socket access. Packet sniffers/network tools.

linux_mount_cache

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_mount_cache
  • List mounts from kernel mount cache.

linux_pkt_queues

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pkt_queues
  • Show packet queues for network sockets. Network forensics.

linux_proc_maps_rb

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_proc_maps_rb -p <PID>
  • Show process memory maps via red-black tree (alternate method).

linux_process_hollow

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_process_hollow
  • Detect process hollowing on Linux (process with replaced executable).

linux_process_info

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_process_info -p <PID>
  • Show detailed info about a Linux process.

linux_process_stack

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_process_stack -p <PID>
  • Show stack contents of a Linux process.

linux_pslist_cache

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pslist_cache
  • List Linux processes from kernel slab cache (alternative method).

linux_route_cache

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_route_cache
  • Show Linux routing cache from memory.

linux_sk_buff_cache

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_sk_buff_cache
  • Show socket buffer cache. Network packet analysis.

linux_slabinfo

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_slabinfo
  • Show Linux kernel slab allocator info, like /proc/slabinfo (memory allocator statistics). The Vol2 plugin name has no underscore: linux_slabinfo.

linux_vma_cache

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_vma_cache
  • Show VMA (Virtual Memory Area) cache entries.

linux_info_regs

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_info_regs -p <PID>
  • Show CPU register values for Linux process. Advanced crash analysis.

linux_flags

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_flags
  • Show Linux kernel flags and compile options.

mac_adiummsgs

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_adiummsgs
  • Extract Adium (Mac chat app) messages from memory.

mac_bash_env

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_bash_env
  • Show bash environment variables for Mac processes.

mac_bash_hash

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_bash_hash
  • Recover bash hash table from Mac memory.

mac_calendar

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_calendar
  • Extract Mac Calendar app data from memory.

mac_check_mig_table

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_mig_table
  • Check Mach Interface Generator table for hooks.

mac_check_syscall_shadow

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_syscall_shadow
  • Check for shadow syscall table (rootkit technique).

mac_check_syscall_table

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_syscall_table
  • Check BSD syscall table for hooks/modifications.

mac_classes

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_classes
  • List Objective-C classes loaded in Mac processes.

mac_compressed_swap

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_compressed_swap
  • Analyze Mac compressed swap (memory compression) data.

mac_contacts

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_contacts
  • Extract Mac Contacts app data from memory.

mac_dead_sockets

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dead_sockets
  • List closed/dead network sockets still in memory.

mac_dead_vnodes

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dead_vnodes
  • List dead vnode objects (closed file references) in Mac memory.

mac_devfs

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_devfs
  • List Mac devfs (device filesystem) entries.

mac_dyld_maps

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dyld_maps
  • Show dyld (dynamic linker) memory maps for Mac processes.

mac_dump_files

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dump_files -D ./output/
  • Dump cached files from Mac memory.

mac_find_aslr_shift

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_find_aslr_shift
  • Find KASLR (kernel ASLR) shift value for Mac.

mac_get_profile

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw mac_get_profile
  • Auto-detect Mac profile from memory dump.

mac_gkextmap

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_gkextmap
  • Show Mac kernel extension (kext) map.

mac_interest_handlers

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_interest_handlers
  • List IOKit interest handlers. Malware registers these for device notifications.

mac_keychaindump

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_keychaindump
  • Dump Mac keychain master key from memory.
  • CTF USE: may contain credentials/passwords.

mac_ldrmodules

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_ldrmodules
  • Cross-check Mac process library load lists. Find hidden/injected libraries.

mac_librarydump

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_librarydump -p <PID> -D ./output/
  • Dump Mac process dylib (dynamic library) from memory.

mac_list_kauth_listeners

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_kauth_listeners
  • List kauth authorization listeners.

mac_list_kauth_scopes

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_kauth_scopes
  • List kauth authorization scopes.

mac_list_raw

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_raw
  • List Mac processes with raw socket access.

mac_list_zones

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_zones
  • List Mac kernel memory zones (allocator zones).

mac_lsmod_iokit

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_lsmod_iokit
  • List Mac IOKit kexts (driver framework extensions).

mac_yarascan

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_yarascan --yara-file rules.yar
  • Scan Mac process memory with YARA rules. Use --yara-file (-y) for a rules file; --yara-rules (-Y) takes rule text as a string. The plugin is mac_yarascan, not mac_mac_yarascan.

mac_machine_info

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_machine_info
  • Show Mac hardware/machine information from memory.

mac_netconns

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_netconns
  • List active network connections on Mac (alternative to mac_netstat).

mac_notesapp

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_notesapp
  • Extract Mac Notes app content from memory.
  • CTF USE: notes sometimes contain flags or sensitive data.

mac_notifiers

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_notifiers
  • Print Mac IOKit notification handlers.

mac_orphan_threads

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_orphan_threads
  • Find orphan threads with no parent process. Injected thread detection.

mac_pgrp_hash_table

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pgrp_hash_table
  • List Mac processes via process group hash table.

mac_pid_hash_table

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pid_hash_table
  • List Mac processes via PID hash table. Finds hidden processes.

mac_print_boot_cmdline

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_print_boot_cmdline
  • Print Mac kernel boot command line arguments.

mac_pstasks

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pstasks
  • List Mac processes via Mach task structures (low-level).

mac_session_hash_table

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_session_hash_table
  • List Mac processes via session hash table.

mac_threads_simple

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_threads_simple
  • List Mac threads with simplified output format.

linux_lime

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_lime
  • Show LiME (Linux Memory Extractor) acquisition info embedded in dump.

SECTION 2 — PROCESS ANALYSIS 4 plugins

pslist

SECTION 2 — PROCESS ANALYSIS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 pslist
  • List running processes via EPROCESS linked list. Fast but rootkits can hide from it.

pstree

SECTION 2 — PROCESS ANALYSIS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 pstree
  • Show processes as parent-child tree. Spot orphan processes or malware spawned from Word/Excel.

psscan

SECTION 2 — PROCESS ANALYSIS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 psscan
  • Scan memory for EPROCESS structures directly. Finds hidden and terminated processes.

psxview

SECTION 2 — PROCESS ANALYSIS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 psxview
  • Compare process lists from 7 sources. FALSE column = hidden from that source.
  • CTF GOLD: instantly spot rootkit-hidden processes.
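The psxview table is only useful once you know which FALSE cells matter: a terminated process (ExitTime set) is legitimately absent from the live lists, and System/smss.exe/csrss.exe have no csrss/session/desktop entries by design, whereas a process that pslist cannot see while thread, PspCid and csrss views still do is the DKOM signature. The following triage script is an added example, not part of the cheatsheet or of Volatility; the sample table is constructed, not taken from a real image.

```python
from dataclasses import dataclass

# The seven cross-view sources psxview reports, in column order.
SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

# Constructed sample of Vol2 psxview output (not taken from a real image).
SAMPLE_PSXVIEW = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000003e0bf030 svchost.exe             644 True   True   True     True   True  True    True
0x000000003d4a8b30 evil.exe               1337 False  True   True     True   True  True    True
0x000000003e1a1d40 cmd.exe                2020 False  True   False    False  False False   False    2021-05-01 12:00:00 UTC+0000
0x000000003e2c0100 System                    4 True   True   True     True   False False   False
0x000000003e2d0200 smss.exe                248 True   True   True     True   False False   False
"""


@dataclass
class PsxRow:
    offset: int
    name: str
    pid: int
    seen: dict
    exit_time: str = ""


def parse_psxview(text):
    """Parse psxview's text table into rows; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # A data row starts with a hex offset and carries name, pid and seven booleans.
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue
        seen = {src: flag == "True" for src, flag in zip(SOURCES, parts[3:10])}
        rows.append(PsxRow(int(parts[0], 16), parts[1], int(parts[2]), seen, " ".join(parts[10:])))
    return rows


def classify(row):
    """Map one psxview row to a triage verdict.

    - ExitTime set: a leftover EPROCESS of a terminated process; psscan finds it,
      the live lists legitimately do not.
    - pslist True: still linked into the active list, so other False cells are the
      usual benign gaps (System, smss.exe, csrss.exe have no csrss/session/desktop entries).
    - pslist False, no ExitTime, but independent sources still see it: unlinked from
      the active process list, i.e. the DKOM hiding signature.
    """
    if row.exit_time:
        return "terminated"
    if row.seen["pslist"]:
        return "normal"
    if row.seen["psscan"] and any(row.seen[s] for s in ("thrdproc", "pspcid", "csrss")):
        return "hidden"
    return "review"


def triage(text):
    """Return (name, pid, verdict) for every process, hidden ones first."""
    verdicts = [(r.name, r.pid, classify(r)) for r in parse_psxview(text)]
    order = {"hidden": 0, "review": 1, "terminated": 2, "normal": 3}
    return sorted(verdicts, key=lambda v: order[v[2]])


if __name__ == "__main__":
    for name, pid, verdict in triage(SAMPLE_PSXVIEW):
        print(f"{verdict:<10} {pid:>6} {name}")
```

Feed it `vol2 ... psxview > psxview.txt` and call `triage(open("psxview.txt").read())`; anything classed "hidden" or "review" is what to pivot on with psscan, malfind and dlllist.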

SECTION 3 — DLL & MODULE ANALYSIS 7 plugins

dlllist

SECTION 3 — DLL & MODULE ANALYSIS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 dlllist
vol2 -f mem.raw --profile=Win7SP1x64 dlllist -p <PID>
  • List DLLs loaded by each process. -p to filter by PID.

ldrmodules

SECTION 3 — DLL & MODULE ANALYSIS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 ldrmodules -p <PID>
  • Cross-check 3 DLL load lists (InLoad, InInit, InMem). FALSE = DLL hiding via injection.

modules

SECTION 3 — DLL & MODULE ANALYSIS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 modules
  • List loaded kernel drivers/modules via linked list.

modscan

SECTION 3 — DLL & MODULE ANALYSIS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 modscan
  • Scan memory for kernel module structures. Finds unlinked/hidden drivers.

moddump

SECTION 3 — DLL & MODULE ANALYSIS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 moddump -D ./output/
  • Dump kernel driver to file for analysis in IDA/Ghidra.

unloadedmodules

SECTION 3 — DLL & MODULE ANALYSIS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 unloadedmodules
  • List previously loaded but now unloaded kernel modules. Forensic trace.

drivermodule

SECTION 3 — DLL & MODULE ANALYSIS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 drivermodule
  • Associate driver objects to kernel modules. Spot orphan drivers.

SECTION 4 — HANDLES & OPEN FILES 6 plugins

handles

SECTION 4 — HANDLES & OPEN FILES

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 handles -p <PID>
vol2 -f mem.raw --profile=Win7SP1x64 handles -p <PID> -t File
  • List open handles per process. Filter by type: File, Process, Thread, Key, Event, Mutant, Section, Token. Find open files, registry keys, mutexes.

filescan

SECTION 4 — HANDLES & OPEN FILES

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 filescan
  • Scan memory for FILE_OBJECT structures. Finds all file refs including closed ones.

mutantscan

SECTION 4 — HANDLES & OPEN FILES

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 mutantscan
  • Scan for mutex objects. Malware uses mutexes as infection markers (only infect once).

symlinkscan

SECTION 4 — HANDLES & OPEN FILES

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 symlinkscan
  • Scan for symbolic link objects in memory.

userhandles

SECTION 4 — HANDLES & OPEN FILES

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 userhandles
  • Dump USER handle tables (windows, menus, cursors).

gahti

SECTION 4 — HANDLES & OPEN FILES

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 gahti
  • Dump USER handle type information from kernel.

SECTION 5 — NETWORK CONNECTIONS 5 plugins

connections (XP/2003 only)

SECTION 5 — NETWORK CONNECTIONS

Vol2Windows
vol2 -f mem.raw --profile=WinXPSP3x86 connections
  • Active TCP connections. Windows XP/2003 only.

connscan (XP/2003 only)

SECTION 5 — NETWORK CONNECTIONS

Vol2Windows
vol2 -f mem.raw --profile=WinXPSP3x86 connscan
  • Scan for TCP connection structures including closed ones. XP/2003 only.

sockets (XP/2003 only)

SECTION 5 — NETWORK CONNECTIONS

Vol2Windows
vol2 -f mem.raw --profile=WinXPSP3x86 sockets
  • List open sockets. XP/2003 only.

sockscan (XP/2003 only)

SECTION 5 — NETWORK CONNECTIONS

Vol2Windows
vol2 -f mem.raw --profile=WinXPSP3x86 sockscan
  • Pool scanner for socket objects. XP/2003 only.

netscan (Vista+ / Win7+)

SECTION 5 — NETWORK CONNECTIONS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 netscan
  • Active + closed TCP/UDP connections for Win7+.
  • Shows PID, local/remote IP:port, state, process name.

SECTION 6 — REGISTRY (WINDOWS ONLY) 9 plugins

hivelist

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 hivelist
  • List all loaded registry hives with memory addresses.

hivescan

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 hivescan
  • Scan memory pool for registry hive objects. Finds more than hivelist.

hivedump

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 hivedump -o <HIVE_OFFSET>
  • Dump entire registry hive to file for offline analysis.

printkey

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 printkey -K "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  • Print registry key + subkeys + values.
  • CTF USE: check Run keys for persistence, startup malware.

hashdump

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 hashdump
vol2 -f mem.raw --profile=Win7SP1x64 hashdump -y <SYSTEM_OFFSET> -s <SAM_OFFSET>
  • Extract NTLM password hashes from SAM/SYSTEM hive. Crack with hashcat/john.

lsadump

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 lsadump
  • Dump LSA secrets: service passwords, cached domain credentials.

userassist

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 userassist
  • Show recently executed programs from UserAssist registry key.

shimcachemem

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 shimcachemem
  • Extract shimcache from registry: program execution evidence.

amcache (Win8+)

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol2Windows
vol2 -f mem.raw --profile=Win8SP0x64 amcache
  • Parse AmCache hive: detailed program execution history.

SECTION 7 — MEMORY DUMP / EXTRACTION 7 plugins

memdump

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 memdump -p <PID> -D ./output/
  • Dump full addressable memory of a process. Run strings on result to find flags.

procdump

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 procdump -p <PID> -D ./output/
  • Dump process as reconstructed .exe file. Analyze in IDA/Ghidra/CFF Explorer.

dlldump

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 dlldump -p <PID> -D ./output/
vol2 -f mem.raw --profile=Win7SP1x64 dlldump --base=0xBASEADDR -D ./output/
  • Dump specific DLL from process memory.

moddump

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 moddump -D ./output/
  • Dump kernel driver/module to file.

dumpfiles

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 dumpfiles -Q <PHYSOFFSET> -D ./output/
vol2 -f mem.raw --profile=Win7SP1x64 dumpfiles -r \.txt -D ./output/
  • Extract file from memory cache by physical offset or regex filename pattern.

dumpcerts

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 dumpcerts -D ./output/
  • Dump RSA private and public SSL/TLS certificates from memory.

imagecopy

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 imagecopy -O output.raw
  • Copy physical address space as raw DD image.

SECTION 8 — CODE INJECTION DETECTION 6 plugins

malfind

SECTION 8 — CODE INJECTION DETECTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 malfind
vol2 -f mem.raw --profile=Win7SP1x64 malfind -p <PID> -D ./output/
  • Find injected code: RWX memory regions with MZ/PE headers or shellcode patterns.
  • CTF #1 TOOL for finding malware injections. Dump with -D for further analysis.

hollowfind

SECTION 8 — CODE INJECTION DETECTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 hollowfind
  • Detect process hollowing: legitimate process replaced with malicious executable.

cmdline

SECTION 8 — CODE INJECTION DETECTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 cmdline
  • Show command-line arguments for all processes. Find suspicious execution.

cmdscan

SECTION 8 — CODE INJECTION DETECTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 cmdscan
  • Scan for COMMAND_HISTORY structures. Recover typed commands from cmd.exe.

consoles

SECTION 8 — CODE INJECTION DETECTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 consoles
  • Recover full console I/O (both input typed + output shown) from cmd.exe.
  • CTF USE: see exactly what attacker typed and what output appeared.

impscan

SECTION 8 — CODE INJECTION DETECTION

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 impscan -p <PID>
  • Scan process for calls to imported functions. Find hidden API calls.

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS 4 plugins

envars

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 envars
vol2 -f mem.raw --profile=Win7SP1x64 envars -p <PID>
  • Show environment variables of processes. Can contain passwords, paths, flags.

getsids

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 getsids -p <PID>
  • Show Security IDs (SIDs) for processes. Check if running as SYSTEM or admin.
  • CTF USE: find which user/group context malware is running under.

getservicesids

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 getservicesids
  • Map Windows service names to their SIDs.

privs

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 privs -p <PID>
  • Show process token privileges (SeDebugPrivilege, SeImpersonatePrivilege etc).
  • Detect privilege escalation: enabled dangerous privileges.
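Reading privs output by eye is error-prone because almost every token carries many privileges in the Present state. The signal is in the Attributes column: a sensitive privilege that is Present,Enabled without Default was switched on at runtime by the process itself, which is what a tool calling AdjustTokenPrivileges to grab SeDebugPrivilege looks like. The filter below is an added example, not part of the cheatsheet or of Volatility; the sample table is constructed, and the watchlist is an assumption you should tune to your environment.

```python
# Privileges whose runtime enabling is worth a second look (assumed watchlist, tune as needed).
WATCHLIST = {
    "SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
    "SeImpersonatePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeAssignPrimaryTokenPrivilege",
}

# Constructed sample of Vol2 privs output (not taken from a real image).
SAMPLE_PRIVS = """\
Pid      Process          Value  Privilege                           Attributes                     Description
-------- ---------------- ------ ----------------------------------- ------------------------------ -----------
     368 csrss.exe            20 SeDebugPrivilege                    Present,Enabled,Default        Debug programs
    1337 evil.exe             20 SeDebugPrivilege                    Present,Enabled                Debug programs
    1337 evil.exe             17 SeLoadDriverPrivilege               Present                        Load and unload device drivers
    2044 explorer.exe         23 SeChangeNotifyPrivilege             Present,Enabled,Default        Bypass traverse checking
    2044 explorer.exe         19 SeShutdownPrivilege                 Present                        Shut down the system
"""


def parse_privs(text):
    """Yield (pid, process, privilege, attributes-set) for each data row of privs output."""
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a numeric PID; the description after Attributes may contain spaces.
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        pid, process, _value, privilege, attrs = parts[:5]
        yield int(pid), process, privilege, set(attrs.split(","))


def runtime_enabled(text):
    """Return [(pid, process, privilege)] for watchlisted privileges enabled at runtime.

    'Enabled' without 'Default' means the token did not start with the privilege
    enabled; the process (or something acting on its token) turned it on later.
    """
    hits = []
    for pid, process, privilege, attrs in parse_privs(text):
        if privilege in WATCHLIST and "Enabled" in attrs and "Default" not in attrs:
            hits.append((pid, process, privilege))
    return hits


def present_sensitive(text):
    """Return [(pid, process, privilege)] for watchlisted privileges a token merely holds.

    Lower priority than runtime_enabled(): a held-but-disabled privilege is a
    capability, not evidence it was used.
    """
    return [(pid, proc, priv) for pid, proc, priv, attrs in parse_privs(text)
            if priv in WATCHLIST and "Enabled" not in attrs]


if __name__ == "__main__":
    for pid, proc, priv in runtime_enabled(SAMPLE_PRIVS):
        print(f"ENABLED AT RUNTIME  {pid:>6} {proc:<16} {priv}")
    for pid, proc, priv in present_sensitive(SAMPLE_PRIVS):
        print(f"held, disabled      {pid:>6} {proc:<16} {priv}")
```

Run `vol2 ... privs > privs.txt` and pass the file contents to `runtime_enabled()`; pair each hit with getsids on the same PID to see which account the escalation happened under.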

SECTION 10 — KERNEL & HOOKS 8 plugins

ssdt

SECTION 10 — KERNEL & HOOKS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 ssdt
  • Show System Service Descriptor Table. Hooked entries = rootkit replacing syscalls.

idt

SECTION 10 — KERNEL & HOOKS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 idt
  • Dump Interrupt Descriptor Table. Hooked IDT entries = rootkit.

driverirp

SECTION 10 — KERNEL & HOOKS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 driverirp
  • Show IRP (I/O Request Packet) handler pointers for drivers. Hooked = rootkit.

callbacks

SECTION 10 — KERNEL & HOOKS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 callbacks
  • List kernel notification callbacks. Malware registers callbacks for persistence/monitoring.

gdt

SECTION 10 — KERNEL & HOOKS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 gdt
  • Display Global Descriptor Table. Advanced rootkit analysis.

threads

SECTION 10 — KERNEL & HOOKS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 threads -F OrphanThread
  • List threads. OrphanThread filter = injected threads with no legitimate parent.

timers

SECTION 10 — KERNEL & HOOKS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 timers
  • Print kernel timers and DPCs. Malware uses timers for scheduled execution.

gditimers

SECTION 10 — KERNEL & HOOKS

Vol2Windows
vol2 -f mem.raw --profile=Win7SP1x64 gditimers
  • Print GDI timers and callbacks.

SECTION 11 — STRING & ARTIFACT HUNTING 14 plugins

strings (external tool + memdump)
Vol2 · Windows
strings ./output/PID.dmp | grep -i "flag\|CTF\|password\|http"
  • After memdump, run the strings tool on the output. Find flags, URLs, credentials, keys.

clipboard
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 clipboard
  • Extract Windows clipboard content. Attacker may have copied a flag/password.

screenshot
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 screenshot -D ./output/
  • Capture GDI-based screenshots of all windows from memory. See what was on screen.

iehistory
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 iehistory
  • Recover Internet Explorer cache/history from memory.

notepad
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 notepad
  • Show text currently displayed in open Notepad windows. Flags are sometimes left here.

editbox
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 editbox
  • Show text in Win32 Edit controls: text fields and input boxes in any application.

messagehooks
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 messagehooks
  • List desktop and thread window message hooks. Keyloggers use these.

eventhooks
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 eventhooks
  • Print Windows event hook details. Malware uses these for UI monitoring.

atoms
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 atoms
  • Show Windows atom tables (global + session). Can contain strings/code references.

atomscan
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 atomscan
  • Pool scanner for atom tables. Finds more than the atoms plugin.

deskscan
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 deskscan
  • Pool scanner for Desktop objects.

wintree
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 wintree
  • Print Z-order desktop window tree. See layered window arrangement.

windows
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 windows
  • Print Desktop windows with verbose details.

wndscan
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 wndscan
  • Pool scanner for window station objects.

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD) 4 plugins

vadinfo
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 vadinfo -p <PID>
  • Show VAD tree entries: memory regions, permissions (RWX), mapped files.

vadtree
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 vadtree -p <PID>
  • Show VAD tree in visual tree format.

vadwalk
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 vadwalk -p <PID>
  • Walk VAD tree and show each node.

vaddump
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 vaddump -p <PID> -D ./output/
  • Dump all VAD memory regions of a process to files.

SECTION 13 — SERVICES, MFT, POOLS & MISC 13 plugins

svcscan
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 svcscan
  • List Windows services. Find malicious services installed for persistence.

mftparser
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 mftparser
  • Parse NTFS $MFT (Master File Table). Find deleted files, creation timestamps.

bigpools
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 bigpools
  • Dump big page pool allocations. Find large kernel memory structures.

poolpeek
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 poolpeek
  • Configurable pool scanner for custom object hunting.

multiscan
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 multiscan
  • Scan for multiple object types simultaneously. Faster than running the scanners separately.

objtypescan
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 objtypescan
  • Scan for Windows object type objects in pool memory.

verinfo
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 verinfo
  • Print version info from PE images. Detect tampered/fake binary versions.

mbrscan / mbrparser
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 mbrparser
  • Scan for Master Boot Records. Detect bootkit infections.

bioskbd
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 bioskbd
  • Read keyboard buffer from BIOS Real Mode memory. Sometimes contains typed passwords.

qemuinfo
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 qemuinfo
  • Dump QEMU hypervisor information.

vboxinfo
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 vboxinfo
  • Dump VirtualBox hypervisor information.

vmwareinfo
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 vmwareinfo
  • Dump VMware VMSS/VMSN hypervisor information.

volshell
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 volshell
  • Interactive Python shell with memory access. Advanced custom analysis.

SECTION 16 — RARE / SPECIALIZED COMMANDS 8 plugins

patcher
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 patcher
  • Patch memory based on page scans. Advanced memory modification tool.

raw2dmp
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 raw2dmp -O output.dmp
  • Convert raw memory image to WinDbg crash dump (.dmp) format for debugger analysis.

hibinfo
Vol2 · Windows
vol2 -f hiberfil.sys --profile=Win7SP1x64 hibinfo
  • Parse Windows hibernation file (hiberfil.sys). Show hibernation metadata.

hpakinfo
Vol2 · Windows
vol2 -f mem.hpak hpakinfo
  • Show info about HPAK format memory file (FTK Imager format).

hpakextract
Vol2 · Windows
vol2 -f mem.hpak hpakextract -O output.raw
  • Extract physical memory from HPAK file to raw format.

machoinfo
Vol2 · Windows
vol2 -f mem.raw machoinfo
  • Dump Mach-O file format information. Inspects a Mach-O format memory dump container, so no Windows profile is needed.

joblinks
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 joblinks
  • Print process job link information (Vol2 version).

kpcrscan
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 kpcrscan
  • Search for and dump potential KPCR values. Use if kdbgscan fails.

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET) 14 plugins

bigpagepools
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 bigpools
  • Dump big page pool allocations using BigPagePoolScanner. bigpagepools.py is the module file; the plugin is invoked as bigpools (same as in Section 13).

evtlogs
Vol2 · Windows
vol2 -f mem.raw --profile=WinXPSP3x86 evtlogs -D ./output/
  • Extract Windows Event Logs (.evt format). XP/2003 only.

heaps
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 heaps -p <PID>
  • Show process heap information. Find heap spray attacks.

patchguard
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 patchguard
  • Analyze PatchGuard structures. Detect kernel tampering on x64 Windows.

pooltracker
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 pooltracker
  • Show pool tag usage statistics. Advanced kernel memory analysis.

taskmods
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 cmdline
  • taskmods.py is the module that implements pslist, dlllist, memmap and memdump; it is not invoked by name. For process command-line arguments run cmdline (or cmdscan/consoles for typed console input).

tcaudit
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 tcaudit
  • Audit TrueCrypt driver presence in memory.

malware/cmdhistory
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 cmdscan
  • Recover command history from console host processes. cmdhistory.py is the module; its runnable plugins are cmdscan (command history buffers) and consoles (full console screen buffers).

malware/servicediff
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 servicediff
  • Compare services from list-walking vs scanning to find hidden rootkit services.

registry/auditpol
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 auditpol
  • Print audit policy from registry. See what events were being logged.

registry/dumpregistry
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 dumpregistry -D ./output/
  • Dump all registry hives to disk as raw files.

registry/registryapi
Vol2 · Windows
  • Internal registry API module (registryapi.py) used by the other registry plugins. Not run directly from the command line.

registry/shellbags
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 shellbags
  • Extract ShellBags from registry. Shows folders the user browsed via Explorer.
  • CTF USE: find accessed directories/paths even if deleted.

registry/shutdown
Vol2 · Windows
vol2 -f mem.raw --profile=Win7SP1x64 shutdowntime
  • Get last shutdown time from registry. shutdown.py is the module; the plugin is invoked as shutdowntime.

SECTION 2 — PROCESS ANALYSIS 3 plugins

linux_pslist
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pslist
  • List Linux processes from task_struct linked list.

linux_pstree
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pstree
  • Linux process parent-child tree.

linux_psscan
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_psscan
  • Scan memory for hidden Linux processes.

SECTION 3 — DLL & MODULE ANALYSIS 1 plugins

linux_lsmod
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_lsmod
  • List Linux kernel modules (like lsmod command).

SECTION 4 — HANDLES & OPEN FILES 2 plugins

linux_find_file -L
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_find_file -L
  • List all files cached in Linux memory (VFS page cache).

linux_find_file -i <INODE> -O <output_file>
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_find_file -i 0xINODEADDR -O saved_file
  • Extract specific file from memory by inode address.

SECTION 5 — NETWORK CONNECTIONS 2 plugins

linux_netstat
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_netstat
  • Show active Linux network connections.

linux_ifconfig
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_ifconfig
  • Show Linux network interface configuration from memory.

SECTION 7 — MEMORY DUMP / EXTRACTION 2 plugins

linux_dump_map
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_dump_map -p <PID> -D ./output/
  • Dump memory map regions of a Linux process.

linux_procdump
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_procdump -p <PID> -D ./output/
  • Dump Linux process ELF binary reconstructed from memory.

SECTION 8 — CODE INJECTION DETECTION 4 plugins

linux_malfind
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_malfind
  • Find suspicious RWX memory regions in Linux processes.

linux_check_syscall
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_syscall
  • Check syscall table for hooks. Rootkits replace syscall pointers.

linux_check_idt
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_idt
  • Check IDT (Interrupt Descriptor Table) for hooks.

linux_check_fop
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_fop
  • Check file operation function pointers for hooks.

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS 2 plugins

linux_psenv
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_psenv -p <PID>
  • Show environment variables of Linux processes.

linux_getcwd
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_getcwd
  • Show current working directory of each Linux process.

SECTION 10 — KERNEL & HOOKS 1 plugins

linux_check_modules
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_modules
  • Find hidden kernel modules not in the official module list.

SECTION 11 — STRING & ARTIFACT HUNTING 2 plugins

linux_bash
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_bash
  • Recover bash command history from memory buffers.
  • CTF GOLD: see exactly what commands the attacker typed.

linux_truecrypt_passphrase
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_truecrypt_passphrase
  • Find TrueCrypt/VeraCrypt passphrase cached in memory.

SECTION 13 — SERVICES, MFT, POOLS & MISC 3 plugins

linux_enumerate_files
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_enumerate_files
  • Enumerate all files from Linux VFS (virtual filesystem) cache.

linux_mount
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_mount
  • Show mounted filesystems from memory.

linux_dmesg
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_dmesg
  • Recover kernel ring buffer log from memory.

SECTION 16 — RARE / SPECIALIZED COMMANDS 13 plugins

linux_volshell
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_volshell
  • Interactive Python shell with Linux memory access. Advanced custom analysis.

linux_apihooks
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_apihooks
  • Detect userland API hooks in Linux processes (LD_PRELOAD style hooks).

linux_keyboard_notifiers
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_keyboard_notifiers
  • Parse keyboard notifier call chain. Detect kernel keyloggers.

linux_check_creds
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_creds
  • Check if processes share credential structures (rootkit privilege escalation).

linux_check_afinfo
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_afinfo
  • Verify network protocol operation function pointers for hooks.

linux_check_tty
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_tty
  • Check TTY devices for hooks. Rootkit keylogger detection.

linux_library_list
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_library_list
  • List shared libraries loaded per process.

linux_proc_maps
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_proc_maps -p <PID>
  • Show memory maps of a Linux process (like /proc/PID/maps).

linux_memmap
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_memmap -p <PID>
  • Print memory map of a Linux process.

linux_plthook
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_plthook
  • Scan PLT (Procedure Linkage Table) for hooks in Linux processes.

linux_threads
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_threads
  • List threads of Linux processes.

linux_tmpfs
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_tmpfs
  • Recover files from tmpfs (memory-based filesystem). Find in-memory files.

linux_recover_filesystem
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_recover_filesystem -D ./output/
  • Recover cached Linux filesystem to disk.

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET) 28 plugins

linux_aslr_shift
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_aslr_shift
  • Find the ASLR shift applied to the kernel. Needed for some profile builds.

linux_bash_hash
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_bash_hash
  • Recover bash hash table (cached command locations) from memory.

linux_check_evt_arm
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxARM linux_check_evt_arm
  • Check ARM event table for hooks. ARM architecture specific.

linux_check_fops
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_fop
  • Check file operation function pointers for hooks (rootkit detection). The plugin name in Vol2 is linux_check_fop (see Section 8).

linux_check_inline_kernel
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_inline_kernel
  • Check for inline kernel function hooks (direct code patching rootkits).

linux_cpuinfo
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_cpuinfo
  • Print CPU info from Linux memory (like /proc/cpuinfo).

linux_dentry_cache
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_dentry_cache
  • Enumerate Linux dentry cache (directory entry cache). Find cached file paths.

linux_kernel_opened_files
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_kernel_opened_files
  • List files opened by the kernel itself.

linux_ld_env
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_ld_env
  • Show LD_PRELOAD and LD_LIBRARY_PATH env vars. Detect userland rootkit injection.
  • CTF USE: LD_PRELOAD hooking is a common Linux malware technique.

linux_libc_env
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_libc_env
  • Show libc environment variables for processes.

linux_librarydump
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_librarydump -p <PID> -D ./output/
  • Dump shared libraries (.so files) loaded by a process.

linux_strings
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_strings -s strings.txt -p <PID>
  • Match strings to virtual addresses in Linux process memory. -s takes a file of offset:string lines (e.g. produced by strings -td mem.raw).

linux_yarascan
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_yarascan --yara-file rules.yar
  • Scan Linux process memory with YARA rules. --yara-file (-y) reads a rules file; --yara-rules (-Y) takes a rule string instead.

linux_list_raw
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_list_raw
  • List processes with raw socket access. Packet sniffers/network tools.

linux_mount_cache
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_mount_cache
  • List mounts from kernel mount cache.

linux_pkt_queues
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pkt_queues
  • Show packet queues for network sockets. Network forensics.

linux_proc_maps_rb
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_proc_maps_rb -p <PID>
  • Show process memory maps via red-black tree (alternate method).

linux_process_hollow
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_process_hollow
  • Detect process hollowing on Linux (process with replaced executable).

linux_process_info
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_process_info -p <PID>
  • Show detailed info about a Linux process.

linux_process_stack
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_process_stack -p <PID>
  • Show stack contents of a Linux process.

linux_pslist_cache
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pslist_cache
  • List Linux processes from kernel slab cache (alternative method).

linux_route_cache
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_route_cache
  • Show Linux routing cache from memory.

linux_sk_buff_cache
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_sk_buff_cache
  • Show socket buffer cache. Network packet analysis.

linux_slabinfo
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_slabinfo
  • Show Linux kernel slab allocator info (memory allocator statistics, like /proc/slabinfo).

linux_vma_cache
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_vma_cache
  • Show VMA (Virtual Memory Area) cache entries.

linux_info_regs
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_info_regs -p <PID>
  • Show CPU register values for a Linux process. Advanced crash analysis.

linux_flags
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_flags
  • Show Linux kernel flags and compile options.

linux_lime
Vol2 · Linux
vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_lime
  • Show LiME (Linux Memory Extractor) acquisition info embedded in the dump.

SECTION 2 — PROCESS ANALYSIS 2 plugins

mac_pslist
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pslist
  • List Mac processes.

mac_pstree
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pstree
  • Mac process tree.

SECTION 3 — DLL & MODULE ANALYSIS 1 plugins

mac_lsmod
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_lsmod
  • List Mac kernel extensions (kexts).

SECTION 4 — HANDLES & OPEN FILES 1 plugins

mac_lsof
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_lsof
  • List open files for Mac processes.

SECTION 5 — NETWORK CONNECTIONS 2 plugins

mac_netstat
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_netstat
  • List Mac network connections.

mac_ifconfig
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_ifconfig
  • Show Mac network interface config.

SECTION 8 — CODE INJECTION DETECTION 4 plugins

mac_malfind
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_malfind
  • Find injected code in Mac process memory.

mac_check_syscall
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_syscall
  • Check Mac BSD syscall table for hooks.

mac_check_sysctl
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_sysctl
  • Check sysctl handlers for hooks.

mac_check_trap_table
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_trap_table
  • Check Mach trap table for hooks.

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS 1 plugins

mac_psenv
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_psenv
  • Show environment variables of Mac processes.

SECTION 10 — KERNEL & HOOKS 2 plugins

mac_check_syscall
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_syscall
  • Check Mac syscall table for hooks.

mac_check_sysctl
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_sysctl
  • Check sysctl handlers for hooks.

SECTION 11 — STRING & ARTIFACT HUNTING 1 plugins

mac_bash
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_bash
  • Recover bash command history from Mac memory.

SECTION 13 — SERVICES, MFT, POOLS & MISC 3 plugins

mac_dmesg
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dmesg
  • Print Mac kernel log buffer.

mac_mount
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_mount
  • Show Mac mounted filesystems.

mac_netstat
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_netstat
  • List Mac network connections.

SECTION 16 — RARE / SPECIALIZED COMMANDS 22 plugins

mac_volshell
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_volshell
  • Interactive Python shell for Mac memory analysis.

mac_dump_maps
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dump_maps -p <PID> -D ./output/
  • Dump memory maps of a Mac process.

mac_procdump
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_procdump -p <PID> -D ./output/
  • Dump Mac process binary from memory.

mac_memdump
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_memdump -p <PID> -D ./output/
  • Dump full memory of a Mac process.

mac_find_files
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_find_files
  • Find files in Mac VFS cache.

mac_recover_filesystem
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_recover_filesystem -D ./output/
  • Recover Mac cached filesystem.

mac_dead_procs
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dead_procs
  • List terminated Mac processes still in memory.

mac_pid_hashmap
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pid_hashmap
  • List Mac processes via PID hash map (finds hidden procs).

mac_tasks
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_tasks
  • List Mac Mach tasks (low-level process representation).

mac_threads
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_threads
  • List Mac threads.

mac_handles
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_handles
  • List open handles for Mac processes.

mac_apihooks
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_apihooks
  • Find userland API hooks in Mac processes.

mac_apihooks_kernel
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_apihooks_kernel
  • Find kernel-level API hooks on Mac.

mac_ip_filters
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_ip_filters
  • List IP filters registered in the Mac kernel (network interception).

mac_notifiers
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_notifiers
  • Print Mac IOKit notification handlers.

mac_pgrp_hash_table
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pgrp_hash_table
  • List Mac processes via process group hash table.

mac_route
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_route
  • Print Mac routing table from memory.

mac_arp
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_arp
  • Print Mac ARP table from memory.

mac_socket_filters
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_socket_filters
  • List Mac kernel socket filters.

mac_strings
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_strings -p <PID>
  • Find strings in Mac process memory.

mac_list_sessions
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_sessions
  • List Mac login sessions.

mac_list_zones
Vol2 · macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_zones
  • List Mac kernel memory zones (allocator zones).

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET) 39 plugins

mac_adiummsgs

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_adiummsgs
  • Extract Adium (Mac chat app) messages from memory.

mac_bash_env

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_bash_env
  • Show bash environment variables for Mac processes.

mac_bash_hash

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_bash_hash
  • Recover bash hash table from Mac memory.

mac_calendar

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_calendar
  • Extract Mac Calendar app data from memory.

mac_check_mig_table

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_mig_table
  • Check Mach Interface Generator table for hooks.

mac_check_syscall_shadow

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_syscall_shadow
  • Check for shadow syscall table (rootkit technique).

mac_check_syscall_table

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_syscall_table
  • Check BSD syscall table for hooks/modifications.

mac_classes

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_classes
  • List Objective-C classes loaded in Mac processes.

mac_compressed_swap

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_compressed_swap
  • Analyze Mac compressed swap (memory compression) data.

mac_contacts

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_contacts
  • Extract Mac Contacts app data from memory.

mac_dead_sockets

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dead_sockets
  • List closed/dead network sockets still in memory.

mac_dead_vnodes

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dead_vnodes
  • List dead vnode objects (closed file references) in Mac memory.

mac_devfs

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_devfs
  • List Mac devfs (device filesystem) entries.

mac_dlyd_maps

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dlyd_maps
  • Show dyld (dynamic linker) memory maps for Mac processes.

mac_dump_files

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dump_files -D ./output/
  • Dump cached files from Mac memory.

mac_find_aslr_shift

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_find_aslr_shift
  • Find KASLR (kernel ASLR) shift value for Mac.

mac_get_profile

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw mac_get_profile
  • Auto-detect Mac profile from memory dump.

mac_gkextmap

SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_gkextmap
  • Show Mac kernel extension (kext) map.

mac_interest_handlers

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_interest_handlers
  • List IOKit interest handlers. Malware registers these for device notifications.

mac_keychaindump

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_keychaindump
  • Dump Mac keychain master key from memory.
  • CTF USE: may contain credentials/passwords.

mac_ldrmodules

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_ldrmodules
  • Cross-check Mac process library load lists. Find hidden/injected libraries.

mac_librarydump

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_librarydump -p <PID> -D ./output/
  • Dump Mac process dylib (dynamic library) from memory.

mac_list_kauth_listeners

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_kauth_listeners
  • List kauth authorization listeners.

mac_list_kauth_scopes

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_kauth_scopes
  • List kauth authorization scopes.

mac_list_raw

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_raw
  • List Mac processes with raw socket access.

mac_list_zones

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_zones
  • List Mac kernel memory zones (allocator zones).

mac_lsmod_iokit

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_lsmod_iokit
  • List Mac IOKit kexts (driver framework extensions).

mac_yarascan

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_yarascan --yara-file=rules.yar
  • Scan Mac process memory with YARA rules.

mac_machine_info

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_machine_info
  • Show Mac hardware/machine information from memory.

mac_netconns

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_netconns
  • List active network connections on Mac (alternative to mac_netstat).

mac_notesapp

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_notesapp
  • Extract Mac Notes app content from memory.
  • CTF USE: notes sometimes contain flags or sensitive data.

mac_notifiers

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_notifiers
  • Print Mac IOKit notification handlers.

mac_orphan_threads

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_orphan_threads
  • Find orphan threads with no parent process. Injected thread detection.

mac_pgrp_hash_table

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pgrp_hash_table
  • List Mac processes via process group hash table.

mac_pid_hash_table

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pid_hash_table
  • List Mac processes via PID hash table. Finds hidden processes.

mac_print_boot_cmdline

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_print_boot_cmdline
  • Print Mac kernel boot command line arguments.

mac_pstasks

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pstasks
  • List Mac processes via Mach task structures (low-level).

mac_session_hash_table

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_session_hash_table
  • List Mac processes via session hash table.

mac_threads_simple

Vol2macOS
vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_threads_simple
  • List Mac threads with simplified output format.

SECTION 1 — IDENTIFY PROFILE / IMAGE INFO 6 plugins

windows.info

Vol3Windows
vol3 -f mem.raw windows.info
  • Show Windows OS version, build number, architecture, kernel base. First step for Win dumps.

windows.crashinfo

Vol3Windows
vol3 -f mem.raw windows.crashinfo
  • Show crash dump metadata: date, uptime, crash reason, bugcheck code.

banners.Banners

Vol3Linux
vol3 -f mem.raw banners.Banners
  • Use banners.Banners to identify Linux/macOS/Windows banner strings when OS type is uncertain.
  • banners.Banners is a generic plugin (not in the linux.* namespace), so it does not appear in the Linux plugin list.

banners.Banners

Vol3Common
vol3 -f mem.raw banners.Banners
  • Identify OS from banner strings in memory. Good when unsure if Win/Linux/Mac.

isfinfo.IsfInfo

Vol3Common
vol3 -f mem.raw isfinfo.IsfInfo
  • Show available ISF (symbol) files. Helps debug missing symbols.

frameworkinfo.FrameworkInfo

Vol3Common
vol3 frameworkinfo.FrameworkInfo
  • Show Volatility 3 version + all loaded modules. Use to verify installation.

SECTION 2 — PROCESS ANALYSIS 23 plugins

windows.pslist

Vol3Windows
vol3 -f mem.raw windows.pslist
  • Vol3 process list.

windows.pstree

Vol3Windows
vol3 -f mem.raw windows.pstree
  • Vol3 process tree view.

windows.psscan

Vol3Windows
vol3 -f mem.raw windows.psscan
  • Vol3 deep EPROCESS scan — finds hidden/terminated processes.

windows.malware.psxview.PsXView

Vol3Windows
vol3 -f mem.raw windows.malware.psxview.PsXView
  • Vol3 psxview — cross-reference 4 process listing methods to find hidden processes.

windows.malware.pebmasquerade.PebMasquerade

Vol3Windows
vol3 -f mem.raw windows.malware.pebmasquerade.PebMasquerade
  • Detect process name spoofing: EPROCESS name vs PEB name mismatch. Malware hides this way.

windows.malware.processghosting.ProcessGhosting

Vol3Windows
vol3 -f mem.raw windows.malware.processghosting.ProcessGhosting
  • Find ghost processes: executable deleted from disk but still running in memory.

windows.sessions.Sessions

Vol3Windows
vol3 -f mem.raw windows.sessions.Sessions
  • List processes with session/logon info from environment variables.

windows.joblinks.JobLinks

Vol3Windows
vol3 -f mem.raw windows.joblinks.JobLinks
  • Show process job link info. Useful for sandbox/container detection.

windows.thrdscan.ThrdScan

Vol3Windows
vol3 -f mem.raw windows.thrdscan.ThrdScan
  • Scan for thread objects in memory pool.

windows.threads.Threads

Vol3Windows
vol3 -f mem.raw windows.threads
  • List process threads with details.

windows.orphan_kernel_threads.Threads

Vol3Windows
vol3 -f mem.raw windows.orphan_kernel_threads.Threads
  • Find orphan kernel threads — injected threads with no legitimate parent process.

windows.suspended_threads.SuspendedThreads

Vol3Windows
vol3 -f mem.raw windows.suspended_threads.SuspendedThreads
  • List suspended threads. Malware suspends threads during injection.

linux.pslist

Vol3Linux
vol3 -f mem.raw linux.pslist
  • Vol3 Linux process list.

linux.pstree

Vol3Linux
vol3 -f mem.raw linux.pstree
  • Vol3 Linux process tree.

linux.psscan

Vol3Linux
vol3 -f mem.raw linux.psscan
  • Vol3 deep scan for hidden Linux processes.

linux.psaux.PsAux

Vol3Linux
vol3 -f mem.raw linux.psaux.PsAux
  • List Linux processes with full command line arguments. Like ps aux.

linux.pidhashtable.PIDHashTable

Vol3Linux
vol3 -f mem.raw linux.pidhashtable.PIDHashTable
  • Enumerate processes via PID hash table. Finds more hidden processes than pslist.

linux.pscallstack.PsCallStack

Vol3Linux
vol3 -f mem.raw linux.pscallstack.PsCallStack
  • Show kernel call stack of each task. Deep process inspection.

linux.malware.process_spoofing.ProcessSpoofing

Vol3Linux
vol3 -f mem.raw linux.malware.process_spoofing.ProcessSpoofing
  • Detect process name spoofing: executable path vs cmdline vs comm field mismatch.

linux.ptrace.Ptrace

Vol3Linux
vol3 -f mem.raw linux.ptrace.Ptrace
  • Find ptrace tracer/tracee pairs. Spot debugger-attached processes or injection via ptrace.

mac.pslist

Vol3macOS
vol3 -f mem.raw mac.pslist.PsList
  • Vol3 Mac process list.

mac.pstree

Vol3macOS
vol3 -f mem.raw mac.pstree.PsTree
  • Vol3 Mac process tree.

mac.psaux.Psaux

Vol3macOS
vol3 -f mem.raw mac.psaux.Psaux
  • Mac process list with command line arguments.

SECTION 3 — DLL & MODULE ANALYSIS 16 plugins

windows.dlllist

Vol3Windows
vol3 -f mem.raw windows.dlllist
vol3 -f mem.raw windows.dlllist --pid <PID>
  • List DLLs loaded in each process (walks the PEB load-order list). --pid limits output to one process. Injected DLLs that are unlinked from the PEB lists will not appear here; cross-check with ldrmodules.

windows.ldrmodules.LdrModules

Vol3Windows
vol3 -f mem.raw windows.ldrmodules.LdrModules
  • Vol3 DLL load order cross-check.

windows.malware.ldrmodules.LdrModules

Vol3Windows
vol3 -f mem.raw windows.malware.ldrmodules.LdrModules
  • Updated ldrmodules focused on malware detection.

windows.modules

Vol3Windows
vol3 -f mem.raw windows.modules
  • Vol3 kernel module list.

windows.modscan

Vol3Windows
vol3 -f mem.raw windows.modscan
  • Vol3 deep kernel module scan.

windows.driverscan

Vol3Windows
vol3 -f mem.raw windows.driverscan
  • Scan memory for driver objects. Finds hidden drivers.

windows.unloadedmodules

Vol3Windows
vol3 -f mem.raw windows.unloadedmodules
  • Vol3 unloaded module list.

windows.malware.drivermodule.DriverModule

Vol3Windows
vol3 -f mem.raw windows.malware.drivermodule.DriverModule
  • Find drivers hidden by rootkit (not in normal module list).

windows.iat.IAT

Vol3Windows
vol3 -f mem.raw windows.iat.IAT --pid <PID>
  • Extract Import Address Table: see what API functions a process uses. Spot suspicious imports.

windows.pe_symbols.PESymbols

Vol3Windows
vol3 -f mem.raw windows.pe_symbols.PESymbols --pid <PID>
  • Print symbols from PE files in process/kernel memory.

windows.devicetree.DeviceTree

Vol3Windows
vol3 -f mem.raw windows.devicetree.DeviceTree
  • Show driver + attached device tree. Find malicious device stacks.

linux.lsmod

Vol3Linux
vol3 -f mem.raw linux.lsmod
  • Vol3 Linux kernel module list.

linux.library_list.LibraryList

Vol3Linux
vol3 -f mem.raw linux.library_list.LibraryList
  • Enumerate shared libraries (.so files) loaded into each process.

linux.elfs.Elfs

Vol3Linux
vol3 -f mem.raw linux.elfs.Elfs
  • List all memory-mapped ELF files across all processes.

linux.module_extract.ModuleExtract

Vol3Linux
vol3 -f mem.raw linux.module_extract.ModuleExtract --module-address <ADDR>
  • Recreate ELF file from kernel module in memory for analysis.

mac.lsmod

Vol3macOS
vol3 -f mem.raw mac.lsmod.Lsmod
  • Vol3 Mac kernel extension list.

SECTION 4 — HANDLES & OPEN FILES 10 plugins

windows.handles

Vol3Windows
vol3 -f mem.raw windows.handles --pid <PID>
  • List open handles of a process: files, registry keys, mutants, events, threads, sections. Shows what a suspicious process is touching.

windows.filescan

Vol3Windows
vol3 -f mem.raw windows.filescan
  • Vol3 file object scanner.

windows.mutantscan

Vol3Windows
vol3 -f mem.raw windows.mutantscan
  • Vol3 mutex scanner.

windows.symlinkscan

Vol3Windows
vol3 -f mem.raw windows.symlinkscan
  • Vol3 symlink scanner.

linux.lsof.Lsof

Vol3Linux
vol3 -f mem.raw linux.lsof.Lsof
  • List open file descriptors for each process. Like lsof command.

linux.pagecache.Files

Vol3Linux
vol3 -f mem.raw linux.pagecache.Files
  • List files currently in page cache.

linux.pagecache.InodePages

Vol3Linux
vol3 -f mem.raw linux.pagecache.InodePages
  • List and recover cached inode pages from memory.

linux.pagecache.RecoverFs

Vol3Linux
vol3 -f mem.raw -o ./output/ linux.pagecache.RecoverFs
  • Recover entire cached filesystem (dirs, files, symlinks) as compressed tarball.
  • CTF GOLD: recover deleted/hidden files that were in memory.

mac.lsof.Lsof

Vol3macOS
vol3 -f mem.raw mac.lsof.Lsof
  • Vol3 Mac open file descriptor lister.

mac.list_files.List_Files

Vol3macOS
vol3 -f mem.raw mac.list_files.List_Files
  • List all open file descriptors for all Mac processes.

SECTION 5 — NETWORK CONNECTIONS 9 plugins

windows.netscan

Vol3Windows
vol3 -f mem.raw windows.netscan
  • Vol3 network object scanner.

windows.netstat

Vol3Windows
vol3 -f mem.raw windows.netstat
  • Vol3 netstat-style output — traverses network tracking structures directly.

linux.sockstat.Sockstat

Vol3Linux
vol3 -f mem.raw linux.sockstat.Sockstat
  • List all network connections per process. Like ss/netstat command.

linux.sockscan.Sockscan

Vol3Linux
vol3 -f mem.raw linux.sockscan.Sockscan
  • Scan memory layer for socket objects. Finds more than sockstat.

linux.ip.Addr

Vol3Linux
vol3 -f mem.raw linux.ip.Addr
  • Network interface info like ip addr command.

linux.ip.Link

Vol3Linux
vol3 -f mem.raw linux.ip.Link
  • Network interface list like ip link show.

linux.malware.netfilter.Netfilter

Vol3Linux
vol3 -f mem.raw linux.malware.netfilter.Netfilter
  • List Netfilter hooks. Rootkits hook Netfilter to intercept/modify traffic.

mac.netstat.Netstat

Vol3macOS
vol3 -f mem.raw mac.netstat.Netstat
  • Vol3 Mac network connection lister.

mac.ifconfig.Ifconfig

Vol3macOS
vol3 -f mem.raw mac.ifconfig.Ifconfig
  • Vol3 Mac network interface info.

SECTION 6 — REGISTRY (WINDOWS ONLY) 11 plugins

windows.registry.hivelist

Vol3Windows
vol3 -f mem.raw windows.registry.hivelist
  • Vol3 registry hive list.

windows.registry.hivescan

Vol3Windows
vol3 -f mem.raw windows.registry.hivescan
  • Vol3 registry hive scanner (finds more hives).

windows.registry.printkey

Vol3Windows
vol3 -f mem.raw windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  • Vol3 registry key printer.

windows.registry.userassist

Vol3Windows
vol3 -f mem.raw windows.registry.userassist
  • Show recently executed programs from UserAssist registry keys.

windows.registry.amcache.Amcache

Vol3Windows
vol3 -f mem.raw windows.registry.amcache.Amcache
  • Extract executed app info from AmCache registry hive.

windows.registry.certificates.Certificates

Vol3Windows
vol3 -f mem.raw windows.registry.certificates.Certificates
  • List certificates from registry Certificate Store. Find rogue certs.

windows.registry.scheduled_tasks.ScheduledTasks

Vol3Windows
vol3 -f mem.raw windows.registry.scheduled_tasks.ScheduledTasks
  • Decode scheduled tasks from registry: triggers, actions, run times.

windows.registry.getcellroutine.GetCellRoutine

Vol3Windows
vol3 -f mem.raw windows.registry.getcellroutine.GetCellRoutine
  • Find registry hives with hooked GetCellRoutine handler (rootkit sign).

windows.hashdump

Vol3Windows
vol3 -f mem.raw windows.hashdump
  • Vol3 NTLM hash extractor.

windows.lsadump

Vol3Windows
vol3 -f mem.raw windows.lsadump
  • Vol3 LSA secrets dumper.

windows.shimcachemem.ShimcacheMem

Vol3Windows
vol3 -f mem.raw windows.shimcachemem.ShimcacheMem
  • Read Shimcache entries from ahcache.sys AVL tree.

SECTION 7 — MEMORY DUMP / EXTRACTION 6 plugins

windows.memmap.Memmap

Vol3Windows
vol3 -f mem.raw -o ./output/ windows.memmap.Memmap --pid <PID> --dump
  • Volatility 3 current replacement for dumping a process address space.
  • The older Vol2-style process dump command name that this replaces is not an official core plugin name in current Vol3 docs.

windows.dumpfiles / windows.pedump.PEDump

Vol3Windows
vol3 -f mem.raw -o ./output/ windows.dumpfiles --pid <PID>
vol3 -f mem.raw windows.pedump.PEDump --pid <PID> --base <BASE_ADDR>
  • Use windows.dumpfiles for mapped/executable file extraction from a process, or windows.pedump.PEDump for a PE at a known base address.
  • The older Vol2-style executable dump command name that these replace is not an official core plugin name in current Vol3 docs.

windows.dumpfiles

Vol3Windows
vol3 -f mem.raw windows.dumpfiles --virtaddr <ADDR>
vol3 -f mem.raw windows.dumpfiles --physaddr <ADDR>
  • Extract a cached file from memory by the virtual or physical address of its FILE_OBJECT (take the address from windows.filescan output). Files are written to the -o output directory.

windows.pedump.PEDump

Vol3Windows
vol3 -f mem.raw windows.pedump.PEDump --pid <PID> --base <BASE_ADDR>
  • Dump PE file from specific virtual address in process memory.

layerwriter.LayerWriter

Vol3Windows
vol3 -f mem.raw -o ./output/ layerwriter.LayerWriter
  • Write out the primary memory layer as raw file. Full memory extraction.

linux.proc.Maps

Vol3Linux
vol3 -f mem.raw linux.proc.Maps --pid <PID>
  • Show Linux process memory map regions (like /proc/PID/maps).

SECTION 8 — CODE INJECTION DETECTION 28 plugins

windows.malfind

Vol3Windows
vol3 -f mem.raw windows.malfind
vol3 -f mem.raw windows.malfind --pid <PID>
  • Find private memory regions with executable permissions (e.g. PAGE_EXECUTE_READWRITE) and no backing file, and show a hexdump/disassembly of their start. Classic injected code / shellcode finder; --pid limits to one process.

windows.malware.malfind.Malfind

Vol3Windows
vol3 -f mem.raw windows.malware.malfind.Malfind
  • Updated malfind with improved shellcode/injection detection.

windows.malware.hollowprocesses.HollowProcesses

Vol3Windows
vol3 -f mem.raw windows.malware.hollowprocesses.HollowProcesses
  • Vol3 process hollowing detector.

windows.cmdline

Vol3Windows
vol3 -f mem.raw windows.cmdline
  • Vol3 process command line args.

windows.cmdscan

Vol3Windows
vol3 -f mem.raw windows.cmdscan
  • Vol3 command history scanner.

windows.consoles

Vol3Windows
vol3 -f mem.raw windows.consoles
  • Vol3 console I/O recovery.

windows.malware.suspicious_threads.SuspiciousThreads

Vol3Windows
vol3 -f mem.raw windows.malware.suspicious_threads.SuspiciousThreads
  • Find suspicious userland threads: injected thread indicators.

windows.malware.skeleton_key_check.Skeleton_Key_Check

Vol3Windows
vol3 -f mem.raw windows.malware.skeleton_key_check.Skeleton_Key_Check
  • Detect Skeleton Key malware: LSASS patch to bypass all domain authentication.

windows.etwpatch.EtwPatch

Vol3Windows
vol3 -f mem.raw windows.etwpatch.EtwPatch
  • Detect ETW (Event Tracing) patching by malware to blind security tools.

windows.malware.unhooked_system_calls.UnhookedSystemCalls

Vol3Windows
vol3 -f mem.raw windows.malware.unhooked_system_calls.UnhookedSystemCalls
  • Detect hooked ntdll.dll stubs: EDR/AV bypass technique.

windows.malware.direct_system_calls

Vol3Windows
vol3 -f mem.raw windows.malware.direct_system_calls
  • Detect direct syscall usage bypassing ntdll.dll entirely.

linux.malware.malfind.Malfind

Vol3Linux
vol3 -f mem.raw linux.malware.malfind.Malfind
  • Find injected code in Linux process memory regions.

linux.malware.check_syscall.Check_syscall

Vol3Linux
vol3 -f mem.raw linux.malware.check_syscall.Check_syscall
  • Check Linux syscall table for hooks.

linux.malware.check_idt.Check_idt

Vol3Linux
vol3 -f mem.raw linux.malware.check_idt.Check_idt
  • Check IDT for hooks.

linux.malware.check_afinfo.Check_afinfo

Vol3Linux
vol3 -f mem.raw linux.malware.check_afinfo.Check_afinfo
  • Verify network protocol operation function pointers for hooks.

linux.malware.check_creds.Check_creds

Vol3Linux
vol3 -f mem.raw linux.malware.check_creds.Check_creds
  • Check if processes share credential structures (rootkit privilege escalation sign).

linux.malware.tty_check.Tty_Check

Vol3Linux
vol3 -f mem.raw linux.malware.tty_check.Tty_Check
  • Check TTY device hooks. Rootkits hook TTY to intercept terminal input (keylogger).

linux.malware.keyboard_notifiers.Keyboard_notifiers

Vol3Linux
vol3 -f mem.raw linux.malware.keyboard_notifiers.Keyboard_notifiers
  • Check keyboard notifier call chain for hooks. Detect kernel-level keyloggers.

linux.tracing.ftrace.CheckFtrace

Vol3Linux
vol3 -f mem.raw linux.tracing.ftrace.CheckFtrace
  • Detect ftrace hooking: rootkits abuse kernel function tracing for stealth.

linux.tracing.tracepoints.CheckTracepoints

Vol3Linux
vol3 -f mem.raw linux.tracing.tracepoints.CheckTracepoints
  • Detect tracepoint hooking by rootkits.

linux.ebpf.EBPF

Vol3Linux
vol3 -f mem.raw linux.ebpf.EBPF
  • Enumerate eBPF programs. Modern rootkits use eBPF for stealthy hooks.

mac.malfind.Malfind

Vol3macOS
vol3 -f mem.raw mac.malfind.Malfind
  • Vol3 Mac injected code finder.

mac.check_syscall.Check_syscall

Vol3macOS
vol3 -f mem.raw mac.check_syscall.Check_syscall
  • Vol3 Mac syscall table hook check.

mac.check_sysctl.Check_sysctl

Vol3macOS
vol3 -f mem.raw mac.check_sysctl.Check_sysctl
  • Vol3 sysctl handler hook check.

mac.check_trap_table.Check_trap_table

Vol3macOS
vol3 -f mem.raw mac.check_trap_table.Check_trap_table
  • Vol3 Mach trap table hook check.

mac.trustedbsd.Trustedbsd

Vol3macOS
vol3 -f mem.raw mac.trustedbsd.Trustedbsd
  • Check for malicious TrustedBSD policy modules (Mac rootkit mechanism).

mac.timers.Timers

Vol3macOS
vol3 -f mem.raw mac.timers.Timers
  • Check for malicious kernel timers in Mac memory.

mac.socket_filters.Socket_filters

Vol3macOS
vol3 -f mem.raw mac.socket_filters.Socket_filters
  • List kernel socket filters. Malware uses these to intercept network data.

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS 13 plugins

windows.envars

Vol3Windows
vol3 -f mem.raw windows.envars --pid <PID>
  • List process environment variables (PATH, TEMP, USERNAME, proxy settings, etc.). --pid limits to one process. Odd values can reveal the launching context of a process.

windows.getsids.GetSIDs

Vol3Windows
vol3 -f mem.raw windows.getsids.GetSIDs
  • Vol3 SID lister. Show SIDs owning each process.

windows.getservicesids.GetServiceSIDs

Vol3Windows
vol3 -f mem.raw windows.getservicesids.GetServiceSIDs
  • Vol3 service SID mapper.

windows.privileges.Privs

Vol3Windows
vol3 -f mem.raw windows.privileges.Privs --pid <PID>
  • Vol3 process privilege lister.

windows.statistics.Statistics (not core Vol3)

Vol3Windows
vol3 -f mem.raw windows.statistics.Statistics
# Verify first: vol -h | grep -i statistics
  • Marked as not official core Vol3 in current docs. Some builds/community sets may differ.
  • Use frameworkinfo.FrameworkInfo or plugin-specific outputs for framework/plugin verification.

windows.kpcrs.KPCRs

Vol3Windows
vol3 -f mem.raw windows.kpcrs.KPCRs
  • Print KPCR (Kernel Processor Control Region) for each CPU.

linux.envars.Envars

Vol3Linux
vol3 -f mem.raw linux.envars.Envars
  • List Linux process environment variables.

linux.capabilities.Capabilities

Vol3Linux
vol3 -f mem.raw linux.capabilities.Capabilities
  • List Linux process capabilities (cap_sys_admin etc). Detect privilege escalation.

linux.boottime.Boottime

Vol3Linux
vol3 -f mem.raw linux.boottime.Boottime
  • Show when the Linux system was started.

linux.iomem.IOMem

Vol3Linux
vol3 -f mem.raw linux.iomem.IOMem
  • Show memory map like /proc/iomem.

mac.kevents.Kevents

Vol3macOS
vol3 -f mem.raw mac.kevents.Kevents
  • List event handlers registered by Mac processes.

mac.kauth_listeners.Kauth_listeners

Vol3macOS
vol3 -f mem.raw mac.kauth_listeners.Kauth_listeners
  • List kauth authorization listeners and their status.

mac.kauth_scopes.Kauth_scopes

Vol3macOS
vol3 -f mem.raw mac.kauth_scopes.Kauth_scopes
  • List kauth authorization scopes.

SECTION 10 — KERNEL & HOOKS 13 plugins

windows.ssdt

Vol3Windows
vol3 -f mem.raw windows.ssdt
  • List System Service Descriptor Table (syscall table) entries with their owning module. Entries that resolve outside ntoskrnl/win32k indicate a hooked syscall.

windows.driverirp

Vol3Windows
vol3 -f mem.raw windows.driverirp
  • List the IRP (I/O request packet) major-function handlers of each driver. A handler address that falls outside the driver's own module is a classic rootkit hook.

windows.callbacks

Vol3Windows
vol3 -f mem.raw windows.callbacks
  • List kernel callbacks and notification routines (process/thread/image-load, registry, shutdown, bugcheck). Rootkits and security products both register these; look for callbacks owned by unknown modules.

windows.threads

Vol3Windows
vol3 -f mem.raw windows.threads
  • List threads per process with start address, state and owning module. Threads starting in unbacked memory are injection candidates.

windows.timers.Timers

Vol3Windows
vol3 -f mem.raw windows.timers.Timers
  • Kernel timers + DPCs. Malware uses for periodic execution.

windows.malware.svcdiff.SvcDiff

Vol3Windows
vol3 -f mem.raw windows.malware.svcdiff.SvcDiff
  • Compare list-walking vs pool-scanning for services. Find rootkit-hidden services.

linux.malware.check_modules.Check_modules

Vol3Linux
vol3 -f mem.raw linux.malware.check_modules.Check_modules
  • Vol3 hidden kernel module detector.

linux.malware.modxview.Modxview

Vol3Linux
vol3 -f mem.raw linux.malware.modxview.Modxview
  • Centralize lsmod + check_modules + hidden_modules results. Best rootkit overview.
  • CTF USE: single command for complete module rootkit analysis.

linux.kthreads.Kthreads

Vol3Linux
vol3 -f mem.raw linux.kthreads.Kthreads
  • Enumerate kernel thread functions.

linux.kallsyms.Kallsyms

Vol3Linux
vol3 -f mem.raw linux.kallsyms.Kallsyms
  • Enumerate kernel symbols from kallsyms.

mac.dmesg.Dmesg

Vol3macOS
vol3 -f mem.raw mac.dmesg.Dmesg
  • Print Mac kernel log buffer (like dmesg).

mac.mount.Mount

Vol3macOS
vol3 -f mem.raw mac.mount.Mount
  • Show mounted filesystems on Mac.

mac.vfsevents.VFSevents

Vol3macOS
vol3 -f mem.raw mac.vfsevents.VFSevents
  • List processes filtering filesystem events (surveillance/rootkit technique).

SECTION 11 — STRING & ARTIFACT HUNTING 13 plugins

windows.clipboard (Vol2/community; not core Vol3)

Vol3Windows
vol3 -f mem.raw windows.clipboard
# Verify first: vol -h | grep -i clipboard
  • Marked as not official core Vol3 in current docs. Keep Vol2 clipboard for Volatility 2, or use a community plugin if your Vol3 installation provides it.
  • Always verify with vol -h before using this command.

windows.strings.Strings

Vol3Windows
vol3 -f mem.raw windows.strings.Strings
  • Match physical memory offsets to virtual addresses for strings analysis.

windows.vadregexscan.VadRegExScan

Vol3Windows
vol3 -f mem.raw windows.vadregexscan.VadRegExScan --pattern "flag\{" --pid <PID>
  • Scan VAD memory regions with regex. Directly hunt flags/patterns in process memory.

regexscan.RegExScan

Vol3Windows
vol3 -f mem.raw regexscan.RegExScan --pattern "flag\{"
  • Scan entire kernel memory with regex pattern. Broadest string hunt.

windows.windows.Windows

Vol3Windows
vol3 -f mem.raw windows.windows.Windows
  • Enumerate visible Desktop window elements.

windows.desktops.Desktops

Vol3Windows
vol3 -f mem.raw windows.desktops.Desktops
  • Enumerate Desktop instances of each Window Station.

windows.deskscan.DeskScan

Vol3Windows
vol3 -f mem.raw windows.deskscan.DeskScan
  • Scan for Desktop instances.

linux.bash.Bash

Vol3Linux
vol3 -f mem.raw linux.bash.Bash
  • Vol3 bash history recovery.

linux.vmaregexscan.VmaRegExScan

Vol3Linux
vol3 -f mem.raw linux.vmaregexscan.VmaRegExScan --pattern "flag\{" --pid <PID>
  • Scan Linux VMA regions with regex. Hunt flags/secrets in process memory.

linux.graphics.fbdev.Fbdev

Vol3Linux
vol3 -f mem.raw -o ./output/ linux.graphics.fbdev.Fbdev --dump
  • Extract Linux framebuffer content. Screenshot equivalent for Linux systems.

linux.kmsg.Kmsg

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3Linux
vol3 -f mem.raw linux.kmsg.Kmsg
  • Read kernel ring buffer log (like dmesg). Find kernel messages/errors.

mac.bash.Bash

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3macOS
vol3 -f mem.raw mac.bash.Bash
  • Vol3 Mac bash history recovery.

mac.dmesg.Dmesg

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3macOS
vol3 -f mem.raw mac.dmesg.Dmesg
  • Print Mac kernel log buffer.

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD) 5 plugins

windows.vadinfo

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD)

Vol3Windows
vol3 -f mem.raw windows.vadinfo --pid <PID>
vol3 -f mem.raw -o ./output/ windows.vadinfo --pid <PID> --dump
  • List the VAD tree entries of a process: start/end address, pool tag, protection, private/commit flags and backing file. Executable regions with no backing file are the leads malfind follows up on; --dump writes every listed region to the -o directory, which is large, so narrow it with --address <START> for one region.

windows.vadwalk

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD)

Vol3Windows
vol3 -f mem.raw windows.vadwalk --pid <PID>
  • Walk the VAD tree structurally: node offset, parent, left/right child, start/end and tag. Use it when you need the tree layout itself rather than the per-region attributes vadinfo gives.

windows.memmap.Memmap / windows.vadinfo

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD)

Vol3Windows
vol3 -f mem.raw -o ./output/ windows.memmap.Memmap --pid <PID> --dump
vol3 -f mem.raw windows.vadinfo --pid <PID>
  • Both are core Vol3 plugins. memmap --dump writes the pages of the process address space that are resident in the image to a single pid.<PID>.dmp file in the -o directory; vadinfo/vadwalk describe the VAD regions those pages belong to.
  • A memmap dump is a flat concatenation of pages, not a PE and not contiguous in virtual memory. For a runnable executable use windows.pedump.PEDump with the module base, or windows.dumpfiles for the cached file.

windows.virtmap.VirtMap

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD)

Vol3Windows
vol3 -f mem.raw windows.virtmap.VirtMap
  • List virtual mapped sections in memory.

windows.memmap.Memmap

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD)

Vol3Windows
vol3 -f mem.raw windows.memmap.Memmap --pid <PID>
  • Print the virtual-to-physical page mapping of a process (virtual address, physical offset, size, offset in the dump file). Add -o ./output/ --dump to write the pages out.

SECTION 13 — SERVICES, MFT, POOLS & MISC 16 plugins

windows.svcscan

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.svcscan
  • Scan services.exe memory for service records: order, PID, name, display name, type, state, start type and binary path. Catches services a rootkit unlinked from the list that svclist walks; compare the two with windows.malware.svcdiff.SvcDiff.

windows.svclist.SvcList

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.svclist.SvcList
  • List services from services.exe doubly linked list.

windows.mftscan.MFTScan

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.mftscan.MFTScan
  • Vol3 MFT parser.

windows.mbrscan.MBRScan

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.mbrscan.MBRScan
  • Vol3 MBR scanner for bootkit detection.

windows.bigpools.BigPools

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.bigpools.BigPools
  • Vol3 big page pool scanner.

windows.poolscanner.PoolScanner

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.poolscanner.PoolScanner
  • Generic configurable pool scanner.

windows.verinfo.VerInfo

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.verinfo.VerInfo
  • Vol3 PE version info.

windows.scheduled_tasks.ScheduledTasks

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.scheduled_tasks.ScheduledTasks
# Verify first: vol -h | grep -i scheduled
  • Find scheduled tasks (persistence mechanism). In current Vol3 the task decoder lives under the registry namespace as windows.registry.scheduled_tasks.ScheduledTasks; use that name if this one is not listed by vol -h.

windows.truecrypt.Passphrase

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.truecrypt.Passphrase
  • Find TrueCrypt cached passphrase in Windows memory.

windows.debugregisters.DebugRegisters

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.debugregisters.DebugRegisters
  • Show hardware debug registers. Detect hardware breakpoints set by malware.

windows.amcache.Amcache

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.amcache.Amcache
  • Extract AmCache program execution evidence (deprecated — use registry.amcache).

timeliner.Timeliner

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw timeliner.Timeliner
  • Run ALL time-related plugins and order results chronologically.
  • CTF USE: full timeline of system activity in one command.

vmscan.Vmscan

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw vmscan.Vmscan
  • Scan for Intel VT-x VMCS (virtual machine control structure) pages and build memory layers for any guest VMs found. Use it on a host running a hypervisor to reach the memory of nested VMs.

linux.mountinfo.MountInfo

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Linux
vol3 -f mem.raw linux.mountinfo.MountInfo
  • List mount points across all process namespaces.

linux.vmcoreinfo.VMCoreInfo

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Linux
vol3 -f mem.raw linux.vmcoreinfo.VMCoreInfo
  • Enumerate VMCoreInfo tables from Linux crash dump.

linux.tracing.perf_events.PerfEvents

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Linux
vol3 -f mem.raw linux.tracing.perf_events.PerfEvents
  • List performance monitoring events per process.

SECTION 16 — RARE / SPECIALIZED COMMANDS 2 plugins

linux.malware.hidden_modules.Hidden_modules

SECTION 16 — RARE / SPECIALIZED COMMANDS

Vol3Linux
vol3 -f mem.raw linux.malware.hidden_modules.Hidden_modules
  • Carve memory to find hidden kernel modules (alternate method).

mac.proc_maps.Maps

SECTION 16 — RARE / SPECIALIZED COMMANDS

Vol3macOS
vol3 -f mem.raw mac.proc_maps.Maps
  • List Mac process memory ranges.

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET) 31 plugins

windows.cachedump

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.cachedump
  • Dump cached domain credentials (MSCacheV2/DCC2 hashes). Old plugin path; the current core name is windows.registry.cachedump.Cachedump. Crack with hashcat mode 2100, feeding lines in the form $DCC2$<iterations>#<username>#<hash>.

windows.registry.cachedump

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.registry.cachedump
  • Extract cached domain logon credentials from registry.

windows.registry.hashdump

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.registry.hashdump
  • Extract NTLM hashes directly from registry SAM/SYSTEM hives.

windows.registry.lsadump

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.registry.lsadump
  • Extract LSA secrets from registry. Service passwords, auto-logon creds.

windows.direct_system_calls

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.direct_system_calls
  • Detect direct syscall usage in processes bypassing ntdll.dll (EDR bypass). Old path; the current core name is windows.malware.direct_system_calls.

windows.indirect_system_calls

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.indirect_system_calls
  • Detect indirect syscall techniques used by malware. Old path; the current core name is windows.malware.indirect_system_calls.

windows.malware.indirect_system_calls

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.malware.indirect_system_calls
  • Updated indirect syscall detector focused on malware patterns.

windows.drivermodule

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.drivermodule
  • Associate driver objects to kernel modules (deprecated — use malware version).

windows.hollowprocesses

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.hollowprocesses
  • List hollowed processes (deprecated — use malware.hollowprocesses).

windows.processghosting

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.processghosting
  • Ghost process detector (deprecated — use malware.processghosting).

windows.psxview

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.psxview
  • Cross-reference process lists (deprecated — use malware.psxview.PsXView).

windows.skeleton_key_check

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.skeleton_key_check
  • Skeleton Key malware detector (deprecated — use malware.skeleton_key_check).

windows.suspicious_threads

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.suspicious_threads
  • Suspicious thread lister (deprecated — use malware.suspicious_threads).

windows.svcdiff

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.svcdiff
  • Service diff (deprecated — use malware.svcdiff).

windows.unhooked_system_calls

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.unhooked_system_calls
  • Hooked syscall detector (deprecated — use malware.unhooked_system_calls).

windows.vadyarascan

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.vadyarascan --yara-rules /path/to/rules.yar
  • Scan process VAD regions with YARA rules. Hunt specific malware signatures.

windows.windowstations

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.windowstations
  • Scan for top-level Window Station objects in memory.

linux.check_afinfo

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.check_afinfo
  • Verify network protocol function pointers for hooks (deprecated — use malware version).

linux.check_creds

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.check_creds
  • Check shared credential structures (deprecated — use malware version).

linux.check_idt

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.check_idt
  • Check IDT for hooks (deprecated — use malware version).

linux.check_modules

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.check_modules
  • Find hidden kernel modules (deprecated — use malware version).

linux.check_syscall

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.check_syscall
  • Check syscall table for hooks (deprecated — use malware version).

linux.hidden_modules

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.hidden_modules
  • Carve memory for hidden kernel modules (deprecated — use malware version).

linux.keyboard_notifiers

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.keyboard_notifiers
  • Parse keyboard notifier chain (deprecated — use malware version).

linux.malfind

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.malfind
  • Find injected code in Linux (deprecated — use malware.malfind).

linux.modxview

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.modxview
  • Module cross-view (deprecated — use malware.modxview).

linux.netfilter

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.netfilter
  • List Netfilter hooks (deprecated — use malware.netfilter).

linux.tty_check

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.tty_check
  • Check TTY hooks (deprecated — use malware.tty_check).

linux.vmayarascan

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.vmayarascan --yara-rules /path/to/rules.yar
  • Scan Linux VMA regions with YARA rules. Hunt specific malware signatures.

configwriter.ConfigWriter

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Common
vol3 -f mem.raw configwriter.ConfigWriter
  • Run automagics and output full configuration JSON. Debug/inspect Vol3 config.

yarascan

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Common
vol3 -f mem.raw yarascan --yara-rules /path/to/rules.yar
  • Scan entire memory with YARA rules. Broadest signature-based malware hunt.
  • CTF USE: if you have YARA rules for specific malware, run this first.

SECTION 1 — IDENTIFY PROFILE / IMAGE INFO 2 plugins

windows.info

SECTION 1 — IDENTIFY PROFILE / IMAGE INFO

Vol3Windows
vol3 -f mem.raw windows.info
  • Show Windows OS version, build number, architecture, kernel base. First step for Win dumps.

windows.crashinfo

SECTION 1 — IDENTIFY PROFILE / IMAGE INFO

Vol3Windows
vol3 -f mem.raw windows.crashinfo
  • Show crash dump metadata: date, uptime, crash reason, bugcheck code.

SECTION 2 — PROCESS ANALYSIS 12 plugins

windows.pslist

SECTION 2 — PROCESS ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.pslist
vol3 -f mem.raw -o ./output/ windows.pslist --pid <PID> --dump
  • Walk the EPROCESS ActiveProcessLinks list. Fast and the baseline for everything else, but a process unlinked by DKOM does not appear, so diff against windows.psscan. --dump writes each listed process image to the -o directory.

windows.pstree

SECTION 2 — PROCESS ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.pstree
  • Vol3 process tree view.

windows.psscan

SECTION 2 — PROCESS ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.psscan
  • Vol3 deep EPROCESS scan — finds hidden/terminated processes.

windows.malware.psxview.PsXView

SECTION 2 — PROCESS ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.malware.psxview.PsXView
  • Vol3 psxview: cross-reference several independent process enumeration methods (ActiveProcessLinks walk, EPROCESS pool scan, thread scan, csrss handle table, PspCid table, session process list) in one table. A live process that is False in the list walk but True in the scanners is the hidden-process signal; a terminated process is legitimately absent from the list walk.
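The psxview logic is easy to reproduce from the plain listings, which is useful when you want to diff against extra sources or automate triage of many images. The script below is an added example for this cheatsheet (not Volatility code): it merges `windows.pslist`, `windows.psscan` and `windows.thrdscan` output produced with the JSON renderer and reports PIDs that a scanner sees but the list walk does not, discounting terminated processes. It assumes the row keys follow the plugin column headers (`PID`, `ImageFileName`, `ExitTime`, `__children`); check them against your build. The rows embedded in it are constructed, not output from a real image.

```python
"""Cross-view of Volatility 3 process listings in the spirit of psxview.

Added example for this cheatsheet; not Volatility code. Assumed inputs:
    vol3 -f mem.raw -r json windows.pslist   > pslist.json
    vol3 -f mem.raw -r json windows.psscan   > psscan.json
    vol3 -f mem.raw -r json windows.thrdscan > thrdscan.json
with row keys named after the plugin columns. The rows below are constructed.
"""
import json
from typing import Dict, Iterable, List

PSLIST_JSON = """[
  {"PID": 4,    "PPID": 0,   "ImageFileName": "System",      "ExitTime": null, "__children": []},
  {"PID": 1234, "PPID": 600, "ImageFileName": "svchost.exe", "ExitTime": null, "__children": []}
]"""

PSSCAN_JSON = """[
  {"PID": 4,    "PPID": 0,    "ImageFileName": "System",      "ExitTime": null, "__children": []},
  {"PID": 1234, "PPID": 600,  "ImageFileName": "svchost.exe", "ExitTime": null, "__children": []},
  {"PID": 2222, "PPID": 1234, "ImageFileName": "notepad.exe",
   "ExitTime": "2024-05-01 10:22:07.000000 ", "__children": []},
  {"PID": 4444, "PPID": 1234, "ImageFileName": "evil.exe",    "ExitTime": null, "__children": []}
]"""

THRDSCAN_JSON = """[
  {"PID": 4,    "TID": 8,    "__children": []},
  {"PID": 1234, "TID": 1240, "__children": []},
  {"PID": 4444, "TID": 4450, "__children": []},
  {"PID": 4444, "TID": 4452, "__children": []}
]"""


def flatten(rows: Iterable[dict]) -> Iterable[dict]:
    """Yield every row, descending into "__children" (tree-shaped renderers nest rows)."""
    for row in rows:
        yield row
        yield from flatten(row.get("__children", []))


def load(text: str) -> List[dict]:
    return list(flatten(json.loads(text)))


def has_exited(row: dict) -> bool:
    """A live process carries an empty or placeholder ExitTime."""
    return row.get("ExitTime") not in (None, "", "-", "N/A")


def cross_view(pslist: List[dict], psscan: List[dict], thrdscan: List[dict]) -> Dict[int, dict]:
    """Merge the three sources into {pid: {name, pslist, psscan, thrdscan, exited}}."""
    view: Dict[int, dict] = {}

    def entry(pid: int) -> dict:
        return view.setdefault(pid, {"name": None, "pslist": False, "psscan": False,
                                     "thrdscan": False, "exited": False})

    for row in pslist:
        e = entry(row["PID"])
        e["pslist"], e["name"] = True, row.get("ImageFileName")
        e["exited"] = e["exited"] or has_exited(row)
    for row in psscan:
        e = entry(row["PID"])
        e["psscan"], e["name"] = True, e["name"] or row.get("ImageFileName")
        e["exited"] = e["exited"] or has_exited(row)
    for row in thrdscan:
        entry(row["PID"])["thrdscan"] = True      # at least one ETHREAD names this PID
    return view


def hidden_processes(view: Dict[int, dict]) -> List[int]:
    """PIDs a scanner sees but the linked-list walk does not, minus terminated
    processes, whose EPROCESS legitimately lingers after being unlinked."""
    return sorted(pid for pid, e in view.items()
                  if not e["pslist"] and (e["psscan"] or e["thrdscan"]) and not e["exited"])


if __name__ == "__main__":
    view = cross_view(load(PSLIST_JSON), load(PSSCAN_JSON), load(THRDSCAN_JSON))
    print(f"{'PID':>6} {'Name':<14} pslist psscan thrdscan exited")
    for pid, e in sorted(view.items()):
        print(f"{pid:>6} {str(e['name']):<14} {e['pslist']!s:<6} {e['psscan']!s:<6} "
              f"{e['thrdscan']!s:<8} {e['exited']}")
    print("hidden candidates:", hidden_processes(view))
```

Replace the embedded strings with the three JSON files to run it on a real image; the thrdscan source matters because a DKOM rootkit that unlinks its EPROCESS rarely bothers to hide every ETHREAD.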

windows.malware.pebmasquerade.PebMasquerade

SECTION 2 — PROCESS ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.malware.pebmasquerade.PebMasquerade
  • Detect process name spoofing: EPROCESS name vs PEB name mismatch. Malware hides this way.

windows.malware.processghosting.ProcessGhosting

SECTION 2 — PROCESS ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.malware.processghosting.ProcessGhosting
  • Detect process ghosting: the image file was put into a delete-pending (or truncated) state before the process's image section was created, so the process runs with no readable backing file on disk. The plugin flags processes whose image FILE_OBJECT is marked DeletePending or has null section object pointers.

windows.sessions.Sessions

SECTION 2 — PROCESS ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.sessions.Sessions
  • List processes with session/logon info from environment variables.

windows.joblinks.JobLinks

SECTION 2 — PROCESS ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.joblinks.JobLinks
  • Show process job link info. Useful for sandbox/container detection.

windows.thrdscan.ThrdScan

SECTION 2 — PROCESS ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.thrdscan.ThrdScan
  • Scan for thread objects in memory pool.

windows.threads.Threads

SECTION 2 — PROCESS ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.threads
  • List process threads with details.

windows.orphan_kernel_threads.Threads

SECTION 2 — PROCESS ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.orphan_kernel_threads.Threads
  • Find kernel (System) threads whose start address falls outside every loaded kernel module. A rootkit that loads a driver, spawns worker threads and then unloads or hides the driver leaves exactly this trace.

windows.suspended_threads.SuspendedThreads

SECTION 2 — PROCESS ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.suspended_threads.SuspendedThreads
  • List suspended threads. Malware suspends threads during injection.

SECTION 3 — DLL & MODULE ANALYSIS 11 plugins

windows.dlllist

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.dlllist
vol3 -f mem.raw windows.dlllist --pid <PID>
vol3 -f mem.raw -o ./output/ windows.dlllist --pid <PID> --dump
  • Walk each process's PEB load-order module list: base, size, name, path and load time of every DLL; --dump writes the DLLs out. It relies on the PEB, so an unlinked or manually mapped module is missing here; cross-check with windows.ldrmodules.LdrModules.

windows.ldrmodules.LdrModules

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.ldrmodules.LdrModules
  • Vol3 DLL load order cross-check.

windows.malware.ldrmodules.LdrModules

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.malware.ldrmodules.LdrModules
  • Updated ldrmodules focused on malware detection.

windows.modules

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.modules
  • Vol3 kernel module list.

windows.modscan

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.modscan
  • Vol3 deep kernel module scan.

windows.driverscan

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.driverscan
  • Scan memory for driver objects. Finds hidden drivers.

windows.unloadedmodules

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.unloadedmodules
  • Vol3 unloaded module list.

windows.malware.drivermodule.DriverModule

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.malware.drivermodule.DriverModule
  • Find drivers hidden by rootkit (not in normal module list).

windows.iat.IAT

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.iat.IAT --pid <PID>
  • Extract Import Address Table: see what API functions a process uses. Spot suspicious imports.

windows.pe_symbols.PESymbols

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.pe_symbols.PESymbols
# Verify options first: vol3 windows.pe_symbols.PESymbols -h
  • Resolve symbols (exported function names and their addresses) of PE files mapped in process or kernel memory. Selection is by module and symbol name rather than by PID; check -h for the exact option names on your build.

windows.devicetree.DeviceTree

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Windows
vol3 -f mem.raw windows.devicetree.DeviceTree
  • Show driver + attached device tree. Find malicious device stacks.

SECTION 4 — HANDLES & OPEN FILES 4 plugins

windows.handles

SECTION 4 — HANDLES & OPEN FILES

Vol3Windows
vol3 -f mem.raw windows.handles --pid <PID>
  • List the handle table of a process: object type (File, Key, Mutant, Process, Thread, Section, Event ...), granted access and object name. Filter on the type column to answer "which process has this file open" or "who holds this mutex"; a handle to another process with full access is a classic injection precursor.

windows.filescan

SECTION 4 — HANDLES & OPEN FILES

Vol3Windows
vol3 -f mem.raw windows.filescan
  • Vol3 file object scanner.

windows.mutantscan

SECTION 4 — HANDLES & OPEN FILES

Vol3Windows
vol3 -f mem.raw windows.mutantscan
  • Vol3 mutex scanner.

windows.symlinkscan

SECTION 4 — HANDLES & OPEN FILES

Vol3Windows
vol3 -f mem.raw windows.symlinkscan
  • Vol3 symlink scanner.

SECTION 5 — NETWORK CONNECTIONS 2 plugins

windows.netscan

SECTION 5 — NETWORK CONNECTIONS

Vol3Windows
vol3 -f mem.raw windows.netscan
  • Vol3 network object scanner.

windows.netstat

SECTION 5 — NETWORK CONNECTIONS

Vol3Windows
vol3 -f mem.raw windows.netstat
  • Vol3 netstat-style output — traverses network tracking structures directly.

SECTION 6 — REGISTRY (WINDOWS ONLY) 11 plugins

windows.registry.hivelist

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol3Windows
vol3 -f mem.raw windows.registry.hivelist
  • Vol3 registry hive list.

windows.registry.hivescan

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol3Windows
vol3 -f mem.raw windows.registry.hivescan
  • Vol3 registry hive scanner (finds more hives).

windows.registry.printkey

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol3Windows
vol3 -f mem.raw windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  • Vol3 registry key printer.

windows.registry.userassist

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol3Windows
vol3 -f mem.raw windows.registry.userassist
  • Show recently executed programs from UserAssist registry keys.

windows.registry.amcache.Amcache

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol3Windows
vol3 -f mem.raw windows.registry.amcache.Amcache
  • Extract executed app info from AmCache registry hive.

windows.registry.certificates.Certificates

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol3Windows
vol3 -f mem.raw windows.registry.certificates.Certificates
  • List certificates from registry Certificate Store. Find rogue certs.

windows.registry.scheduled_tasks.ScheduledTasks

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol3Windows
vol3 -f mem.raw windows.registry.scheduled_tasks.ScheduledTasks
  • Decode scheduled tasks from registry: triggers, actions, run times.

windows.registry.getcellroutine.GetCellRoutine

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol3Windows
vol3 -f mem.raw windows.registry.getcellroutine.GetCellRoutine
  • Find registry hives with hooked GetCellRoutine handler (rootkit sign).

windows.hashdump

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol3Windows
vol3 -f mem.raw windows.hashdump
  • Vol3 NTLM hash extractor (old path; the current core name is windows.registry.hashdump.Hashdump). Needs the SAM and SYSTEM hives to be resident in the image.

windows.lsadump

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol3Windows
vol3 -f mem.raw windows.lsadump
  • Vol3 LSA secrets dumper (old path; the current core name is windows.registry.lsadump.Lsadump). Needs the SECURITY and SYSTEM hives.

windows.shimcachemem.ShimcacheMem

SECTION 6 — REGISTRY (WINDOWS ONLY)

Vol3Windows
vol3 -f mem.raw windows.shimcachemem.ShimcacheMem
  • Read Shimcache entries from ahcache.sys AVL tree.

SECTION 7 — MEMORY DUMP / EXTRACTION 5 plugins

windows.memmap.Memmap

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol3Windows
vol3 -f mem.raw -o ./output/ windows.memmap.Memmap --pid <PID> --dump
  • The Vol3 way to dump a process address space: writes the resident pages to pid.<PID>.dmp in the -o directory. windows.memmap.Memmap is a core plugin; it is Vol2's procdump/memdump that have no same-named Vol3 counterpart.
  • The file is a flat concatenation of pages, not a PE. Run strings or YARA over it, or use windows.pedump.PEDump to rebuild an executable from a known base.

windows.dumpfiles / windows.pedump.PEDump

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol3Windows
vol3 -f mem.raw -o ./output/ windows.dumpfiles --pid <PID>
vol3 -f mem.raw -o ./output/ windows.pedump.PEDump --pid <PID> --base <BASE_ADDR>
  • Both are core Vol3 plugins. windows.dumpfiles extracts the cached contents of files the process has mapped or open (its executable and DLLs included); windows.pedump.PEDump rebuilds a PE from a known base address, which you take from windows.dlllist or windows.modules.
  • They answer different questions: dumpfiles gives you what the file cache holds, pedump gives you the in-memory image including any runtime patching or unpacking.

windows.dumpfiles

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol3Windows
vol3 -f mem.raw -o ./output/ windows.dumpfiles --virtaddr <ADDR>
vol3 -f mem.raw -o ./output/ windows.dumpfiles --physaddr <ADDR>
  • Extract a file's cached pages from a FILE_OBJECT: --physaddr takes the Offset column of windows.filescan, --virtaddr takes a FILE_OBJECT virtual address (for example from windows.handles). Output goes to the -o directory; expect up to two copies of the same file, one from the DataSectionObject and one from the ImageSectionObject.

windows.pedump.PEDump

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol3Windows
vol3 -f mem.raw windows.pedump.PEDump --pid <PID> --base <BASE_ADDR>
  • Dump PE file from specific virtual address in process memory.

layerwriter.LayerWriter

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol3Windows
vol3 -f mem.raw -o ./output/ layerwriter.LayerWriter
  • Write the primary memory layer out as a raw file in the -o directory (Vol3 has no --dump-dir option). Use --list to see the available layers and --layers <NAME> to pick one, for example to flatten a VMware snapshot or crash dump into a raw image other tools can read.

SECTION 8 — CODE INJECTION DETECTION 11 plugins

windows.malfind

SECTION 8 — CODE INJECTION DETECTION

Vol3Windows
vol3 -f mem.raw windows.malfind
vol3 -f mem.raw windows.malfind --pid <PID>
vol3 -f mem.raw -o ./output/ windows.malfind --pid <PID> --dump
  • Flag VAD regions that are writable and executable and either private (VadS) or not the PAGE_EXECUTE_WRITECOPY mapping a normally loaded image gets, then disassemble their first bytes. Shellcode and reflectively loaded PEs (an MZ at the start of the region) live here; JIT engines in browsers and .NET produce benign hits, so treat the output as a lead list. --dump writes each flagged region.
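The region filter malfind applies can be run by hand over vadinfo output, which is handy when you want to rank hits (is there a PE header, is the region still all zeros) or apply it to a process malfind skipped. The script below is an added example for this cheatsheet (not Volatility code): it takes rows shaped like `windows.vadinfo` JSON output and applies the writable+executable rule described above, with an optional lookup of each region's leading bytes such as `windows.vadinfo --dump` would write. The key names (`Start VPN`, `End VPN`, `Protection`, `PrivateMemory`, `Tag`, `File`), the addresses and the byte samples are all constructed for the example; verify the column names against your build.

```python
"""The VAD heuristic behind windows.malfind, run over vadinfo-style rows.

Added example for this cheatsheet, not Volatility code. The rows mirror
`vol3 -r json windows.vadinfo --pid <PID>` output under assumed key names;
every value below is constructed.
"""
from typing import Dict, List, Optional

VADS = [  # constructed sample rows
    {"PID": 1234, "Process": "svchost.exe", "Start VPN": 0x7FF6A0000000, "End VPN": 0x7FF6A0034FFF,
     "Tag": "Vad ", "Protection": "PAGE_EXECUTE_WRITECOPY", "PrivateMemory": 0,
     "File": "\\Windows\\System32\\svchost.exe"},                                  # the image: benign
    {"PID": 1234, "Process": "svchost.exe", "Start VPN": 0x1E0C0000000, "End VPN": 0x1E0C003FFFF,
     "Tag": "VadS", "Protection": "PAGE_READWRITE", "PrivateMemory": 1, "File": None},        # heap
    {"PID": 1234, "Process": "svchost.exe", "Start VPN": 0x1E0C1000000, "End VPN": 0x1E0C1004FFF,
     "Tag": "VadS", "Protection": "PAGE_EXECUTE_READWRITE", "PrivateMemory": 1, "File": None},  # RWX private
    {"PID": 1234, "Process": "svchost.exe", "Start VPN": 0x1E0C2000000, "End VPN": 0x1E0C200FFFF,
     "Tag": "Vad ", "Protection": "PAGE_EXECUTE_READWRITE", "PrivateMemory": 0, "File": None},  # RWX section
]

# Leading bytes of two regions, as a region dump would contain them (constructed).
FIRST_BYTES = {
    0x1E0C1000000: b"MZ\x90\x00\x03\x00\x00\x00",        # PE header: reflectively loaded DLL
    0x1E0C2000000: b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00",  # typical x64 shellcode prologue
}


def is_write_exec(protection: str) -> bool:
    return "EXECUTE" in protection and "WRITE" in protection


def is_injection_candidate(vad: dict) -> bool:
    """Writable+executable, and either private VadS memory or a mapping whose
    protection is not the WRITECOPY a normally loaded image gets."""
    prot = vad.get("Protection") or ""
    if not is_write_exec(prot):
        return False
    if vad.get("PrivateMemory") == 1:
        return vad.get("Tag") == "VadS"
    return prot != "PAGE_EXECUTE_WRITECOPY"


def find_candidates(vads: List[dict], first_bytes: Optional[Dict[int, bytes]] = None) -> List[dict]:
    """Return the flagged regions, annotated with what their first bytes reveal."""
    hits = []
    for vad in vads:
        if not is_injection_candidate(vad):
            continue
        start, end = vad["Start VPN"], vad["End VPN"]
        head = (first_bytes or {}).get(start, b"")
        hits.append({
            "pid": vad["PID"], "process": vad["Process"], "start": start,
            "size": end - start + 1, "protection": vad["Protection"],
            "private": vad.get("PrivateMemory") == 1,
            "pe_header": head.startswith(b"MZ"),                 # injected PE rather than raw shellcode
            "all_zero": bool(head) and not head.strip(b"\x00"),  # reserved but never written: low priority
        })
    return hits


if __name__ == "__main__":
    for h in find_candidates(VADS, FIRST_BYTES):
        print(f"PID {h['pid']} {h['process']} 0x{h['start']:x} size=0x{h['size']:x} "
              f"{h['protection']} private={h['private']} pe={h['pe_header']} zero={h['all_zero']}")
```

On a real case feed it `vol3 -r json windows.vadinfo --pid <PID>` and, for the byte check, the region files that `--dump` writes; a hit with a PE header is worth a pedump, a hit that is all zeros usually is not.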

windows.malware.malfind.Malfind

SECTION 8 — CODE INJECTION DETECTION

Vol3Windows
vol3 -f mem.raw windows.malware.malfind.Malfind
  • Updated malfind with improved shellcode/injection detection.

windows.malware.hollowprocesses.HollowProcesses

SECTION 8 — CODE INJECTION DETECTION

Vol3Windows
vol3 -f mem.raw windows.malware.hollowprocesses.HollowProcesses
  • Vol3 process hollowing detector.

windows.cmdline

SECTION 8 — CODE INJECTION DETECTION

Vol3Windows
vol3 -f mem.raw windows.cmdline
  • Vol3 process command line args.

windows.cmdscan

SECTION 8 — CODE INJECTION DETECTION

Vol3Windows
vol3 -f mem.raw windows.cmdscan
  • Vol3 command history scanner.

windows.consoles

SECTION 8 — CODE INJECTION DETECTION

Vol3Windows
vol3 -f mem.raw windows.consoles
  • Vol3 console I/O recovery.

windows.malware.suspicious_threads.SuspiciousThreads

SECTION 8 — CODE INJECTION DETECTION

Vol3Windows
vol3 -f mem.raw windows.malware.suspicious_threads.SuspiciousThreads
  • Find suspicious userland threads: injected thread indicators.

windows.malware.skeleton_key_check.Skeleton_Key_Check

SECTION 8 — CODE INJECTION DETECTION

Vol3Windows
vol3 -f mem.raw windows.malware.skeleton_key_check.Skeleton_Key_Check
  • Detect Skeleton Key malware: LSASS patch to bypass all domain authentication.

windows.etwpatch.EtwPatch

SECTION 8 — CODE INJECTION DETECTION

Vol3Windows
vol3 -f mem.raw windows.etwpatch.EtwPatch
  • Detect ETW (Event Tracing) patching by malware to blind security tools.

windows.malware.unhooked_system_calls.UnhookedSystemCalls

SECTION 8 — CODE INJECTION DETECTION

Vol3Windows
vol3 -f mem.raw windows.malware.unhooked_system_calls.UnhookedSystemCalls
  • Compare the Nt* syscall stubs of ntdll.dll across processes and report the ones whose stub bytes differ from the rest. Catches a process that restored clean stubs to evade EDR user-mode hooks, and equally a process that carries an inline hook nobody else has.

windows.malware.direct_system_calls

SECTION 8 — CODE INJECTION DETECTION

Vol3Windows
vol3 -f mem.raw windows.malware.direct_system_calls
  • Detect direct syscall usage bypassing ntdll.dll entirely.

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS 6 plugins

windows.envars

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3Windows
vol3 -f mem.raw windows.envars --pid <PID>
  • Print the environment block of each process: PATH, COMSPEC, TEMP, USERNAME, proxy settings and anything a loader or malware set. Odd values (a PATH entry in a user temp directory, a COMSPEC that is not cmd.exe) point at DLL search-order or command hijacking.

windows.getsids.GetSIDs

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3Windows
vol3 -f mem.raw windows.getsids.GetSIDs
  • Vol3 SID lister. Show SIDs owning each process.

windows.getservicesids.GetServiceSIDs

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3Windows
vol3 -f mem.raw windows.getservicesids.GetServiceSIDs
  • Vol3 service SID mapper.

windows.privileges.Privs

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3Windows
vol3 -f mem.raw windows.privileges.Privs --pid <PID>
  • Vol3 process privilege lister.

windows.statistics.Statistics

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3Windows
vol3 -f mem.raw windows.statistics.Statistics
# Verify first: vol -h | grep -i statistics
  • Count valid, invalid and swapped pages across the primary layer. A sanity check on the image rather than a forensic artifact: a very high share of invalid pages points at a bad acquisition or the wrong symbol table.
  • Listed with the windows plugins in the Vol3 docs; confirm on your build with vol -h, and use frameworkinfo.FrameworkInfo if you need to see which plugins and layers your install loads.

windows.kpcrs.KPCRs

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3Windows
vol3 -f mem.raw windows.kpcrs.KPCRs
  • Print KPCR (Kernel Processor Control Region) for each CPU.

SECTION 10 — KERNEL & HOOKS 6 plugins

windows.ssdt

SECTION 10 — KERNEL & HOOKS

Vol3Windows
vol3 -f mem.raw windows.ssdt
  • List the System Service Descriptor Table: service index, routine address and the module it resolves to. Entries should land in ntoskrnl.exe (win32k.sys for the shadow table); an entry resolving to an unknown or third-party module is a syscall hook. PatchGuard makes these rare on x64, which is exactly why a hit is decisive.

windows.driverirp

SECTION 10 — KERNEL & HOOKS

Vol3Windows
vol3 -f mem.raw windows.driverirp
  • List every driver's IRP major-function dispatch handlers (IRP_MJ_CREATE, IRP_MJ_DEVICE_CONTROL ...) and the module each handler address falls in. A handler outside the driver's own module is an IRP hook; handlers in ntoskrnl.exe are normally the default IopInvalidDeviceRequest and are benign.

windows.callbacks

SECTION 10 — KERNEL & HOOKS

Vol3Windows
vol3 -f mem.raw windows.callbacks
  • List kernel notification callbacks: process/thread/image-load creation notify routines, registry callbacks, bugcheck and shutdown callbacks, with the module owning each. EDR and AV register these legitimately; a callback owned by an unknown module or an unnamed region is the lead.
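ssdt, driverirp and callbacks all end with the same step: look each routine address up in the loaded-module ranges and treat a miss (or, for an IRP table, a hit in a module other than the driver itself) as the anomaly. The script below is an added example for this cheatsheet (not Volatility code) that implements that lookup with a sorted range table and applies both rules to constructed pointer tables in the shape of windows.callbacks and windows.driverirp rows. The module list mirrors `windows.modules` output under assumed key names (`Base`, `Size`, `Name`); every address is made up, including the one that resolves to no module.

```python
"""Resolve kernel pointers to the module that owns them.

Added example for this cheatsheet, not Volatility code. MODULES mirrors rows of
`vol3 -r json windows.modules` (assumed keys "Base", "Size", "Name"); the
pointer tables are constructed in the shape of callbacks/driverirp rows.
"""
import bisect
from typing import Iterable, List, Optional, Tuple

MODULES = [  # constructed sample, not a real module list
    {"Base": 0xFFFFF80001000000, "Size": 0x780000, "Name": "ntoskrnl.exe"},
    {"Base": 0xFFFFF96000010000, "Size": 0x300000, "Name": "win32k.sys"},
    {"Base": 0xFFFFF88001800000, "Size": 0x200000, "Name": "tcpip.sys"},
]

CALLBACKS = [  # (callback type, routine address), constructed
    ("PsSetCreateProcessNotifyRoutine", 0xFFFFF80001234560),
    ("PsSetCreateProcessNotifyRoutine", 0xFFFFF88005A01000),   # nothing loaded here: hidden/unloaded driver
    ("PsSetLoadImageNotifyRoutine",     0xFFFFF96000020000),
]
TCPIP_IRPS = [  # (IRP major function, handler address) for tcpip.sys, constructed
    ("IRP_MJ_CREATE",         0xFFFFF88001850000),
    ("IRP_MJ_DEVICE_CONTROL", 0xFFFFF80001234560),   # kernel default handler: benign
    ("IRP_MJ_READ",           0xFFFFF88005A01000),   # unknown module
    ("IRP_MJ_WRITE",          0xFFFFF96000020000),   # a loaded module, but not tcpip.sys: IRP hook
]


class ModuleMap:
    """Sorted (base, end, name) ranges with O(log n) address lookup."""

    def __init__(self, modules: Iterable[dict]):
        self._ranges = sorted((m["Base"], m["Base"] + m["Size"], m["Name"]) for m in modules)
        self._bases = [r[0] for r in self._ranges]

    def resolve(self, addr: int) -> Optional[str]:
        i = bisect.bisect_right(self._bases, addr) - 1   # last module whose base <= addr
        if i < 0:
            return None
        base, end, name = self._ranges[i]
        return name if base <= addr < end else None      # end is exclusive


def audit(entries: List[Tuple[str, int]], modmap: ModuleMap,
          owner: Optional[str] = None) -> List[Tuple[str, int, Optional[str], str]]:
    """Classify each (label, address). With owner set (driverirp style) a handler must
    live in that driver or in ntoskrnl.exe, which supplies the default
    IopInvalidDeviceRequest; without it (callbacks/ssdt style) any loaded module
    is accepted and only unresolvable addresses are flagged."""
    report = []
    for label, addr in entries:
        mod = modmap.resolve(addr)
        if mod is None:
            verdict = "UNKNOWN_MODULE"
        elif owner and mod not in (owner, "ntoskrnl.exe"):
            verdict = f"OUTSIDE_{owner}"
        else:
            verdict = "ok"
        report.append((label, addr, mod, verdict))
    return report


def flagged(report: List[Tuple[str, int, Optional[str], str]]) -> List[str]:
    return [label for label, _, _, verdict in report if verdict != "ok"]


if __name__ == "__main__":
    mm = ModuleMap(MODULES)
    for label, addr, mod, verdict in audit(CALLBACKS, mm) + audit(TCPIP_IRPS, mm, owner="tcpip.sys"):
        print(f"{label:<32} 0x{addr:016x} {str(mod):<14} {verdict}")
```

The same lookup serves windows.timers.Timers (DPC routine addresses) and windows.orphan_kernel_threads.Threads (thread start addresses); feed it `windows.modscan` instead of `windows.modules` when you suspect the module list itself has been tampered with.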

windows.threads

SECTION 10 — KERNEL & HOOKS

Vol3Windows
vol3 -f mem.raw windows.threads
  • List the threads of every process: TID, start address, creation and exit time. Same plugin as windows.threads.Threads in SECTION 2; here use it to spot threads whose start address lies outside any loaded module before going to windows.malware.suspicious_threads.

windows.timers.Timers

SECTION 10 — KERNEL & HOOKS

Vol3Windows
vol3 -f mem.raw windows.timers.Timers
  • Kernel timers + DPCs. Malware uses for periodic execution.

windows.malware.svcdiff.SvcDiff

SECTION 10 — KERNEL & HOOKS

Vol3Windows
vol3 -f mem.raw windows.malware.svcdiff.SvcDiff
  • Compare list-walking vs pool-scanning for services. Find rootkit-hidden services.

SECTION 11 — STRING & ARTIFACT HUNTING 7 plugins

windows.clipboard (Vol2/community; not core Vol3)

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3Windows
vol3 -f mem.raw windows.clipboard
# Verify first: vol -h | grep -i clipboard
  • Marked as not official core Vol3 in current docs. Keep Vol2 clipboard for Volatility 2, or use a community plugin if your Vol3 installation provides it.
  • Always verify with vol -h before using this command.

windows.strings.Strings

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3Windows
vol3 -f mem.raw windows.strings.Strings
  • Match physical memory offsets to virtual addresses for strings analysis.

windows.vadregexscan.VadRegExScan

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3Windows
vol3 -f mem.raw windows.vadregexscan.VadRegExScan --pattern "flag\{" --pid <PID>
  • Scan VAD memory regions with regex. Directly hunt flags/patterns in process memory.

regexscan.RegExScan

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3Windows
vol3 -f mem.raw regexscan.RegExScan --pattern "flag\{"
  • Scan entire kernel memory with regex pattern. Broadest string hunt.

windows.windows.Windows

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3Windows
vol3 -f mem.raw windows.windows.Windows
  • Enumerate visible Desktop window elements.

windows.desktops.Desktops

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3Windows
vol3 -f mem.raw windows.desktops.Desktops
  • Enumerate Desktop instances of each Window Station.

windows.deskscan.DeskScan

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3Windows
vol3 -f mem.raw windows.deskscan.DeskScan
  • Scan for Desktop instances.

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD) 5 plugins

windows.vadinfo

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD)

Vol3Windows
vol3 -f mem.raw windows.vadinfo --pid <PID>
  • No description provided in source cheat sheet.

windows.vadwalk

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD)

Vol3Windows
vol3 -f mem.raw windows.vadwalk --pid <PID>
  • No description provided in source cheat sheet.

windows.memmap.Memmap / windows.vadinfo

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD)

Vol3Windows
vol3 -f mem.raw -o ./output/ windows.memmap.Memmap --pid <PID> --dump
vol3 -f mem.raw windows.vadinfo --pid <PID>
  • Current Vol3 docs include windows.vadinfo and windows.vadwalk, but not windows.memmap.Memmap as a core plugin.
  • Use windows.memmap.Memmap --dump to dump mapped process memory; use vadinfo/vadwalk for VAD inspection.

windows.virtmap.VirtMap

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD)

Vol3Windows
vol3 -f mem.raw windows.virtmap.VirtMap
  • List virtual mapped sections in memory.

windows.memmap.Memmap

SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD)

Vol3Windows
vol3 -f mem.raw windows.memmap.Memmap --pid <PID>
  • Print full memory map of a process.

SECTION 13 — SERVICES, MFT, POOLS & MISC 13 plugins

windows.svcscan

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.svcscan
  • No description provided in source cheat sheet.

windows.svclist.SvcList

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.svclist.SvcList
  • List services from services.exe doubly linked list.

windows.mftscan.MFTScan

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.mftscan.MFTScan
  • Vol3 MFT parser.

windows.mbrscan.MBRScan

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.mbrscan.MBRScan
  • Vol3 MBR scanner for bootkit detection.

windows.bigpools.BigPools

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.bigpools.BigPools
  • Vol3 big page pool scanner.

windows.poolscanner.PoolScanner

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.poolscanner.PoolScanner
  • Generic configurable pool scanner.

windows.verinfo.VerInfo

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.verinfo.VerInfo
  • Vol3 PE version info.

windows.scheduled_tasks.ScheduledTasks

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.scheduled_tasks.ScheduledTasks
  • Find scheduled tasks (persistence mechanism).

windows.truecrypt.Passphrase

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.truecrypt.Passphrase
  • Find TrueCrypt cached passphrase in Windows memory.

windows.debugregisters.DebugRegisters

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.debugregisters.DebugRegisters
  • Show hardware debug registers. Detect hardware breakpoints set by malware.

windows.amcache.Amcache

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw windows.amcache.Amcache
  • Extract AmCache program execution evidence (deprecated — use registry.amcache).

timeliner.Timeliner

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw timeliner.Timeliner
  • Run ALL time-related plugins and order results chronologically.
  • CTF USE: full timeline of system activity in one command.

vmscan.Vmscan

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Windows
vol3 -f mem.raw vmscan.Vmscan
  • Scan for Intel VT-d structures. Analyze nested VM environments.

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET) 17 plugins

windows.cachedump

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.cachedump
  • Dump cached domain credentials (MSCacheV2 hashes). Crack with hashcat mode 2100.

windows.registry.cachedump

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.registry.cachedump
  • Extract cached domain logon credentials from registry.

windows.registry.hashdump

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.registry.hashdump
  • Extract NTLM hashes directly from registry SAM/SYSTEM hives.

windows.registry.lsadump

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.registry.lsadump
  • Extract LSA secrets from registry. Service passwords, auto-logon creds.

windows.direct_system_calls

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.direct_system_calls
  • Detect direct syscall usage in processes bypassing ntdll.dll (EDR bypass).

windows.indirect_system_calls

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.indirect_system_calls
  • Detect indirect syscall techniques used by malware.

windows.malware.indirect_system_calls

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.malware.indirect_system_calls
  • Updated indirect syscall detector focused on malware patterns.

windows.drivermodule

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.drivermodule
  • Associate driver objects to kernel modules (deprecated — use malware version).

windows.hollowprocesses

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.hollowprocesses
  • List hollowed processes (deprecated — use malware.hollowprocesses).

windows.processghosting

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.processghosting
  • Ghost process detector (deprecated — use malware.processghosting).

windows.psxview

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.psxview
  • Cross-reference process lists (deprecated — use malware.psxview.PsXView).

windows.skeleton_key_check

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.skeleton_key_check
  • Skeleton Key malware detector (deprecated — use malware.skeleton_key_check).

windows.suspicious_threads

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.suspicious_threads
  • Suspicious thread lister (deprecated — use malware.suspicious_threads).

windows.svcdiff

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.svcdiff
  • Service diff (deprecated — use malware.svcdiff).

windows.unhooked_system_calls

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.unhooked_system_calls
  • Hooked syscall detector (deprecated — use malware.unhooked_system_calls).

windows.vadyarascan

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.vadyarascan --yara-file /path/to/rules.yar
  • Scan process VAD regions with YARA rules. --yara-file takes a rules file; --yara-rules takes a rule string on the command line. Add --pid <PID> to limit the scan to one process.

windows.windowstations

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Windows
vol3 -f mem.raw windows.windowstations
  • Scan for top-level Window Station objects in memory.

SECTION 1 — IDENTIFY PROFILE / IMAGE INFO 1 plugins

banners.Banners

SECTION 1 — IDENTIFY PROFILE / IMAGE INFO

Vol3Linux
vol3 -f mem.raw banners.Banners
  • Core Vol3 plugin in the top-level namespace (not linux.*): scans the image for Linux kernel version banners ("Linux version 5.x ..."). Run it first on a suspected Linux image; the banner gives the exact kernel build you need to pick or build the matching ISF symbol table.
  • No banner found usually means the image is not Linux (or the banner page was not captured); try windows.info or the mac.* plugins next.

SECTION 2 — PROCESS ANALYSIS 8 plugins

linux.pslist

SECTION 2 — PROCESS ANALYSIS

Vol3Linux
vol3 -f mem.raw linux.pslist
  • Vol3 Linux process list.

linux.pstree

SECTION 2 — PROCESS ANALYSIS

Vol3Linux
vol3 -f mem.raw linux.pstree
  • Vol3 Linux process tree.

linux.psscan

SECTION 2 — PROCESS ANALYSIS

Vol3Linux
vol3 -f mem.raw linux.psscan
  • Vol3 deep scan for hidden Linux processes.

linux.psaux.PsAux

SECTION 2 — PROCESS ANALYSIS

Vol3Linux
vol3 -f mem.raw linux.psaux.PsAux
  • List Linux processes with full command line arguments. Like ps aux.

linux.pidhashtable.PIDHashTable

SECTION 2 — PROCESS ANALYSIS

Vol3Linux
vol3 -f mem.raw linux.pidhashtable.PIDHashTable
  • Walk the kernel PID hash table instead of the task list, so a task a rootkit unlinked from the list still appears. Diff its PIDs against linux.pslist and linux.psscan.

linux.pscallstack.PsCallStack

SECTION 2 — PROCESS ANALYSIS

Vol3Linux
vol3 -f mem.raw linux.pscallstack.PsCallStack
  • Show kernel call stack of each task. Deep process inspection.

linux.malware.process_spoofing.ProcessSpoofing

SECTION 2 — PROCESS ANALYSIS

Vol3Linux
vol3 -f mem.raw linux.malware.process_spoofing.ProcessSpoofing
  • Detect process name spoofing: executable path vs cmdline vs comm field mismatch.

linux.ptrace.Ptrace

SECTION 2 — PROCESS ANALYSIS

Vol3Linux
vol3 -f mem.raw linux.ptrace.Ptrace
  • Find ptrace tracer/tracee pairs. Spot debugger-attached processes or injection via ptrace.

SECTION 3 — DLL & MODULE ANALYSIS 4 plugins

linux.lsmod

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Linux
vol3 -f mem.raw linux.lsmod
  • Vol3 Linux kernel module list.

linux.library_list.LibraryList

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Linux
vol3 -f mem.raw linux.library_list.LibraryList
  • Enumerate shared libraries (.so files) loaded into each process.

linux.elfs.Elfs

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Linux
vol3 -f mem.raw linux.elfs.Elfs
  • List all memory-mapped ELF files across all processes.

linux.module_extract.ModuleExtract

SECTION 3 — DLL & MODULE ANALYSIS

Vol3Linux
vol3 -f mem.raw -o ./output linux.module_extract.ModuleExtract --module-address <ADDR>
  • Recreate an ELF file from a kernel module in memory for offline analysis. Take the address from linux.lsmod or linux.malware.modxview; confirm the option name with vol linux.module_extract.ModuleExtract -h, as it differs between builds.

SECTION 4 — HANDLES & OPEN FILES 4 plugins

linux.lsof.Lsof

SECTION 4 — HANDLES & OPEN FILES

Vol3Linux
vol3 -f mem.raw linux.lsof.Lsof
  • List open file descriptors for each process. Like lsof command.

linux.pagecache.Files

SECTION 4 — HANDLES & OPEN FILES

Vol3Linux
vol3 -f mem.raw linux.pagecache.Files
  • List files currently in page cache.

linux.pagecache.InodePages

SECTION 4 — HANDLES & OPEN FILES

Vol3Linux
vol3 -f mem.raw linux.pagecache.InodePages
  • List and recover cached inode pages from memory.

linux.pagecache.RecoverFs

SECTION 4 — HANDLES & OPEN FILES

Vol3Linux
vol3 -f mem.raw -o ./output linux.pagecache.RecoverFs
  • Recover entire cached filesystem (dirs, files, symlinks) as compressed tarball.
  • CTF GOLD: recover deleted/hidden files that were in memory.

SECTION 5 — NETWORK CONNECTIONS 5 plugins

linux.sockstat.Sockstat

SECTION 5 — NETWORK CONNECTIONS

Vol3Linux
vol3 -f mem.raw linux.sockstat.Sockstat
  • List all network connections per process. Like ss/netstat command.

linux.sockscan.Sockscan

SECTION 5 — NETWORK CONNECTIONS

Vol3Linux
vol3 -f mem.raw linux.sockscan.Sockscan
  • Carve socket objects from the memory layer instead of walking per-process fd tables, so it can also surface closed or hidden sockets. Expect some stale or false-positive entries; confirm with sockstat.

linux.ip.Addr

SECTION 5 — NETWORK CONNECTIONS

Vol3Linux
vol3 -f mem.raw linux.ip.Addr
  • Network interface info like ip addr command.

linux.ip.Link

SECTION 5 — NETWORK CONNECTIONS

Vol3Linux
vol3 -f mem.raw linux.ip.Link
  • Network interface list like ip link show.

linux.malware.netfilter.Netfilter

SECTION 5 — NETWORK CONNECTIONS

Vol3Linux
vol3 -f mem.raw linux.malware.netfilter.Netfilter
  • List Netfilter hooks. Rootkits hook Netfilter to intercept/modify traffic.

SECTION 7 — MEMORY DUMP / EXTRACTION 1 plugins

linux.proc.Maps

SECTION 7 — MEMORY DUMP / EXTRACTION

Vol3Linux
vol3 -f mem.raw linux.proc.Maps --pid <PID>
  • Show Linux process memory map regions (like /proc/PID/maps).

SECTION 8 — CODE INJECTION DETECTION 10 plugins

linux.malware.malfind.Malfind

SECTION 8 — CODE INJECTION DETECTION

Vol3Linux
vol3 -f mem.raw linux.malware.malfind.Malfind
  • Find injected code in Linux process memory regions.

linux.malware.check_syscall.Check_syscall

SECTION 8 — CODE INJECTION DETECTION

Vol3Linux
vol3 -f mem.raw linux.malware.check_syscall.Check_syscall
  • Check Linux syscall table for hooks.

linux.malware.check_idt.Check_idt

SECTION 8 — CODE INJECTION DETECTION

Vol3Linux
vol3 -f mem.raw linux.malware.check_idt.Check_idt
  • Check IDT for hooks.

linux.malware.check_afinfo.Check_afinfo

SECTION 8 — CODE INJECTION DETECTION

Vol3Linux
vol3 -f mem.raw linux.malware.check_afinfo.Check_afinfo
  • Verify network protocol operation function pointers for hooks.

linux.malware.check_creds.Check_creds

SECTION 8 — CODE INJECTION DETECTION

Vol3Linux
vol3 -f mem.raw linux.malware.check_creds.Check_creds
  • Check if processes share credential structures (rootkit privilege escalation sign).

linux.malware.tty_check.Tty_Check

SECTION 8 — CODE INJECTION DETECTION

Vol3Linux
vol3 -f mem.raw linux.malware.tty_check.Tty_Check
  • Check TTY device hooks. Rootkits hook TTY to intercept terminal input (keylogger).

linux.malware.keyboard_notifiers.Keyboard_notifiers

SECTION 8 — CODE INJECTION DETECTION

Vol3Linux
vol3 -f mem.raw linux.malware.keyboard_notifiers.Keyboard_notifiers
  • Check keyboard notifier call chain for hooks. Detect kernel-level keyloggers.

linux.tracing.ftrace.CheckFtrace

SECTION 8 — CODE INJECTION DETECTION

Vol3Linux
vol3 -f mem.raw linux.tracing.ftrace.CheckFtrace
  • Detect ftrace hooking: rootkits abuse kernel function tracing for stealth.

linux.tracing.tracepoints.CheckTracepoints

SECTION 8 — CODE INJECTION DETECTION

Vol3Linux
vol3 -f mem.raw linux.tracing.tracepoints.CheckTracepoints
  • Detect tracepoint hooking by rootkits.

linux.ebpf.EBPF

SECTION 8 — CODE INJECTION DETECTION

Vol3Linux
vol3 -f mem.raw linux.ebpf.EBPF
  • Enumerate eBPF programs. Modern rootkits use eBPF for stealthy hooks.

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS 4 plugins

linux.envars.Envars

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3Linux
vol3 -f mem.raw linux.envars.Envars
  • List Linux process environment variables.

linux.capabilities.Capabilities

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3Linux
vol3 -f mem.raw linux.capabilities.Capabilities
  • List Linux process capabilities (cap_sys_admin etc). Detect privilege escalation.

linux.boottime.Boottime

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3Linux
vol3 -f mem.raw linux.boottime.Boottime
  • Show when the Linux system was started.

linux.iomem.IOMem

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3Linux
vol3 -f mem.raw linux.iomem.IOMem
  • Show memory map like /proc/iomem.

SECTION 10 — KERNEL & HOOKS 4 plugins

linux.malware.check_modules.Check_modules

SECTION 10 — KERNEL & HOOKS

Vol3Linux
vol3 -f mem.raw linux.malware.check_modules.Check_modules
  • Vol3 hidden kernel module detector.

linux.malware.modxview.Modxview

SECTION 10 — KERNEL & HOOKS

Vol3Linux
vol3 -f mem.raw linux.malware.modxview.Modxview
  • Centralize lsmod + check_modules + hidden_modules results. Best rootkit overview.
  • CTF USE: single command for complete module rootkit analysis.

linux.kthreads.Kthreads

SECTION 10 — KERNEL & HOOKS

Vol3Linux
vol3 -f mem.raw linux.kthreads.Kthreads
  • Enumerate kernel thread functions.

linux.kallsyms.Kallsyms

SECTION 10 — KERNEL & HOOKS

Vol3Linux
vol3 -f mem.raw linux.kallsyms.Kallsyms
  • Enumerate kernel symbols from kallsyms.

SECTION 11 — STRING & ARTIFACT HUNTING 4 plugins

linux.bash.Bash

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3Linux
vol3 -f mem.raw linux.bash.Bash
  • Vol3 bash history recovery.

linux.vmaregexscan.VmaRegExScan

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3Linux
vol3 -f mem.raw linux.vmaregexscan.VmaRegExScan --pattern "flag\{" --pid <PID>
  • Scan Linux VMA regions with regex. Hunt flags/secrets in process memory.

linux.graphics.fbdev.Fbdev

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3Linux
vol3 -f mem.raw -o ./output linux.graphics.fbdev.Fbdev --dump
  • Extract Linux framebuffer content. Screenshot equivalent for Linux systems; the dump switch name should be confirmed with vol linux.graphics.fbdev.Fbdev -h.

linux.kmsg.Kmsg

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3Linux
vol3 -f mem.raw linux.kmsg.Kmsg
  • Read kernel ring buffer log (like dmesg). Find kernel messages/errors.

SECTION 13 — SERVICES, MFT, POOLS & MISC 3 plugins

linux.mountinfo.MountInfo

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Linux
vol3 -f mem.raw linux.mountinfo.MountInfo
  • List mount points across all process namespaces.

linux.vmcoreinfo.VMCoreInfo

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Linux
vol3 -f mem.raw linux.vmcoreinfo.VMCoreInfo
  • Enumerate VMCoreInfo tables from Linux crash dump.

linux.tracing.perf_events.PerfEvents

SECTION 13 — SERVICES, MFT, POOLS & MISC

Vol3Linux
vol3 -f mem.raw linux.tracing.perf_events.PerfEvents
  • List performance monitoring events per process.

SECTION 16 — RARE / SPECIALIZED COMMANDS 1 plugins

linux.malware.hidden_modules.Hidden_modules

SECTION 16 — RARE / SPECIALIZED COMMANDS

Vol3Linux
vol3 -f mem.raw linux.malware.hidden_modules.Hidden_modules
  • Carve memory to find hidden kernel modules (alternate method).

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET) 12 plugins

linux.check_afinfo

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.check_afinfo
  • Verify network protocol function pointers for hooks (deprecated — use malware version).

linux.check_creds

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.check_creds
  • Check shared credential structures (deprecated — use malware version).

linux.check_idt

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.check_idt
  • Check IDT for hooks (deprecated — use malware version).

linux.check_modules

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.check_modules
  • Find hidden kernel modules (deprecated — use malware version).

linux.check_syscall

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.check_syscall
  • Check syscall table for hooks (deprecated — use malware version).

linux.hidden_modules

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.hidden_modules
  • Carve memory for hidden kernel modules (deprecated — use malware version).

linux.keyboard_notifiers

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.keyboard_notifiers
  • Parse keyboard notifier chain (deprecated — use malware version).

linux.malfind

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.malfind
  • Find injected code in Linux (deprecated — use malware.malfind).

linux.modxview

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.modxview
  • Module cross-view (deprecated — use malware.modxview).

linux.netfilter

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.netfilter
  • List Netfilter hooks (deprecated — use malware.netfilter).

linux.tty_check

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.tty_check
  • Check TTY hooks (deprecated — use malware.tty_check).

linux.vmayarascan

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Linux
vol3 -f mem.raw linux.vmayarascan --yara-file /path/to/rules.yar
  • Scan Linux VMA regions with YARA rules (--yara-file for a rules file, --yara-rules for an inline rule string). Hunt specific malware signatures; add --pid <PID> to focus on one process.

SECTION 2 — PROCESS ANALYSIS 3 plugins

mac.pslist

SECTION 2 — PROCESS ANALYSIS

Vol3macOS
vol3 -f mem.raw mac.pslist.PsList
  • Vol3 Mac process list.

mac.pstree

SECTION 2 — PROCESS ANALYSIS

Vol3macOS
vol3 -f mem.raw mac.pstree.PsTree
  • Vol3 Mac process tree.

mac.psaux.Psaux

SECTION 2 — PROCESS ANALYSIS

Vol3macOS
vol3 -f mem.raw mac.psaux.Psaux
  • Mac process list with command line arguments.

SECTION 3 — DLL & MODULE ANALYSIS 1 plugins

mac.lsmod

SECTION 3 — DLL & MODULE ANALYSIS

Vol3macOS
vol3 -f mem.raw mac.lsmod.Lsmod
  • Vol3 Mac kernel extension list.

SECTION 4 — HANDLES & OPEN FILES 2 plugins

mac.lsof.Lsof

SECTION 4 — HANDLES & OPEN FILES

Vol3macOS
vol3 -f mem.raw mac.lsof.Lsof
  • Vol3 Mac open file descriptor lister.

mac.list_files.List_Files

SECTION 4 — HANDLES & OPEN FILES

Vol3macOS
vol3 -f mem.raw mac.list_files.List_Files
  • Walk the mount list and each filesystem's cached vnode list to name files the kernel knows about (the Vol2 mac_list_files equivalent). Despite the similar docstring this is a file-cache view; per-process descriptors come from mac.lsof.Lsof.

SECTION 5 — NETWORK CONNECTIONS 2 plugins

mac.netstat.Netstat

SECTION 5 — NETWORK CONNECTIONS

Vol3macOS
vol3 -f mem.raw mac.netstat.Netstat
  • Vol3 Mac network connection lister.

mac.ifconfig.Ifconfig

SECTION 5 — NETWORK CONNECTIONS

Vol3macOS
vol3 -f mem.raw mac.ifconfig.Ifconfig
  • Vol3 Mac network interface info.

SECTION 8 — CODE INJECTION DETECTION 7 plugins

mac.malfind.Malfind

SECTION 8 — CODE INJECTION DETECTION

Vol3macOS
vol3 -f mem.raw mac.malfind.Malfind
  • Vol3 Mac injected code finder.

mac.check_syscall.Check_syscall

SECTION 8 — CODE INJECTION DETECTION

Vol3macOS
vol3 -f mem.raw mac.check_syscall.Check_syscall
  • Vol3 Mac syscall table hook check.

mac.check_sysctl.Check_sysctl

SECTION 8 — CODE INJECTION DETECTION

Vol3macOS
vol3 -f mem.raw mac.check_sysctl.Check_sysctl
  • Vol3 sysctl handler hook check.

mac.check_trap_table.Check_trap_table

SECTION 8 — CODE INJECTION DETECTION

Vol3macOS
vol3 -f mem.raw mac.check_trap_table.Check_trap_table
  • Vol3 Mach trap table hook check.

mac.trustedbsd.Trustedbsd

SECTION 8 — CODE INJECTION DETECTION

Vol3macOS
vol3 -f mem.raw mac.trustedbsd.Trustedbsd
  • Check for malicious TrustedBSD policy modules (Mac rootkit mechanism).

mac.timers.Timers

SECTION 8 — CODE INJECTION DETECTION

Vol3macOS
vol3 -f mem.raw mac.timers.Timers
  • Check for malicious kernel timers in Mac memory.

mac.socket_filters.Socket_filters

SECTION 8 — CODE INJECTION DETECTION

Vol3macOS
vol3 -f mem.raw mac.socket_filters.Socket_filters
  • List kernel socket filters. Malware uses these to intercept network data.

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS 3 plugins

mac.kevents.Kevents

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3macOS
vol3 -f mem.raw mac.kevents.Kevents
  • List event handlers registered by Mac processes.

mac.kauth_listeners.Kauth_listeners

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3macOS
vol3 -f mem.raw mac.kauth_listeners.Kauth_listeners
  • List kauth authorization listeners and their status.

mac.kauth_scopes.Kauth_scopes

SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS

Vol3macOS
vol3 -f mem.raw mac.kauth_scopes.Kauth_scopes
  • List kauth authorization scopes.

SECTION 10 — KERNEL & HOOKS 3 plugins

mac.dmesg.Dmesg

SECTION 10 — KERNEL & HOOKS

Vol3macOS
vol3 -f mem.raw mac.dmesg.Dmesg
  • Print Mac kernel log buffer (like dmesg).

mac.mount.Mount

SECTION 10 — KERNEL & HOOKS

Vol3macOS
vol3 -f mem.raw mac.mount.Mount
  • Show mounted filesystems on Mac.

mac.vfsevents.VFSevents

SECTION 10 — KERNEL & HOOKS

Vol3macOS
vol3 -f mem.raw mac.vfsevents.VFSevents
  • List processes filtering filesystem events (surveillance/rootkit technique).

SECTION 11 — STRING & ARTIFACT HUNTING 2 plugins

mac.bash.Bash

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3macOS
vol3 -f mem.raw mac.bash.Bash
  • Vol3 Mac bash history recovery.

mac.dmesg.Dmesg

SECTION 11 — STRING & ARTIFACT HUNTING

Vol3macOS
vol3 -f mem.raw mac.dmesg.Dmesg
  • Print Mac kernel log buffer.

SECTION 16 — RARE / SPECIALIZED COMMANDS 1 plugins

mac.proc_maps.Maps

SECTION 16 — RARE / SPECIALIZED COMMANDS

Vol3macOS
vol3 -f mem.raw mac.proc_maps.Maps
  • List Mac process memory ranges.

SECTION 1 — IDENTIFY PROFILE / IMAGE INFO 3 plugins

banners.Banners

SECTION 1 — IDENTIFY PROFILE / IMAGE INFO

Vol3Common
vol3 -f mem.raw banners.Banners
  • Scan the image for Linux kernel version banners. Run it first when the OS is unknown: a hit gives the exact kernel build for symbol selection; no hit usually means not Linux, so try windows.info or mac.pslist.PsList next.

isfinfo.IsfInfo

SECTION 1 — IDENTIFY PROFILE / IMAGE INFO

Vol3Common
vol3 -f mem.raw isfinfo.IsfInfo
  • Show available ISF (symbol) files. Helps debug missing symbols.

frameworkinfo.FrameworkInfo

SECTION 1 — IDENTIFY PROFILE / IMAGE INFO

Vol3Common
vol3 frameworkinfo.FrameworkInfo
  • Show Volatility 3 version + all loaded modules. Use to verify installation.

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET) 2 plugins

configwriter.ConfigWriter

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Common
vol3 -f mem.raw configwriter.ConfigWriter
  • Run automagics and output full configuration JSON. Debug/inspect Vol3 config.

yarascan

SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)

Vol3Common
vol3 -f mem.raw yarascan.YaraScan --yara-file /path/to/rules.yar
  • Scan entire memory with YARA rules. Broadest signature-based malware hunt.
  • CTF USE: if you have YARA rules for specific malware, run this first.

Quick Use Notes

Volatility 2 syntax

vol2 -f <dump> --profile=<PROFILE> <plugin>

Vol2 usually needs a matching profile. Use imageinfo and --info.

Volatility 3 syntax

vol3 -f <dump> <namespace.plugin>

Vol3 has no --profile: it auto-detects the OS layer and loads an ISF symbol table (fetched automatically for most Windows builds, supplied by you for Linux/macOS). Missing or mismatched symbols, not a wrong profile, are the usual cause of empty output.

Verification commands

vol3 -h
vol -h
vol3 -f mem.raw windows.pslist -h
python2 vol.py --info

Use these before publishing or reporting final commands.

CTF mindset

identify OS → processes → hidden processes → network → cmd/bash history → files → strings → dump suspicious artifacts

Cross-check important findings with multiple plugins when possible.

Accuracy, Setup, Error Fix & CTF Guide

SECTION 0 — ACCURACY-FIRST UPDATE NOTE

Accuracy note, source-of-truth commands, command-name notes.

SECTION 0 — ACCURACY-FIRST UPDATE NOTE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Verified / Updated Date: 06 June 2026
Purpose: CTF + beginner-friendly memory forensics quick reference.
Coverage: Windows + Linux + macOS | Volatility 2 + Volatility 3.

IMPORTANT TRUTH:
  No static cheatsheet can be guaranteed 100% correct forever, because Volatility 3
  is actively developed and plugins/options can change between versions.

What this file means by "accuracy checked":
  ✅ Commands are written in standard Volatility style.
  ✅ Dangerous/unclear "100% forever" claims were softened.
  ✅ Version-check, plugin-check, symbol/profile troubleshooting, install/update,
     and common-error sections were added.
  ✅ CTF workflows are kept practical and beginner-friendly.

Official source-of-truth commands:
  Volatility 3 all available plugins:
    vol -h
    vol3 -h
    python3 vol.py -h

  Volatility 3 plugin-specific help:
    vol <plugin> -h
    vol -f mem.raw windows.pslist -h
    vol -f mem.raw linux.pslist -h
    vol -f mem.raw mac.pslist.PsList -h

  Volatility 2 plugins/profiles:
    python2 vol.py --info
    python2 vol.py -h

Official references checked while updating this file:
  - Volatility 3 GitHub: https://github.com/volatilityfoundation/volatility3
  - Volatility 3 Docs: https://volatility3.readthedocs.io/en/latest/
  - Volatility 3 Parity / Volatility 2 Deprecation notice:
    https://volatilityfoundation.org/announcing-the-official-parity-release-of-volatility-3/

Rule for real investigations:
  Use this cheatsheet first, but always confirm exact plugin name/options using -h
  on YOUR installed Volatility version before final reporting.

HOW TO USE:
  Volatility 2 syntax:  vol2  -f <dump> --profile=<PROFILE> <plugin>
  Volatility 3 syntax:  vol3  -f <dump> <namespace.plugin>

  Vol2 profile needed — Vol3 auto-detects (no --profile needed)

MY SETUP:
  Windows Vol2  →  vol2.exe   (standalone exe)
  Windows Vol3  →  vol.exe    (standalone exe)
  Kali    Vol2  →  vol2       (alias: python2 ~/volatility/vol.py)
  Kali    Vol3  →  vol3       (alias: vol)


NOTE ABOUT COMMAND NAMES:
  Depending on installation, Volatility 3 command may be: vol, vol3, or python3 vol.py.
  In Kali, many people alias it as vol3. Official examples often use vol or python3 vol.py.
  If one does not work, try the others.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 19 — INSTALL / UPDATE / VERIFY VOLATILITY

Install, update, verify Volatility 2/3 and check plugin availability.

SECTION 19 — INSTALL / UPDATE / VERIFY VOLATILITY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

WHY THIS SECTION MATTERS:
  A command can be correct in one Volatility version but renamed/deprecated in another.
  So before serious CTF/investigation, verify your installed version and plugin list.

─── VOLATILITY 3 INSTALL / UPDATE ────────────────────────────────────────────────

[Recommended stable install]
  python3 -m pip install --upgrade volatility3
  vol -h

[If vol command not found]
  python3 -m volatility3 -h
  python3 vol.py -h

[GitHub development install]
  git clone https://github.com/volatilityfoundation/volatility3.git
  cd volatility3
  python3 -m venv venv
  source venv/bin/activate
  pip install -e ".[dev]"
  python3 vol.py -h

[Check version]
  vol -h | head
  vol3 -h | head
  python3 vol.py -h | head

[Check all Windows plugins]
  vol -h | grep -i "windows\."

[Check all Linux plugins]
  vol -h | grep -i "linux\."

[Check all Mac plugins]
  vol -h | grep -i "mac\."

[Check global plugins]
  vol -h | grep -Ei "banners|regexscan|timeliner|yarascan|frameworkinfo|isfinfo|layerwriter"

[Check one plugin's exact options]
  vol windows.pslist -h
  vol windows.dumpfiles -h
  vol linux.pslist -h
  vol mac.pslist.PsList -h

─── VOLATILITY 2 INSTALL / VERIFY ────────────────────────────────────────────────

[Vol2 status]
  Volatility 2 is deprecated/archived, but it is still very useful in older CTFs.

[Check Vol2 plugins and profiles]
  python2 vol.py --info
  python2 vol.py -h

[Run Vol2]
  python2 vol.py -f mem.raw imageinfo
  python2 vol.py -f mem.raw --profile=Win7SP1x64 pslist

[Create alias in Kali]
  alias vol2='python2 /path/to/volatility/vol.py'
  alias vol3='vol'


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 20 — SYMBOL / PROFILE TROUBLESHOOTING

Fix symbol/profile problems and missing symbol-table errors.

SECTION 20 — SYMBOL / PROFILE TROUBLESHOOTING
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

COMMON ERROR 1:
  Unsatisfied requirement plugins.*.kernel.layer_name
  Unsatisfied requirement plugins.*.kernel.symbol_table_name
  Missing symbol table / cannot construct layer

MEANING:
  Volatility cannot find the correct OS symbols/profile for the memory dump.

GENERAL FIX:
  1. Run OS identification first:
       vol -f mem.raw banners.Banners
       vol -f mem.raw windows.info
       (no core linux.info plugin in current Vol3 releases: banners.Banners is the Linux step; confirm with vol -h | grep linux.info)

  2. Check available symbol tables:
       vol isfinfo.IsfInfo
       vol -f mem.raw isfinfo.IsfInfo

  3. Run plugin help:
       vol <plugin> -h

WINDOWS SYMBOL TIPS:
  - Volatility 3 often downloads/caches Windows symbols automatically.
  - Internet access may be needed the first time.
  - Use --offline only if symbols are already cached.
  - Old/rare Windows builds may fail due to missing/broken public symbols.

LINUX SYMBOL TIPS:
  - Linux needs a matching ISF symbol table for the exact kernel.
  - Kernel version, architecture, and distro build matter.
  - Use banners.Banners to find kernel string.
  - If symbols are missing, create ISF with dwarf2json from matching vmlinux/debug packages.

MAC SYMBOL TIPS:
  - macOS analysis also depends on symbol availability.
  - Older macOS CTF dumps often work better than very new macOS captures.
  - For latest macOS, support can be limited depending on symbols/acquisition method.

VOL2 PROFILE TIPS:
  - Vol2 needs exact --profile.
  - Wrong profile = empty output, errors, or wrong results.
  - Start with imageinfo and kdbgscan.
  - For Linux/Mac Vol2, exact custom profile may be needed.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 21 — COMMON ERRORS AND FIXES

Common terminal errors and quick fixes for Kali/Windows.

SECTION 21 — COMMON ERRORS AND FIXES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[Error] vol: command not found
  Fix:
    python3 -m pip install --upgrade volatility3
    python3 -m volatility3 -h
    or use python3 vol.py -h from cloned repo.

[Error] python2: command not found
  Fix:
    Vol2 needs Python 2. Use Vol3 if possible.
    For old CTFs, install Python2 manually or use a Docker image that has Vol2.

[Error] No suitable address space mapping found / layer error
  Fix:
    Confirm file is really a memory dump.
    Try banners.Banners.
    Try another Vol version.
    If VMware snapshot, use .vmem file when available.

[Error] Plugin exists in cheatsheet but not in your terminal
  Fix:
    Your Volatility version may be old/new or plugin renamed/deprecated.
    Run:
      vol -h | grep -i "keyword"
      vol <plugin> -h

[Error] Dump output file not created in Vol3
  Fix:
    Modern Vol3 usually uses global output directory:
      vol -f mem.raw -o ./output windows.dumpfiles --virtaddr <ADDR>
    Some examples online use --dump-dir, but verify using:
      vol windows.dumpfiles -h

[Error] Too much output
  Fix Linux/Kali:
      vol -f mem.raw windows.pslist | tee pslist.txt
      vol -f mem.raw windows.pslist | grep -i "powershell\|cmd\|chrome"

  Fix Windows CMD:
      vol.exe -f mem.raw windows.pslist > pslist.txt
      vol.exe -f mem.raw windows.pslist | findstr /i "powershell cmd chrome"

[Error] grep not working on Windows
  Use findstr:
      vol.exe -f mem.raw windows.pslist | findstr /i "chrome"

[Error] findstr not working on Kali
  Use grep:
      vol -f mem.raw windows.pslist | grep -i "chrome"


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 22 — SAFE COMMAND VERIFICATION WORKFLOW

Safe workflow before using any command from a cheatsheet.

SECTION 22 — SAFE COMMAND VERIFICATION WORKFLOW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

BEFORE USING ANY COMMAND FROM ANY CHEATSHEET:

Step 1 — Identify OS:
  vol -f mem.raw banners.Banners
  vol -f mem.raw windows.info
  (no core linux.info plugin in current Vol3 releases: banners.Banners is the Linux step)

Step 2 — See plugin exists:
  vol -h | grep -i "pslist"
  vol -h | grep -i "netscan"
  vol -h | grep -i "bash"

Step 3 — See exact options:
  vol windows.pslist -h
  vol windows.dumpfiles -h
  vol linux.vmayarascan -h

Step 4 — Run basic plugin first:
  vol -f mem.raw windows.pslist
  vol -f mem.raw linux.pslist
  vol -f mem.raw mac.pslist.PsList

Step 5 — Save output:
  mkdir -p outputs
  vol -f mem.raw windows.pslist | tee outputs/pslist.txt

Step 6 — Only then run heavy dump commands:
  mkdir -p dumps
  vol -f mem.raw -o ./dumps windows.dumpfiles --virtaddr <ADDR>


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 23 — BEGINNER-FRIENDLY CTF DECISION TREE

Beginner CTF decision tree: process, network, files, history, malware, flags.

SECTION 23 — BEGINNER-FRIENDLY CTF DECISION TREE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

IF YOU NEED PROCESS INFO:
  Windows: windows.pslist, windows.pstree, windows.psscan, windows.cmdline
  Linux:   linux.pslist, linux.pstree, linux.psaux.PsAux
  Mac:     mac.pslist.PsList, mac.pstree.PsTree, mac.psaux.Psaux

IF YOU NEED NETWORK INFO:
  Windows: windows.netscan, windows.netstat
  Linux:   linux.sockstat.Sockstat, linux.sockscan.Sockscan, linux.ip.Addr
  Mac:     mac.netstat.Netstat, mac.ifconfig.Ifconfig

IF YOU NEED FILES:
  Windows: windows.filescan, windows.dumpfiles
  Linux:   linux.lsof.Lsof, linux.pagecache.Files, linux.pagecache.RecoverFs
  Mac:     mac.lsof.Lsof, mac.list_files.List_Files

IF YOU NEED COMMAND HISTORY:
  Windows: windows.cmdline, windows.cmdscan, windows.consoles
  Linux:   linux.bash.Bash
  Mac:     mac.bash.Bash

IF YOU NEED MALWARE / INJECTION:
  Windows: windows.malfind, windows.malware.malfind.Malfind, windows.malware.psxview.PsXView
  Linux:   linux.malware.malfind.Malfind, linux.malware.modxview.Modxview
  Mac:     mac.malfind.Malfind, mac.check_syscall.Check_syscall

IF YOU NEED FLAGS / STRINGS:
  Broad scan:
    vol -f mem.raw regexscan.RegExScan --pattern "flag\{"
    vol -f mem.raw yarascan.YaraScan --yara-file rules.yar

  Process-specific scan:
    vol -f mem.raw windows.vadregexscan.VadRegExScan --pattern "flag\{" --pid <PID>
    vol -f mem.raw linux.vmaregexscan.VmaRegExScan --pattern "flag\{" --pid <PID>

  External strings after dumping:
    strings dumpfile.dmp | grep -i "flag\|ctf\|password\|secret\|token"
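
Added example, not the cheatsheet's own: the external strings step above loses hits that are not printable-separated and, when a multi-GB dump is read in pieces, any hit that straddles a read boundary. The Python scanner below reads a dump in chunks with an overlap so a flag or credential split across a chunk boundary is still found exactly once, and reports the absolute file offset for follow-up. The patterns, the sample dump and the hits are constructed for the demo.

```python
"""Chunked regex hunt over a raw memory dump with boundary-safe overlap.

Added example, not from the cheatsheet or from Volatility. The dump, the
patterns and the hits are constructed for the demo; substitute your own.
"""
import os
import re
import tempfile

# Byte regexes to hunt for. MAX_MATCH must be >= the longest possible match of
# any pattern, otherwise a hit near a chunk boundary could be cut short.
PATTERNS = {
    "flag": re.compile(rb"flag\{[^}\x00]{1,60}\}"),
    "password": re.compile(rb"password=[^\s\x00]{1,40}"),
}
MAX_MATCH = 128


def scan_dump(path, patterns=PATTERNS, chunk_size=4 * 1024 * 1024, max_match=MAX_MATCH):
    """Yield (absolute_offset, pattern_name, matched_bytes) for every hit.

    Each chunk is scanned together with the unreported tail of the previous one.
    Hits that start inside the last `max_match` bytes of the buffer are not
    reported yet but carried into the next iteration, where the bytes after them
    are available, so a match straddling the boundary is found once and in full.
    On the last chunk the whole buffer is reported."""
    with open(path, "rb") as f:
        carried, offset = b"", 0          # carried = unreported tail, offset = file pos of data
        data = f.read(chunk_size)
        while data:
            nxt = f.read(chunk_size)      # read-ahead tells us whether this is the last chunk
            buf = carried + data
            buf_offset = offset - len(carried)
            limit = len(buf) if not nxt else max(len(buf) - max_match, 0)
            for name, rx in patterns.items():
                for m in rx.finditer(buf):
                    if m.start() >= limit:
                        break             # finditer yields in increasing start order
                    yield buf_offset + m.start(), name, m.group(0)
            carried = buf[limit:]
            offset += len(data)
            data = nxt


def hunt(path, patterns=PATTERNS, **kw):
    """Run scan_dump and return hits sorted by offset as (offset, name, text)."""
    hits = [(off, name, raw.decode("latin-1"))
            for off, name, raw in scan_dump(path, patterns, **kw)]
    return sorted(hits)


def build_sample_dump(path):
    """Write a constructed 'dump' whose flag straddles the 1024-byte boundary."""
    blob = (b"A" * 1000 + b"flag{mem_forensics_rocks}" + b"\x00" * 500
            + b"password=hunter2\n" + b"B" * 300)
    with open(path, "wb") as f:
        f.write(blob)


def run_demo():
    """Scan the sample with a deliberately tiny chunk size to exercise the overlap."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    os.close(fd)
    try:
        build_sample_dump(path)
        return hunt(path, chunk_size=512, max_match=MAX_MATCH)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for off, name, text in run_demo():
        print(f"0x{off:08x}  {name:<9} {text}")
```

On a real image call hunt("mem.raw") with the default 4 MiB chunks; the offsets it prints are physical file offsets, which you can hand to a hex viewer or compare against the Offset(P) column of scanning plugins.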


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 24 — IMPORTANT LIMITATIONS

Important limitations and forensic caution points.

SECTION 24 — IMPORTANT LIMITATIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1. Memory forensics output can be incomplete.
   RAM is volatile. Data may be paged out, overwritten, compressed, or missing.

2. Hidden/rootkit artifacts need cross-checking.
   Never trust only pslist. Compare pslist, psscan, pstree, psxview/modxview.

3. Plugin names change.
   Some plugins move into malware.*, registry.*, tracing.*, or other namespaces.

4. Vol2 is still useful but deprecated.
   Use Vol3 first for modern Windows/Linux. Use Vol2 for old CTF dumps when Vol3 fails.

5. Dump/extraction commands may need version-specific options.
   Always check:
     vol <plugin> -h

6. "No output" does not always mean "nothing found".
   It may mean wrong profile/symbols, unsupported OS, or wrong memory file.

7. Mac support depends heavily on version/symbols.
   Older CTF Mac dumps are usually easier than latest macOS memory images.
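
Added example, not part of the cheatsheet or of Volatility: a Python mini psxview for point 2 above. It cross-references several saved process listings (pslist, psscan, pidhashtable and so on) and separates PIDs that are alive but missing from pslist, the unlinking/DKOM signature, from PIDs missing only because the process has exited, which psscan carves from freed objects and which are not evidence of hiding. It assumes each listing is the default tab-separated quick-renderer output of a plugin with a PID column; the exit-state markers and the two listings inside are constructed assumptions, not real output.

```python
"""Mini psxview: cross-reference saved Volatility 3 process listings.

Added example, not part of the cheatsheet or of Volatility. It assumes each
listing is the default tab-separated 'quick' renderer output of a plugin with
a PID column (windows.pslist / windows.psscan / linux.pslist / linux.psscan /
linux.pidhashtable ...). The two listings below are constructed for the demo.
"""

NAME_COLUMNS = ("IMAGEFILENAME", "COMM", "NAME")
EXIT_COLUMNS = ("EXITTIME", "EXIT_STATE")             # Windows / Linux spellings
ALIVE_MARKERS = {"", "N/A", "-", "0", "TASK_RUNNING"}   # assumption: anything else means exited


def parse_listing(text):
    """Return {pid: (name, exited)} from one plugin's output."""
    header, procs = None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Volatility 3 Framework", "Progress:")):
            continue
        cells = [c.strip() for c in line.split("\t")]
        if header is None:
            header = [c.upper().replace(" ", "") for c in cells]
            pid_i = header.index("PID")                  # raises if no PID column: wrong plugin
            name_i = next((header.index(c) for c in NAME_COLUMNS if c in header), None)
            exit_i = next((header.index(c) for c in EXIT_COLUMNS if c in header), None)
            continue
        try:
            pid = int(cells[pid_i].lstrip("* "))         # pstree prefixes depth markers
        except (ValueError, IndexError):
            continue
        name = cells[name_i] if name_i is not None and name_i < len(cells) else ""
        exit_val = cells[exit_i] if exit_i is not None and exit_i < len(cells) else ""
        procs[pid] = (name, exit_val not in ALIVE_MARKERS)
    return procs


def cross_view(listings):
    """listings: {source: text}. Returns rows sorted by PID as
    (pid, name, exited, {source: seen_in_that_source})."""
    parsed = {src: parse_listing(txt) for src, txt in listings.items()}
    rows = []
    for pid in sorted(set().union(*parsed.values())):
        seen = {src: pid in tbl for src, tbl in parsed.items()}
        name = next(tbl[pid][0] for tbl in parsed.values() if pid in tbl)
        exited = any(tbl[pid][1] for tbl in parsed.values() if pid in tbl)
        rows.append((pid, name, exited, seen))
    return rows


def triage(listings, baseline="pslist"):
    """Split PIDs absent from the linked-list view (baseline) into
    hidden     : still alive, so task-list unlinking or a rootkit filter is likely
    terminated : carries an exit time, so absence from pslist is expected."""
    hidden, terminated = [], []
    for pid, name, exited, seen in cross_view(listings):
        if seen.get(baseline):
            continue
        (terminated if exited else hidden).append((pid, name))
    return hidden, terminated


def render(listings):
    """Plain-text psxview-style table."""
    sources = list(listings)
    lines = ["PID      Name                 " + " ".join(f"{s:>13}" for s in sources)]
    for pid, name, exited, seen in cross_view(listings):
        marks = " ".join(f"{str(seen[s]):>13}" for s in sources)
        lines.append(f"{pid:<8} {name:<20} {marks}{'  (exited)' if exited else ''}")
    return "\n".join(lines)


# Constructed listings: 2312 is alive but unlinked; 2900 has exited normally.
SAMPLE_PSLIST = "\n".join([
    "Volatility 3 Framework 2.7.0",
    "PID\tPPID\tImageFileName\tOffset(V)\tCreateTime\tExitTime",
    "4\t0\tSystem\t0xfa8000c9a040\t2024-01-01 10:00:00.000000\tN/A",
    "368\t4\tsmss.exe\t0xfa8001a1b060\t2024-01-01 10:00:01.000000\tN/A",
    "1824\t1776\texplorer.exe\t0xfa8002c3d5f0\t2024-01-01 10:00:20.000000\tN/A",
])
SAMPLE_PSSCAN = "\n".join([
    "Volatility 3 Framework 2.7.0",
    "PID\tPPID\tImageFileName\tOffset(P)\tCreateTime\tExitTime",
    "4\t0\tSystem\t0x0000c9a040\t2024-01-01 10:00:00.000000\tN/A",
    "368\t4\tsmss.exe\t0x0001a1b060\t2024-01-01 10:00:01.000000\tN/A",
    "1824\t1776\texplorer.exe\t0x0002c3d5f0\t2024-01-01 10:00:20.000000\tN/A",
    "2312\t1824\tsvchost.exe\t0x0003e4f7a0\t2024-01-01 10:05:00.000000\tN/A",
    "2900\t1824\tnotepad.exe\t0x00041b2c10\t2024-01-01 10:06:00.000000\t2024-01-01 10:07:00.000000",
])

if __name__ == "__main__":
    listings = {"pslist": SAMPLE_PSLIST, "psscan": SAMPLE_PSSCAN}
    print(render(listings))
    hidden, terminated = triage(listings)
    print("hidden (alive, not in pslist):", hidden)
    print("terminated (expected gaps):   ", terminated)
```

With real data, save each plugin's output with tee and load the files into the listings dict; add linux.pidhashtable or windows.malware.psxview output as extra sources and the table grows a column per source.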


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SECTION 25 — FINAL ACCURACY CHECKLIST
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Final pre-submit checklist for CTF/report accuracy.

Before submitting a CTF answer or forensic report:

[ ] I identified the OS with banners/windows.info/linux.info.
[ ] I checked my Volatility version.
[ ] I verified the plugin exists with vol -h.
[ ] I checked exact options with vol <plugin> -h.
[ ] I saved outputs to files.
[ ] I used at least two methods for important findings.
[ ] I did not trust only one plugin result.
[ ] I recorded PID, process name, timestamp, path, command line, and evidence source.
[ ] I checked strings/regex/YARA when looking for flags/secrets.
[ ] I noted if symbols/profile were uncertain.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
FINAL NOTE:
  This updated file is accuracy-first and CTF-friendly.
  It should be treated as a very strong master cheatsheet, not a replacement for
  checking your installed Volatility version with -h / --info.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Full Updated Cheatsheet Text

╔══════════════════════════════════════════════════════════════════════════════════════╗
║        VOLATILITY 2 & 3 — ULTIMATE COMMAND CHEATSHEET (CTF EDITION)               ║
║              Windows + Linux + Mac | Complete Memory Forensics                     ║
╚══════════════════════════════════════════════════════════════════════════════════════╝


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 0 — ACCURACY-FIRST UPDATE NOTE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Verified / Updated Date: 06 June 2026
Purpose: CTF + beginner-friendly memory forensics quick reference.
Coverage: Windows + Linux + macOS | Volatility 2 + Volatility 3.

IMPORTANT TRUTH:
  No static cheatsheet can be guaranteed 100% correct forever, because Volatility 3
  is actively developed and plugins/options can change between versions.

What this file means by "accuracy checked":
  ✅ Commands are written in standard Volatility style.
  ✅ Dangerous/unclear "100% forever" claims were softened.
  ✅ Version-check, plugin-check, symbol/profile troubleshooting, install/update,
     and common-error sections were added.
  ✅ CTF workflows are kept practical and beginner-friendly.

Official source-of-truth commands:
  Volatility 3 all available plugins:
    vol -h
    vol3 -h
    python3 vol.py -h

  Volatility 3 plugin-specific help:
    vol <plugin> -h
    vol -f mem.raw windows.pslist -h
    vol -f mem.raw linux.pslist -h
    vol -f mem.raw mac.pslist.PsList -h

  Volatility 2 plugins/profiles:
    python2 vol.py --info
    python2 vol.py -h

Official references checked while updating this file:
  - Volatility 3 GitHub: https://github.com/volatilityfoundation/volatility3
  - Volatility 3 Docs: https://volatility3.readthedocs.io/en/latest/
  - Volatility 3 Parity / Volatility 2 Deprecation notice:
    https://volatilityfoundation.org/announcing-the-official-parity-release-of-volatility-3/

Rule for real investigations:
  Use this cheatsheet first, but always confirm exact plugin name/options using -h
  on YOUR installed Volatility version before final reporting.

HOW TO USE:
  Volatility 2 syntax:  vol2  -f <dump> --profile=<PROFILE> <plugin>
  Volatility 3 syntax:  vol3  -f <dump> <namespace.plugin>

  Vol2 profile needed — Vol3 auto-detects (no --profile needed)

MY SETUP:
  Windows Vol2  →  vol2.exe   (standalone exe)
  Windows Vol3  →  vol.exe    (standalone exe)
  Kali    Vol2  →  vol2       (alias: python2 ~/volatility/vol.py)
  Kali    Vol3  →  vol3       (alias: vol)


NOTE ABOUT COMMAND NAMES:
  Depending on installation, Volatility 3 command may be: vol, vol3, or python3 vol.py.
  In Kali, many people alias it as vol3. Official examples often use vol or python3 vol.py.
  If one does not work, try the others.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 1 — IDENTIFY PROFILE / IMAGE INFO
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS / LINUX ───────────────────────────────────────────────────────────────

[Vol2] imageinfo
  vol2 -f mem.raw imageinfo
  >> Detect OS, suggested profiles, build info. FIRST step always.
  >> CTF: always run this before anything else.

[Vol2] kdbgscan
  vol2 -f mem.raw kdbgscan
  >> Scan for KDBG structure manually. Use if imageinfo gives wrong/multiple profiles.

[Vol3] windows.info
  vol3 -f mem.raw windows.info
  >> Show Windows OS version, build number, architecture, kernel base. First step for Win dumps.

[Vol3] windows.crashinfo
  vol3 -f mem.raw windows.crashinfo
  >> Show crash dump metadata: date, uptime, crash reason, bugcheck code.

[Vol3] linux.info
  vol3 -f mem.raw linux.info
  >> Show Linux kernel version info from dump.
  >> Audit note: not guaranteed to exist as a core plugin in current Vol3. If it is
  >> missing, use banners.Banners (below) to identify the kernel instead.

[Vol3] banners.Banners
  vol3 -f mem.raw banners.Banners
  >> Identify OS from banner strings in memory. Good when unsure if Win/Linux/Mac.

[Vol3] isfinfo.IsfInfo
  vol3 -f mem.raw isfinfo.IsfInfo
  >> Show available ISF (symbol) files. Helps debug missing symbols.

[Vol3] frameworkinfo.FrameworkInfo
  vol3 frameworkinfo.FrameworkInfo
  >> Show Volatility 3 version + all loaded modules. Use to verify installation.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 2 — PROCESS ANALYSIS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS ───────────────────────────────────────────────────────────────────────

[Vol2] pslist
  vol2 -f mem.raw --profile=Win7SP1x64 pslist
  >> List running processes via EPROCESS linked list. Fast but rootkits can hide from it.

[Vol2] pstree
  vol2 -f mem.raw --profile=Win7SP1x64 pstree
  >> Show processes as parent-child tree. Spot orphan processes or malware spawned from Word/Excel.

[Vol2] psscan
  vol2 -f mem.raw --profile=Win7SP1x64 psscan
  >> Scan memory for EPROCESS structures directly. Finds hidden and terminated processes.

[Vol2] psxview
  vol2 -f mem.raw --profile=Win7SP1x64 psxview
  >> Compare process lists from 7 sources. FALSE column = hidden from that source.
  >> CTF GOLD: instantly spot rootkit-hidden processes.

[Vol3] windows.pslist
  vol3 -f mem.raw windows.pslist
  >> Vol3 process list.

[Vol3] windows.pstree
  vol3 -f mem.raw windows.pstree
  >> Vol3 process tree view.

[Vol3] windows.psscan
  vol3 -f mem.raw windows.psscan
  >> Vol3 deep EPROCESS scan — finds hidden/terminated processes.

[Vol3] windows.malware.psxview.PsXView
  vol3 -f mem.raw windows.malware.psxview.PsXView
  >> Vol3 psxview — cross-reference 4 process listing methods to find hidden processes.

[Vol3] windows.malware.pebmasquerade.PebMasquerade
  vol3 -f mem.raw windows.malware.pebmasquerade.PebMasquerade
  >> Detect process name spoofing: EPROCESS name vs PEB name mismatch. Malware hides this way.

[Vol3] windows.malware.processghosting.ProcessGhosting
  vol3 -f mem.raw windows.malware.processghosting.ProcessGhosting
  >> Find ghost processes: executable deleted from disk but still running in memory.

[Vol3] windows.sessions.Sessions
  vol3 -f mem.raw windows.sessions.Sessions
  >> List processes with session/logon info from environment variables.

[Vol3] windows.joblinks.JobLinks
  vol3 -f mem.raw windows.joblinks.JobLinks
  >> Show process job link info. Useful for sandbox/container detection.

[Vol3] windows.thrdscan.ThrdScan
  vol3 -f mem.raw windows.thrdscan.ThrdScan
  >> Scan for thread objects in memory pool.

[Vol3] windows.threads.Threads
  vol3 -f mem.raw windows.threads
  >> List process threads with details.

[Vol3] windows.orphan_kernel_threads.Threads
  vol3 -f mem.raw windows.orphan_kernel_threads.Threads
  >> Find orphan kernel threads — injected threads with no legitimate parent process.

[Vol3] windows.suspended_threads.SuspendedThreads
  vol3 -f mem.raw windows.suspended_threads.SuspendedThreads
  >> List suspended threads. Malware suspends threads during injection.

─── LINUX ─────────────────────────────────────────────────────────────────────────

[Vol2] linux_pslist
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pslist
  >> List Linux processes from task_struct linked list.

[Vol2] linux_pstree
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pstree
  >> Linux process parent-child tree.

[Vol2] linux_psscan
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_psscan
  >> Scan memory for hidden Linux processes.

[Vol3] linux.pslist
  vol3 -f mem.raw linux.pslist
  >> Vol3 Linux process list.

[Vol3] linux.pstree
  vol3 -f mem.raw linux.pstree
  >> Vol3 Linux process tree.

[Vol3] linux.psscan
  vol3 -f mem.raw linux.psscan
  >> Vol3 deep scan for hidden Linux processes.

[Vol3] linux.psaux.PsAux
  vol3 -f mem.raw linux.psaux.PsAux
  >> List Linux processes with full command line arguments. Like ps aux.

[Vol3] linux.pidhashtable.PIDHashTable
  vol3 -f mem.raw linux.pidhashtable.PIDHashTable
  >> Enumerate processes via PID hash table. Finds more hidden processes than pslist.

[Vol3] linux.pscallstack.PsCallStack
  vol3 -f mem.raw linux.pscallstack.PsCallStack
  >> Show kernel call stack of each task. Deep process inspection.

[Vol3] linux.malware.process_spoofing.ProcessSpoofing
  vol3 -f mem.raw linux.malware.process_spoofing.ProcessSpoofing
  >> Detect process name spoofing: executable path vs cmdline vs comm field mismatch.

[Vol3] linux.ptrace.Ptrace
  vol3 -f mem.raw linux.ptrace.Ptrace
  >> Find ptrace tracer/tracee pairs. Spot debugger-attached processes or injection via ptrace.

─── MAC ───────────────────────────────────────────────────────────────────────────

[Vol2] mac_pslist
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pslist
  >> List Mac processes.

[Vol2] mac_pstree
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pstree
  >> Mac process tree.

[Vol3] mac.pslist
  vol3 -f mem.raw mac.pslist.PsList
  >> Vol3 Mac process list.

[Vol3] mac.pstree
  vol3 -f mem.raw mac.pstree.PsTree
  >> Vol3 Mac process tree.

[Vol3] mac.psaux.Psaux
  vol3 -f mem.raw mac.psaux.Psaux
  >> Mac process list with command line arguments.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 3 — DLL & MODULE ANALYSIS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS ───────────────────────────────────────────────────────────────────────

[Vol2] dlllist
  vol2 -f mem.raw --profile=Win7SP1x64 dlllist
  vol2 -f mem.raw --profile=Win7SP1x64 dlllist -p <PID>
  >> List DLLs loaded by each process. -p to filter by PID.

[Vol2] ldrmodules
  vol2 -f mem.raw --profile=Win7SP1x64 ldrmodules -p <PID>
  >> Cross-check 3 DLL load lists (InLoad, InInit, InMem). FALSE = DLL hiding via injection.

[Vol2] modules
  vol2 -f mem.raw --profile=Win7SP1x64 modules
  >> List loaded kernel drivers/modules via linked list.

[Vol2] modscan
  vol2 -f mem.raw --profile=Win7SP1x64 modscan
  >> Scan memory for kernel module structures. Finds unlinked/hidden drivers.

[Vol2] moddump
  vol2 -f mem.raw --profile=Win7SP1x64 moddump -D ./output/
  >> Dump kernel driver to file for analysis in IDA/Ghidra.

[Vol2] unloadedmodules
  vol2 -f mem.raw --profile=Win7SP1x64 unloadedmodules
  >> List previously loaded but now unloaded kernel modules. Forensic trace.

[Vol2] drivermodule
  vol2 -f mem.raw --profile=Win7SP1x64 drivermodule
  >> Associate driver objects to kernel modules. Spot orphan drivers.

[Vol3] windows.dlllist
  vol3 -f mem.raw windows.dlllist
  vol3 -f mem.raw windows.dlllist --pid <PID>
  >> Vol3 DLL list per process. --pid to filter by PID.

[Vol3] windows.ldrmodules.LdrModules
  vol3 -f mem.raw windows.ldrmodules.LdrModules
  >> Vol3 DLL load order cross-check.

[Vol3] windows.malware.ldrmodules.LdrModules
  vol3 -f mem.raw windows.malware.ldrmodules.LdrModules
  >> Updated ldrmodules focused on malware detection.

[Vol3] windows.modules
  vol3 -f mem.raw windows.modules
  >> Vol3 kernel module list.

[Vol3] windows.modscan
  vol3 -f mem.raw windows.modscan
  >> Vol3 deep kernel module scan.

[Vol3] windows.driverscan
  vol3 -f mem.raw windows.driverscan
  >> Scan memory for driver objects. Finds hidden drivers.

[Vol3] windows.unloadedmodules
  vol3 -f mem.raw windows.unloadedmodules
  >> Vol3 unloaded module list.

[Vol3] windows.malware.drivermodule.DriverModule
  vol3 -f mem.raw windows.malware.drivermodule.DriverModule
  >> Find drivers hidden by rootkit (not in normal module list).

[Vol3] windows.iat.IAT
  vol3 -f mem.raw windows.iat.IAT --pid <PID>
  >> Extract Import Address Table: see what API functions a process uses. Spot suspicious imports.

[Vol3] windows.pe_symbols.PESymbols
  vol3 -f mem.raw windows.pe_symbols.PESymbols --pid <PID>
  >> Print symbols from PE files in process/kernel memory.

[Vol3] windows.devicetree.DeviceTree
  vol3 -f mem.raw windows.devicetree.DeviceTree
  >> Show driver + attached device tree. Find malicious device stacks.

─── LINUX ─────────────────────────────────────────────────────────────────────────

[Vol2] linux_lsmod
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_lsmod
  >> List Linux kernel modules (like lsmod command).

[Vol3] linux.lsmod
  vol3 -f mem.raw linux.lsmod
  >> Vol3 Linux kernel module list.

[Vol3] linux.library_list.LibraryList
  vol3 -f mem.raw linux.library_list.LibraryList
  >> Enumerate shared libraries (.so files) loaded into each process.

[Vol3] linux.elfs.Elfs
  vol3 -f mem.raw linux.elfs.Elfs
  >> List all memory-mapped ELF files across all processes.

[Vol3] linux.module_extract.ModuleExtract
  vol3 -f mem.raw linux.module_extract.ModuleExtract --module-address <ADDR>
  >> Recreate ELF file from kernel module in memory for analysis.

─── MAC ───────────────────────────────────────────────────────────────────────────

[Vol2] mac_lsmod
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_lsmod
  >> List Mac kernel extensions (kexts).

[Vol3] mac.lsmod
  vol3 -f mem.raw mac.lsmod.Lsmod
  >> Vol3 Mac kernel extension list.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 4 — HANDLES & OPEN FILES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS ───────────────────────────────────────────────────────────────────────

[Vol2] handles
  vol2 -f mem.raw --profile=Win7SP1x64 handles -p <PID>
  vol2 -f mem.raw --profile=Win7SP1x64 handles -p <PID> -t File
  >> List open handles per process. Filter by type: File, Process, Thread, Key,
  >> Event, Mutant, Section, Token. Find open files, registry keys, mutexes.

[Vol2] filescan
  vol2 -f mem.raw --profile=Win7SP1x64 filescan
  >> Scan memory for FILE_OBJECT structures. Finds all file refs including closed ones.

[Vol2] mutantscan
  vol2 -f mem.raw --profile=Win7SP1x64 mutantscan
  >> Scan for mutex objects. Malware uses mutexes as infection markers (only infect once).

[Vol2] symlinkscan
  vol2 -f mem.raw --profile=Win7SP1x64 symlinkscan
  >> Scan for symbolic link objects in memory.

[Vol2] userhandles
  vol2 -f mem.raw --profile=Win7SP1x64 userhandles
  >> Dump USER handle tables (windows, menus, cursors).

[Vol2] gahti
  vol2 -f mem.raw --profile=Win7SP1x64 gahti
  >> Dump USER handle type information from kernel.

[Vol3] windows.handles
  vol3 -f mem.raw windows.handles --pid <PID>
  >> Vol3 open handle lister (files, keys, mutants, sections, tokens). --pid to filter by PID.

[Vol3] windows.filescan
  vol3 -f mem.raw windows.filescan
  >> Vol3 file object scanner.

[Vol3] windows.mutantscan
  vol3 -f mem.raw windows.mutantscan
  >> Vol3 mutex scanner.

[Vol3] windows.symlinkscan
  vol3 -f mem.raw windows.symlinkscan
  >> Vol3 symlink scanner.

─── LINUX ─────────────────────────────────────────────────────────────────────────

[Vol2] linux_find_file -L
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_find_file -L
  >> List all files cached in Linux memory (VFS page cache).

[Vol2] linux_find_file -i <INODE> -O <output_file>
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_find_file -i 0xINODEADDR -O saved_file
  >> Extract specific file from memory by inode address.

[Vol3] linux.lsof.Lsof
  vol3 -f mem.raw linux.lsof.Lsof
  >> List open file descriptors for each process. Like lsof command.

[Vol3] linux.pagecache.Files
  vol3 -f mem.raw linux.pagecache.Files
  >> List files currently in page cache.

[Vol3] linux.pagecache.InodePages
  vol3 -f mem.raw linux.pagecache.InodePages
  >> List and recover cached inode pages from memory.

[Vol3] linux.pagecache.RecoverFs
  vol3 -f mem.raw -o ./output/ linux.pagecache.RecoverFs
  >> Recover entire cached filesystem (dirs, files, symlinks) as compressed tarball.
  >> CTF GOLD: recover deleted/hidden files that were in memory.

─── MAC ───────────────────────────────────────────────────────────────────────────

[Vol2] mac_lsof
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_lsof
  >> List open files for Mac processes.

[Vol3] mac.lsof.Lsof
  vol3 -f mem.raw mac.lsof.Lsof
  >> Vol3 Mac open file descriptor lister.

[Vol3] mac.list_files.List_Files
  vol3 -f mem.raw mac.list_files.List_Files
  >> List all open file descriptors for all Mac processes.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 5 — NETWORK CONNECTIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS ───────────────────────────────────────────────────────────────────────

[Vol2] connections  (XP/2003 only)
  vol2 -f mem.raw --profile=WinXPSP3x86 connections
  >> Active TCP connections. Windows XP/2003 only.

[Vol2] connscan  (XP/2003 only)
  vol2 -f mem.raw --profile=WinXPSP3x86 connscan
  >> Scan for TCP connection structures including closed ones. XP/2003 only.

[Vol2] sockets  (XP/2003 only)
  vol2 -f mem.raw --profile=WinXPSP3x86 sockets
  >> List open sockets. XP/2003 only.

[Vol2] sockscan  (XP/2003 only)
  vol2 -f mem.raw --profile=WinXPSP3x86 sockscan
  >> Pool scanner for socket objects. XP/2003 only.

[Vol2] netscan  (Vista+ / Win7+)
  vol2 -f mem.raw --profile=Win7SP1x64 netscan
  >> Active + closed TCP/UDP connections for Win7+.
  >> Shows PID, local/remote IP:port, state, process name.

[Vol3] windows.netscan
  vol3 -f mem.raw windows.netscan
  >> Vol3 network object scanner.

[Vol3] windows.netstat
  vol3 -f mem.raw windows.netstat
  >> Vol3 netstat-style output — traverses network tracking structures directly.

─── LINUX ─────────────────────────────────────────────────────────────────────────

[Vol2] linux_netstat
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_netstat
  >> Show active Linux network connections.

[Vol2] linux_ifconfig
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_ifconfig
  >> Show Linux network interface configuration from memory.

[Vol3] linux.sockstat.Sockstat
  vol3 -f mem.raw linux.sockstat.Sockstat
  >> List all network connections per process. Like ss/netstat command.

[Vol3] linux.sockscan.Sockscan
  vol3 -f mem.raw linux.sockscan.Sockscan
  >> Scan memory layer for socket objects. Finds more than sockstat.

[Vol3] linux.ip.Addr
  vol3 -f mem.raw linux.ip.Addr
  >> Network interface info like ip addr command.

[Vol3] linux.ip.Link
  vol3 -f mem.raw linux.ip.Link
  >> Network interface list like ip link show.

[Vol3] linux.malware.netfilter.Netfilter
  vol3 -f mem.raw linux.malware.netfilter.Netfilter
  >> List Netfilter hooks. Rootkits hook Netfilter to intercept/modify traffic.

─── MAC ───────────────────────────────────────────────────────────────────────────

[Vol2] mac_netstat
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_netstat
  >> List Mac network connections.

[Vol2] mac_ifconfig
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_ifconfig
  >> Show Mac network interface config.

[Vol3] mac.netstat.Netstat
  vol3 -f mem.raw mac.netstat.Netstat
  >> Vol3 Mac network connection lister.

[Vol3] mac.ifconfig.Ifconfig
  vol3 -f mem.raw mac.ifconfig.Ifconfig
  >> Vol3 Mac network interface info.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 6 — REGISTRY (WINDOWS ONLY)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[Vol2] hivelist
  vol2 -f mem.raw --profile=Win7SP1x64 hivelist
  >> List all loaded registry hives with memory addresses.

[Vol2] hivescan
  vol2 -f mem.raw --profile=Win7SP1x64 hivescan
  >> Scan memory pool for registry hive objects. Finds more than hivelist.

[Vol2] hivedump
  vol2 -f mem.raw --profile=Win7SP1x64 hivedump -o <HIVE_OFFSET>
  >> Dump entire registry hive to file for offline analysis.

[Vol2] printkey
  vol2 -f mem.raw --profile=Win7SP1x64 printkey -K "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  >> Print registry key + subkeys + values.
  >> CTF USE: check Run keys for persistence, startup malware.

[Vol2] hashdump
  vol2 -f mem.raw --profile=Win7SP1x64 hashdump
  vol2 -f mem.raw --profile=Win7SP1x64 hashdump -y <SYSTEM_OFFSET> -s <SAM_OFFSET>
  >> Extract NTLM password hashes from SAM/SYSTEM hive. Crack with hashcat/john.

[Vol2] lsadump
  vol2 -f mem.raw --profile=Win7SP1x64 lsadump
  >> Dump LSA secrets: service passwords, cached domain credentials.

[Vol2] userassist
  vol2 -f mem.raw --profile=Win7SP1x64 userassist
  >> Show recently executed programs from UserAssist registry key.

[Vol2] shimcachemem
  vol2 -f mem.raw --profile=Win7SP1x64 shimcachemem
  >> Extract shimcache from registry: program execution evidence.

[Vol2] amcache  (Win8+)
  vol2 -f mem.raw --profile=Win8SP0x64 amcache
  >> Parse AmCache hive: detailed program execution history.

[Vol3] windows.registry.hivelist
  vol3 -f mem.raw windows.registry.hivelist
  >> Vol3 registry hive list.

[Vol3] windows.registry.hivescan
  vol3 -f mem.raw windows.registry.hivescan
  >> Vol3 registry hive scanner (finds more hives).

[Vol3] windows.registry.printkey
  vol3 -f mem.raw windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  >> Vol3 registry key printer.

[Vol3] windows.registry.userassist
  vol3 -f mem.raw windows.registry.userassist
  >> Show recently executed programs from UserAssist registry keys.

[Vol3] windows.registry.amcache.Amcache
  vol3 -f mem.raw windows.registry.amcache.Amcache
  >> Extract executed app info from AmCache registry hive.

[Vol3] windows.registry.certificates.Certificates
  vol3 -f mem.raw windows.registry.certificates.Certificates
  >> List certificates from registry Certificate Store. Find rogue certs.

[Vol3] windows.registry.scheduled_tasks.ScheduledTasks
  vol3 -f mem.raw windows.registry.scheduled_tasks.ScheduledTasks
  >> Decode scheduled tasks from registry: triggers, actions, run times.

[Vol3] windows.registry.getcellroutine.GetCellRoutine
  vol3 -f mem.raw windows.registry.getcellroutine.GetCellRoutine
  >> Find registry hives with hooked GetCellRoutine handler (rootkit sign).

[Vol3] windows.hashdump
  vol3 -f mem.raw windows.hashdump
  >> Vol3 NTLM hash extractor.

[Vol3] windows.lsadump
  vol3 -f mem.raw windows.lsadump
  >> Vol3 LSA secrets dumper.

[Vol3] windows.shimcachemem.ShimcacheMem
  vol3 -f mem.raw windows.shimcachemem.ShimcacheMem
  >> Read Shimcache entries from ahcache.sys AVL tree.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 7 — MEMORY DUMP / EXTRACTION
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS ───────────────────────────────────────────────────────────────────────

[Vol2] memdump
  vol2 -f mem.raw --profile=Win7SP1x64 memdump -p <PID> -D ./output/
  >> Dump full addressable memory of a process. Run strings on result to find flags.

[Vol2] procdump
  vol2 -f mem.raw --profile=Win7SP1x64 procdump -p <PID> -D ./output/
  >> Dump process as reconstructed .exe file. Analyze in IDA/Ghidra/CFF Explorer.

[Vol2] dlldump
  vol2 -f mem.raw --profile=Win7SP1x64 dlldump -p <PID> -D ./output/
  vol2 -f mem.raw --profile=Win7SP1x64 dlldump --base=0xBASEADDR -D ./output/
  >> Dump specific DLL from process memory.

[Vol2] moddump
  vol2 -f mem.raw --profile=Win7SP1x64 moddump -D ./output/
  >> Dump kernel driver/module to file.

[Vol2] dumpfiles
  vol2 -f mem.raw --profile=Win7SP1x64 dumpfiles -Q <PHYSOFFSET> -D ./output/
  vol2 -f mem.raw --profile=Win7SP1x64 dumpfiles -r \.txt -D ./output/
  >> Extract file from memory cache by physical offset or regex filename pattern.

[Vol2] dumpcerts
  vol2 -f mem.raw --profile=Win7SP1x64 dumpcerts -D ./output/
  >> Dump RSA private and public SSL/TLS certificates from memory.

[Vol2] imagecopy
  vol2 -f mem.raw --profile=Win7SP1x64 imagecopy -O output.raw
  >> Copy physical address space as raw DD image.

[Vol3] windows.memmap.Memmap --dump  (Vol3 equivalent of Vol2 memdump; windows.memdump is not a Vol3 plugin)
  vol3 -f mem.raw -o ./output/ windows.memmap.Memmap --pid <PID> --dump
  >> Dump full addressable memory of a process. Output directory is the global -o option
  >> (before the plugin name); Vol3 has no --dump-dir.

[Vol3] windows.pslist --dump  (Vol3 equivalent of Vol2 procdump; windows.procdump is not a Vol3 plugin)
  vol3 -f mem.raw -o ./output/ windows.pslist --pid <PID> --dump
  >> Dump the process executable reconstructed from memory. For a specific base address
  >> use windows.pedump.PEDump below.

[Vol3] windows.dumpfiles
  vol3 -f mem.raw -o ./output/ windows.dumpfiles --virtaddr <ADDR>
  vol3 -f mem.raw -o ./output/ windows.dumpfiles --physaddr <ADDR>
  >> Extract a cached file by FILE_OBJECT virtual or physical address (take it from windows.filescan).

[Vol3] windows.pedump.PEDump
  vol3 -f mem.raw windows.pedump.PEDump --pid <PID> --base <BASE_ADDR>
  >> Dump PE file from specific virtual address in process memory.

[Vol3] layerwriter.LayerWriter
  vol3 -f mem.raw -o ./output/ layerwriter.LayerWriter
  >> Write out the primary memory layer as raw file. Full memory extraction.

─── LINUX ─────────────────────────────────────────────────────────────────────────

[Vol2] linux_dump_map
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_dump_map -p <PID> -D ./output/
  >> Dump memory map regions of a Linux process.

[Vol2] linux_procdump
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_procdump -p <PID> -D ./output/
  >> Dump Linux process ELF binary reconstructed from memory.

[Vol3] linux.proc.Maps
  vol3 -f mem.raw linux.proc.Maps --pid <PID>
  >> Show Linux process memory map regions (like /proc/PID/maps).

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 8 — CODE INJECTION DETECTION
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS ───────────────────────────────────────────────────────────────────────

[Vol2] malfind
  vol2 -f mem.raw --profile=Win7SP1x64 malfind
  vol2 -f mem.raw --profile=Win7SP1x64 malfind -p <PID> -D ./output/
  >> Find injected code: RWX memory regions with MZ/PE headers or shellcode patterns.
  >> CTF #1 TOOL for finding malware injections. Dump with -D for further analysis.

[Vol2] hollowfind
  vol2 -f mem.raw --profile=Win7SP1x64 hollowfind
  >> Detect process hollowing: legitimate process replaced with malicious executable.

[Vol2] cmdline
  vol2 -f mem.raw --profile=Win7SP1x64 cmdline
  >> Show command-line arguments for all processes. Find suspicious execution.

[Vol2] cmdscan
  vol2 -f mem.raw --profile=Win7SP1x64 cmdscan
  >> Scan for COMMAND_HISTORY structures. Recover typed commands from cmd.exe.

[Vol2] consoles
  vol2 -f mem.raw --profile=Win7SP1x64 consoles
  >> Recover full console I/O (both input typed + output shown) from cmd.exe.
  >> CTF USE: see exactly what attacker typed and what output appeared.

[Vol2] impscan
  vol2 -f mem.raw --profile=Win7SP1x64 impscan -p <PID>
  >> Scan process for calls to imported functions. Find hidden API calls.

[Vol3] windows.malfind
  vol3 -f mem.raw windows.malfind
  vol3 -f mem.raw windows.malfind --pid <PID>
  >> Vol3 injected code finder (see Vol2 malfind above). --pid to filter by PID.

[Vol3] windows.malware.malfind.Malfind
  vol3 -f mem.raw windows.malware.malfind.Malfind
  >> Updated malfind with improved shellcode/injection detection.

[Vol3] windows.malware.hollowprocesses.HollowProcesses
  vol3 -f mem.raw windows.malware.hollowprocesses.HollowProcesses
  >> Vol3 process hollowing detector.

[Vol3] windows.cmdline
  vol3 -f mem.raw windows.cmdline
  >> Vol3 process command line args.

[Vol3] windows.cmdscan
  vol3 -f mem.raw windows.cmdscan
  >> Vol3 command history scanner.

[Vol3] windows.consoles
  vol3 -f mem.raw windows.consoles
  >> Vol3 console I/O recovery.

[Vol3] windows.malware.suspicious_threads.SuspiciousThreads
  vol3 -f mem.raw windows.malware.suspicious_threads.SuspiciousThreads
  >> Find suspicious userland threads: injected thread indicators.

[Vol3] windows.malware.skeleton_key_check.Skeleton_Key_Check
  vol3 -f mem.raw windows.malware.skeleton_key_check.Skeleton_Key_Check
  >> Detect Skeleton Key malware: LSASS patch to bypass all domain authentication.

[Vol3] windows.etwpatch.EtwPatch
  vol3 -f mem.raw windows.etwpatch.EtwPatch
  >> Detect ETW (Event Tracing) patching by malware to blind security tools.

[Vol3] windows.malware.unhooked_system_calls.UnhookedSystemCalls
  vol3 -f mem.raw windows.malware.unhooked_system_calls.UnhookedSystemCalls
  >> Detect hooked ntdll.dll stubs: EDR/AV bypass technique.

[Vol3] windows.malware.direct_system_calls
  vol3 -f mem.raw windows.malware.direct_system_calls
  >> Detect direct syscall usage bypassing ntdll.dll entirely.

─── LINUX ─────────────────────────────────────────────────────────────────────────

[Vol2] linux_malfind
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_malfind
  >> Find suspicious RWX memory regions in Linux processes.

[Vol2] linux_check_syscall
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_syscall
  >> Check syscall table for hooks. Rootkits replace syscall pointers.

[Vol2] linux_check_idt
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_idt
  >> Check IDT (Interrupt Descriptor Table) for hooks.

[Vol2] linux_check_fop
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_fop
  >> Check file operation function pointers for hooks.

[Vol3] linux.malware.malfind.Malfind
  vol3 -f mem.raw linux.malware.malfind.Malfind
  >> Find injected code in Linux process memory regions.

[Vol3] linux.malware.check_syscall.Check_syscall
  vol3 -f mem.raw linux.malware.check_syscall.Check_syscall
  >> Check Linux syscall table for hooks.

[Vol3] linux.malware.check_idt.Check_idt
  vol3 -f mem.raw linux.malware.check_idt.Check_idt
  >> Check IDT for hooks.

[Vol3] linux.malware.check_afinfo.Check_afinfo
  vol3 -f mem.raw linux.malware.check_afinfo.Check_afinfo
  >> Verify network protocol operation function pointers for hooks.

[Vol3] linux.malware.check_creds.Check_creds
  vol3 -f mem.raw linux.malware.check_creds.Check_creds
  >> Check if processes share credential structures (rootkit privilege escalation sign).

[Vol3] linux.malware.tty_check.Tty_Check
  vol3 -f mem.raw linux.malware.tty_check.Tty_Check
  >> Check TTY device hooks. Rootkits hook TTY to intercept terminal input (keylogger).

[Vol3] linux.malware.keyboard_notifiers.Keyboard_notifiers
  vol3 -f mem.raw linux.malware.keyboard_notifiers.Keyboard_notifiers
  >> Check keyboard notifier call chain for hooks. Detect kernel-level keyloggers.

[Vol3] linux.tracing.ftrace.CheckFtrace
  vol3 -f mem.raw linux.tracing.ftrace.CheckFtrace
  >> Detect ftrace hooking: rootkits abuse kernel function tracing for stealth.

[Vol3] linux.tracing.tracepoints.CheckTracepoints
  vol3 -f mem.raw linux.tracing.tracepoints.CheckTracepoints
  >> Detect tracepoint hooking by rootkits.

[Vol3] linux.ebpf.EBPF
  vol3 -f mem.raw linux.ebpf.EBPF
  >> Enumerate eBPF programs. Modern rootkits use eBPF for stealthy hooks.

─── MAC ───────────────────────────────────────────────────────────────────────────

[Vol2] mac_malfind
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_malfind
  >> Find injected code in Mac process memory.

[Vol2] mac_check_syscall
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_syscall
  >> Check Mac BSD syscall table for hooks.

[Vol2] mac_check_sysctl
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_sysctl
  >> Check sysctl handlers for hooks.

[Vol2] mac_check_trap_table
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_trap_table
  >> Check Mach trap table for hooks.

[Vol3] mac.malfind.Malfind
  vol3 -f mem.raw mac.malfind.Malfind
  >> Vol3 Mac injected code finder.

[Vol3] mac.check_syscall.Check_syscall
  vol3 -f mem.raw mac.check_syscall.Check_syscall
  >> Vol3 Mac syscall table hook check.

[Vol3] mac.check_sysctl.Check_sysctl
  vol3 -f mem.raw mac.check_sysctl.Check_sysctl
  >> Vol3 sysctl handler hook check.

[Vol3] mac.check_trap_table.Check_trap_table
  vol3 -f mem.raw mac.check_trap_table.Check_trap_table
  >> Vol3 Mach trap table hook check.

[Vol3] mac.trustedbsd.Trustedbsd
  vol3 -f mem.raw mac.trustedbsd.Trustedbsd
  >> Check for malicious TrustedBSD policy modules (Mac rootkit mechanism).

[Vol3] mac.timers.Timers
  vol3 -f mem.raw mac.timers.Timers
  >> Check for malicious kernel timers in Mac memory.

[Vol3] mac.socket_filters.Socket_filters
  vol3 -f mem.raw mac.socket_filters.Socket_filters
  >> List kernel socket filters. Malware uses these to intercept network data.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 9 — ENVIRONMENT, PRIVILEGES & SIDS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS ───────────────────────────────────────────────────────────────────────

[Vol2] envars
  vol2 -f mem.raw --profile=Win7SP1x64 envars
  vol2 -f mem.raw --profile=Win7SP1x64 envars -p <PID>
  >> Show environment variables of processes. Can contain passwords, paths, flags.

[Vol2] getsids
  vol2 -f mem.raw --profile=Win7SP1x64 getsids -p <PID>
  >> Show Security IDs (SIDs) for processes. Check if running as SYSTEM or admin.
  >> CTF USE: find which user/group context malware is running under.

[Vol2] getservicesids
  vol2 -f mem.raw --profile=Win7SP1x64 getservicesids
  >> Map Windows service names to their SIDs.

[Vol2] privs
  vol2 -f mem.raw --profile=Win7SP1x64 privs -p <PID>
  >> Show process token privileges (SeDebugPrivilege, SeImpersonatePrivilege etc).
  >> Detect privilege escalation: enabled dangerous privileges.

[Vol3] windows.envars
  vol3 -f mem.raw windows.envars --pid <PID>
  >> Vol3 environment variable lister. Drop --pid to dump every process; grep for PATH, TEMP, COMSPEC and proxy variables that malware commonly rewrites.

[Vol3] windows.getsids.GetSIDs
  vol3 -f mem.raw windows.getsids.GetSIDs
  >> Vol3 SID lister. Show SIDs owning each process.

[Vol3] windows.getservicesids.GetServiceSIDs
  vol3 -f mem.raw windows.getservicesids.GetServiceSIDs
  >> Vol3 service SID mapper.

[Vol3] windows.privileges.Privs
  vol3 -f mem.raw windows.privileges.Privs --pid <PID>
  >> Vol3 process privilege lister.
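
The getsids/privs blocks above are usually read together: a dangerous privilege is only interesting once you know which account holds it. The script below is an added example for this cheatsheet, not code from the Volatility project. It post-processes the JSON that current Vol3 writes with `vol3 -f mem.raw -r json windows.privileges.Privs > privs.json` and `vol3 -f mem.raw -r json windows.getsids.GetSIDs > sids.json`, flags processes with a dangerous privilege in the Enabled state (Present-only is the normal idle state for admin tokens), and uses the SID list to separate real core OS processes from a user-owned process that merely borrowed the name. The column names "PID", "Process", "Privilege", "Attributes" and "SID" are assumed from the current renderer; confirm them with -r json on your own build. The sample rows are constructed, not taken from a real image.

```python
"""Flag processes holding dangerous token privileges in an enabled state.

Added example for this cheatsheet, not code from the Volatility project.
Input: JSON from  vol3 -r json windows.privileges.Privs  and  windows.getsids.GetSIDs.
Assumed column names (verify with -r json on your build): Privs rows carry
"PID", "Process", "Privilege", "Attributes"; GetSIDs rows carry "PID", "SID".
"""
import json
import sys
from collections import defaultdict

# Privileges attackers enable for injection, token theft, driver loading and SAM/hive access.
DANGEROUS = {
    "SeDebugPrivilege", "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}
# Core OS processes expected to hold such privileges, but only when running as SYSTEM.
EXPECTED_SYSTEM = {"System", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe"}
SYSTEM_SID = "S-1-5-18"


def load_rows(text):
    """Accept either '-r json' (one array) or '-r jsonl' (one object per line)."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def read_rows(path):
    with open(path, encoding="utf-8") as fh:
        return load_rows(fh.read())


def enabled_dangerous(priv_rows):
    """Map PID -> set of dangerous privileges whose Attributes list 'Enabled'."""
    out = defaultdict(set)
    for row in priv_rows:
        attrs = {a.strip() for a in str(row.get("Attributes") or "").split(",")}
        if row["Privilege"] in DANGEROUS and "Enabled" in attrs:
            out[int(row["PID"])].add(row["Privilege"])
    return out


def sids_by_pid(sid_rows):
    out = defaultdict(set)
    for row in sid_rows:
        out[int(row["PID"])].add(row["SID"])
    return out


def triage(priv_rows, sid_rows):
    """Findings sorted by PID: unexpected holders, and core-OS names without a SYSTEM token."""
    names = {int(r["PID"]): r["Process"] for r in priv_rows}
    sids = sids_by_pid(sid_rows)
    findings = []
    for pid, privs in sorted(enabled_dangerous(priv_rows).items()):
        name = names.get(pid, "?")
        is_system = SYSTEM_SID in sids.get(pid, set())
        if name in EXPECTED_SYSTEM and is_system:
            continue  # e.g. lsass.exe as SYSTEM with SeDebugPrivilege enabled: normal
        if name in EXPECTED_SYSTEM:
            reason = "core OS process name but token is not SYSTEM (masquerading?)"
        else:
            reason = "non-core process with a dangerous privilege enabled"
        findings.append({"pid": pid, "process": name, "privileges": sorted(privs),
                         "system": is_system, "reason": reason})
    return findings


# Constructed sample rows in the assumed Vol3 column layout (not from a real image).
SAMPLE_PRIVS = [
    {"PID": 652,  "Process": "lsass.exe",   "Privilege": "SeDebugPrivilege",       "Attributes": "Present,Enabled,Default"},
    {"PID": 900,  "Process": "svchost.exe", "Privilege": "SeImpersonatePrivilege", "Attributes": "Present"},
    {"PID": 3120, "Process": "notepad.exe", "Privilege": "SeDebugPrivilege",       "Attributes": "Present,Enabled"},
    {"PID": 3120, "Process": "notepad.exe", "Privilege": "SeShutdownPrivilege",    "Attributes": "Present,Enabled"},
    {"PID": 5555, "Process": "lsass.exe",   "Privilege": "SeDebugPrivilege",       "Attributes": "Present,Enabled"},
]
SAMPLE_SIDS = [
    {"PID": 652,  "SID": "S-1-5-18"},
    {"PID": 900,  "SID": "S-1-5-19"},
    {"PID": 3120, "SID": "S-1-5-21-1111-2222-3333-1001"},
    {"PID": 5555, "SID": "S-1-5-21-1111-2222-3333-1001"},
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 privtriage.py privs.json sids.json
        privs, sids = read_rows(sys.argv[1]), read_rows(sys.argv[2])
    else:
        privs, sids = SAMPLE_PRIVS, SAMPLE_SIDS
    for f in triage(privs, sids):
        print(f"PID {f['pid']:<6} {f['process']:<16} {','.join(f['privileges'])}  -> {f['reason']}")
```

On the sample data PID 3120 (notepad.exe, user SID, SeDebugPrivilege enabled) and PID 5555 (named lsass.exe but owned by a user SID) are reported; the real lsass.exe under S-1-5-18 is not. Tune EXPECTED_SYSTEM and DANGEROUS to the environment before trusting the output.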

[Vol3] windows.statistics.Statistics
  vol3 -f mem.raw windows.statistics.Statistics
  >> Show memory space statistics: page counts, layer sizes, etc.

[Vol3] windows.kpcrs.KPCRs
  vol3 -f mem.raw windows.kpcrs.KPCRs
  >> Print KPCR (Kernel Processor Control Region) for each CPU.

─── LINUX ─────────────────────────────────────────────────────────────────────────

[Vol2] linux_psenv
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_psenv -p <PID>
  >> Show environment variables of Linux processes.

[Vol2] linux_getcwd
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_getcwd
  >> Show current working directory of each Linux process.

[Vol3] linux.envars.Envars
  vol3 -f mem.raw linux.envars.Envars
  >> List Linux process environment variables.

[Vol3] linux.capabilities.Capabilities
  vol3 -f mem.raw linux.capabilities.Capabilities
  >> List Linux process capabilities (cap_sys_admin etc). Detect privilege escalation.

[Vol3] linux.boottime.Boottime
  vol3 -f mem.raw linux.boottime.Boottime
  >> Show when the Linux system was started.

[Vol3] linux.iomem.IOMem
  vol3 -f mem.raw linux.iomem.IOMem
  >> Show memory map like /proc/iomem.

─── MAC ───────────────────────────────────────────────────────────────────────────

[Vol2] mac_psenv
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_psenv
  >> Show environment variables of Mac processes.

[Vol3] mac.kevents.Kevents
  vol3 -f mem.raw mac.kevents.Kevents
  >> List event handlers registered by Mac processes.

[Vol3] mac.kauth_listeners.Kauth_listeners
  vol3 -f mem.raw mac.kauth_listeners.Kauth_listeners
  >> List kauth authorization listeners and their status.

[Vol3] mac.kauth_scopes.Kauth_scopes
  vol3 -f mem.raw mac.kauth_scopes.Kauth_scopes
  >> List kauth authorization scopes.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 10 — KERNEL & HOOKS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS ───────────────────────────────────────────────────────────────────────

[Vol2] ssdt
  vol2 -f mem.raw --profile=Win7SP1x64 ssdt
  >> Show System Service Descriptor Table. Hooked entries = rootkit replacing syscalls.

[Vol2] idt
  vol2 -f mem.raw --profile=Win7SP1x64 idt
  >> Dump Interrupt Descriptor Table. Hooked IDT entries = rootkit.

[Vol2] driverirp
  vol2 -f mem.raw --profile=Win7SP1x64 driverirp
  >> Show IRP (I/O Request Packet) handler pointers for drivers. Hooked = rootkit.

[Vol2] callbacks
  vol2 -f mem.raw --profile=Win7SP1x64 callbacks
  >> List kernel notification callbacks. Malware registers callbacks for persistence/monitoring.

[Vol2] gdt
  vol2 -f mem.raw --profile=Win7SP1x64 gdt
  >> Display Global Descriptor Table. Advanced rootkit analysis.

[Vol2] threads
  vol2 -f mem.raw --profile=Win7SP1x64 threads -F OrphanThread
  >> List threads. OrphanThread filter = injected threads with no legitimate parent.

[Vol2] timers
  vol2 -f mem.raw --profile=Win7SP1x64 timers
  >> Print kernel timers and DPCs. Malware uses timers for scheduled execution.

[Vol2] gditimers
  vol2 -f mem.raw --profile=Win7SP1x64 gditimers
  >> Print GDI timers and callbacks.

[Vol3] windows.ssdt
  vol3 -f mem.raw windows.ssdt

[Vol3] windows.driverirp
  vol3 -f mem.raw windows.driverirp

[Vol3] windows.callbacks
  vol3 -f mem.raw windows.callbacks

[Vol3] windows.threads
  vol3 -f mem.raw windows.threads

[Vol3] windows.timers.Timers
  vol3 -f mem.raw windows.timers.Timers
  >> Kernel timers + DPCs. Malware uses for periodic execution.

[Vol3] windows.malware.svcdiff.SvcDiff
  vol3 -f mem.raw windows.malware.svcdiff.SvcDiff
  >> Compare list-walking vs pool-scanning for services. Find rootkit-hidden services.

─── LINUX ─────────────────────────────────────────────────────────────────────────

[Vol2] linux_check_modules
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_modules
  >> Find hidden kernel modules not in official module list.

[Vol3] linux.malware.check_modules.Check_modules
  vol3 -f mem.raw linux.malware.check_modules.Check_modules
  >> Vol3 hidden kernel module detector.

[Vol3] linux.malware.modxview.Modxview
  vol3 -f mem.raw linux.malware.modxview.Modxview
  >> Centralize lsmod + check_modules + hidden_modules results. Best rootkit overview.
  >> CTF USE: single command for complete module rootkit analysis.

[Vol3] linux.kthreads.Kthreads
  vol3 -f mem.raw linux.kthreads.Kthreads
  >> Enumerate kernel thread functions.

[Vol3] linux.kallsyms.Kallsyms
  vol3 -f mem.raw linux.kallsyms.Kallsyms
  >> Enumerate kernel symbols from kallsyms.

─── MAC ───────────────────────────────────────────────────────────────────────────

[Vol2] mac_check_syscall
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_syscall
  >> Check Mac syscall table for hooks.

[Vol2] mac_check_sysctl
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_sysctl
  >> Check sysctl handlers.

[Vol3] mac.dmesg.Dmesg
  vol3 -f mem.raw mac.dmesg.Dmesg
  >> Print Mac kernel log buffer (like dmesg).

[Vol3] mac.mount.Mount
  vol3 -f mem.raw mac.mount.Mount
  >> Show mounted filesystems on Mac.

[Vol3] mac.vfsevents.VFSevents
  vol3 -f mem.raw mac.vfsevents.VFSevents
  >> List processes filtering filesystem events (surveillance/rootkit technique).

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 11 — STRING & ARTIFACT HUNTING
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS ───────────────────────────────────────────────────────────────────────

[Vol2] strings (external tool + memdump)
  strings ./output/PID.dmp | grep -i "flag\|CTF\|password\|http"
  >> After memdump, run the strings tool on the output. Find flags, URLs, credentials, keys.
  >> Windows process memory is mostly UTF-16LE: repeat the run with strings -el, or the plain ASCII pass misses most of it.

[Vol2] clipboard
  vol2 -f mem.raw --profile=Win7SP1x64 clipboard
  >> Extract Windows clipboard content. Attacker may have copied flag/password.

[Vol2] screenshot
  vol2 -f mem.raw --profile=Win7SP1x64 screenshot -D ./output/
  >> Capture GDI-based screenshots of all windows from memory. See what was on screen.

[Vol2] iehistory
  vol2 -f mem.raw --profile=Win7SP1x64 iehistory
  >> Recover Internet Explorer cache/history from memory.

[Vol2] notepad
  vol2 -f mem.raw --profile=Win7SP1x64 notepad
  >> Show text currently displayed in open Notepad windows. Flags sometimes left here.

[Vol2] editbox
  vol2 -f mem.raw --profile=Win7SP1x64 editbox
  >> Show text in Win32 Edit controls: text fields, input boxes in any application.

[Vol2] messagehooks
  vol2 -f mem.raw --profile=Win7SP1x64 messagehooks
  >> List desktop and thread window message hooks. Keyloggers use these.

[Vol2] eventhooks
  vol2 -f mem.raw --profile=Win7SP1x64 eventhooks
  >> Print Windows event hook details. Malware uses for UI monitoring.

[Vol2] atoms
  vol2 -f mem.raw --profile=Win7SP1x64 atoms
  >> Show Windows atom tables (global + session). Can contain strings/code refs.

[Vol2] atomscan
  vol2 -f mem.raw --profile=Win7SP1x64 atomscan
  >> Pool scanner for atom tables. Finds more than atoms plugin.

[Vol2] deskscan
  vol2 -f mem.raw --profile=Win7SP1x64 deskscan
  >> Pool scanner for Desktop objects.

[Vol2] wintree
  vol2 -f mem.raw --profile=Win7SP1x64 wintree
  >> Print Z-order desktop window tree. See layered window arrangement.

[Vol2] windows
  vol2 -f mem.raw --profile=Win7SP1x64 windows
  >> Print Desktop windows with verbose details.

[Vol2] wndscan
  vol2 -f mem.raw --profile=Win7SP1x64 wndscan
  >> Pool scanner for window station objects.

[Vol3] windows.clipboard
  vol3 -f mem.raw windows.clipboard
  >> Not an official core plugin in current Vol3; verify with vol3 -h. If absent, hunt clipboard text with regexscan/vadregexscan instead.

[Vol3] windows.strings.Strings
  vol3 -f mem.raw windows.strings.Strings --strings-file strings.txt
  >> Maps each string's physical offset to the owning process (or kernel) and virtual address.
  >> --strings-file is required: feed it the decimal-offset output of `strings -a -td mem.raw` (run a second pass with -el for UTF-16LE).

[Vol3] windows.vadregexscan.VadRegExScan
  vol3 -f mem.raw windows.vadregexscan.VadRegExScan --pattern "flag\{" --pid <PID>
  >> Scan VAD memory regions with regex. Directly hunt flags/patterns in process memory.

[Vol3] regexscan.RegExScan
  vol3 -f mem.raw regexscan.RegExScan --pattern "flag\{"
  >> OS-agnostic regex scan over the whole primary memory layer (not tied to a process). Broadest string hunt; vadregexscan/vmaregexscan are the per-process versions.

[Vol3] windows.windows.Windows
  vol3 -f mem.raw windows.windows.Windows
  >> Enumerate visible Desktop window elements.

[Vol3] windows.desktops.Desktops
  vol3 -f mem.raw windows.desktops.Desktops
  >> Enumerate Desktop instances of each Window Station.

[Vol3] windows.deskscan.DeskScan
  vol3 -f mem.raw windows.deskscan.DeskScan
  >> Scan for Desktop instances.
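
The strings tip and the regex-scan plugins above share one gap on Windows: most interesting text is UTF-16LE, and a plain `strings` pass or a bytes regex only sees ASCII. The script below is an added example for this cheatsheet, not code from the Volatility project or from GNU strings. It extracts both ASCII and UTF-16LE runs from a dumped region (memdump/vaddump/dumpfiles output), filters them with a regex the way vadregexscan --pattern does, and can write them as decimal "offset string" lines; that is the layout `strings -td` produces, which I am assuming is what windows.strings --strings-file expects (confirm with `vol3 windows.strings -h`). The sample buffer is constructed, not from a real dump.

```python
"""Hunt ASCII and UTF-16LE strings in a dumped memory region, with offsets.

Added example for this cheatsheet; not code from the Volatility project or
from GNU strings. to_strings_file() emits the decimal "offset text" layout of
`strings -td`, assumed here to be the input windows.strings --strings-file wants.
"""
import re
import sys

PRINTABLE = rb"[\x20-\x7e]"


def extract_strings(data, min_len=6):
    """Return (offset, encoding, text) for every printable run of at least min_len chars."""
    ascii_re = re.compile(PRINTABLE + (b"{%d,}" % min_len))
    # UTF-16LE ASCII-range text is 'c\x00' pairs; the regex needs min_len consecutive pairs.
    utf16_re = re.compile(b"(?:" + PRINTABLE + (b"\x00){%d,}" % min_len))
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return sorted(hits)


def hunt(data, pattern, min_len=6):
    """Keep only the strings matching the regex (same idea as vadregexscan --pattern)."""
    rx = re.compile(pattern)
    return [h for h in extract_strings(data, min_len) if rx.search(h[2])]


def to_strings_file(hits):
    """Render hits as 'offset text' lines with decimal offsets, like strings -td."""
    return "\n".join(f"{off} {text}" for off, _, text in hits)


# Constructed sample buffer (not a real dump): ASCII flag, UTF-16LE URL, ASCII credential.
SAMPLE = (b"\x00" * 4 + b"garbage!" + b"\x00"
          + b"flag{mem0ry_hunt}" + b"\x00" * 4
          + "http://10.0.0.5/stage2.dll".encode("utf-16-le")
          + b"\xff\xfe" + b"pw\x00" + b"Password=Winter2024!" + b"\x00")

if __name__ == "__main__":
    if len(sys.argv) >= 3:  # python3 memstrings.py dump.dmp 'flag\{' [min_len]
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        pattern = sys.argv[2]
        min_len = int(sys.argv[3]) if len(sys.argv) > 3 else 6
    else:
        blob, pattern, min_len = SAMPLE, r"(?i)flag\{|https?://|password", 6
    for off, enc, text in hunt(blob, pattern, min_len):
        print(f"{off:#010x} {enc:<8} {text}")
```

Against the sample the flag is found at offset 13 as ASCII and the URL at offset 34 as UTF-16LE, which a default `strings` run would have skipped. Offsets are relative to the dumped file, so map them back through vadinfo (or use the real `strings -td` output with windows.strings) when you need the virtual address inside the process.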

─── LINUX ─────────────────────────────────────────────────────────────────────────

[Vol2] linux_bash
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_bash
  >> Recover bash command history from memory buffers.
  >> CTF GOLD: see exactly what commands attacker typed.

[Vol2] linux_truecrypt_passphrase
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_truecrypt_passphrase
  >> Find TrueCrypt/VeraCrypt passphrase cached in memory.

[Vol3] linux.bash.Bash
  vol3 -f mem.raw linux.bash.Bash
  >> Vol3 bash history recovery.

[Vol3] linux.vmaregexscan.VmaRegExScan
  vol3 -f mem.raw linux.vmaregexscan.VmaRegExScan --pattern "flag\{" --pid <PID>
  >> Scan Linux VMA regions with regex. Hunt flags/secrets in process memory.

[Vol3] linux.graphics.fbdev.Fbdev
  vol3 -f mem.raw -o ./output/ linux.graphics.fbdev.Fbdev --dump
  >> Extract Linux framebuffer content. Screenshot equivalent for Linux systems.
  >> -o is the global output directory and goes before the plugin name; --dump-dir is not a Vol3 option. Verify --dump with vol3 linux.graphics.fbdev.Fbdev -h.

[Vol3] linux.kmsg.Kmsg
  vol3 -f mem.raw linux.kmsg.Kmsg
  >> Read kernel ring buffer log (like dmesg). Find kernel messages/errors.

─── MAC ───────────────────────────────────────────────────────────────────────────

[Vol2] mac_bash
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_bash
  >> Recover bash command history from Mac memory.

[Vol3] mac.bash.Bash
  vol3 -f mem.raw mac.bash.Bash
  >> Vol3 Mac bash history recovery.

[Vol3] mac.dmesg.Dmesg
  vol3 -f mem.raw mac.dmesg.Dmesg
  >> Print Mac kernel log buffer.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 12 — VIRTUAL ADDRESS DESCRIPTOR (VAD)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS ───────────────────────────────────────────────────────────────────────

[Vol2] vadinfo
  vol2 -f mem.raw --profile=Win7SP1x64 vadinfo -p <PID>
  >> Show VAD tree entries: memory regions, permissions (RWX), mapped files.

[Vol2] vadtree
  vol2 -f mem.raw --profile=Win7SP1x64 vadtree -p <PID>
  >> Show VAD tree in visual tree format.

[Vol2] vadwalk
  vol2 -f mem.raw --profile=Win7SP1x64 vadwalk -p <PID>
  >> Walk VAD tree and show each node.

[Vol2] vaddump
  vol2 -f mem.raw --profile=Win7SP1x64 vaddump -p <PID> -D ./output/
  >> Dump all VAD memory regions of a process to files.

[Vol3] windows.vadinfo
  vol3 -f mem.raw windows.vadinfo --pid <PID>

[Vol3] windows.vadwalk
  vol3 -f mem.raw windows.vadwalk --pid <PID>

[Vol3] windows.vadinfo --dump (replaces vaddump)
  vol3 -f mem.raw -o ./output/ windows.vadinfo --pid <PID> --dump
  >> Current Vol3 has no separate windows.vaddump: vadinfo --dump writes each VAD range to the -o directory. Verify with vol3 windows.vadinfo -h.

[Vol3] windows.virtmap.VirtMap
  vol3 -f mem.raw windows.virtmap.VirtMap
  >> List virtual mapped sections in memory.

[Vol3] windows.memmap.Memmap
  vol3 -f mem.raw windows.memmap.Memmap --pid <PID>
  >> Print full memory map of a process.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 13 — SERVICES, MFT, POOLS & MISC
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS ───────────────────────────────────────────────────────────────────────

[Vol2] svcscan
  vol2 -f mem.raw --profile=Win7SP1x64 svcscan
  >> List Windows services. Find malicious services installed for persistence.

[Vol2] mftparser
  vol2 -f mem.raw --profile=Win7SP1x64 mftparser
  >> Parse NTFS $MFT (Master File Table). Find deleted files, creation timestamps.

[Vol2] bigpools
  vol2 -f mem.raw --profile=Win7SP1x64 bigpools
  >> Dump big page pool allocations. Find large kernel memory structures.

[Vol2] poolpeek
  vol2 -f mem.raw --profile=Win7SP1x64 poolpeek
  >> Configurable pool scanner for custom object hunting.

[Vol2] multiscan
  vol2 -f mem.raw --profile=Win7SP1x64 multiscan
  >> Scan for multiple object types simultaneously. Faster than running separately.

[Vol2] objtypescan
  vol2 -f mem.raw --profile=Win7SP1x64 objtypescan
  >> Scan for Windows object type objects in pool memory.

[Vol2] verinfo
  vol2 -f mem.raw --profile=Win7SP1x64 verinfo
  >> Print version info from PE images. Detect tampered/fake binary versions.

[Vol2] mbrparser
  vol2 -f mem.raw --profile=Win7SP1x64 mbrparser
  >> Scan for Master Boot Records and parse bootstrap code + partition table. Detect bootkit infections. (There is no separate mbrscan in Vol2; the Vol3 counterpart is windows.mbrscan.)

[Vol2] bioskbd
  vol2 -f mem.raw --profile=Win7SP1x64 bioskbd
  >> Read keyboard buffer from BIOS Real Mode memory. Sometimes contains typed passwords.

[Vol2] qemuinfo
  vol2 -f mem.raw --profile=Win7SP1x64 qemuinfo
  >> Dump QEMU hypervisor information.

[Vol2] vboxinfo
  vol2 -f mem.raw --profile=Win7SP1x64 vboxinfo
  >> Dump VirtualBox hypervisor information.

[Vol2] vmwareinfo
  vol2 -f mem.raw --profile=Win7SP1x64 vmwareinfo
  >> Dump VMware VMSS/VMSN hypervisor information.

[Vol2] volshell
  vol2 -f mem.raw --profile=Win7SP1x64 volshell
  >> Interactive Python shell with memory access. Advanced custom analysis.

[Vol3] windows.svcscan
  vol3 -f mem.raw windows.svcscan

[Vol3] windows.svclist.SvcList
  vol3 -f mem.raw windows.svclist.SvcList
  >> List services from services.exe doubly linked list.

[Vol3] windows.mftscan.MFTScan
  vol3 -f mem.raw windows.mftscan.MFTScan
  >> Vol3 MFT parser.

[Vol3] windows.mbrscan.MBRScan
  vol3 -f mem.raw windows.mbrscan.MBRScan
  >> Vol3 MBR scanner for bootkit detection.

[Vol3] windows.bigpools.BigPools
  vol3 -f mem.raw windows.bigpools.BigPools
  >> Vol3 big page pool scanner.

[Vol3] windows.poolscanner.PoolScanner
  vol3 -f mem.raw windows.poolscanner.PoolScanner
  >> Generic configurable pool scanner.

[Vol3] windows.verinfo.VerInfo
  vol3 -f mem.raw windows.verinfo.VerInfo
  >> Vol3 PE version info.

[Vol3] windows.scheduled_tasks.ScheduledTasks
  vol3 -f mem.raw windows.scheduled_tasks.ScheduledTasks
  >> Find scheduled tasks (persistence mechanism).

[Vol3] windows.truecrypt.Passphrase
  vol3 -f mem.raw windows.truecrypt.Passphrase
  >> Find TrueCrypt cached passphrase in Windows memory.

[Vol3] windows.debugregisters.DebugRegisters
  vol3 -f mem.raw windows.debugregisters.DebugRegisters
  >> Show hardware debug registers. Detect hardware breakpoints set by malware.

[Vol3] windows.registry.amcache.Amcache
  vol3 -f mem.raw windows.registry.amcache.Amcache
  >> Extract Amcache program execution evidence from the in-memory hive. The old windows.amcache name is gone; use the registry.amcache path.

[Vol3] timeliner.Timeliner
  vol3 -f mem.raw timeliner.Timeliner
  >> Run ALL time-related plugins and order results chronologically.
  >> CTF USE: full timeline of system activity in one command.

[Vol3] vmscan.Vmscan
  vol3 -f mem.raw vmscan.Vmscan
  >> Scan for Intel VT-x VMCS structures. Reveals hypervisors and nested VMs present in the image (VT-x, not VT-d, which is the IOMMU).

─── LINUX ─────────────────────────────────────────────────────────────────────────

[Vol2] linux_enumerate_files
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_enumerate_files
  >> Enumerate all files from Linux VFS (virtual filesystem) cache.

[Vol2] linux_mount
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_mount
  >> Show mounted filesystems from memory.

[Vol2] linux_dmesg
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_dmesg
  >> Recover kernel ring buffer log from memory.

[Vol3] linux.mountinfo.MountInfo
  vol3 -f mem.raw linux.mountinfo.MountInfo
  >> List mount points across all process namespaces.

[Vol3] linux.vmcoreinfo.VMCoreInfo
  vol3 -f mem.raw linux.vmcoreinfo.VMCoreInfo
  >> Enumerate VMCoreInfo tables from Linux crash dump.

[Vol3] linux.tracing.perf_events.PerfEvents
  vol3 -f mem.raw linux.tracing.perf_events.PerfEvents
  >> List performance monitoring events per process.

─── MAC ───────────────────────────────────────────────────────────────────────────

[Vol2] mac_dmesg
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dmesg
  >> Print Mac kernel log buffer.

[Vol2] mac_mount
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_mount
  >> Show Mac mounted filesystems.

[Vol2] mac_netstat
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_netstat
  >> List Mac network connections.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 14 — CTF QUICK WORKFLOW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

WINDOWS CTF WORKFLOW (Vol2):
  Step 1:  vol2 -f mem.raw imageinfo                           → get profile
  Step 2:  vol2 -f mem.raw --profile=X pslist                  → running processes
  Step 3:  vol2 -f mem.raw --profile=X psscan                  → hidden processes
  Step 4:  vol2 -f mem.raw --profile=X pstree                  → parent-child tree
  Step 5:  vol2 -f mem.raw --profile=X psxview                 → cross-check all sources
  Step 6:  vol2 -f mem.raw --profile=X netscan                 → network connections
  Step 7:  vol2 -f mem.raw --profile=X consoles                → cmd history (input+output)
  Step 8:  vol2 -f mem.raw --profile=X cmdline                 → process arguments
  Step 9:  vol2 -f mem.raw --profile=X malfind -D out/         → injected code dump
  Step 10: vol2 -f mem.raw --profile=X filescan                → all file references
  Step 11: vol2 -f mem.raw --profile=X dumpfiles -r flag       → extract files by name
  Step 12: vol2 -f mem.raw --profile=X hashdump                → NTLM hashes
  Step 13: vol2 -f mem.raw --profile=X clipboard               → clipboard data
  Step 14: vol2 -f mem.raw --profile=X screenshot -D out/      → screen capture

WINDOWS CTF WORKFLOW (Vol3):
  Step 1:  vol3 -f mem.raw windows.info                        → OS info
  Step 2:  vol3 -f mem.raw windows.pslist                      → processes
  Step 3:  vol3 -f mem.raw windows.psscan                      → hidden processes
  Step 4:  vol3 -f mem.raw windows.pstree                      → process tree
  Step 5:  vol3 -f mem.raw windows.malware.psxview.PsXView     → cross-check sources
  Step 6:  vol3 -f mem.raw windows.netscan                     → network
  Step 7:  vol3 -f mem.raw windows.consoles                    → cmd history
  Step 8:  vol3 -f mem.raw windows.cmdline                     → process args
  Step 9:  vol3 -f mem.raw windows.malfind                     → injected code
  Step 10: vol3 -f mem.raw windows.filescan                    → file references
  Step 11: vol3 -f mem.raw windows.dumpfiles --virtaddr <A>    → extract file
  Step 12: vol3 -f mem.raw windows.hashdump                    → NTLM hashes
  Step 13: vol3 -f mem.raw windows.clipboard                   → clipboard
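
Steps 2 to 5 of the Vol3 workflow above are a cross-view check: anything psscan carves from pool memory that pslist's EPROCESS walk does not show is either a terminated process or an unlinked (hidden) one, and pstree then tells you whether each core process has the parent it should. The script below is an added example for this cheatsheet, not code from the Volatility project; it reproduces that logic offline over `vol3 -f mem.raw -r json windows.pslist > pslist.json` and `vol3 -f mem.raw -r json windows.psscan > psscan.json`, and it keeps the distinction psxview users learn the hard way: a psscan-only entry with an ExitTime is just a dead process, not a rootkit. The column names "PID", "PPID", "ImageFileName" and "ExitTime" are assumed from the current renderer (verify with -r json on your build); the sample rows are constructed, not from a real image.

```python
"""Cross-view process check on Vol3 output: psscan-only processes and odd parents.

Added example for this cheatsheet, not code from the Volatility project.
Input: JSON from  vol3 -r json windows.pslist  and  vol3 -r json windows.psscan.
Assumed column names (verify with -r json): "PID", "PPID", "ImageFileName", "ExitTime".
"""
import json
import sys

# Parent every instance of these core processes has on a healthy host.
# smss.exe is left out on purpose: the instance that spawns csrss/winlogon exits,
# so their parent is legitimately absent from pslist and would only cause noise.
EXPECTED_PARENT = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
EXIT_UNSET = (None, "", "N/A", "-")  # renderings of "no exit time" to treat as still running


def load_rows(text):
    """Accept '-r json' (one array) or '-r jsonl' (one object per line)."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def by_pid(rows):
    return {int(r["PID"]): r for r in rows}


def hidden_processes(pslist_rows, psscan_rows):
    """Split psscan-only PIDs into (hidden, terminated).

    psscan carves _EPROCESS objects out of pool memory, so it also recovers
    processes that simply exited; those carry an ExitTime and are not hidden."""
    listed = by_pid(pslist_rows)
    hidden, terminated = [], []
    for pid, row in by_pid(psscan_rows).items():
        if pid in listed:
            continue
        entry = (pid, row["ImageFileName"])
        if row.get("ExitTime") in EXIT_UNSET:
            hidden.append(entry)  # live object unlinked from the list: DKOM / rootkit territory
        else:
            terminated.append(entry)
    return sorted(hidden), sorted(terminated)


def parent_anomalies(rows):
    """Core processes whose parent is missing or not the expected one (e.g. svchost.exe under explorer.exe)."""
    procs = by_pid(rows)
    out = []
    for pid, row in sorted(procs.items()):
        name = row["ImageFileName"].lower()
        want = EXPECTED_PARENT.get(name)
        if not want:
            continue
        parent = procs.get(int(row["PPID"]))
        pname = parent["ImageFileName"].lower() if parent else None
        if pname not in want:
            out.append((pid, name, int(row["PPID"]), pname))
    return out


# Constructed sample (not from a real image): PID 3300 is svchost.exe spawned by
# explorer.exe, 4100 is unlinked from the process list, 1500 exited before the capture.
SAMPLE_PSLIST = [
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "ExitTime": None},
    {"PID": 500,  "PPID": 432,  "ImageFileName": "wininit.exe",  "ExitTime": None},
    {"PID": 600,  "PPID": 500,  "ImageFileName": "services.exe", "ExitTime": None},
    {"PID": 652,  "PPID": 500,  "ImageFileName": "lsass.exe",    "ExitTime": None},
    {"PID": 900,  "PPID": 600,  "ImageFileName": "svchost.exe",  "ExitTime": None},
    {"PID": 2200, "PPID": 2100, "ImageFileName": "explorer.exe", "ExitTime": None},
    {"PID": 3300, "PPID": 2200, "ImageFileName": "svchost.exe",  "ExitTime": None},
]
SAMPLE_PSSCAN = SAMPLE_PSLIST + [
    {"PID": 4100, "PPID": 900,  "ImageFileName": "evil.exe",     "ExitTime": None},
    {"PID": 1500, "PPID": 2200, "ImageFileName": "notepad.exe",  "ExitTime": "2024-03-01 10:15:42.000000"},
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 xview.py pslist.json psscan.json
        with open(sys.argv[1], encoding="utf-8") as a, open(sys.argv[2], encoding="utf-8") as b:
            pslist, psscan = load_rows(a.read()), load_rows(b.read())
    else:
        pslist, psscan = SAMPLE_PSLIST, SAMPLE_PSSCAN
    hidden, gone = hidden_processes(pslist, psscan)
    print("psscan-only, no ExitTime (possibly hidden):", hidden)
    print("psscan-only, terminated (benign):", gone)
    for pid, name, ppid, pname in parent_anomalies(pslist):
        print(f"parent anomaly: {name} (PID {pid}) parent PID {ppid} = {pname}")
```

On the sample, evil.exe (4100) is reported as hidden, notepad.exe (1500) as merely terminated, and svchost.exe 3300 as a parent anomaly because explorer.exe spawned it. ImageFileName is the 15-character EPROCESS name, so use windows.cmdline for the full path of anything flagged.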

LINUX CTF WORKFLOW (Vol2):
  Step 1: vol2 -f mem.raw imageinfo                             → get profile
  Step 2: vol2 -f mem.raw --profile=X linux_pslist              → processes
  Step 3: vol2 -f mem.raw --profile=X linux_pstree              → process tree
  Step 4: vol2 -f mem.raw --profile=X linux_bash                → bash history
  Step 5: vol2 -f mem.raw --profile=X linux_netstat             → connections
  Step 6: vol2 -f mem.raw --profile=X linux_malfind             → injected code
  Step 7: vol2 -f mem.raw --profile=X linux_find_file -L        → file list
  Step 8: vol2 -f mem.raw --profile=X linux_check_syscall       → syscall hooks

LINUX CTF WORKFLOW (Vol3):
  Step 1: vol3 -f mem.raw banners.Banners                       → identify OS
  Step 2: vol3 -f mem.raw linux.pslist                          → processes
  Step 3: vol3 -f mem.raw linux.pstree                          → tree
  Step 4: vol3 -f mem.raw linux.bash.Bash                       → bash history
  Step 5: vol3 -f mem.raw linux.sockstat.Sockstat               → connections
  Step 6: vol3 -f mem.raw linux.malware.malfind.Malfind         → injected code
  Step 7: vol3 -f mem.raw linux.lsof.Lsof                       → open files
  Step 8: vol3 -f mem.raw linux.malware.modxview.Modxview       → rootkit overview
  Step 9: vol3 -f mem.raw linux.malware.check_syscall.Check_syscall → syscall hooks

MAC CTF WORKFLOW (Vol2):
  Step 1: vol2 -f mem.raw imageinfo                             → get profile
  Step 2: vol2 -f mem.raw --profile=X mac_pslist                → processes
  Step 3: vol2 -f mem.raw --profile=X mac_pstree                → process tree
  Step 4: vol2 -f mem.raw --profile=X mac_bash                  → bash history
  Step 5: vol2 -f mem.raw --profile=X mac_netstat               → connections
  Step 6: vol2 -f mem.raw --profile=X mac_malfind               → injected code
  Step 7: vol2 -f mem.raw --profile=X mac_check_syscall         → syscall hooks

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 15 — USEFUL FLAGS & TIPS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

OUTPUT TO FILE:
  vol2 [cmd] > output.txt                    → save Vol2 output
  vol3 [cmd] > output.txt                    → save Vol3 output
  vol2 [cmd] 2>&1 | tee output.txt           → save + show on screen simultaneously

FILTER OUTPUT (Linux/Kali):
  vol2 [cmd] | grep -i "suspicious_name"
  vol3 [cmd] | grep -i "\.exe\|cmd\|powershell"
  vol3 [cmd] | grep -i "45.9.74.32"          → filter by IP

FILTER OUTPUT (Windows CMD):
  vol2.exe [cmd] | findstr "suspicious"
  vol.exe  [cmd] | findstr "45.9.74.32"

VOL2 COMMON FLAGS:
  -f           → memory dump file path
  --profile    → OS profile (required, from imageinfo)
  -p / --pid   → filter by process ID
  -D           → output directory for dumps
  -o           → hive offset (registry commands)
  -Q           → physical offset (dumpfiles)
  -r           → regex pattern (dumpfiles)
  -v           → verbose output
  --output-file=FILE  → write output to specific file

VOL3 COMMON FLAGS / OPTIONS:
  -f / --single-location  → memory dump file path
  --pid                  → filter by process ID (plugin-specific)
  --virtaddr             → virtual address (plugin-specific)
  --physaddr             → physical address (plugin-specific)
  --pattern              → regex pattern (regexscan/vmaregexscan)
  -r / --renderer         → output renderer, e.g., pretty, quick, csv, json, jsonl
  -o / --output-dir       → output directory for dumped files (modern Vol3 global option)
  --dump-dir              → may exist in some older/plugin-specific examples; verify with <plugin> -h
  -q / --quiet            → quiet mode / less progress output
  --offline               → don't download/search online for symbol files

PROFILE FINDING HELP (Vol2):
  Common Windows: WinXPSP2x86, WinXPSP3x86, Win7SP0x86, Win7SP1x64,
                  Win8SP1x64, Win10x64, Win10x64_19041, Win10x64_19042
  Common Linux:   LinuxUbuntu1404x64, LinuxUbuntu1604x64,
                  LinuxDebian9x64, LinuxKali2019x64
  Common Mac:     MacSierra_10_12_6_AMDx64, MacHighSierra_10_13_6_AMDx64,
                  MacMojave_10_14_6_AMDx64
  Custom Linux:   Vol2 profile = zip of module.dwarf (built with volatility/tools/linux) + the kernel's System.map;
                  dwarf2json is the Vol3 tool: it emits JSON ISF symbol tables, not Vol2 profiles

MEMORY DUMP FILE TYPES:
  .raw    → mem.raw, dump.raw (most common)
  .vmem   → Windows.vmem (VMware snapshot)
  .dmp    → memory.dmp, crash.dmp (Windows crash dump)
  .img    → ram.img
  .bin    → mem.bin
  .mem    → ram.mem
  .lime   → linux.lime (LiME tool — Linux live acquisition)
  .vmss   → VMware suspended state
  .vmsn   → VMware snapshot

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
END OF CHEATSHEET — Happy Hunting! CTF{good_luck_hacker}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 16 — RARE / SPECIALIZED COMMANDS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS (Vol2) ────────────────────────────────────────────────────────────────

[Vol2] patcher
  vol2 -f mem.raw --profile=Win7SP1x64 patcher
  >> Patch memory based on page scans. Advanced memory modification tool.

[Vol2] raw2dmp
  vol2 -f mem.raw --profile=Win7SP1x64 raw2dmp -O output.dmp
  >> Convert raw memory image to WinDbg crash dump format for debugger analysis.

[Vol2] hibinfo
  vol2 -f hiberfil.sys --profile=Win7SP1x64 hibinfo
  >> Parse Windows hibernation file (hiberfil.sys). Show hibernation metadata.

[Vol2] hpakinfo
  vol2 -f mem.hpak hpakinfo
  >> Show info about an HPAK format memory file (HBGary FastDump container, not an FTK Imager format).

[Vol2] hpakextract
  vol2 -f mem.hpak hpakextract -O output.raw
  >> Extract physical memory from HPAK file to raw format.

[Vol2] machoinfo
  vol2 -f mem.macho machoinfo
  >> Show info about a Mach-O format memory dump (the Mac acquisition container, analogous to hpakinfo for HPAK). Not a Windows plugin, so a Windows profile is meaningless here.

[Vol2] joblinks
  vol2 -f mem.raw --profile=Win7SP1x64 joblinks
  >> Print process job link information (Vol2 version).

[Vol2] kpcrscan
  vol2 -f mem.raw --profile=Win7SP1x64 kpcrscan
  >> Search for and dump potential KPCR values. Use if kdbgscan fails.

─── LINUX (Vol2) ──────────────────────────────────────────────────────────────────

[Vol2] linux_volshell
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_volshell
  >> Interactive Python shell with Linux memory access. Advanced custom analysis.

[Vol2] linux_apihooks
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_apihooks
  >> Detect userland API hooks in Linux processes (LD_PRELOAD style hooks).

[Vol2] linux_keyboard_notifiers
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_keyboard_notifiers
  >> Parse keyboard notifier call chain. Detect kernel keyloggers.

[Vol2] linux_check_creds
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_creds
  >> Check if processes share credential structures (rootkit privilege escalation).

[Vol2] linux_check_afinfo
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_afinfo
  >> Verify network protocol operation function pointers for hooks.

[Vol2] linux_check_tty
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_tty
  >> Check TTY devices for hooks. Rootkit keylogger detection.

[Vol2] linux_library_list
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_library_list
  >> List shared libraries loaded per process.

[Vol2] linux_proc_maps
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_proc_maps -p <PID>
  >> Show memory maps of Linux process (like /proc/PID/maps).

[Vol2] linux_memmap
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_memmap -p <PID>
  >> Print memory map of a Linux process.

[Vol2] linux_plthook
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_plthook
  >> Scan PLT (Procedure Linkage Table) for hooks in Linux processes.

[Vol2] linux_threads
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_threads
  >> List threads of Linux processes.

[Vol2] linux_tmpfs
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_tmpfs
  >> Recover files from tmpfs (memory-based filesystem). Find in-memory files.

[Vol2] linux_recover_filesystem
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_recover_filesystem -D ./output/
  >> Recover cached Linux filesystem to disk.

[Vol3] linux.malware.hidden_modules.Hidden_modules
  vol3 -f mem.raw linux.malware.hidden_modules.Hidden_modules
  >> Carve memory to find hidden kernel modules (alternate method).

─── MAC (Vol2 — Extra) ────────────────────────────────────────────────────────────

[Vol2] mac_volshell
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_volshell
  >> Interactive Python shell for Mac memory analysis.

[Vol2] mac_dump_maps
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dump_maps -p <PID> -D ./output/
  >> Dump memory maps of Mac process.

[Vol2] mac_procdump
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_procdump -p <PID> -D ./output/
  >> Dump Mac process binary from memory.

[Vol2] mac_memdump
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_memdump -p <PID> -D ./output/
  >> Dump full memory of Mac process.

[Vol2] mac_find_files
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_find_files
  >> Find files in Mac VFS cache.

[Vol2] mac_recover_filesystem
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_recover_filesystem -D ./output/
  >> Recover Mac cached filesystem.

[Vol2] mac_dead_procs
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dead_procs
  >> List terminated Mac processes still in memory.

[Vol2] mac_pid_hashmap
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pid_hashmap
  >> List Mac processes via PID hash map (finds hidden procs).

[Vol2] mac_tasks
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_tasks
  >> List Mac Mach tasks (low-level process representation).

[Vol2] mac_threads
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_threads
  >> List Mac threads.

[Vol2] mac_handles
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_handles
  >> List open handles for Mac processes.

[Vol2] mac_apihooks
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_apihooks
  >> Find userland API hooks in Mac processes.

[Vol2] mac_apihooks_kernel
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_apihooks_kernel
  >> Find kernel-level API hooks on Mac.

[Vol2] mac_ip_filters
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_ip_filters
  >> List IP filters registered in Mac kernel (network interception).

[Vol2] mac_notifiers
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_notifiers
  >> Print Mac IOKit notification handlers.

[Vol2] mac_pgrp_hash_table
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pgrp_hash_table
  >> List Mac processes via process group hash table.

[Vol2] mac_route
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_route
  >> Print Mac routing table from memory.

[Vol2] mac_arp
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_arp
  >> Print Mac ARP table from memory.

[Vol2] mac_socket_filters
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_socket_filters
  >> List Mac kernel socket filters.

[Vol2] mac_strings
  strings -a -td mem.raw > strings.txt
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_strings -s strings.txt
  >> Map strings (decimal-offset output of the strings tool) back to the owning Mac process and virtual address. Run strings first; the plugin does not search memory on its own.

[Vol2] mac_list_sessions
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_sessions
  >> List Mac login sessions.

[Vol2] mac_list_zones
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_zones
  >> List Mac kernel memory zones (allocator zones).

[Vol3] mac.proc_maps.Maps
  vol3 -f mem.raw mac.proc_maps.Maps
  >> List Mac process memory ranges.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
END OF BASE CHEATSHEET — EXTRA ACCURACY SECTIONS ADDED BELOW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 17 — VOL3 REMAINING PLUGINS (CHECKED SET)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS (Vol3 — Previously Missing) ──────────────────────────────────────────

[Vol3] windows.cachedump
  vol3 -f mem.raw windows.cachedump
  >> Dump cached domain credentials (MSCacheV2 hashes). Crack with hashcat mode 2100.

[Vol3] windows.hashdump / windows.lsadump / windows.cachedump (listed as windows.registry.*)
  vol3 -f mem.raw windows.hashdump.Hashdump
  vol3 -f mem.raw windows.lsadump.Lsadump
  vol3 -f mem.raw windows.cachedump.Cachedump
  >> windows.registry.cachedump / .hashdump / .lsadump are not the core Vol3 paths; the credential plugins live directly under windows.* (verify with vol -h | grep -i dump).
  >> hashdump: NTLM hashes from the in-memory SAM+SYSTEM hives. lsadump: LSA secrets (service account passwords, auto-logon creds). cachedump: MSCacheV2 cached domain logon hashes (hashcat mode 2100).

[Vol3] windows.direct_system_calls
  vol3 -f mem.raw windows.direct_system_calls
  >> Detect direct syscall usage in processes bypassing ntdll.dll (EDR bypass).

[Vol3] windows.indirect_system_calls
  vol3 -f mem.raw windows.indirect_system_calls
  >> Detect indirect syscall techniques used by malware.

[Vol3] windows.malware.indirect_system_calls
  vol3 -f mem.raw windows.malware.indirect_system_calls
  >> Updated indirect syscall detector focused on malware patterns.

[Vol3] windows.drivermodule
  vol3 -f mem.raw windows.drivermodule
  >> Associate driver objects to kernel modules (deprecated — use malware version).

[Vol3] windows.hollowprocesses
  vol3 -f mem.raw windows.hollowprocesses
  >> List hollowed processes (deprecated — use malware.hollowprocesses).

[Vol3] windows.processghosting
  vol3 -f mem.raw windows.processghosting
  >> Ghost process detector (deprecated — use malware.processghosting).

[Vol3] windows.psxview
  vol3 -f mem.raw windows.psxview
  >> Cross-reference process lists (deprecated — use malware.psxview.PsXView).

[Vol3] windows.skeleton_key_check
  vol3 -f mem.raw windows.skeleton_key_check
  >> Skeleton Key malware detector (deprecated — use malware.skeleton_key_check).

[Vol3] windows.suspicious_threads
  vol3 -f mem.raw windows.suspicious_threads
  >> Suspicious thread lister (deprecated — use malware.suspicious_threads).

[Vol3] windows.svcdiff
  vol3 -f mem.raw windows.svcdiff
  >> Service diff (deprecated — use malware.svcdiff).

[Vol3] windows.unhooked_system_calls
  vol3 -f mem.raw windows.unhooked_system_calls
  >> Hooked syscall detector (deprecated — use malware.unhooked_system_calls).

[Vol3] windows.vadyarascan
  vol3 -f mem.raw windows.vadyarascan.VadYaraScan --yara-file /path/to/rules.yar --pid <PID>
  >> Scan process VAD regions with YARA rules. Hunt specific malware signatures. --yara-file takes a rules file; --yara-rules takes an inline rule string.

[Vol3] windows.windowstations
  vol3 -f mem.raw windows.windowstations
  >> Scan for top-level Window Station objects in memory.

─── LINUX (Vol3 — Previously Missing) ────────────────────────────────────────────

[Vol3] linux.check_afinfo
  vol3 -f mem.raw linux.check_afinfo
  >> Verify network protocol function pointers for hooks (deprecated — use malware version).

[Vol3] linux.check_creds
  vol3 -f mem.raw linux.check_creds
  >> Check shared credential structures (deprecated — use malware version).

[Vol3] linux.check_idt
  vol3 -f mem.raw linux.check_idt
  >> Check IDT for hooks (deprecated — use malware version).

[Vol3] linux.check_modules
  vol3 -f mem.raw linux.check_modules
  >> Find hidden kernel modules (deprecated — use malware version).

[Vol3] linux.check_syscall
  vol3 -f mem.raw linux.check_syscall
  >> Check syscall table for hooks (deprecated — use malware version).

[Vol3] linux.hidden_modules
  vol3 -f mem.raw linux.hidden_modules
  >> Carve memory for hidden kernel modules (deprecated — use malware version).

[Vol3] linux.keyboard_notifiers
  vol3 -f mem.raw linux.keyboard_notifiers
  >> Parse keyboard notifier chain (deprecated — use malware version).

[Vol3] linux.malfind
  vol3 -f mem.raw linux.malfind
  >> Find injected code in Linux (deprecated — use malware.malfind).

[Vol3] linux.modxview
  vol3 -f mem.raw linux.modxview
  >> Module cross-view (deprecated — use malware.modxview).

[Vol3] linux.netfilter
  vol3 -f mem.raw linux.netfilter
  >> List Netfilter hooks (deprecated — use malware.netfilter).

[Vol3] linux.tty_check
  vol3 -f mem.raw linux.tty_check
  >> Check TTY hooks (deprecated — use malware.tty_check).

[Vol3] linux.vmayarascan
  vol3 -f mem.raw linux.vmayarascan.VmaYaraScan --yara-file /path/to/rules.yar --pid <PID>
  >> Scan Linux VMA regions with YARA rules. Hunt specific malware signatures. --yara-file takes a rules file; --yara-rules takes an inline rule string.

─── GLOBAL (Vol3) ─────────────────────────────────────────────────────────────────

[Vol3] configwriter.ConfigWriter
  vol3 -f mem.raw configwriter.ConfigWriter
  >> Run automagics and output full configuration JSON. Debug/inspect Vol3 config.

[Vol3] yarascan
  vol3 -f mem.raw yarascan.YaraScan --yara-file /path/to/rules.yar
  vol3 -f mem.raw yarascan.YaraScan --yara-rules 'rule r { strings: $a = "flag{" condition: $a }'
  >> Scan entire memory with YARA rules. Broadest signature-based malware hunt.
  >> --yara-file takes a rules file; --yara-rules takes an inline rule string (keep it in single quotes so the shell leaves $a alone).
  >> CTF USE: if you have YARA rules for specific malware, run this first.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  STATIC COVERAGE CLAIM FROM ORIGINAL FILE:
  Vol3 plugin set checked in the original file | Windows + Linux + Mac | Vol2 + Vol3
  IMPORTANT: verify current installed plugin list with vol -h / vol3 -h before final use
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 18 — VOL2 REMAINING PLUGINS (CHECKED SET)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

─── WINDOWS Vol2 (Previously Missing) ────────────────────────────────────────────

[Vol2] bigpagepools
  vol2 -f mem.raw --profile=Win7SP1x64 bigpagepools
  >> Dump big page pool allocations using BigPagePoolScanner.

[Vol2] evtlogs
  vol2 -f mem.raw --profile=WinXPSP3x86 evtlogs -D ./output/
  >> Extract Windows Event Logs (.evt format). XP/2003 only.

[Vol2] heaps
  vol2 -f mem.raw --profile=Win7SP1x64 heaps -p <PID>
  >> Show process heap information. Find heap spray attacks.

[Vol2] patchguard
  vol2 -f mem.raw --profile=Win7SP1x64 patchguard
  >> Analyze PatchGuard structures. Detect kernel tampering on x64 Windows.

[Vol2] pooltracker
  vol2 -f mem.raw --profile=Win7SP1x64 pooltracker
  >> Show pool tag usage statistics. Advanced kernel memory analysis.

[Vol2] taskmods
  vol2 -f mem.raw --profile=Win7SP1x64 taskmods
  >> Display process command-line arguments (alternative to cmdline).

[Vol2] tcaudit
  vol2 -f mem.raw --profile=Win7SP1x64 tcaudit
  >> Audit TrueCrypt driver presence in memory.

[Vol2] cmdscan / consoles (listed as malware/cmdhistory)
  vol2 -f mem.raw --profile=Win7SP1x64 cmdscan
  vol2 -f mem.raw --profile=Win7SP1x64 consoles
  >> "cmdhistory" is not a core Vol2 plugin name. Command history from console host processes comes from cmdscan (history buffers) and consoles (full console input/output buffers).

[Vol2] malware/servicediff
  vol2 -f mem.raw --profile=Win7SP1x64 servicediff
  >> Compare services from list-walking vs scanning to find hidden rootkit services.

[Vol2] registry/auditpol
  vol2 -f mem.raw --profile=Win7SP1x64 auditpol
  >> Print audit policy from registry. See what events were being logged.

[Vol2] registry/dumpregistry
  vol2 -f mem.raw --profile=Win7SP1x64 dumpregistry -D ./output/
  >> Dump all registry hives to disk as raw files.

[Vol2] registry/registryapi
  vol2 -f mem.raw --profile=Win7SP1x64 registryapi
  >> Internal registry API plugin (used by other registry plugins).

[Vol2] registry/shellbags
  vol2 -f mem.raw --profile=Win7SP1x64 shellbags
  >> Extract ShellBags from registry. Shows folders user browsed via Explorer.
  >> CTF USE: find accessed directories/paths even if deleted.

[Vol2] registry/shutdowntime
  vol2 -f mem.raw --profile=Win7SP1x64 shutdowntime
  >> Get last shutdown time from the registry (SYSTEM\ControlSet\Control\Windows ShutdownTime value). The plugin name is shutdowntime, not shutdown.

─── LINUX Vol2 (Previously Missing) ──────────────────────────────────────────────

[Vol2] linux_aslr_shift
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_aslr_shift
  >> Find the ASLR shift applied to the kernel. Needed for some profile builds.

[Vol2] linux_bash_hash
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_bash_hash
  >> Recover bash hash table (cached command locations) from memory.

[Vol2] linux_check_evt_arm
  vol2 -f mem.raw --profile=LinuxARM linux_check_evt_arm
  >> Check ARM event table for hooks. ARM architecture specific.

[Vol2] linux_check_fop
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_fop
  >> Check file_operations function pointers (procfs, sysfs, open files) for hooks pointing outside the kernel/known modules (rootkit detection). Plugin name is linux_check_fop (singular).

[Vol2] linux_check_inline_kernel
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_check_inline_kernel
  >> Check for inline kernel function hooks (direct code patching rootkits).

[Vol2] linux_cpuinfo
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_cpuinfo
  >> Print CPU info from Linux memory (like /proc/cpuinfo).

[Vol2] linux_dentry_cache
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_dentry_cache
  >> Enumerate Linux dentry cache (directory entry cache). Find cached file paths.

[Vol2] linux_kernel_opened_files
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_kernel_opened_files
  >> List files opened by the kernel itself.

[Vol2] linux_psenv / linux_dynamic_env / linux_bash_env (listed as linux_ld_env, linux_libc_env)
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_psenv -p <PID>
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_dynamic_env -p <PID>
  >> Show process environment variables; look for LD_PRELOAD and LD_LIBRARY_PATH to spot userland (preload) rootkits and library injection.
  >> linux_ld_env / linux_libc_env are not core Vol2 plugin names; verify with --info if your build carries them as add-ons.
  >> CTF USE: LD_PRELOAD hook is common Linux malware technique.

[Vol2] linux_librarydump
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_librarydump -p <PID> -D ./output/
  >> Dump shared libraries (.so files) loaded by a process.

[Vol2] linux_strings
  strings -a -td mem.raw > strings.txt
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_strings -s strings.txt
  >> Map strings (decimal offsets from the strings tool) to the owning Linux process and virtual address. The doubled "linux_linux_" prefix is a typo, not a plugin name.

[Vol2] linux_yarascan
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_yarascan -y rules.yar -p <PID>
  >> Scan Linux process memory with YARA rules. -y/--yara-file takes a rules file; -Y/--yara-rules takes an inline rule string.

[Vol2] linux_list_raw
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_list_raw
  >> List processes with raw socket access. Packet sniffers/network tools.

[Vol2] linux_mount_cache
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_mount_cache
  >> List mounts from kernel mount cache.

[Vol2] linux_pkt_queues
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pkt_queues
  >> Show packet queues for network sockets. Network forensics.

[Vol2] linux_proc_maps_rb
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_proc_maps_rb -p <PID>
  >> Show process memory maps via red-black tree (alternate method).

[Vol2] linux_process_hollow
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_process_hollow
  >> Detect process hollowing on Linux (process with replaced executable).

[Vol2] linux_process_info
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_process_info -p <PID>
  >> Show detailed info about a Linux process.

[Vol2] linux_process_stack
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_process_stack -p <PID>
  >> Show stack contents of a Linux process.

[Vol2] linux_pslist_cache
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pslist_cache
  >> List Linux processes from kernel slab cache (alternative method).

[Vol2] linux_route_cache
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_route_cache
  >> Show Linux routing cache from memory.

[Vol2] linux_sk_buff_cache
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_sk_buff_cache
  >> Show socket buffer cache. Network packet analysis.

[Vol2] linux_slabinfo
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_slabinfo
  >> Show Linux kernel slab allocator info, mimicking /proc/slabinfo. Plugin name is linux_slabinfo (no underscore).

[Vol2] linux_vma_cache
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_vma_cache
  >> Show VMA (Virtual Memory Area) cache entries.

[Vol2] linux_info_regs
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_info_regs -p <PID>
  >> Show CPU register values for Linux process. Advanced crash analysis.

[Vol2] linux_flags
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_flags
  >> Show Linux kernel flags and compile options.

─── MAC Vol2 (Previously Missing) ────────────────────────────────────────────────

[Vol2] mac_adium
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_adium
  >> Extract Adium (Mac chat app) messages from memory. Plugin name is mac_adium.

[Vol2] mac_bash_env
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_bash_env
  >> Show bash environment variables for Mac processes.

[Vol2] mac_bash_hash
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_bash_hash
  >> Recover bash hash table from Mac memory.

[Vol2] mac_calendar
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_calendar
  >> Extract Mac Calendar app data from memory.

[Vol2] mac_check_mig_table
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_mig_table
  >> Check Mach Interface Generator table for hooks.

[Vol2] mac_check_syscall_shadow
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_syscall_shadow
  >> Check for shadow syscall table (rootkit technique).

[Vol2] mac_check_syscalls
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_check_syscalls
  >> Walk the BSD syscall table and flag entries not pointing into the kernel text (hooks/modifications). Plugin name is mac_check_syscalls.

[Vol2] mac_kernel_classes
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_kernel_classes
  >> List C++ (IOKit) classes loaded in the Mac kernel, not userland Objective-C classes. Plugin name is mac_kernel_classes.

[Vol2] mac_compressed_swap
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_compressed_swap
  >> Analyze Mac compressed swap (memory compression) data.

[Vol2] mac_contacts
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_contacts
  >> Extract Mac Contacts app data from memory.

[Vol2] mac_dead_sockets
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dead_sockets
  >> List closed/dead network sockets still in memory.

[Vol2] mac_dead_vnodes
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dead_vnodes
  >> List dead vnode objects (closed file references) in Mac memory.

[Vol2] mac_devfs
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_devfs
  >> List Mac devfs (device filesystem) entries.

[Vol2] mac_dyld_maps
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dyld_maps
  >> Show dyld (dynamic linker) memory maps for Mac processes. Cross-check against mac_proc_maps for libraries present in one view only.

[Vol2] mac_dump_file
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_dump_file -h
  >> Dump one cached file by its vnode address (take the address from mac_list_files). Plugin name is singular; check -h for the exact address/output options on your build.

[Vol2] mac_find_aslr_shift
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_find_aslr_shift
  >> Find KASLR (kernel ASLR) shift value for Mac.

[Vol2] mac_get_profile
  vol2 -f mem.raw mac_get_profile
  >> Auto-detect Mac profile from memory dump.

[Vol2] mac_lsmod_kext_map
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_lsmod_kext_map
  >> List kernel extensions (kexts) via the kext map, an alternative to mac_lsmod for spotting unlinked kexts. Plugin name is mac_lsmod_kext_map.

[Vol2] mac_interest_handlers
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_interest_handlers
  >> List IOKit interest handlers. Malware registers these for device notifications.

[Vol2] mac_keychaindump
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_keychaindump
  >> Dump Mac keychain master key from memory.
  >> CTF USE: may contain credentials/passwords.

[Vol2] mac_ldrmodules
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_ldrmodules
  >> Cross-check Mac process library load lists. Find hidden/injected libraries.

[Vol2] mac_librarydump
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_librarydump -p <PID> -D ./output/
  >> Dump Mac process dylib (dynamic library) from memory.

[Vol2] mac_list_kauth_listeners
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_kauth_listeners
  >> List kauth authorization listeners.

[Vol2] mac_list_kauth_scopes
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_kauth_scopes
  >> List kauth authorization scopes.

[Vol2] mac_list_raw
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_list_raw
  >> List Mac processes with raw socket access.

[Vol2] mac_lsmod_iokit
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_lsmod_iokit
  >> List Mac IOKit kexts (driver framework extensions).

[Vol2] mac_yarascan
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_yarascan -y rules.yar -p <PID>
  >> Scan Mac process memory with YARA rules. -y/--yara-file takes a rules file; -Y/--yara-rules takes an inline rule string. The doubled "mac_mac_" prefix is a typo.

[Vol2] mac_machine_info
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_machine_info
  >> Show Mac hardware/machine information from memory.

[Vol2] mac_network_conns
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_network_conns
  >> List network connections from kernel network structures (alternative to mac_netstat, which walks open sockets per process). Plugin name is mac_network_conns.

[Vol2] mac_notesapp
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_notesapp
  >> Extract Mac Notes app content from memory.
  >> CTF USE: notes sometimes contain flags or sensitive data.

[Vol2] mac_orphan_threads
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_orphan_threads
  >> Find orphan threads with no parent process. Injected thread detection.

[Vol2] mac_pid_hash_table
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_pid_hash_table
  >> List Mac processes via PID hash table. Finds hidden processes.

[Vol2] mac_print_boot_cmdline
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_print_boot_cmdline
  >> Print Mac kernel boot command line arguments.

[Vol2] mac_pstasks
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_tasks
  >> Not a core Vol2 plugin name; the Mach task walk is mac_tasks (listed in the MAC Extra section). Verify with --info if your build adds mac_pstasks.

[Vol2] mac_session_hash_table
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_session_hash_table
  >> List Mac processes via session hash table.

[Vol2] mac_threads_simple
  vol2 -f mem.raw --profile=MacSierra_10_12_6_AMDx64 mac_threads_simple
  >> List Mac threads with simplified output format.

[Vol2] linux_lime (Linux entry; no plugin needed for LiME dumps)
  vol2 -f mem.raw --profile=LinuxUbuntu16x64 linux_pslist
  >> There is no linux_lime plugin: Vol2 recognises the LiME header through its lime address space automatically, so a .lime capture is passed with -f like any other image.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  ACCURACY-CHECKED END NOTE:
  This file is designed to be complete for the checked official/plugin set at update time.
  Volatility 3 changes over time, so always verify live plugin names/options with -h.
  For CTF use: this is a highly complete practical master cheatsheet.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 19 — INSTALL / UPDATE / VERIFY VOLATILITY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

WHY THIS SECTION MATTERS:
  A command can be correct in one Volatility version but renamed/deprecated in another.
  So before serious CTF/investigation, verify your installed version and plugin list.

─── VOLATILITY 3 INSTALL / UPDATE ────────────────────────────────────────────────

[Recommended stable install]
  python3 -m pip install --upgrade volatility3
  vol -h

[If vol command not found]
  python3 -m volatility3 -h
  python3 vol.py -h

[GitHub development install]
  git clone https://github.com/volatilityfoundation/volatility3.git
  cd volatility3
  python3 -m venv venv
  source venv/bin/activate
  pip install -e ".[dev]"
  python3 vol.py -h

[Check version]
  vol -h | head
  vol3 -h | head
  python3 vol.py -h | head

[Check all Windows plugins]
  vol -h | grep -i "windows\."

[Check all Linux plugins]
  vol -h | grep -i "linux\."

[Check all Mac plugins]
  vol -h | grep -i "mac\."

[Check global plugins]
  vol -h | grep -Ei "banners|regexscan|timeliner|yarascan|frameworkinfo|isfinfo|layerwriter"

[Check one plugin's exact options]
  vol windows.pslist -h
  vol windows.dumpfiles -h
  vol linux.pslist -h
  vol mac.pslist.PsList -h

─── VOLATILITY 2 INSTALL / VERIFY ────────────────────────────────────────────────

[Vol2 status]
  Volatility 2 is deprecated/archived, but it is still very useful in older CTFs.

[Check Vol2 plugins and profiles]
  python2 vol.py --info
  python2 vol.py -h

[Run Vol2]
  python2 vol.py -f mem.raw imageinfo
  python2 vol.py -f mem.raw --profile=Win7SP1x64 pslist

[Create alias in Kali]
  alias vol2='python2 /path/to/volatility/vol.py'
  alias vol3='vol'


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 20 — SYMBOL / PROFILE TROUBLESHOOTING
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

COMMON ERROR 1:
  Unsatisfied requirement plugins.*.kernel.layer_name
  Unsatisfied requirement plugins.*.kernel.symbol_table_name
  Missing symbol table / cannot construct layer

MEANING:
  Volatility cannot find the correct OS symbols/profile for the memory dump.

GENERAL FIX:
  1. Run OS identification first:
       vol -f mem.raw banners.Banners
       vol -f mem.raw windows.info
       vol -f mem.raw linux.info        (only if your build lists it; otherwise rely on banners.Banners)

  2. Check available symbol tables:
       vol isfinfo.IsfInfo
       vol -f mem.raw isfinfo.IsfInfo

  3. Run plugin help:
       vol <plugin> -h

WINDOWS SYMBOL TIPS:
  - Volatility 3 often downloads/caches Windows symbols automatically.
  - Internet access may be needed the first time.
  - Use --offline only if symbols are already cached.
  - Old/rare Windows builds may fail due to missing/broken public symbols.

LINUX SYMBOL TIPS:
  - Linux needs a matching ISF symbol table for the exact kernel.
  - Kernel version, architecture, and distro build matter.
  - Use banners.Banners to find kernel string.
  - If symbols are missing, create ISF with dwarf2json from matching vmlinux/debug packages.
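
  Added example (not from the original cheatsheet, nor from the Volatility or dwarf2json projects): a POSIX sh helper that takes the "Linux version ..." banner recovered by banners.Banners and turns it into the exact ISF build steps the tips above describe. Assumptions: the banner has the kernel's standard "Linux version <release> ..." form; the dbgsym package name and the /usr/lib/debug/boot/vmlinux-<release> path follow Ubuntu/Debian conventions and must be checked on other distros; SAMPLE_BANNER is constructed.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet or the Volatility project).
# Derive the exact kernel release from a banners.Banners line and print the
# dwarf2json steps that produce a matching Linux ISF for Volatility 3.
# Assumptions: standard "Linux version <release> ..." banner; Ubuntu/Debian
# dbgsym naming and debug vmlinux path (verify per distro); SAMPLE_BANNER is
# a constructed input so the helpers can be exercised offline.

SAMPLE_BANNER='Linux version 5.15.0-91-generic (buildd@lcy02-amd64-045) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0) #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023'

# banner_kernel_release BANNER: print the release (what `uname -r` gave on the
# victim), i.e. the token right after "Linux version"; prints nothing otherwise.
banner_kernel_release() {
  printf '%s\n' "$1" | sed -n 's/^.*Linux version \([^ ]*\).*$/\1/p'
}

# vol3_linux_symbol_dir: symbols/linux directory of the installed volatility3
# package, or the in-repo path when the package is not importable.
vol3_linux_symbol_dir() {
  python3 -c 'import os, volatility3; print(os.path.join(os.path.dirname(volatility3.__file__), "symbols", "linux"))' 2>/dev/null \
    || echo "./volatility3/symbols/linux"
}

# isf_build_plan BANNER: print (never execute) the commands that build and
# install an ISF for the banner's kernel. Fails when no banner is present.
isf_build_plan() {
  rel=$(banner_kernel_release "$1")
  [ -n "$rel" ] || { echo "no 'Linux version' banner in input" >&2; return 1; }
  dir=$(vol3_linux_symbol_dir)
  cat <<EOF
# 1. debug kernel for exactly $rel (Ubuntu ddebs / Debian dbgsym naming; adjust per distro)
apt-get install linux-image-$rel-dbgsym
# 2. build the ISF with dwarf2json (https://github.com/volatilityfoundation/dwarf2json)
dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-$rel --system-map /boot/System.map-$rel > $rel.json
# 3. put it where Vol3 looks for Linux symbols (or pass the directory with -s)
mkdir -p $dir && mv $rel.json $dir/
# 4. confirm Vol3 now sees a table for this kernel
vol isfinfo.IsfInfo | grep -F $rel
EOF
}

# Demonstration on the constructed banner.
isf_build_plan "$SAMPLE_BANNER"
```

  The release string is the one thing that has to match exactly: a symbol table built from a kernel one patch level off resolves nothing and produces the same "Unsatisfied requirement" errors as having no table at all, so diff the printed release against the distro's package list before building.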

MAC SYMBOL TIPS:
  - macOS analysis also depends on symbol availability.
  - Older macOS CTF dumps often work better than very new macOS captures.
  - For latest macOS, support can be limited depending on symbols/acquisition method.

VOL2 PROFILE TIPS:
  - Vol2 needs exact --profile.
  - Wrong profile = empty output, errors, or wrong results.
  - Start with imageinfo and kdbgscan.
  - For Linux/Mac Vol2, exact custom profile may be needed.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 21 — COMMON ERRORS AND FIXES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[Error] vol: command not found
  Fix:
    python3 -m pip install --upgrade volatility3
    python3 -m volatility3 -h
    or use python3 vol.py -h from cloned repo.

[Error] python2: command not found
  Fix:
    Vol2 needs Python 2. Use Vol3 if possible.
    For old CTFs, install Python2 manually or use a Docker image that has Vol2.

[Error] No suitable address space mapping found / layer error
  Fix:
    Confirm file is really a memory dump.
    Try banners.Banners.
    Try another Vol version.
    If VMware snapshot, use .vmem file when available.

[Error] Plugin exists in cheatsheet but not in your terminal
  Fix:
    Your Volatility version may be old/new or plugin renamed/deprecated.
    Run:
      vol -h | grep -i "keyword"
      vol <plugin> -h

[Error] Dump output file not created in Vol3
  Fix:
    Modern Vol3 usually uses global output directory:
      vol -f mem.raw -o ./output windows.dumpfiles --virtaddr <ADDR>
    Some examples online use --dump-dir, but verify using:
      vol windows.dumpfiles -h

[Error] Too much output
  Fix Linux/Kali:
      vol -f mem.raw windows.pslist | tee pslist.txt
      vol -f mem.raw windows.pslist | grep -i "powershell\|cmd\|chrome"

  Fix Windows CMD:
      vol.exe -f mem.raw windows.pslist > pslist.txt
      vol.exe -f mem.raw windows.pslist | findstr /i "powershell cmd chrome"

[Error] grep not working on Windows
  Use findstr:
      vol.exe -f mem.raw windows.pslist | findstr /i "chrome"

[Error] findstr not working on Kali
  Use grep:
      vol -f mem.raw windows.pslist | grep -i "chrome"


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 22 — SAFE COMMAND VERIFICATION WORKFLOW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

BEFORE USING ANY COMMAND FROM ANY CHEATSHEET:

Step 1 — Identify OS:
  vol -f mem.raw banners.Banners
  vol -f mem.raw windows.info
  vol -f mem.raw linux.info        (only if your build lists it; otherwise banners.Banners is the Linux identifier)

Step 2 — See plugin exists:
  vol -h | grep -i "pslist"
  vol -h | grep -i "netscan"
  vol -h | grep -i "bash"

Step 3 — See exact options:
  vol windows.pslist -h
  vol windows.dumpfiles -h
  vol linux.vmayarascan -h

Step 4 — Run basic plugin first:
  vol -f mem.raw windows.pslist
  vol -f mem.raw linux.pslist
  vol -f mem.raw mac.pslist.PsList

Step 5 — Save output:
  mkdir -p outputs
  vol -f mem.raw windows.pslist | tee outputs/pslist.txt

Step 6 — Only then run heavy dump commands:
  mkdir -p dumps
  vol -f mem.raw -o ./dumps windows.dumpfiles --virtaddr <ADDR>
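
  Added example, not from the original cheatsheet or the Volatility project: a POSIX sh helper that performs steps 2 to 4 above automatically, resolving a cheatsheet plugin name against the plugin list the installed Vol3 really exposes and falling back to the "deprecated, use malware version" renames noted in SECTION 17. It assumes `vol -h` prints each plugin name as the first token of its own line (current Vol3 behaviour); SAMPLE_VOL_HELP is a constructed listing so the resolver can be exercised offline, and VOL_RENAMES only contains pairs the SECTION 17 notes actually name.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet or the Volatility project).
# Resolve a cheatsheet plugin name against the live `vol -h` listing before
# running it, using the SECTION 17 deprecation notes as a fallback table.
# Assumption: `vol -h` lists each plugin name as the first token of a line.
# SAMPLE_VOL_HELP is a constructed listing for offline use.

SAMPLE_VOL_HELP='Volatility 3 Framework 2.x.x
Plugins:
  banners.Banners
    Attempts to identify potential linux banners in an image
  linux.malware.malfind.Malfind
    Lists process memory ranges that potentially contain injected code.
  windows.malware.psxview.PsXView
    Lists all processes found via several process-listing methods.
  windows.pslist.PsList
    Lists the processes present in a particular windows memory image.'

# Old name -> replacement, taken only from the SECTION 17 deprecation notes.
VOL_RENAMES='windows.psxview windows.malware.psxview.PsXView
windows.hollowprocesses windows.malware.hollowprocesses
windows.processghosting windows.malware.processghosting
windows.svcdiff windows.malware.svcdiff
linux.malfind linux.malware.malfind.Malfind
linux.modxview linux.malware.modxview.Modxview
linux.hidden_modules linux.malware.hidden_modules.Hidden_modules'

# vol_plugin_listed LISTING NAME: print the full plugin path if NAME is listed,
# exactly or as a prefix (windows.pslist matches windows.pslist.PsList).
vol_plugin_listed() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == want || index($1, want ".") == 1 { print $1; found = 1; exit }
    END { exit !found }'
}

# vol_resolve_plugin LISTING NAME: print the name to run, or fail (status 1)
# when neither NAME nor its SECTION 17 replacement is in this build.
vol_resolve_plugin() {
  hit=$(vol_plugin_listed "$1" "$2") && { printf '%s\n' "$hit"; return 0; }
  new=$(printf '%s\n' "$VOL_RENAMES" | awk -v old="$2" '$1 == old { print $2; exit }')
  [ -n "$new" ] || return 1
  hit=$(vol_plugin_listed "$1" "$new") && { printf '%s\n' "$hit"; return 0; }
  return 1
}

# vol_run_checked IMAGE NAME [PLUGIN OPTIONS...]: steps 2-4 in one call.
# Refuses to run anything absent from the live listing, and shows the plugin's
# own -h first so option names are confirmed on this build before the run.
vol_run_checked() {
  image=$1; want=$2; shift 2
  listing=$(vol -h 2>&1) || { echo "vol is not runnable here" >&2; return 1; }
  if ! plugin=$(vol_resolve_plugin "$listing" "$want"); then
    echo "'$want' (or its malware.* replacement) is not in this Vol3 build" >&2
    return 1
  fi
  if [ "$plugin" != "$want" ]; then
    echo "note: running $plugin instead of $want" >&2
  fi
  vol "$plugin" -h | head -n 20 >&2
  vol -f "$image" "$plugin" "$@"
}

# Offline demonstration against the constructed listing (no vol binary needed).
vol_resolve_plugin "$SAMPLE_VOL_HELP" windows.psxview   # prints windows.malware.psxview.PsXView
```

  In a real session call `vol_run_checked mem.raw windows.psxview`; when only the namespaced plugin exists, the stderr note records which name actually ran, which is the name that belongs in the report.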


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 23 — BEGINNER-FRIENDLY CTF DECISION TREE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

IF YOU NEED PROCESS INFO:
  Windows: windows.pslist, windows.pstree, windows.psscan, windows.cmdline
  Linux:   linux.pslist, linux.pstree, linux.psaux.PsAux
  Mac:     mac.pslist.PsList, mac.pstree.PsTree, mac.psaux.Psaux

IF YOU NEED NETWORK INFO:
  Windows: windows.netscan, windows.netstat
  Linux:   linux.sockstat.Sockstat, linux.sockscan.Sockscan, linux.ip.Addr
  Mac:     mac.netstat.Netstat, mac.ifconfig.Ifconfig

IF YOU NEED FILES:
  Windows: windows.filescan, windows.dumpfiles
  Linux:   linux.lsof.Lsof, linux.pagecache.Files, linux.pagecache.RecoverFs
  Mac:     mac.lsof.Lsof, mac.list_files.List_Files

IF YOU NEED COMMAND HISTORY:
  Windows: windows.cmdline, windows.cmdscan, windows.consoles
  Linux:   linux.bash.Bash
  Mac:     mac.bash.Bash

IF YOU NEED MALWARE / INJECTION:
  Windows: windows.malfind, windows.malware.malfind.Malfind, windows.malware.psxview.PsXView
  Linux:   linux.malware.malfind.Malfind, linux.malware.modxview.Modxview
  Mac:     mac.malfind.Malfind, mac.check_syscall.Check_syscall

IF YOU NEED FLAGS / STRINGS:
  Broad scan:
    vol -f mem.raw regexscan.RegExScan --pattern "flag\{"
    vol -f mem.raw yarascan.YaraScan --yara-file rules.yar

  Process-specific scan:
    vol -f mem.raw windows.vadregexscan.VadRegExScan --pattern "flag\{" --pid <PID>
    vol -f mem.raw linux.vmaregexscan.VmaRegExScan --pattern "flag\{" --pid <PID>

  External strings after dumping:
    strings dumpfile.dmp | grep -i "flag\|ctf\|password\|secret\|token"


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 24 — IMPORTANT LIMITATIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1. Memory forensics output can be incomplete.
   RAM is volatile. Data may be paged out, overwritten, compressed, or missing.

2. Hidden/rootkit artifacts need cross-checking.
   Never trust only pslist. Compare pslist, psscan, pstree, psxview/modxview.

3. Plugin names change.
   Some plugins move into malware.*, registry.*, tracing.*, or other namespaces.

4. Vol2 is still useful but deprecated.
   Use Vol3 first for modern Windows/Linux. Use Vol2 for old CTF dumps when Vol3 fails.

5. Dump/extraction commands may need version-specific options.
   Always check:
     vol <plugin> -h

6. "No output" does not always mean "nothing found".
   It may mean wrong profile/symbols, unsupported OS, or wrong memory file.

7. Mac support depends heavily on version/symbols.
   Older CTF Mac dumps are usually easier than latest macOS memory images.


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                  SECTION 25 — FINAL ACCURACY CHECKLIST
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Before submitting a CTF answer or forensic report:

[ ] I identified the OS with banners.Banners / windows.info (linux.info only where my build lists it).
[ ] I checked my Volatility version.
[ ] I verified the plugin exists with vol -h.
[ ] I checked exact options with vol <plugin> -h.
[ ] I saved outputs to files.
[ ] I used at least two methods for important findings.
[ ] I did not trust only one plugin result.
[ ] I recorded PID, process name, timestamp, path, command line, and evidence source.
[ ] I checked strings/regex/YARA when looking for flags/secrets.
[ ] I noted if symbols/profile were uncertain.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
FINAL NOTE:
  This updated file is accuracy-first and CTF-friendly.
  It should be treated as a very strong master cheatsheet, not a replacement for
  checking your installed Volatility version with -h / --info.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━