Volatility 3 — Install, Use, Optimise (2026)

Manish Garg · Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Memory forensics framework — extracts processes, network connections, registry, and credentials from RAM dumps.

Use case: Forensics
Difficulty: Advanced
Homepage: https://www.volatilityfoundation.org

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

pipx (recommended)

pipx install volatility3

Source

git clone https://github.com/volatilityfoundation/volatility3 && cd volatility3 && pip install .

Linux (apt — Vol2 only)

sudo apt install volatility

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

List processes

vol -f memory.raw windows.pslist

Network connections

vol -f memory.raw windows.netscan

Loaded DLLs per process

vol -f memory.raw windows.dlllist --pid 1234

Hidden processes (DKOM)

vol -f memory.raw windows.psscan
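A worked check for the DKOM case above, added here as an example and not code from the post or from the Volatility project. It takes the output of windows.pslist and windows.psscan run with -r json, then flags PIDs that the pool scanner recovered but the active-list walk never reported. The two JSON samples are constructed for the example and assume the column names (PID, ImageFileName, ExitTime) and the null rendering of absent values that Vol3's JSON renderer produces.

```python
from __future__ import annotations

import json

# Constructed sample of `vol -q -r json -f memory.raw windows.pslist` output.
# Vol3's JSON renderer emits one object per row keyed by column name; only the
# columns this check needs are shown (real output also has Offset(V), Threads, ...).
PSLIST_JSON = """[
  {"PID": 4,    "PPID": 0,   "ImageFileName": "System",      "ExitTime": null},
  {"PID": 612,  "PPID": 4,   "ImageFileName": "smss.exe",    "ExitTime": null},
  {"PID": 1234, "PPID": 612, "ImageFileName": "svchost.exe", "ExitTime": null}
]"""

# Constructed sample of `windows.psscan` output for the same image. The pool scanner
# also recovers a process that exited (ExitTime set) and one that never exited yet is
# missing from the active process list: the DKOM pattern.
PSSCAN_JSON = """[
  {"PID": 4,    "PPID": 0,    "ImageFileName": "System",      "ExitTime": null},
  {"PID": 612,  "PPID": 4,    "ImageFileName": "smss.exe",    "ExitTime": null},
  {"PID": 1234, "PPID": 612,  "ImageFileName": "svchost.exe", "ExitTime": null},
  {"PID": 2020, "PPID": 612,  "ImageFileName": "notepad.exe", "ExitTime": "2026-04-29T10:15:00+00:00"},
  {"PID": 3100, "PPID": 1234, "ImageFileName": "updater.exe", "ExitTime": null}
]"""


def load_rows(text: str) -> list[dict]:
    """Parse one plugin's JSON output into a flat list of row dicts."""
    rows = json.loads(text)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array of plugin rows")
    return rows


def split_unlisted(pslist_rows: list[dict], psscan_rows: list[dict]) -> tuple[list[dict], list[dict]]:
    """Return (hidden, exited): psscan rows whose PID the list walk never saw.

    A row with no ExitTime that pslist does not report is the DKOM signature
    (EPROCESS unlinked from the active list but still present in pool memory).
    A row with an ExitTime is normally a terminated process whose memory has not
    been reused yet; it is kept separately as context, not as a finding.
    """
    listed = {row["PID"] for row in pslist_rows}
    hidden: list[dict] = []
    exited: list[dict] = []
    for row in psscan_rows:
        if row["PID"] in listed:
            continue
        (exited if row.get("ExitTime") else hidden).append(row)
    return hidden, exited


def report(pslist_text: str, psscan_text: str) -> dict[str, list[tuple[int, str]]]:
    """Compact (PID, image name) summary suitable for case notes."""
    hidden, exited = split_unlisted(load_rows(pslist_text), load_rows(psscan_text))
    return {
        "hidden": [(r["PID"], r["ImageFileName"]) for r in hidden],
        "exited": [(r["PID"], r["ImageFileName"]) for r in exited],
    }


if __name__ == "__main__":
    # With real output: report(open("pslist.json").read(), open("psscan.json").read())
    for kind, rows in report(PSLIST_JSON, PSSCAN_JSON).items():
        for pid, name in rows:
            print(f"{kind:6} PID {pid:<6} {name}")
```

On a live system the "exited" bucket is almost never empty, since psscan carves terminated processes that pslist cannot see; only the "hidden" bucket is a lead. PID reuse across a long uptime can also put a stale EPROCESS in that bucket, so confirm any hit against the row's offset and create time before reporting it.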

Registry hives

vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

Hash extraction

vol -f memory.raw windows.hashdump

Linux process list

vol -f memory.raw linux.pslist

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • First run on a memory dump: profile detection takes 1-3 min. Cache symbol tables locally (~/.cache/volatility3) to skip re-download.
  • --single-location file://path avoids URI parsing overhead on big plugin chains.
  • Plugin parallelism: not built-in. Launch separate vol -f X <plugin> & jobs for unrelated plugins so they run simultaneously.
  • For Windows 10/11: ensure ISF (Intermediate Symbol File) is current. Out-of-date ISF = wrong offsets = incorrect output.
  • Compress raw dumps: ZSTD compression on raw images saves 70%+ disk and Vol3 reads transparently if you use file://path.zst.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Vol2 vs Vol3: Vol3 is the active branch. Most online tutorials reference Vol2 syntax, which doesn't work in Vol3.
  • Symbol files for very recent Windows builds may not exist yet — check Vol3’s symbol downloader for 22H2/23H2 support.
  • Linux/macOS profiles are user-built — generate with dwarf2json from your distro’s vmlinux + symbol files.
  • Memory acquisition matters more than analysis: bad acquisition (missing pages, smearing) = useless analysis. Use FTK Imager, DumpIt, or LiME.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Rekall — fork of Vol2, abandoned but useful for some plugins.
  • MemProcFS — virtual filesystem for memory dumps, very fast, GUI-friendly.

India context and engagement notes

For CERT-In incident response: memory acquisition + Volatility analysis is the canonical first 24-hour artifact. Run windows.malfind, windows.netscan, windows.cmdline in parallel — 90% of investigation findings come from these three plugins.
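The parallel run described above, and the "not built-in" parallelism point from the performance section, as an added example rather than code from the post or the Volatility project: a small Python driver that starts one vol process per plugin, captures each plugin's rows in its own .json file and its diagnostics in a .err file, and reports which plugins failed. It assumes vol is on PATH (pipx install) and uses Vol3's -q and -r json options; the plugin set and output directory names are this example's own choices.

```python
from __future__ import annotations

import argparse
import shutil
import subprocess
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path
from typing import Iterable, Optional

# The first-24-hour set from the text; none of these plugins consumes another's
# output, so each can run in its own vol process at the same time.
TRIAGE_PLUGINS = ("windows.malfind", "windows.netscan", "windows.cmdline")


def build_argv(image: str | Path, plugin: str) -> list[str]:
    """Exact vol invocation for one plugin: -q drops progress bars, -r json gives parseable rows."""
    return ["vol", "-q", "-r", "json", "-f", str(image), plugin]


def run_plugin(image: Path, plugin: str, outdir: Path) -> tuple[str, int]:
    """Run one plugin, writing rows to <plugin>.json and diagnostics to <plugin>.err."""
    out_path = outdir / f"{plugin}.json"
    err_path = outdir / f"{plugin}.err"
    with out_path.open("wb") as out, err_path.open("wb") as err:
        proc = subprocess.run(build_argv(image, plugin), stdout=out, stderr=err)
    return plugin, proc.returncode


def run_triage(image: Path, outdir: Path, plugins: Iterable[str] = TRIAGE_PLUGINS,
               workers: Optional[int] = None) -> dict[str, int]:
    """Run the plugins concurrently; returns {plugin: exit status} in plugin order."""
    plugins = tuple(plugins)
    outdir.mkdir(parents=True, exist_ok=True)
    with ThreadPoolExecutor(max_workers=workers or len(plugins)) as pool:
        return dict(pool.map(lambda p: run_plugin(image, p, outdir), plugins))


def failed_plugins(status: dict[str, int]) -> list[str]:
    """Plugins that exited non-zero (typical causes: stale ISF, wrong layer, truncated image)."""
    return sorted(p for p, rc in status.items() if rc != 0)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Parallel Volatility 3 triage")
    ap.add_argument("image", type=Path, help="memory image, e.g. memory.raw")
    ap.add_argument("--out", type=Path, default=Path("triage-out"))
    ap.add_argument("--workers", type=int, default=None,
                    help="limit concurrent vol processes (default: one per plugin)")
    args = ap.parse_args()
    if shutil.which("vol") is None:
        raise SystemExit("vol not found on PATH; install with: pipx install volatility3")
    status = run_triage(args.image, args.out, workers=args.workers)
    for plugin, rc in status.items():
        print(f"{'ok  ' if rc == 0 else 'FAIL'} {plugin} -> {args.out / (plugin + '.json')}")
    raise SystemExit(len(failed_plugins(status)))
```

Each vol process loads the symbol table on its own, so do the first run on a fresh image serially (or with --workers 1) to populate the local symbol cache, then fan out; memory use scales with the number of concurrent processes, which matters on a laptop working a multi-gigabyte image. Keep the .err files: a non-zero exit with an empty .json is the usual first sign of the stale-ISF problem described in the performance section.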


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
