Last updated: April 26, 2026
Volatility is the canonical memory-forensics framework. When an incident hits and the affected host is still running, capturing memory before reboot preserves evidence that disk forensics misses — credentials in process memory, decrypted file contents, network connections, malware artefacts that never touch disk. This article covers the Volatility 3 workflow for incident response, the high-leverage plugins, and the analysis pattern that surfaces malware quickly.
Capturing memory
Before analysis, capture the memory image:
- Windows: WinPmem, FTK Imager Lite, DumpIt
- Linux: AVML, LiME (kernel module)
- VMs: snapshot the VM’s vmem file directly (instant, no agent)
Capture before reboot. Once the host reboots, in-memory artefacts are gone.
Volatility 3 workflow
Volatility 3 (release 2020+) auto-detects OS and kernel symbols, simplifying the workflow vs Volatility 2.
# Install
pip install volatility3
# List processes
vol -f memory.raw windows.pslist
# Pstree (process tree)
vol -f memory.raw windows.pstree
# Network connections
vol -f memory.raw windows.netscan
# Loaded DLLs per process
vol -f memory.raw windows.dlllist --pid 1234
# Search memory for strings
vol -f memory.raw windows.cmdline
# Extract specific process memory
vol -f memory.raw windows.memmap --pid 1234 --dump
The high-leverage plugins
For initial triage
windows.pstree— visual process tree. Anomalies stand out (unusual parent-child relationships).windows.netscan— network connections at capture time. Outbound to suspicious IPs is immediate forensic value.windows.cmdline— command line of every process. Encoded PowerShell, base64 commands, anything weird.
For credential extraction
windows.hashdump— local SAM hashes from memory.windows.lsadump— LSA secrets (cached domain credentials, service account passwords).windows.cachedump— cached domain credentials.
For malware hunting
windows.malfind— finds memory regions with executable permissions and no associated file (process injection signature).windows.modules+windows.modscan— kernel modules; rootkits often hide here.yarascanwith malware signatures.
For lateral movement traces
windows.sessions— logged-on users and sessions.windows.handles— file/registry handles per process; identifies what files a malicious process touched.
Analysis pattern
- Get oriented.
pstree+netscan. Identify processes that look anomalous. - Investigate suspicious processes.
cmdlinefor full command,dlllistfor loaded modules,handlesfor file activity. - Extract suspicious binaries.
windows.dumpfiles --pid Xwrites files to disk for static analysis. - YARA scan. Run community / commercial YARA rules against memory.
- Correlate with disk artefacts — file timestamps, registry modifications, scheduled tasks.
- Document findings for the incident report.
Real-world example
An Indian fintech IR engagement: ransomware encrypted production. Captured memory pre-reboot. Volatility analysis showed:
pstree:cmd.exespawned bywinword.exe— clearly anomalous (Word doesn’t legitimately spawn cmd).cmdline:cmd.exeshowed Base64-encoded PowerShell that decoded to a Cobalt Strike loader.netscan: outbound HTTPS tocdn-static-static.com— known C2 domain.malfind: identified RWX memory regions inspoolsv.exe— process injection.
From memory dump to root-cause conclusion (phishing email with macro-enabled docx → PowerShell loader → Cobalt Strike → ransomware) in 4 hours.
Compliance angle
- RBI Cyber Framework — incident response capability with forensic depth.
- SEBI CSCRF — IR playbook that includes memory capture procedure.
- DPDP §8(6) — breach notification often requires forensic evidence of scope.
The takeaway
Memory forensics is one of the highest-leverage IR skills. Volatility’s plugin set covers most malware artefacts. The workflow is repeatable — pstree, netscan, cmdline, then deep-dive — and produces evidence for board-level reporting. Practice on retired servers; have the runbook ready before the incident.
Get a free attack-surface review
We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.