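# List of Volatility commands (Volatility 2.x CLI: -f [image] --profile=[OS Profile] <plugin> [plugin options]).
# Reference listing, not a runnable script: replace every [placeholder] before use.
# Long options must be written as --opt=value (or --opt value); "--opt = value" does not parse,
# so the spaced forms from the original have been collapsed throughout.

# --- Processes ---
volatility -f [image] --profile=[OS Profile] pslist                  # walks the active process list
volatility -f [image] --profile=[OS Profile] psscan                  # scans memory, also finds hidden/terminated processes
volatility -f [image] --profile=[OS Profile] pstree
volatility -f [image] --profile=[OS Profile] psxview                 # cross-view; compare columns to spot processes hidden from one source
volatility -f [image] --profile=[OS Profile] psxview --apply-rules   # suppress known-benign inconsistencies

# --- Network ---
volatility -f [image] --profile=[OS Profile] netscan       # Vista or later
volatility -f [image] --profile=[OS Profile] connections   # XP/2003-era plugins; netscan replaces them on Vista+
volatility -f [image] --profile=[OS Profile] connscan      #
volatility -f [image] --profile=[OS Profile] sockscan      #

# --- Registry ---
volatility -f [image] --profile=[OS Profile] hivelist
volatility -f [image] --profile=[OS Profile] printkey -K "[registry key]"
volatility -f [image] --profile=[OS Profile] userassist
volatility -f [image] --profile=[OS Profile] shellbags
volatility -f [image] --profile=[OS Profile] shellbags --output-file=[shellbags.body] --output=body   # body format feeds mactime (see timeline section)
volatility -f [image] --profile=[OS Profile] shimcache

# --- Tokens and credentials ---
volatility -f [image] --profile=[OS Profile] getsids --offset [address]
volatility -f [image] --profile=[OS Profile] privs --offset [address]
volatility -f [image] --profile=[OS Profile] hashdump   # output is password-hash material: store and share it as sensitive evidence
volatility -f [image] --profile=[OS Profile] lsadump    # output is LSA secrets (may include cleartext): same handling as hashdump

# --- Console history ---
volatility -f [image] --profile=[OS Profile] cmdscan
volatility -f [image] --profile=[OS Profile] consoles

# --- Loaded modules and handles ---
volatility -f [image] --profile=[OS Profile] dlllist
volatility -f [image] --profile=[OS Profile] handles -p [pid] -t File
volatility -f [image] --profile=[OS Profile] handles -p [pid] -t Key
volatility -f [image] --profile=[OS Profile] handles -p [pid] -t Directory
volatility -f [image] --profile=[OS Profile] handles -p [pid] -t Port
volatility -f [image] --profile=[OS Profile] handles -p [pid] -t Mutant
volatility -f [image] --profile=[OS Profile] handles --offset [address]

# --- Event logs, services, MFT ---
volatility -f [image] --profile=[OS Profile] evtlogs -D [Directory]
volatility -f [image] --profile=[OS Profile] evtlogs --save-evt -D [Directory]
volatility -f [image] --profile=[OS Profile] svcscan
volatility -f [image] --profile=[OS Profile] mftparser --output-file=[outfile.txt]
volatility -f [image] --profile=[OS Profile] mftparser --output-file=[outfile.txt] --output=body   # body format can be read by other software (e.g. mactime)

# --- Extracting binaries and files ---
# Anything dumped here may be live malware: write to a dedicated analysis directory, not a shared location.
volatility -f [image] --profile=[OS Profile] dlldump -p [pid] -D [Directory]
volatility -f [image] --profile=[OS Profile] procdump -p [pid] -D [Directory]
# Regex is single-quoted so the shell does not expand '$'; the dot is escaped so it matches a literal '.'.
volatility -f [image] --profile=[OS Profile] dumpfiles -r '\.evtx$' --ignore-case -D [Directory]
volatility -f [image] --profile=[OS Profile] procdump -p [pid] --dump-dir=/tmp   # --dump-dir is the long form of -D (prefix restored from the other entries)
photorec /d [Directory] [image]   # carve files from the image into [Directory]

# --- Timeline ---
volatility -f [image] --profile=[OS Profile] timeliner --output-file=timeliner.body --output=body
cat [BodyFile.1] [BodyFile.2] [BodyFile.3] > [BodyFile]   # merge body files from several plugins before mactime
mactime --help
mactime -b [BodyFile] -d -z UTC   # -d: delimited output, -z: render timestamps in UTC

# --- VAD ---
volatility -f [image] --profile=[OS Profile] vadinfo -p [pid]                  # -p given after the plugin name, like the other entries
volatility -f [image] --profile=[OS Profile] vaddump -p [pid] -D [Directory]   # original was missing the [pid] argument

# --- Strings ---
strings -td -a [image] >> strings.txt       # ASCII strings with decimal offsets (-t d), scanning the whole file (-a)
strings -td -el -a [image] >> strings.txt   # 16-bit little-endian (UTF-16LE) strings, appended to the same file
volatility -f [image] --profile=[OS Profile] strings -s strings.txt > [out.txt]   # maps each offset to its owning process/kernel; "FREE MEMORY" marks offsets not mapped to any of them
grep [string] out.txt   # search for IP addresses etc.; add -A/-B to print context lines around each hit

# --- Injection and malware indicators ---
volatility -f [image] --profile=[OS Profile] ldrmodules -p [pid]
volatility -f [image] --profile=[OS Profile] malfind -p [pid]
volatility -f [image] --profile=[OS Profile] yarascan --yara-rules="[strings]"
volatility -f [image] --profile=[OS Profile] yarascan -p [pid] --yara-rules="[binary code]"   # hex byte pattern as the rule
volatility -f [image] --profile=[OS Profile] yarascan -p [pid] --yara-rules="[strings]"
volatility -f [image] --profile=[OS Profile] objtypescan   # object type scan
volatility -f [image] --profile=[OS Profile] volshell      # interactive shell (plugin name is lowercase)
volatility -f [image] --profile=[OS Profile] iehistory     # IE history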