volatility
Analyze memory dumps for digital forensics
SYNOPSIS
volatility -f memory_image --profile=OS_profile plugin [options]
PARAMETERS
-f memory_image
Specifies the memory image file to analyze.
Required for most operations.
--profile=OS_profile
Defines the operating system profile for memory image analysis.
Example: Win7SP1x64 or LinuxUbuntu1604x64. Crucial for proper analysis.
plugin
The name of the Volatility plugin to execute.
Example: pslist (for listing processes) or netscan (for finding network connections).
-h, --help
Displays the help message.
DESCRIPTION
Volatility is a powerful open-source memory forensics framework.
It is primarily used to analyze volatile memory dumps (RAM) to uncover evidence of malware, running processes, network connections, and other system activities.
Instead of analyzing static disk images, Volatility directly inspects the system's memory state at a specific point in time.
This allows investigators to find malicious code that may never have been written to disk, such as rootkits and kernel-level malware.
Volatility is highly extensible, supporting a wide variety of operating systems (including Windows, Linux, macOS, and Android) and memory dump formats.
It uses plugins to perform analysis, allowing users to extend its capabilities and tailor it to specific investigations.
The framework allows you to reconstruct system state by finding running processes, network connections, registry data, loaded DLLs, and more.
It provides a rich set of tools for identifying malicious code, detecting intrusions, and gathering evidence for incident response or malware analysis.
Volatility is frequently employed by digital forensics investigators, incident responders, and malware analysts to understand the behavior of compromised systems and identify threats.
CAVEATS
Requires root privileges to access memory images.
The correct OS profile is extremely important to ensure accurate results.
PROFILES
Volatility requires profiles to correctly interpret the memory image's data structures.
These profiles contain information about the kernel's memory layout and data structures.
Profiles are usually determined automatically, but can be manually specified. It is possible to create custom profiles for specific systems.
PLUGINS
Plugins are the core of Volatility's functionality.
Each plugin performs a specific type of analysis, like listing processes, dumping memory regions, or reconstructing network connections.
A large number of built-in plugins exist, and custom plugins can be written to extend the framework.
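As an added example (not part of this page or of the Volatility project), the following POSIX shell script builds the SYNOPSIS command line for two process-listing plugins and cross-checks their output: pslist walks the kernel's linked process list, while psscan carves process objects out of physical memory, so a live process present only in psscan is worth investigating. The image path, profile value and the sample plugin output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of Volatility: cross-check two process-listing plugins.
# A live process that psscan finds but pslist does not is a classic sign of a
# process unlinked from the kernel's process list, so it needs manual review.
# Image path and profile are placeholders; the plugin output below is constructed
# sample data in Volatility 2 column layout.

IMAGE="${IMAGE:-memory.raw}"        # placeholder image path
PROFILE="${PROFILE:-Win7SP1x64}"    # profile taken from the PARAMETERS example

# Build the command line for one plugin using the SYNOPSIS form.
vol_cmd() {
    printf 'volatility -f %s --profile=%s %s\n' "$1" "$2" "$3"
}

# $1: pslist output, $2: psscan output. Prints "PID name" for every process that
# psscan reports as still running (no exit time, so NF == 8) but pslist omits.
hidden_pids() {
    listed=$(printf '%s\n' "$1" | awk 'NR > 2 && $3 ~ /^[0-9]+$/ { print $3 }')
    printf '%s\n' "$2" |
        awk 'NR > 2 && $3 ~ /^[0-9]+$/ && NF == 8 { print $3, $2 }' |
        while read -r pid name; do
            printf '%s\n' "$listed" | grep -qx "$pid" || printf '%s %s\n' "$pid" "$name"
        done
}

# Constructed sample output: psscan shows the same three processes as pslist, plus
# one live process missing from pslist and one terminated process (ignored).
PSLIST='Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0b30 System                    4      0     84      502 ------      0 2012-07-22 02:42:31 UTC+0000
0xfffffa8001a3d040 smss.exe                272      4      2       29 ------      0 2012-07-22 02:42:31 UTC+0000
0xfffffa8001c1e5f0 svchost.exe            1216    500     12      314      0      0 2012-07-22 02:42:33 UTC+0000'

PSSCAN='Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e5c6a70 System                4      0 0x0000000000187000 2012-07-22 02:42:31 UTC+0000
0x000000003e7a8b30 smss.exe            272      4 0x000000003d6d8000 2012-07-22 02:42:31 UTC+0000
0x000000003e9f0060 svchost.exe        1216    500 0x000000003d5e6000 2012-07-22 02:42:33 UTC+0000
0x000000003ec1d8f0 hidden.exe         1337    500 0x000000003d7f2000 2012-07-22 02:45:10 UTC+0000
0x000000003ed42a10 notepad.exe        2048   1892 0x000000003d811000 2012-07-22 02:44:02 UTC+0000 2012-07-22 02:46:00 UTC+0000'

echo "Collect real output with:"
vol_cmd "$IMAGE" "$PROFILE" pslist
vol_cmd "$IMAGE" "$PROFILE" psscan
echo "Live processes seen by psscan but not by pslist (constructed sample):"
hidden_pids "$PSLIST" "$PSSCAN"    # prints: 1337 hidden.exe
```

Terminated processes also appear only in psscan, which is why the script skips rows that carry an exit time; any PID it does report still needs confirmation with other plugins before being treated as hidden.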
HISTORY
Volatility was initially developed by Aaron Walters and has been an active open-source project for many years.
It gained popularity within the digital forensics community due to its robust capabilities and cross-platform support.
The project has gone through various iterations, improving plugin support and performance.
It is maintained by the Volatility Foundation.
SEE ALSO
dd(1), memdump(1)