# volatility3
> Memory forensics framework — analyze RAM dumps to find malware, hidden processes, network connections, and injected code

**Category:** [[categories/perform-memory-forensics|Perform Memory Forensics]] | **Tier:** Rich (FOR610)
**Docs:** [https://docs.remnux.org/discover-the-tools/perform+memory+forensics](https://docs.remnux.org/discover-the-tools/perform+memory+forensics)

## Usage
```bash
vol3 -f <memory_dump> windows.info
vol3 -f <memory_dump> windows.pslist
vol3 -f <memory_dump> windows.pstree
vol3 -f <memory_dump> windows.netscan
vol3 -f <memory_dump> windows.malfind
vol3 -f <memory_dump> windows.dlllist --pid <PID>
vol3 -f <memory_dump> windows.dumpfiles --pid <PID>
```

## Recipes
- [[recipes/volatility-quick-triage|Quick Memory Dump Triage]]

## Workflows
- [[workflows/memory-forensics-workflow|Memory Forensics]] — Step 1: Image Identification

## Related Tools
- [[tools/aeskeyfinder|AESKeyFinder]] — Find 128-bit and 256-bit AES keys in a memory image.
- [[tools/rsakeyfinder|RSAKeyFinder]] — Find BER-encoded RSA private keys in a memory image.

#memory #forensics #volatility #incident-response