tobias
e62a14dafc
Generate interlinked wiki from master inventory: 397 tool pages, 15 workflow pages, 27 recipe pages, 33 category pages, plus index. All pages use [[wiki-links]] for cross-navigation between tools, workflows, recipes, and categories (1782 links total). Install zk for interactive browsing with fzf search, tag filtering, and backlink discovery. Add 'fhelp wiki' command and Makefile target. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
29 lines
1.1 KiB
Markdown
29 lines
1.1 KiB
Markdown
# volatility3
|
|
> Memory forensics framework — analyze RAM dumps to find malware, hidden processes, network connections, and injected code
|
|
|
|
**Category:** [[categories/perform-memory-forensics|Perform Memory Forensics]] | **Tier:** Rich (FOR610)
|
|
**Docs:** [https://docs.remnux.org/discover-the-tools/perform+memory+forensics](https://docs.remnux.org/discover-the-tools/perform+memory+forensics)
|
|
|
|
## Usage
|
|
```bash
|
|
vol3 -f <memory_dump> windows.info
|
|
vol3 -f <memory_dump> windows.pslist
|
|
vol3 -f <memory_dump> windows.pstree
|
|
vol3 -f <memory_dump> windows.netscan
|
|
vol3 -f <memory_dump> windows.malfind
|
|
vol3 -f <memory_dump> windows.dlllist --pid <PID>
|
|
vol3 -f <memory_dump> windows.dumpfiles --pid <PID>
|
|
```
|
|
|
|
## Recipes
|
|
- [[recipes/volatility-quick-triage|Quick Memory Dump Triage]]
|
|
|
|
## Workflows
|
|
- [[workflows/memory-forensics-workflow|Memory Forensics]] — Step 1: Image Identification
|
|
|
|
## Related Tools
|
|
- [[tools/aeskeyfinder|AESKeyFinder]] — Find 128-bit and 256-bit AES keys in a memory image.
|
|
- [[tools/rsakeyfinder|RSAKeyFinder]] — Find BER-encoded RSA private keys in a memory image.
|
|
|
|
#memory #forensics #volatility #incident-response
|