Volatility
General
Examples of Volatility commands
• python vol.py -f [filepath] windows.info.Info > [pathtosaveresult.txt]
Shows OS & kernel details of the memory sample being analysed.
• python vol.py -f [filepath] windows.pstree.PsTree > [pathtosaveresult.txt]
Lists processes in a tree based on their parent process ID.
• python vol.py -f [filepath] windows.netscan.NetScan > [pathtosaveresult.txt]
Scans for network objects present in a particular windows memory image.
• python vol.py -f [filepath] windows.pslist.PsList > [pathtosaveresult.txt]
Lists the processes present in a particular windows memory image.
• python vol.py -f [filepath] windows.dlllist.DllList > [pathtosaveresult.txt]
Lists the loaded modules in a particular windows memory image.
• python vol.py -f [filepath] windows.netstat.NetStat > [pathtosaveresult.txt]
Traverses the kernel's network tracking structures present in a particular windows memory image (as opposed to netscan, which carves for network objects).
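The commands above are normally run one at a time with output redirected to a text file. The following is an added example (not part of the original page) that drives the same invocations from Python, one plugin after another, saving each plugin's output and stderr under an output directory. It assumes Volatility 3's command line as shown above (python vol.py -f <image> <plugin>) and uses the real -r json renderer switch so the results can be parsed later; the vol.py path, the plugin order and the output directory name are illustrative choices.

```python
"""Added example: batch the Volatility 3 plugin runs listed above.

Assumes the `python vol.py -f <image> <plugin>` form from the cheat sheet.
`-r json` is Volatility 3's renderer option; the plugin list and paths
below are illustrative, not prescribed by the page.
"""
import subprocess
import sys
from pathlib import Path

# Triage order taken from the Windows examples above (illustrative ordering).
TRIAGE_PLUGINS = [
    "windows.info.Info",
    "windows.pslist.PsList",
    "windows.pstree.PsTree",
    "windows.psscan.PsScan",
    "windows.netscan.NetScan",
    "windows.netstat.NetStat",
    "windows.dlllist.DllList",
]


def vol_command(image, plugin, vol_py="vol.py", renderer="json"):
    """Build argv for one plugin run.

    Global options such as -f and -r must precede the plugin name; anything
    after the plugin name is parsed as that plugin's own options.
    """
    return [sys.executable, vol_py, "-f", image, "-r", renderer, plugin]


def output_path(outdir, plugin, renderer="json"):
    """One file per plugin, named after the plugin so results are easy to find."""
    return Path(outdir) / f"{plugin}.{renderer}"


def run_triage(image, outdir, plugins=TRIAGE_PLUGINS, vol_py="vol.py", dry_run=False):
    """Run each plugin against `image`, writing stdout to outdir/<plugin>.json.

    Returns {plugin: status}. With dry_run=True nothing is executed and the
    status is the command line that would have run.
    """
    results = {}
    for plugin in plugins:
        cmd = vol_command(image, plugin, vol_py)
        if dry_run:
            results[plugin] = " ".join(cmd)
            continue
        outdir = Path(outdir)
        outdir.mkdir(parents=True, exist_ok=True)
        target = output_path(outdir, plugin)
        proc = subprocess.run(cmd, capture_output=True, text=True)
        target.write_text(proc.stdout)
        # Volatility writes progress and error messages to stderr; keep them
        # beside the data so a failed or partial run is visible afterwards.
        target.with_suffix(".stderr").write_text(proc.stderr)
        results[plugin] = "ok" if proc.returncode == 0 else f"exit {proc.returncode}"
    return results


if __name__ == "__main__":
    # Usage: python triage.py memory.dmp   (without an image it only prints the commands)
    image = sys.argv[1] if len(sys.argv) > 1 else "memory.dmp"
    for plugin, status in run_triage(image, "vol_out", dry_run=len(sys.argv) < 2).items():
        print(f"{plugin}: {status}")
```

Each run re-reads the image and repeats Volatility's symbol-table lookup, so on a large sample the first plugin run is the slow one; keep the symbol cache Volatility builds and the same vol.py checkout for the whole case so results stay comparable.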
Runs the automagics and both prints and outputs configuration in the output directory.
configwriter.ConfigWriter
Plugin to list the various modular components of Volatility
frameworkinfo.FrameworkInfo
Determines information about the currently available ISF files, or a specific one
isfinfo.IsfInfo
Runs the automagics and writes out the primary layer produced by the stacker.
layerwriter.LayerWriter
Runs all relevant plugins that provide time related information and orders the results by time.
timeliner.Timeliner
Linux
Attempts to identify potential linux banners in an image
banners.Banners
Determines information about the currently available ISF files, or a specific one
isfinfo.IsfInfo
Runs the automagics and writes out the primary layer produced by the stacker
layerwriter.LayerWriter
Recovers bash command history from memory
linux.bash.Bash
Verifies the operation function pointers of network protocols.
linux.check_afinfo.Check_afinfo
Checks if any processes are sharing credential structures
linux.check_creds.Check_creds
Checks if the IDT has been altered
linux.check_idt.Check_idt
Compares module list to sysfs info, if available
linux.check_modules.Check_modules
Check system call table for hooks.
linux.check_syscall.Check_syscall
Lists all memory mapped ELF files for all processes.
linux.elfs.Elfs
Lists processes with their environment variables
linux.envars.Envars
Generates an output similar to /proc/iomem on a running system.
linux.iomem.IOMem
Parses the keyboard notifier call chain
linux.keyboard_notifiers.Keyboard_notifiers
Kernel log buffer reader
linux.kmsg.Kmsg
Lists loaded kernel modules
linux.lsmod.Lsmod
Lists all open file descriptors for all processes.
linux.lsof.Lsof
Lists process memory ranges that potentially contain injected code.
linux.malfind.Malfind
Lists mount points in the processes' mount namespaces
linux.mountinfo.MountInfo
Lists all memory maps for all processes.
linux.proc.Maps
Lists processes with their command line arguments
linux.psaux.PsAux
Lists the processes present in a particular linux memory image.
linux.pslist.PsList
Scans for processes present in a particular linux image.
linux.psscan.PsScan
Plugin for listing processes in a tree based on their parent process ID.
linux.pstree.PsTree
Lists all network connections for all processes.
linux.sockstat.Sockstat
Checks tty devices for hooks
linux.tty_check.tty_check
Mac
Recovers bash command history from memory.
mac.bash.Bash
Check system call table for hooks.
mac.check_syscall.Check_syscall
Check sysctl handlers for hooks.
mac.check_sysctl.Check_sysctl
Check mac trap table for hooks.
mac.check_trap_table.Check_trap_table
Lists network interface information for all devices
mac.ifconfig.Ifconfig
Lists kauth listeners and their status
mac.kauth_listeners.Kauth_listeners
Lists kauth scopes and their status
mac.kauth_scopes.Kauth_scopes
Lists event handlers registered by processes
mac.kevents.Kevents
Lists all open file descriptors for all processes.
mac.list_files.List_Files
Lists loaded kernel modules
mac.lsmod.Lsmod
Lists all open file descriptors for all processes.
mac.lsof.Lsof
Lists process memory ranges that potentially contain injected code.
mac.malfind.Malfind
A module containing a collection of plugins that produce data typically found in Mac’s mount command
mac.mount.Mount
Lists all network connections for all processes
mac.netstat.Netstat
Lists process memory ranges.
mac.proc_maps.Maps
Recovers program command line arguments.
mac.psaux.Psaux
Lists the processes present in a particular mac memory image
mac.pslist.PsList
Plugin for listing processes in a tree based on their parent process ID.
mac.pstree.PsTree
Enumerates kernel socket filters
mac.socket_filters.Socket_filters
Check for malicious kernel timers.
mac.timers.Timers
Checks for malicious trustedbsd modules
mac.trustedbsd.Trustedbsd
Lists processes that are filtering file system events
mac.vfsevents.VFSevents
Windows
Lists big page pools.
windows.bigpools.BigPools
Lists kernel callbacks and notification routines.
windows.callbacks.Callbacks
Lists process command line arguments.
windows.cmdline.CmdLine
Lists the information from a Windows crash dump.
windows.crashinfo.Crashinfo
Lists a tree of drivers and the devices attached to them in a particular windows memory image.
windows.devicetree.DeviceTree
Lists the loaded modules in a particular windows memory image.
windows.dlllist.DllList
Lists IRPs for drivers in a particular windows memory image.
windows.driverirp.DriverIrp
Determines if any loaded drivers were hidden by a rootkit
windows.drivermodule.DriverModule
Scans for drivers present in a particular windows memory image.
windows.driverscan.DriverScan
Dumps cached file contents from Windows memory samples.
windows.dumpfiles.DumpFiles
Display process environment variables
windows.envars.Envars
Computes the SIDs of the services listed in the registry, so service accounts can be matched to the SIDs seen in getsids.
windows.getservicesids.GetServiceSIDs
Prints the SIDs owning each process
windows.getsids.GetSIDs
Lists process open handles.
windows.handles.Handles
Show OS & kernel details of the memory sample being analyzed.
windows.info.Info
Prints process job link information
windows.joblinks.JobLinks
Lists the loaded modules in a particular windows memory image.
windows.ldrmodules.LdrModules
Lists process memory ranges that potentially contain injected code.
windows.malfind.Malfind
Scans for and parses potential Master Boot Records (MBRs)
windows.mbrscan.MBRScan
Prints the memory map
windows.memmap.Memmap
Scans for modules present in a particular windows memory image.
windows.modscan.ModScan
Lists the loaded kernel modules.
windows.modules.Modules
Scans for mutexes present in a particular windows memory image.
windows.mutantscan.MutantScan
Scans for network objects present in a particular windows memory image.
windows.netscan.NetScan
Traverses network tracking structures present in a particular windows memory image.
windows.netstat.NetStat
A generic pool scanner plugin.
windows.poolscanner.PoolScanner
Lists process token privileges
windows.privileges.Privs
Lists the processes present in a particular windows memory image.
windows.pslist.PsList
Scans for processes present in a particular windows memory image.
windows.psscan.PsScan
Plugin for listing processes in a tree based on their parent process ID.
windows.pstree.PsTree
Lists the certificates in the registry's Certificate Store.
windows.registry.certificates.Certificates
Lists the registry hives present in a particular memory image.
windows.registry.hivelist.HiveList
Scans for registry hives present in a particular windows memory image.
windows.registry.hivescan.HiveScan
Lists the registry keys under a hive or specific key value.
windows.registry.printkey.PrintKey
Print userassist registry keys and information.
windows.registry.userassist.UserAssist
Lists processes with session information extracted from their environment variables
windows.sessions.Sessions
Looks for signs of Skeleton Key malware
windows.skeleton_key_check.Skeleton_Key_Check
Lists the system call table.
windows.ssdt.SSDT
Lists statistics about the memory space.
windows.statistics.Statistics
Reads output from the strings command and indicates which process(es) each string belongs to.
windows.strings.Strings
Scans for links present in a particular windows memory image.
windows.symlinkscan.SymlinkScan
Lists process memory ranges.
windows.vadinfo.VadInfo
Walk the VAD tree.
windows.vadwalk.VadWalk
Lists version information from PE files.
windows.verinfo.VerInfo
Lists virtual mapped sections.
windows.virtmap.VirtMap
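The pslist and psscan plugins listed above (for Windows, Linux and Mac alike) differ in method: pslist walks the kernel's linked list of processes, while psscan carves process structures out of memory. A rootkit that unlinks its process from the list defeats pslist but not psscan, so comparing the two is a standard check. The following is an added example (not part of the original page or of Volatility itself) that performs that comparison on the JSON the Volatility 3 json renderer (-r json) emits for windows.pslist.PsList and windows.psscan.PsScan. The two sample outputs embedded in it are constructed for the example; the column names (PID, PPID, ImageFileName, ExitTime, __children) are those of the Windows plugins.

```python
"""Added example: find processes present in psscan but absent from pslist.

Input is the JSON emitted by `vol.py -f <image> -r json windows.pslist.PsList`
and `... windows.psscan.PsScan`. The sample records below are constructed
for this example and do not come from a real image.
"""
import json
from typing import Dict, Iterable, List

# Constructed sample output of windows.pslist.PsList (columns trimmed).
PSLIST_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None, "__children": []},
    {"PID": 512, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": None, "__children": []},
    {"PID": 1340, "PPID": 640, "ImageFileName": "svchost.exe", "ExitTime": None, "__children": []},
])

# Constructed sample output of windows.psscan.PsScan for the same image:
# one process unlinked from the list (2244) and one that has exited (3100).
PSSCAN_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None, "__children": []},
    {"PID": 512, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": None, "__children": []},
    {"PID": 1340, "PPID": 640, "ImageFileName": "svchost.exe", "ExitTime": None, "__children": []},
    {"PID": 2244, "PPID": 1340, "ImageFileName": "updater.exe", "ExitTime": None, "__children": []},
    {"PID": 3100, "PPID": 640, "ImageFileName": "notepad.exe",
     "ExitTime": "2023-05-01T10:12:44+00:00", "__children": []},
])


def flatten(rows: Iterable[dict]) -> List[dict]:
    """The json renderer nests child rows under '__children' (used by pstree);
    flatten so every process is a top-level record."""
    out = []
    for row in rows:
        out.append({k: v for k, v in row.items() if k != "__children"})
        out.extend(flatten(row.get("__children", [])))
    return out


def process_key(row: dict) -> tuple:
    # PIDs are reused over the life of a system; pairing PID with the image
    # name avoids treating a reused PID as a match.
    return (row["PID"], row["ImageFileName"])


def compare_process_lists(pslist_json: str, psscan_json: str) -> Dict[str, List[dict]]:
    """Return psscan-only processes, split into 'hidden' (still running, so
    they should have been in the linked list) and 'terminated' (an ExitTime is
    set; the structure simply has not been freed yet, which is normal)."""
    listed = {process_key(r) for r in flatten(json.loads(pslist_json))}
    hidden, terminated = [], []
    for row in flatten(json.loads(psscan_json)):
        if process_key(row) in listed:
            continue
        (terminated if row.get("ExitTime") else hidden).append(row)
    by_pid = lambda r: r["PID"]
    return {"hidden": sorted(hidden, key=by_pid), "terminated": sorted(terminated, key=by_pid)}


if __name__ == "__main__":
    result = compare_process_lists(PSLIST_JSON, PSSCAN_JSON)
    for row in result["hidden"]:
        print(f"HIDDEN    pid={row['PID']} ppid={row['PPID']} name={row['ImageFileName']}")
    for row in result["terminated"]:
        print(f"exited    pid={row['PID']} name={row['ImageFileName']} exit={row['ExitTime']}")
```

psscan carves from memory, so it can also surface stale or partially overwritten structures; treat a hit as a lead to confirm with pstree, handles and dlllist rather than as proof on its own. For linux.pslist/linux.psscan the name column is COMM rather than ImageFileName, so adjust process_key accordingly.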