Setup
pip3 install volatility3
# Download Windows symbol tables
wget https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip
unzip windows.zip -d ~/.local/lib/python3/site-packages/volatility3/symbols/
Process Investigation
# System overview
vol -f infected.raw windows.info
vol -f infected.raw windows.pslist
vol -f infected.raw windows.pstree
# Anomalies to hunt:
# svchost.exe without parent services.exe
# cmd.exe spawned from Word, Excel, or PowerPoint
# processes with random or misspelled names
# Hidden processes (rootkits unlink EPROCESS from the list)
vol -f infected.raw windows.psscan
# PID in psscan but not pslist = actively hidden
Network Connections
# Active and recently closed connections
vol -f infected.raw windows.netscan | grep -v CLOSED
vol -f infected.raw windows.netstat
# Indicators: unusual IPs from system processes, non-standard port usage, high-frequency beaconing
Detect Code Injection
# Malfind finds RWX memory with PE headers
vol -f infected.raw windows.malfind
# Dump suspicious regions for further analysis
vol -f infected.raw windows.malfind --dump --pid SUSPICIOUS_PID
file pid.*.dmp | grep PE # look for injected PE executables
Credential Extraction
# Dump LSASS process memory
vol -f infected.raw windows.dumpfiles --pid LSASS_PID
# pypykatz (pure Python implementation of mimikatz)
pypykatz lsa minidump lsass.dmp
Timeline Reconstruction
# MFT timeline โ filesystem activity
vol -f infected.raw windows.mftscan.MFTScan
# Prefetch โ what was executed and when
vol -f infected.raw windows.prefetch
# Registry last-write timestamps
vol -f infected.raw windows.registry.hivelist