Note: depending on the Volatility version you are using and how it was installed, you may need to substitute vol.py for volatility in the commands below.
Find out what profiles you have available
volatility --info
Find out the originating OS profile to be used from the memory dump.
volatility -f memorydump.mem imageinfo
volatility -f memorydump.mem kdbgscan
Determine what plugins are available for use.
volatility -f memorydump.mem --profile=<profilename> -h
Check what processes were running.
(Note: any entries for svchost.exe should always have services.exe as the parent process, and parameters such as /k should always be present on the command line)
volatility -f memorydump.mem --profile=<profilename> pslist
volatility -f memorydump.mem --profile=<profilename> psscan
volatility -f memorydump.mem --profile=<profilename> pstree
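A quick triage check for the svchost.exe parentage rule above, as an added example that is not part of the original cheat sheet: it parses Volatility 2 pslist text output and flags every svchost.exe whose parent is not services.exe (or whose parent is no longer in the process list). The sample output is constructed; the /k parameter check needs cmdline output and is not covered here.

```python
import re

# Constructed sample of Volatility 2 `pslist` output (not from a real case).
# The last svchost.exe was started by explorer.exe, which violates the rule.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ----
0x823c89c8 System                    4      0     53      240 ------      0
0x820df020 smss.exe                368      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x821a2da0 csrss.exe               584    368      9      326      0      0 2010-10-29 17:08:54 UTC+0000
0x81e2ab28 winlogon.exe            608    368     23      519      0      0 2010-10-29 17:08:54 UTC+0000
0x82045020 services.exe            652    608     16      243      0      0 2010-10-29 17:08:54 UTC+0000
0x821a0da0 svchost.exe             824    652     20      194      0      0 2010-10-29 17:08:55 UTC+0000
0x81e6b660 explorer.exe           1484   1464     17      415      0      0 2010-10-29 17:08:56 UTC+0000
0x81f8a020 svchost.exe            1592   1484      5       63      0      0 2010-10-29 17:09:10 UTC+0000
"""

# Offset, image name, PID and PPID are the only columns we need.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_pslist(text):
    """Return a list of (name, pid, ppid) tuples from pslist output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator lines do not match
            rows.append((m.group(2), int(m.group(3)), int(m.group(4))))
    return rows


def flag_svchost(text, expected_parent="services.exe"):
    """Return (pid, ppid, parent_name) for each svchost.exe with an unexpected parent.

    parent_name is None when the PPID is not in the list (parent already exited),
    which is itself worth a closer look.
    """
    rows = parse_pslist(text)
    by_pid = {pid: name for name, pid, _ in rows}
    findings = []
    for name, pid, ppid in rows:
        if name.lower() != "svchost.exe":
            continue
        parent = by_pid.get(ppid)
        if parent is None or parent.lower() != expected_parent:
            findings.append((pid, ppid, parent))
    return findings


if __name__ == "__main__":
    for pid, ppid, parent in flag_svchost(SAMPLE_PSLIST):
        print(f"suspicious svchost.exe PID {pid}: parent PID {ppid} is {parent or 'not in list'}")
```

Pipe real output in with `volatility -f memorydump.mem --profile=<profilename> pslist > pslist.txt` and pass the file contents to `flag_svchost`; psscan output has the same leading columns, so it parses too.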
Check what commands have been run and their output.
volatility -f memorydump.mem --profile=<profilename> cmdscan
volatility -f memorydump.mem --profile=<profilename> consoles
Dump process files which were running from memory.
volatility -f memorydump.mem --profile=<profilename> procdump -p <processid> --dump-dir=./
Dump the memory associated with a process file.
volatility -f memorydump.mem --profile=<profilename> memdump -p <processid> --dump-dir=./
Dump all cached files from memory.
volatility -f memorydump.mem --profile=<profilename> dumpfiles --dump-dir=./
Check what drivers or kernel modules were unloaded or hidden.
volatility -f memorydump.mem --profile=<profilename> modscan
Check what network connectivity has occurred.
volatility -f memorydump.mem --profile=<profilename> netscan
Check what network connectivity has occurred (Windows XP/Server 2003).
volatility -f memorydump.mem --profile=<profilename> connections
volatility -f memorydump.mem --profile=<profilename> connscan
volatility -f memorydump.mem --profile=<profilename> sockets
volatility -f memorydump.mem --profile=<profilename> sockscan
Check what information exists within registry from memory.
volatility -f memorydump.mem --profile=<profilename> hivelist
volatility -f memorydump.mem --profile=<profilename> hivescan
volatility -f memorydump.mem --profile=<profilename> hivedump -o <hiveoffset>
volatility -f memorydump.mem --profile=<profilename> userassist
volatility -f memorydump.mem --profile=<profilename> shellbags
volatility -f memorydump.mem --profile=<profilename> shimcache
volatility -f memorydump.mem --profile=<profilename> shimcachemem
Copy the address space out as a raw dd-style image (e.g. convert a hiberfil.sys or crash dump into a raw memory image).
volatility -f memorydump.mem --profile=<profilename> imagecopy -O <outputfile>
Dump timelined artifacts from memory.
volatility -f memorydump.mem --profile=<profilename> timeliner
Credit: jpminty.github.io