Volatility is an open-source framework for memory forensics, i.e. analysing RAM dumps. It reconstructs running processes, open network connections, loaded kernel modules and data fragments that never reached disk. After a reboot all of this is gone: processes hidden by rootkits, C&C connections, passwords held in memory, unpacked malware, shell history. A RAM dump captured before the reboot preserves this evidence for analysis.

How Does Volatility Work?

The analysis process consists of two main elements:

  1. Memory Dump: First you need a copy of the entire contents of RAM. On a physical Linux host this is usually done with LiME (Linux Memory Extractor), a kernel module that has to be compiled against the exact kernel running on the target and loaded as root; loading it disturbs a little memory, which is unavoidable. For a virtual machine, take a snapshot and use the hypervisor's memory file instead (for example the .vmem file VMware writes alongside a snapshot), which touches nothing inside the guest.
  2. System Profile: Volatility needs to know how to interpret the raw bytes. Every Linux kernel build lays out its data structures slightly differently, so a profile tells Volatility where to find the process list, sockets, etc. in a dump from one specific kernel build (e.g., Linux_5_4_0-42-generic_x64). Volatility 2 ships no Linux profiles: you build one yourself from a module.dwarf (struct layouts, obtained by compiling a small module with debug info) plus the matching System.map (symbol addresses), zipped together. Both files must come from the exact kernel version and distribution build that produced the dump, otherwise every plugin fails or returns garbage.
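The first practical question in step 2 is therefore "which kernel build is this dump from?". The following Python is an added example, not code from this page or from the Volatility project: it scans a raw dump for the kernel banner string (the text uname -a prints, which lives inside the kernel image and so inside every dump) and derives the System.map name the profile needs. The banner strings and the dump bytes are constructed for the example, and identify_kernel_in_file is an assumed helper name, not a Volatility API.

```python
import mmap
import re
from collections import Counter

# The "Linux version ..." banner is a string inside the kernel image, so it
# survives in every RAM dump. Volatility 2's imageinfo only understands
# Windows dumps; for Linux, this banner is how you learn which kernel build
# the profile must match.
BANNER_RE = re.compile(rb"Linux version (\d+\.\d+\.\d+[^\s\x00]*)[^\x00\n]*")


def find_kernel_banners(data):
    """Count every distinct banner in a bytes-like object (bytes or an mmap of the dump)."""
    counts = Counter()
    for m in BANNER_RE.finditer(data):
        counts[m.group(0).decode("ascii", "replace")] += 1
    return counts


def identify_kernel(data):
    """Pick the most frequent banner and derive the profile inputs from it.

    A dump can also hold banners of other kernels (e.g. an old vmlinuz still
    sitting in the page cache), so the hit count and the runner-up releases
    are returned for the analyst to review.
    """
    ranked = find_kernel_banners(data).most_common()
    if not ranked:
        return None

    def release_of(banner):
        return BANNER_RE.match(banner.encode()).group(1).decode()

    banner, hits = ranked[0]
    release = release_of(banner)
    return {
        "release": release,
        "banner": banner,
        "hits": hits,
        "system_map": f"System.map-{release}",  # the file to zip with module.dwarf
        "other_releases": [release_of(b) for b, _ in ranked[1:]],
    }


def identify_kernel_in_file(path):
    """Same, over a real dump file, without loading it fully into RAM."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return identify_kernel(mm)


# Constructed stand-in for a dump: the running kernel's banner appears three
# times, a stale banner from a previously installed kernel once.
RUNNING = (b"Linux version 5.15.0-91-generic (buildd@lcy02-amd64-044) "
           b"(gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) "
           b"#101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023\n")
STALE = (b"Linux version 5.4.0-42-generic (buildd@lgw01-amd64-038) "
         b"(gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020\n")


def build_sample_dump():
    noise = bytes(range(256)) * 16  # 4 KiB of arbitrary bytes between fragments
    return (noise + RUNNING + noise + RUNNING.rstrip(b"\n") + b"\x00"
            + noise + STALE + noise + RUNNING + noise)


if __name__ == "__main__":
    info = identify_kernel(build_sample_dump())
    print(f"kernel release : {info['release']} ({info['hits']} banner hits)")
    print(f"profile needs  : {info['system_map']} + a module.dwarf built for that kernel")
    if info["other_releases"]:
        print(f"also present   : {', '.join(info['other_releases'])} (stale images?)")
```

On a real dump the one-liner strings -a dump.raw | grep -m1 "Linux version" gives the same answer; the script adds the hit count because a dump often contains banners of other kernels, and the most frequent one is normally the running kernel (cross-check with uname -r from the live host if it was recorded). With the release in hand, build the profile on a machine running exactly that kernel: cd volatility/tools/linux && make produces module.dwarf (it needs the kernel headers and dwarfdump), then zip it together with /boot/System.map-<release> and drop the zip into volatility/plugins/overlays/linux/, after which volatility --info lists it.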

Basic Commands (Plugins)

Volatility works on the basis of plugins. The examples below use Volatility 2 syntax. The newer Volatility 3 has a different command-line interface (e.g., vol -f dump.raw linux.pslist) and replaces profiles with symbol tables (ISF JSON files, generated with dwarf2json). Here are the Volatility 2 plugins you will use most on a Linux dump. Note that they all carry the linux_ prefix; the unprefixed names (pslist, netscan, filescan, cmdline, ...) are the Windows plugins and will not run against a Linux image:

  • imageinfo: Identifies the profile automatically, but only for Windows dumps. There is no auto-detection for Linux: read the kernel banner out of the image (strings -a dump.raw | grep -m1 "Linux version") and pick the matching profile from the list that volatility --info prints.
  • linux_pslist: Lists the processes running at the time of the dump (similar to ps -ef) by walking the kernel's task list. Compare it with linux_psscan and linux_psxview, which also find task structures a rootkit has unlinked from that list.
  • linux_pstree: Shows processes as a tree, which makes parent/child relationships and odd parents (a "kernel thread" whose parent is not kthreadd, pid 2) easy to spot.
  • linux_netstat: Lists the sockets held by each process, with local/remote address, port and state.
  • linux_psaux: Shows the full command line each process was started with (the Linux counterpart of cmdline).
  • linux_lsof: Lists the files each process has open; linux_find_file locates a path in the page cache and can extract its contents.
  • linux_bash: Recovers the history of commands typed in bash shells from the shells' in-memory history, including lines never written to .bash_history.

Practical Example

Imagine your server has been compromised. Before anyone rebooted it, you captured a memory dump into the file dump.raw.

  1. System Identification:

    strings -a dump.raw | grep -m1 "Linux version"
    volatility --info | grep Linux
    

    The banner tells you which kernel build the dump came from, and --info lists the Linux profiles you have installed; in this example the matching one is Linux_5_15_0-generic_x64. If none matches, build a profile on a machine running that exact kernel before going any further.

  2. Listing Processes:

    volatility -f dump.raw --profile=Linux_5_15_0-generic_x64 linux_pslist
    

    On the list you notice a process called kworkerds, a lookalike of the legitimate kworker kernel threads. Two things give it away: real kworker threads are children of kthreadd (pid 2) and have no executable on disk, whereas this one has an ordinary parent and, as the next steps show, a binary and a socket.

  3. Checking Network Connections:

    volatility -f dump.raw --profile=Linux_5_15_0-generic_x64 linux_netstat
    

    It turns out that kworkerds holds an ESTABLISHED TCP connection to an IP address in China. The geolocation alone proves nothing; what matters is that something posing as a kernel thread owns an outbound socket at all.

  4. Checking the Command Line:

    volatility -f dump.raw --profile=Linux_5_15_0-generic_x64 linux_psaux
    

    You see that the process was launched with suspicious arguments: /tmp/kworkerds -o stratum+tcp://pool.example.com:1234 -u ... - a binary dropped in /tmp that talks to a stratum mining pool: a crypto miner. linux_procdump can carve the executable out of memory so you can hash it and compare it with the file in /tmp, if the attacker has not already deleted that.
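The reasoning in steps 2 to 4 is mechanical enough to script. The following Python is an added example, not code from this page or from the Volatility project: it encodes those checks as rules and runs them over constructed output of the three Volatility 2 Linux plugins linux_pslist, linux_psaux and linux_netstat (the Linux-specific counterparts of the process-list, command-line and network steps above). The sample lines mirror the scenario on this page and follow Volatility 2's column layout, which can differ slightly between builds, so the parsers split on whitespace rather than fixed offsets; 203.0.113.7 is a documentation-range address standing in for the real remote host.

```python
import ipaddress
import re

# Constructed sample output laid out like Volatility 2's linux_pslist,
# linux_psaux and linux_netstat (column widths vary between builds).
PSLIST = """\
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff9a0e40010000 systemd              1               0               0               0      0x0000000101e0a000 2024-03-02 09:11:04 UTC+0000
0xffff9a0e40011800 kthreadd             2               0               0               0      ------------------ 2024-03-02 09:11:04 UTC+0000
0xffff9a0e40150000 kworker/0:1          28              2               0               0      ------------------ 2024-03-02 09:11:04 UTC+0000
0xffff9a0e4f2c3000 kworkerds            1337            1               33              33     0x000000010a3f1000 2024-03-02 11:47:52 UTC+0000
"""
PSAUX = """\
Pid    Uid    Gid    Arguments
1      0      0      /sbin/init splash
2      0      0      [kthreadd]
28     0      0      [kworker/0:1]
1337   33     33     /tmp/kworkerds -o stratum+tcp://pool.example.com:1234 -u wallet -p x
"""
NETSTAT = """\
TCP      10.0.0.5        :49812 203.0.113.7     : 1234 ESTABLISHED                kworkerds/1337
UNIX 23451              systemd/1  /run/systemd/journal/stdout
"""

# Names attackers like to borrow. The genuine ones are kernel threads, which
# linux_psaux shows as [comm] and which hang off kthreadd (pid 2).
KTHREAD_NAMES = re.compile(r"^(kworker|kthreadd|ksoftirqd|kswapd|kblockd|kcompactd|migration|rcu_|watchdog|cpuhp)")
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")
MINER_HINT = re.compile(r"stratum\+(tcp|ssl|tls)://", re.I)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
NETSTAT_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s*:\s*(\d+)\s+(\S+)\s*:\s*(\d+)\s+(\S+)\s+(\S+)/(\d+)\s*$")


def parse_pslist(text):  # pid -> {name, ppid, uid}; header/separator lines lack the 0x offset
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("0x"):
            procs[int(f[2])] = {"name": f[1], "ppid": int(f[3]), "uid": int(f[4])}
    return procs


def parse_psaux(text):  # pid -> full argument string ('[comm]' for kernel threads)
    argv = {}
    for line in text.splitlines():
        f = line.split(None, 3)
        if len(f) == 4 and f[0].isdigit():
            argv[int(f[0])] = f[3]
    return argv


def parse_netstat(text):  # TCP/UDP sockets only; UNIX sockets are ignored here
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            conns.append({"proto": m[1], "raddr": m[4], "rport": int(m[5]),
                          "state": m[6], "comm": m[7], "pid": int(m[8])})
    return conns


def is_external(addr):
    """True for anything outside loopback, link-local, RFC 1918 and ULA ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def triage(pslist_out, psaux_out, netstat_out):
    """Return {pid: [reasons]} for processes that deserve a closer look."""
    procs, argv = parse_pslist(pslist_out), parse_psaux(psaux_out)
    findings = {}

    def flag(pid, why):
        findings.setdefault(pid, []).append(why)

    for pid, p in procs.items():
        args = argv.get(pid, "")
        exe = args.split()[0] if args else ""
        if KTHREAD_NAMES.match(p["name"]) and not args.startswith("["):
            flag(pid, f"{p['name']} is named like a kernel thread but runs userland code "
                      f"{exe} (parent pid {p['ppid']}, not kthreadd/2)")
        if exe.startswith(VOLATILE_DIRS):
            flag(pid, f"executable in a world-writable/volatile directory: {exe}")
        if MINER_HINT.search(args):
            flag(pid, "stratum mining-pool URL in arguments")
    for c in parse_netstat(netstat_out):
        if c["state"] != "ESTABLISHED" or not is_external(c["raddr"]):
            continue
        name = procs.get(c["pid"], {}).get("name", c["comm"])
        if c["pid"] in findings or KTHREAD_NAMES.match(name):
            flag(c["pid"], f"ESTABLISHED {c['proto']} to external {c['raddr']}:{c['rport']}")
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(triage(PSLIST, PSAUX, NETSTAT).items()):
        print(f"pid {pid}:\n  - " + "\n  - ".join(reasons))
```

Run the three plugins with --output-file (or redirect stdout) and pass the files' contents to triage(). The rules deliberately ignore the remote address's country: the signal is a process that borrows a kernel-thread name but has a parent other than kthreadd, a userland binary in /tmp and an established socket to the outside. Extend KTHREAD_NAMES and VOLATILE_DIRS for your environment, and remember that linux_pslist only sees what is still linked into the task list; run linux_psscan or linux_psxview as well if you suspect a rootkit.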

For the newer version, see the Volatility 3 article which covers the updated command-line interface and symbol table approach.