
Linux command

volatility command

After copying a command, replace the file names, directories, or parameters as needed.

Common examples

List available plugins

volatility --info

List processes

volatility -f [memory.img] --profile=[LinuxProfile] linux_pslist

Show network connections

volatility -f [memory.img] --profile=[Profile] linux_netstat

Recover bash history

volatility -f [memory.img] --profile=[Profile] linux_bash

List open files

volatility -f [memory.img] --profile=[Profile] linux_lsof

Show process command lines

volatility -f [memory.img] --profile=[Profile] linux_cmdline

Scan for Yara rules

volatility -f [memory.img] --profile=[Profile] linux_yarascan -y [rules.yar]

Description

volatility is an open-source memory forensics framework for extracting digital artifacts from RAM dumps. It analyzes memory images to recover running processes, network connections, command history, and other volatile data not available on disk. The framework supports Windows, Linux, and macOS memory analysis. Linux plugins are prefixed with linux_ and require a profile matching the exact distribution, kernel version, and architecture of the system that created the dump. Volatility 3 simplifies profile management with automatic symbol detection, while Volatility 2 requires manually building or obtaining profiles. Memory dumps can be acquired using tools like LiME (Linux Memory Extractor) or VMware snapshots.
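The description above stresses that every Linux plugin needs a profile matching the dump's kernel. The following script, added here as an example and not part of the original reference, checks that the profile is known to `volatility --info` before spending time on the image, then runs the plugins listed above in one pass and keeps each plugin's output (or its error) in its own file. It assumes Volatility 2 is on PATH as `volatility` (override with the `VOL` variable) and that the profile has already been built or installed.

```shell
#!/bin/sh
# Added example (not from the original reference): batch Linux memory triage
# with Volatility 2. Assumes `volatility` (v2) is on PATH, or VOL points at it,
# and that the profile has already been built or installed.
set -eu

VOL="${VOL:-volatility}"
PLUGINS="linux_pslist linux_cmdline linux_netstat linux_lsof linux_bash"

# Succeeds only if the profile name is listed by `volatility --info`; this is
# the cheapest way to catch a missing or misnamed profile before analysis.
profile_available() {
    "$VOL" --info 2>/dev/null | grep -q -- "^$1 "
}

# run_triage <image> <profile> <outdir>
# Writes <outdir>/<plugin>.txt for each plugin that succeeds and
# <outdir>/<plugin>.err for each that fails, then prints the number of
# successful reports on stdout.
run_triage() {
    img="$1"; profile="$2"; outdir="$3"
    mkdir -p "$outdir"
    # Hash the image first so every report can be tied to one specific dump.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$img" > "$outdir/image.sha256"
    else
        shasum -a 256 "$img" > "$outdir/image.sha256"
    fi
    if ! profile_available "$profile"; then
        echo "profile '$profile' is not listed by --info; build or install it first" >&2
        return 1
    fi
    for p in $PLUGINS; do
        if "$VOL" -f "$img" --profile="$profile" "$p" \
                > "$outdir/$p.txt" 2> "$outdir/$p.err"; then
            rm -f "$outdir/$p.err"
        else
            # Drop the empty report so a failed plugin is not mistaken for "no results".
            rm -f "$outdir/$p.txt"
            echo "plugin $p failed, see $outdir/$p.err" >&2
        fi
    done
    ls "$outdir"/linux_*.txt 2>/dev/null | wc -l | tr -d ' '
}
```

Typical use is `run_triage memory.img LinuxUbuntu1604x64 ./triage`, after which each `linux_*.txt` can be reviewed or diffed against a known-good baseline.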

Parameters

-f _FILE_, --file _FILE_
Memory image file to analyze
--profile _PROFILE_
Operating system profile (required for Volatility 2)
--info
List available plugins and profiles
-d, --debug
Enable debug output
-h, --help
Show help message
-p _PID_
Filter by process ID
-o _OFFSET_
Physical offset in memory
--output _FORMAT_
Output format (text, json, html)
--output-file _FILE_
Write output to file

FAQ

What is the volatility command used for?

volatility is an open-source memory forensics framework that extracts digital artifacts from RAM dumps: running processes, network connections, command history, and other volatile data not available on disk. It supports Windows, Linux, and macOS images; the Linux plugins (prefixed linux_) require a profile matching the exact distribution, kernel version, and architecture of the dumped system. See the description above for profile handling in Volatility 2 versus Volatility 3 and for acquisition tools such as LiME.

How do I run a basic volatility example?

Run `volatility --info` in a terminal to confirm the installation and list the available plugins and profiles, then adjust the image file name, profile, and plugin flags for your system.

What does -f _FILE_, --file _FILE_ do in volatility?

Memory image file to analyze