YoVDO

Introduction to Memory Forensics with Volatility 3

Offered By: DFIRScience via YouTube

Tags

Digital Forensics Courses Memory Forensics Courses

Course Description

Overview

Learn how to perform memory forensics with Volatility 3 in this tutorial video. It covers installation, the command structure, and the core analysis tasks: listing processes, inspecting handles and command lines, checking network connections, extracting files, recovering local password hashes, and analysing the Windows Registry from RAM. Volatility 3 can analyse memory images from Windows, macOS, and Linux systems; this video works through a Windows image using the windows.* plugins and filters their output with PowerShell. By the end you should be able to run Volatility 3 against your own memory dumps and know where to look in its community of third-party plugins for more advanced analysis.

Syllabus

Introduction to Volatility 3
Install Volatility 3 on Windows
Volatility first run check
Find the path of your target memory image
Get RAM image info with windows.info
Listing installed plugins
Get process list from RAM with windows.pslist
Filter Volatility output with PowerShell Select-String
Find process handles with windows.handles
Dump a specific file from RAM with windows.dumpfiles
Dump all files related to a PID
Check executable run options with windows.cmdline
Find active network connections with windows.netstat
Find local user password hash with windows.hashdump
Analyze user actions with windows.registry.userassist
Find and dump Registry hives from RAM with windows.registry.hivelist
Analyze a specific Registry key from RAM with windows.registry.printkey
Intro to Volatility 3 review
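The syllabus above is one procedure typed into PowerShell, so here it is as a single script. This is an added example, not code from the DFIRScience video or from the Volatility project: it assumes Volatility 3 was installed with pip so that the vol entry point is on PATH, that the memory image is at C:\cases\memory.raw, and that 1234 is a PID you picked out of the windows.pslist output. All three are assumptions to replace with your own values; the plugin names and flags are the documented Volatility 3 ones.

```powershell
# Added example walking through the syllabus against a Windows memory image.
# Assumptions (not from the video): `pip install volatility3` put `vol` on PATH,
# the image is at C:\cases\memory.raw, and 1234 is a PID chosen from windows.pslist.
$Image     = 'C:\cases\memory.raw'   # assumed image path
$OutDir    = 'C:\cases\vol3-out'     # assumed directory for dumped files and hives
$TargetPid = 1234                    # assumed; take it from the windows.pslist output
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Run one Volatility 3 plugin against $Image and return its output lines.
# Global options such as -o must come before the plugin name, so they are
# passed in $PluginArgs along with the plugin and its own options.
function Invoke-Vol {
    param([Parameter(Mandatory)][string[]]$PluginArgs)
    $lines = & vol -f $Image @PluginArgs
    if ($LASTEXITCODE -ne 0) {
        # A non-zero exit usually means no symbol table matched the kernel
        # (first runs need internet access to fetch it) or the image path is wrong.
        throw "vol exited with $LASTEXITCODE for: $($PluginArgs -join ' ')"
    }
    return $lines
}

# 1. Image sanity check: confirms the layer was parsed and a symbol table was found
Invoke-Vol -PluginArgs 'windows.info'

# 2. Process list, filtered the way the video does with Select-String
Invoke-Vol -PluginArgs 'windows.pslist' | Select-String -Pattern 'powershell|cmd\.exe|rundll32'

# 3. Handles, command line and on-disk files for the process of interest
Invoke-Vol -PluginArgs 'windows.handles', '--pid', $TargetPid | Select-String -Pattern '\bFile\b'
Invoke-Vol -PluginArgs 'windows.cmdline', '--pid', $TargetPid
Invoke-Vol -PluginArgs '-o', $OutDir, 'windows.dumpfiles', '--pid', $TargetPid

# 4. Active network connections (filter to established sessions)
Invoke-Vol -PluginArgs 'windows.netstat' | Select-String -Pattern 'ESTABLISHED'

# 5. Local account NT hashes from the SAM hive in memory (treat output as sensitive)
Invoke-Vol -PluginArgs 'windows.hashdump'

# 6. Registry: UserAssist execution history, hive list with hives written to $OutDir,
#    and one key printed directly from memory (the Run key, a common persistence spot)
Invoke-Vol -PluginArgs 'windows.registry.userassist'
Invoke-Vol -PluginArgs '-o', $OutDir, 'windows.registry.hivelist', '--dump'
Invoke-Vol -PluginArgs 'windows.registry.printkey', '--key', 'Software\Microsoft\Windows\CurrentVersion\Run'
```

Two practical notes. Select-String works on the text renderer, which is fine for eyeballing results, but for anything you want to post-process reliably use the structured renderer instead (`vol -f $Image -r json windows.netstat | ConvertFrom-Json`), since column spacing in the pretty output is not stable across plugins. And the very first windows.* run against a new image is slow because Volatility 3 downloads the matching kernel PDB from Microsoft's symbol server into its symbols directory; on an offline analysis box you need to copy that symbol table in beforehand or windows.info will fail before any other step works.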


Taught by

DFIRScience

Related Courses

OS Analysis with Volatility
Pluralsight
Getting Started with Memory Forensics Using Volatility
Pluralsight
Advanced Malware Analysis: Redux
Cybrary
Taking Memory Forensics to the Next Level
New York University (NYU) via YouTube
Memory Forensics with Volatility - HackerSploit Blue Team Series
Linode via YouTube