Memory forensics automation for Windows, Linux, and macOS. Auto-detects the OS, runs the right plugins in parallel, extracts IOCs, and generates structured reports.
Built for DFIR practitioners who are tired of running the same 20+ `vol` commands manually on every case.

Note: Windows dumps work out of the box. Linux and macOS analysis requires kernel symbols to be installed first.
TODO: Record a demo with a real memory dump, then replace this section.
```bash
git clone https://github.com/gl0bal01/volatility-toolkit.git
cd volatility-toolkit

# Option A: install system-wide
sudo make install
vol-analyze memory.raw    # auto-detects OS

# Option B: run directly
chmod +x scripts/vol-analyze.sh
./scripts/vol-analyze.sh memory.raw
```

Prerequisite: Volatility 3 must be installed and available as `vol` in your PATH. For Linux/macOS memory dumps, you also need matching kernel symbols.
- Auto-detects whether the dump is Windows, Linux, or macOS
- Computes MD5 + SHA256 for chain of custody
- Runs all relevant plugins in parallel batches
- Separates stdout from stderr (errors never corrupt output)
- Shows per-plugin timing and success/failure status
- Generates a structured summary report (text + optional JSON)
- Optionally extracts IOC strings (IPs, URLs, domains, emails, file paths)
- Optionally dumps files and registry hives (Windows)
| OS | Plugins | Highlights | Prerequisites |
|---|---|---|---|
| Windows | 30 | Processes, DLLs, network, registry, services, malware detection, kernel drivers, SSDT | None (symbols bundled with Volatility 3) |
| Linux | 21 | Processes, bash history, kernel modules, network, rootkit checks (syscall/IDT/creds) | Kernel symbols required |
| macOS | 20 | Processes, kexts, network, TrustedBSD, kauth listeners, syscall/sysctl checks | Kernel symbols required |
| Feature | Description |
|---|---|
| OS auto-detection | Probes the dump to select the right plugin set |
| Parallel execution | Run up to N plugins simultaneously (-j 8) |
| Colored output | Green for success, yellow for warnings, per-plugin timing |
| IOC extraction | Pull IPs, URLs, domains, emails, and file paths from strings |
| JSON reports | Machine-readable summary with per-plugin status |
| Chain of custody | MD5 + SHA256 computed before analysis begins |
| Non-interactive | No prompts by default — safe for scripts and CI |
| Registry export | Dump raw hive files for offline analysis (Windows) |
| Error isolation | stderr captured to .err files — never mixed into results |
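The run pattern the feature list describes, written here as an added example rather than the toolkit's own script: hashes are computed before any plugin runs, plugins are launched in parallel batches of `MAX_PARALLEL`, each plugin's stdout and stderr go to separate `.txt`/`.err` files, and a summary records status and timing. It assumes `vol -f <dump> <plugin>` as the Volatility 3 invocation and, so that it runs offline, substitutes a constructed stub for `vol` in the `demo` function.

```shell
# Added example (not the toolkit's own script) of the run pattern the feature list
# describes; it assumes "vol -f <dump> <plugin>" is the Volatility 3 invocation.
VOL3_CMD="${VOL3_CMD:-vol}"            # same environment knobs the README documents
MAX_PARALLEL="${MAX_PARALLEL:-4}"
hash_dump() {   # $1 = dump, $2 = output dir; chain of custody before any plugin runs
    md5sum    "$1" | awk '{print $1}' > "$2/md5.txt"
    sha256sum "$1" | awk '{print $1}' > "$2/sha256.txt"
}
run_plugin() {  # $1 = dump, $2 = output dir, $3 = plugin name (e.g. windows.pslist)
    local name="${3##*.}" start rc; start=$(date +%s)
    # stdout and stderr land in separate files, so errors never corrupt results
    "$VOL3_CMD" -f "$1" "$3" > "$2/$name.txt" 2> "$2/$name.err" && rc=0 || rc=$?
    printf '%s %s %s\n' "$3" "$rc" "$(( $(date +%s) - start ))" > "$2/$name.status"
}
run_batch() {   # $1 = dump, $2 = output dir, remaining args = plugins to run
    local dump="$1" out="$2" n=0 plugin; shift 2
    for plugin in "$@"; do
        run_plugin "$dump" "$out" "$plugin" &
        n=$((n + 1))
        if [ "$n" -ge "$MAX_PARALLEL" ]; then wait; n=0; fi   # batch full: drain it
    done
    wait
}
write_summary() {   # $1 = output dir; prints the number of failed plugins
    local failed=0 f plugin rc secs status
    : > "$1/analysis_summary.txt"
    for f in "$1"/*.status; do
        read -r plugin rc secs < "$f"
        [ "$rc" -eq 0 ] && status=OK || { status=FAIL; failed=$((failed + 1)); }
        printf '%-28s %-4s %3ss  stderr=%s bytes\n' "$plugin" "$status" "$secs" \
            "$(wc -c < "$1/${plugin##*.}.err")" >> "$1/analysis_summary.txt"
    done
    echo "$failed"
}

make_stub_vol() {   # constructed stand-in for vol so the pattern runs offline
    cat > "$1" <<'EOF'
#!/bin/sh
echo "stub output for $3 on $2"    # argv: -f <dump> <plugin>
case "$3" in *malfind) echo "stub: symbol table missing" >&2; exit 1 ;; esac
EOF
    chmod +x "$1"
}
demo() {   # $1 = scratch dir; runs three plugins against a constructed dump file
    printf 'constructed fake dump\n' > "$1/memory.raw"
    make_stub_vol "$1/vol"; VOL3_CMD="$1/vol"; MAX_PARALLEL=2; mkdir -p "$1/out"
    hash_dump "$1/memory.raw" "$1/out"
    run_batch "$1/memory.raw" "$1/out" windows.pslist windows.netscan windows.malfind
    write_summary "$1/out"
}
```

Running `demo "$(mktemp -d)"` prints `1` (the stubbed malfind failure) and leaves `md5.txt`, `sha256.txt`, the per-plugin `.txt`/`.err`/`.status` files and `analysis_summary.txt` in `out/`.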
```text
vol-analyze <memory_dump> [options]

OPTIONS
  --os TYPE            Target OS: windows, linux, mac, auto (default: auto)
  -o, --output DIR     Output directory (default: volatility_output)
  -j, --jobs N         Max parallel plugins (default: 4)
  --dump-registry      Dump registry hives to disk (Windows only)
  --dump-files         Dump files from memory (Windows only)
  --extract-strings    Extract and categorize IOC strings
  --json               Generate JSON summary report
  --interactive        Enable interactive prompts
  --no-color           Disable colored output
  -h, --help           Show help
  -v, --version        Show version

ENVIRONMENT
  VOL3_CMD             Volatility 3 command (default: vol)
  MAX_PARALLEL         Default parallel jobs (default: 4)
  NO_COLOR             Set to disable colors (any value)
```
```bash
# Auto-detect OS, default output
vol-analyze memory.raw

# Windows analysis with all extras
vol-analyze memory.raw --os windows \
    -o case-001/ -j 8 \
    --dump-files --dump-registry --extract-strings --json

# Linux dump (LiME format) — requires kernel symbols
vol-analyze memory.lime --os linux --extract-strings --json

# macOS analysis — requires kernel symbols
vol-analyze memory.raw --os mac -o mac-case/

# CI-friendly — no colors, JSON output
vol-analyze memory.raw --json --no-color 2>/dev/null
```

```text
volatility_output/
├── info.txt                     # OS info plugin output
├── pslist.txt                   # Process listing
├── pstree.txt                   # Process tree
├── netscan.txt / sockstat.txt   # Network (OS-dependent)
├── malfind.txt                  # Malware detection
├── *.err                        # Per-plugin error logs
├── ...                          # (all plugin outputs)
├── strings/                     # (with --extract-strings)
│   ├── all.txt                  # Raw strings
│   ├── ipv4.txt                 # IPv4 addresses
│   ├── urls.txt                 # URLs
│   ├── domains.txt              # Domain names (by frequency)
│   ├── emails.txt               # Email addresses
│   ├── windows_paths.txt        # Windows paths (Windows)
│   └── unix_paths.txt           # Unix paths (Linux/macOS)
├── dump_files/                  # (Windows --dump-files)
├── registry_dump/               # (Windows --dump-registry)
├── analysis_summary.txt         # Human-readable report
└── analysis_summary.json        # (with --json)
```
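The `--extract-strings` categorization behind the `strings/` directory above, as an added example that is not the toolkit's own code: it splits raw `strings` output into the `ipv4`, `urls`, `emails`, `domains` (ranked by frequency) and `windows_paths` files. The regexes and the short TLD list are simplifications assumed for this illustration, and `demo_iocs` feeds it a constructed sample instead of a real dump.

```shell
# Added example (not the toolkit's own code) of the --extract-strings step: split raw
# `strings` output into the per-category files the output tree lists. The TLD list
# and patterns are simplifications chosen for this illustration.
extract_iocs() {   # $1 = raw strings file (e.g. from: strings -a dump.raw), $2 = strings/ dir
    mkdir -p "$2"
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort -u > "$2/ipv4.txt"
    grep -oE '(https?|ftp)://[^[:space:]"<>]+' "$1" | sort -u > "$2/urls.txt"
    grep -oiE '[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}' "$1" | sort -u > "$2/emails.txt"
    # domains ranked by frequency, most common first, as in domains.txt
    grep -oiE '([[:alnum:]-]+\.)+(com|net|org|io|ru|info)' "$1" | tr 'A-Z' 'a-z' \
        | sort | uniq -c | sort -rn > "$2/domains.txt"
    grep -oE '[A-Za-z]:\\[^[:space:]"<>|*?]+' "$1" | sort -u > "$2/windows_paths.txt"
}
demo_iocs() {   # $1 = scratch dir; writes a constructed all.txt, categorizes it,
                # and prints the top domain with its count
    printf '%s\n' 'http://evil.example.com/payload.exe' 'C:\Users\Public\dropper.exe' \
        'admin@example.com' '10.0.0.5' 'evil.example.com' 'EVIL.example.com' > "$1/all.txt"
    extract_iocs "$1/all.txt" "$1/strings"
    head -n1 "$1/strings/domains.txt" | awk '{print $1, $2}'
}
```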
Practical, opinionated guides — not just command references.
- Windows Cheatsheet — 30 plugins with workflow context
- Linux Cheatsheet — 21 plugins including rootkit detection
- macOS Cheatsheet — 20 plugins including TrustedBSD and kauth
- Malware Analysis Guide — Hunting malware in memory
- Investigation Methodology — Structured DFIR workflow
Bash and Zsh completions are included — completes flags, --os values, and memory dump files.

```bash
# Bash — installed automatically by `make install`, or source manually:
source completions/vol-analyze.bash

# Zsh — copy to your fpath:
cp completions/vol-analyze.zsh ~/.zsh/completions/_vol-analyze
```

- SOP: Malware Analysis — Standard operating procedures
- Analysis Knowledge Base — Guides and writeups
- Binary Refinery — Practical Guide — Binary analysis workflows
- Volatility 3 Documentation
- Volatility Foundation
- Volatility 3 — `vol` in PATH (or set `VOL3_CMD`)
- Bash 4.0+
- Standard Unix tools: `strings`, `md5sum`, `sha256sum`, `grep`, `sort`, `uniq`
Linux and macOS analysis requires matching kernel symbols. See the cheatsheets for setup:
Issues, feature requests, and pull requests are welcome.
AGPL-3.0 — Free for open-source and personal use.
If you want to use this in a commercial product or closed-source service without releasing your modifications, a commercial license is available. Contact @gl0bal01 for details.
Built by @gl0bal01 | gl0bal01.com