Anthropic-Cybersecurity-Skills/skills/performing-memory-forensics-with-volatility3/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Memory Forensics with Volatility 3

## Volatility 3 CLI

Plugins are invoked by their dotted module name (e.g. `windows.pslist`). Listing plugins walk kernel structures and miss anything that has been unlinked; the matching `*scan` plugins carve objects out of pool memory and therefore also return terminated objects, so a listing/scan difference needs a second look before being called "hidden".

| Plugin | Description |
|---|---|
| windows.info | OS version, kernel base, DTB and system time of the image |
| windows.pslist | List processes by walking the EPROCESS ActiveProcessLinks list |
| windows.pstree | Process tree with parent-child relationships |
| windows.psscan | Pool-tag scan for EPROCESS objects; also finds unlinked (hidden) and terminated processes |
| windows.malfind | Flag private executable memory regions that may hold injected code (verify hits; JIT engines and packers produce false positives) |
| windows.netscan | Pool scan for TCP/UDP endpoints and listeners, including closed ones |
| windows.cmdline | Command line of each process |
| windows.dlllist | DLLs loaded by each process |
| windows.hashdump | NTLM hashes of local accounts from the in-memory SAM hive (cached domain logons are a separate plugin, windows.cachedump) |
| windows.lsadump | LSA secrets from memory |
| windows.svcscan | Enumerate Windows services |
| windows.modules | Kernel modules from the loaded-module list |
| windows.modscan | Pool scan for kernel modules (finds unlinked ones) |
| windows.registry.hivelist | List registry hives in memory |
| windows.registry.printkey | Print the values of a registry key (`--key`, `--offset`, `--recurse`) |
| yarascan.YaraScan / windows.vadyarascan | Scan memory with YARA rules (whole image / per-process VAD regions) |
| windows.memmap | Memory map of a process; with `--dump` writes the process's readable pages to a file in the output directory |

## Common Flags

Global options go before the plugin name; plugin options go after it (`vol -f mem.raw -o out windows.pslist --pid 4`). Putting `--pid` before the plugin name is a common mistake and is rejected by the argument parser.

| Flag | Scope | Description |
|---|---|---|
| -f <file> | global | Memory image path |
| -o <dir> | global | Output directory for dumped files |
| -r <renderer> | global | Output format: quick (default, tab-separated), pretty, json, jsonl, csv; use json when output is parsed by a script |
| --pid <pid> | plugin | Restrict a process plugin to the given PID(s) |
| --dump | plugin | Write matched content (process memory, executables, DLLs) to files in the output directory |
| --yara-file <file> | plugin | YARA rules file for yarascan / windows.vadyarascan |

## Python Libraries

| Library | Version | Purpose |
|---|---|---|
| subprocess | stdlib | Execute the Volatility 3 CLI |
| json | stdlib | Parse plugin output produced with `-r json` (preferred: column names are keys, no layout guessing) |
| re | stdlib | Parse the default tab-separated text output when JSON output is not available |
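The following is an added example, not code from the skill folder or from the Volatility project. It builds a correctly ordered command line (global options before the plugin, plugin options after), parses both the `-r json` and the default tab-separated output, and applies the classic pslist-versus-psscan difference to find unlinked processes while discarding terminated ones. It assumes the Volatility 3 entry point is on PATH as `vol`, that `-r json` yields a JSON array of row objects keyed by column name (`PID`, `PPID`, `ImageFileName`, `ExitTime`, ...), and that tree depth in quick output appears as leading `*` characters; the sample outputs are constructed, not real captures.

```python
"""Drive the Volatility 3 CLI from Python and diff pslist against psscan.

Added example, not code from the original reference. Assumes the Volatility 3
entry point is on PATH as `vol` (use `vol.py` / `python3 vol.py` for a source
checkout) and that plugins are run with the `-r json` renderer.
"""
import json
import re
import subprocess

VOL = "vol"  # assumption: name of the Volatility 3 entry point on PATH


def build_command(dump, plugin, plugin_args=(), output_dir=None):
    """Global options (-r, -f, -o) must precede the plugin name; plugin
    options such as --pid or --dump must follow it."""
    cmd = [VOL, "-r", "json", "-f", dump]
    if output_dir is not None:
        cmd += ["-o", output_dir]
    cmd.append(plugin)
    cmd.extend(plugin_args)
    return cmd


def parse_json_output(stdout):
    """Parse `-r json` output: a JSON array of row dicts keyed by column name.
    Any lines before the array (a version banner, if the local build prints
    it to stdout) are skipped."""
    lines = stdout.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.lstrip().startswith("["):
            return json.loads("".join(lines[i:]))
    raise ValueError("no JSON array found in plugin output")


HEADER_RE = re.compile(r"^PID\t")  # first column of pslist/psscan output


def parse_quick_output(stdout):
    """Parser for the default `quick` renderer (tab-separated, header row
    first). Assumption: tree depth is rendered as leading '*' on column 0."""
    lines = stdout.splitlines()
    header = next((i for i, l in enumerate(lines) if HEADER_RE.match(l)), None)
    if header is None:
        raise ValueError("header row not found in plugin output")
    columns = lines[header].split("\t")
    rows = []
    for line in lines[header + 1:]:
        if not line.strip():
            continue
        fields = line.split("\t")
        fields[0] = fields[0].lstrip("*")
        rows.append(dict(zip(columns, fields)))
    return rows


def hidden_processes(pslist_rows, psscan_rows):
    """EPROCESS objects found by pool scanning but missing from the linked
    list. Terminated processes also appear only in psscan, so rows with an
    ExitTime are dropped; what remains is a candidate for DKOM unlinking."""
    listed = {int(r["PID"]) for r in pslist_rows}
    absent = (None, "", "N/A", "-")
    return [r for r in psscan_rows
            if int(r["PID"]) not in listed and r.get("ExitTime") in absent]


def run_plugin(dump, plugin, plugin_args=()):
    proc = subprocess.run(build_command(dump, plugin, plugin_args),
                          capture_output=True, text=True, check=True)
    return parse_json_output(proc.stdout)


def find_hidden(dump):
    return hidden_processes(run_plugin(dump, "windows.pslist"),
                            run_plugin(dump, "windows.psscan"))


# Constructed sample output shaped like `-r json` rows (pslist/psscan column
# names), prefixed with a banner line to exercise the skip logic. Not a real capture.
_ROWS = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None, "__children": []},
    {"PID": 620, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": None, "__children": []},
    {"PID": 3160, "PPID": 1704, "ImageFileName": "explorer.exe", "ExitTime": None, "__children": []},
]
SAMPLE_PSLIST = "Volatility 3 Framework 2.x\n" + json.dumps(_ROWS, indent=2)
SAMPLE_PSSCAN = "Volatility 3 Framework 2.x\n" + json.dumps(_ROWS + [
    {"PID": 1772, "PPID": 3160, "ImageFileName": "notepad.exe",
     "ExitTime": "2024-01-10T12:00:00+00:00", "__children": []},  # terminated, not hidden
    {"PID": 5008, "PPID": 3160, "ImageFileName": "svch0st.exe", "ExitTime": None, "__children": []},
], indent=2)
SAMPLE_QUICK = ("Volatility 3 Framework 2.x\n\nPID\tPPID\tImageFileName\n"
                "4\t0\tSystem\n620\t4\tsmss.exe\n")

if __name__ == "__main__":
    for row in hidden_processes(parse_json_output(SAMPLE_PSLIST),
                                parse_json_output(SAMPLE_PSSCAN)):
        print(f"candidate hidden process: PID {row['PID']} {row['ImageFileName']} (PPID {row['PPID']})")
```

Against a real image, `find_hidden("mem.raw")` runs both plugins; on the constructed samples only PID 5008 survives, because PID 1772 has an ExitTime and is simply a dead process still sitting in pool memory. Treat a survivor as a lead, not a verdict: confirm with `windows.pstree`, `windows.cmdline --pid` and `windows.malfind --pid` before reporting DKOM.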

References