Friday, January 25, 2013

The Volatility Framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.

The following video and command list were not created by me; I just copied them for reference. Please credit the video maker.



Commands list

./vol.py -f zeus.vmem pslist

To list the processes of a system, use the pslist command. It walks the doubly-linked list of _EPROCESS structures the kernel maintains, so a process that a rootkit has unlinked from that list will not appear here.

./vol.py -f zeus.vmem malfind

Use it to find hidden or injected code/DLLs in user-mode memory. It looks for memory regions with suspicious permissions (such as PAGE_EXECUTE_READWRITE) that are not backed by a file on disk and dumps their first bytes so you can check for a PE header or shellcode.

./vol.py -f zeus.vmem ldrmodules

To find hidden DLLs. It compares the three DLL lists in the PEB (InLoadOrder, InInitializationOrder, InMemoryOrder) with the file-backed mappings recorded in the VAD, so a DLL unlinked from the PEB lists still shows up, with InLoad, InInit and InMem all False.

./vol.py -f zeus.vmem apihooks

To find API hooks in user mode or kernel mode (inline hooks, IAT/EAT hooks and similar).

./vol.py -f zeus.vmem idt

Prints the IDT (Interrupt Descriptor Table). An interrupt handler that points outside the kernel or a known module is suspicious.

./vol.py -f zeus.vmem gdt

Prints the GDT (Global Descriptor Table). A call gate installed by a rootkit would show up here.

./vol.py -f zeus.vmem threads -L

The threads plugin gives you extensive details on threads. The -L option lists the tags the plugin can flag (hidden or orphaned threads, for example); -F <tag> restricts the output to threads carrying that tag.

./vol.py -f zeus.vmem callbacks

Lists the kernel callbacks (process-creation, thread-creation and image-load notify routines, registry callbacks and so on) that drivers have registered. Both security products and rootkits use these callbacks to monitor and/or react to system events.

./vol.py -f zeus.vmem driverirp

To print a driver's IRP major function table. A rootkit that hooks IRP handlers (for example IRP_MJ_DEVICE_CONTROL) will have entries pointing outside the driver's own image.

./vol.py -f zeus.vmem devicetree

Prints the device tree. Windows uses a layered driver architecture, so a malicious driver can attach itself to another driver's device stack (the TCP/IP or file-system stack, for instance) to intercept I/O.

./vol.py -f zeus.vmem psxview

This plugin helps you detect hidden processes by cross-referencing several sources (pslist, psscan, thrdproc, pspcid, csrss, session, deskthrd). A process that is False in pslist but True in the other columns, and has no ExitTime, is a hiding candidate.
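The two cross-view checks above (ldrmodules for unlinked DLLs, psxview for unlinked processes) are easy to automate once you have the plugin output saved to a text file. The script below is an added example, not part of the original post or of the Volatility project: it parses constructed sample output in the Volatility 2.x column layout for psxview and ldrmodules (the PIDs, names and paths are made up) and applies the same reasoning an analyst does by hand. It assumes process names contain no spaces and that ExitTime, when present, is the last column.

```python
"""Cross-view triage over saved Volatility 2 psxview / ldrmodules output.

Added example for the command list above; not Volatility's own code.
"""
import re

# Constructed psxview sample (not from a real image). hidden.exe is the planted
# finding; notepad.exe is a terminated process that psscan still sees.
PSXVIEW_SAMPLE = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x01a2b3c0 System                    4 True   True   True     True   False False   False
0x01c4d5e0 explorer.exe           1220 True   True   True     True   True  True    True
0x01e6f700 svchost.exe            1160 True   True   True     True   True  True    True
0x01f8a900 hidden.exe             1924 False  True   True     True   True  True    True
0x02012b00 notepad.exe            2184 False  True   False    False  False False   False    2013-01-25 10:15:02 UTC+0000
"""

# Constructed ldrmodules sample. evil.dll is absent from all three PEB lists;
# the main executables legitimately have InInit False.
LDRMODULES_SAMPLE = r"""
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
    1220 explorer.exe         0x01000000 True   False  True  \WINDOWS\explorer.exe
    1220 explorer.exe         0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
    1220 explorer.exe         0x10000000 False  False  False \Documents and Settings\user\evil.dll
    1924 hidden.exe           0x00400000 True   False  True  \Temp\hidden.exe
"""

PSXVIEW_SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")
# offset, name, pid, seven True/False columns, optional ExitTime remainder
PSXVIEW_ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+"
    + r"\s+".join(["(True|False)"] * len(PSXVIEW_SOURCES))
    + r"\s*(.*)$"
)


def parse_psxview(text):
    """Return one dict per process row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PSXVIEW_ROW.match(line.strip())
        if not m:
            continue
        flags = {src: m.group(4 + i) == "True" for i, src in enumerate(PSXVIEW_SOURCES)}
        rows.append({
            "offset": m.group(1),
            "name": m.group(2),
            "pid": int(m.group(3)),
            "flags": flags,
            "exit_time": m.group(4 + len(PSXVIEW_SOURCES)).strip() or None,
        })
    return rows


def hidden_processes(rows):
    """pslist walks the EPROCESS linked list, which is what DKOM-style rootkits
    unlink from. psscan, thrdproc and pspcid find the process by other means, so
    a live process (no ExitTime) missing only from pslist is a hiding candidate.
    csrss/session/deskthrd are ignored: System and early-boot processes are
    legitimately absent from them."""
    found = []
    for r in rows:
        if r["flags"]["pslist"] or r["exit_time"]:
            continue
        if r["flags"]["psscan"] or r["flags"]["thrdproc"] or r["flags"]["pspcid"]:
            found.append((r["pid"], r["name"]))
    return found


def parse_ldrmodules(text):
    """Return one dict per module row. MappedPath may contain spaces, so the
    line is split into at most seven fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        pid, proc, base, in_load, in_init, in_mem = parts[:6]
        rows.append({
            "pid": int(pid), "process": proc, "base": base,
            "in_load": in_load == "True", "in_init": in_init == "True",
            "in_mem": in_mem == "True",
            "path": parts[6].strip() if len(parts) == 7 else "",
        })
    return rows


def unlinked_modules(rows):
    """A mapping absent from all three PEB lists was either unlinked or never
    registered with the loader (manually/reflectively mapped). A single False is
    not a finding: the main executable is never in InInitializationOrder."""
    return [(r["pid"], r["process"], r["base"], r["path"])
            for r in rows if not (r["in_load"] or r["in_init"] or r["in_mem"])]


if __name__ == "__main__":
    for pid, name in hidden_processes(parse_psxview(PSXVIEW_SAMPLE)):
        print(f"[psxview]    hidden process candidate: pid={pid} name={name}")
    for pid, proc, base, path in unlinked_modules(parse_ldrmodules(LDRMODULES_SAMPLE)):
        print(f"[ldrmodules] unlinked module in {proc} (pid {pid}) at {base}: {path}")
```

To use it on a real case, redirect the plugin output to files (`./vol.py -f zeus.vmem psxview > psxview.txt`) and feed the file contents to the two parse functions; on the constructed samples it reports hidden.exe (pid 1924) and evil.dll in explorer.exe, and correctly stays quiet about the terminated notepad.exe and about System.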

Source: Volatility Wiki

That's all! See you.