Volatility 3
Essential Windows plugins
Modern memory analysis, automatic symbol resolution, Windows/Linux plugins and a reproducible investigation workflow.
System overview
vol -f memory.raw windows.info
vol -f memory.raw windows.envars
vol -f memory.raw windows.sessions
Processes
vol -f memory.raw windows.pslist
vol -f memory.raw windows.pstree
vol -f memory.raw windows.psscan
vol -f memory.raw windows.cmdline
vol -f memory.raw windows.getsids --pid 1234
Network
vol -f memory.raw windows.netscan
vol -f memory.raw windows.netstat
Files and DLLs
vol -f memory.raw windows.filescan
vol -f memory.raw windows.dlllist --pid 1234
vol -f memory.raw windows.handles --pid 1234
vol -f memory.raw windows.dumpfiles --pid 1234
Suspicious code detection
vol -f memory.raw windows.malfind
vol -f memory.raw windows.vadinfo --pid 1234
vol -f memory.raw windows.vadyarascan --pid 1234 --yara-rules 'rule mz { strings: $mz = {4d 5a} condition: $mz at 0 }'
Registry
vol -f memory.raw windows.registry.hivelist
vol -f memory.raw windows.registry.printkey --key 'Software\Microsoft\Windows\CurrentVersion\Run'
vol -f memory.raw windows.registry.userassist
Recommended triage order
info → pslist/pstree/psscan → cmdline → netscan
→ dlllist/handles → malfind/vadinfo → filescan/dumpfiles
→ registry → timeline and external validation
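The first step of the triage order only pays off when the pslist and psscan views are actually compared: a live process that psscan carves from pool memory but pslist does not link is the finding to chase. The script below is an added example (not from the page or the Volatility project) that does that cross-check and emits the per-PID follow-up commands in a fixed order; the rows are constructed to resemble Volatility 3's `-r json` renderer output, and the column names are an assumption.

```python
import json

# Constructed sample rows shaped like `vol -r json -f memory.raw windows.pslist` / `windows.psscan`.
# Column names ("Offset(V)", "ExitTime", "__children") are assumed, not taken from the page.
PSLIST_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "Offset(V)": 0xFFFF8A0100, "ExitTime": None},
    {"PID": 624, "PPID": 4, "ImageFileName": "smss.exe", "Offset(V)": 0xFFFF8A0200, "ExitTime": None},
    {"PID": 1234, "PPID": 624, "ImageFileName": "explorer.exe", "Offset(V)": 0xFFFF8A0300, "ExitTime": None},
])
PSSCAN_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "Offset(V)": 0xFFFF8A0100, "ExitTime": None},
    {"PID": 624, "PPID": 4, "ImageFileName": "smss.exe", "Offset(V)": 0xFFFF8A0200, "ExitTime": None},
    {"PID": 1234, "PPID": 624, "ImageFileName": "explorer.exe", "Offset(V)": 0xFFFF8A0300, "ExitTime": None},
    # Live _EPROCESS that the active-process list no longer links: the case psscan exists for.
    {"PID": 4321, "PPID": 1234, "ImageFileName": "svchost.exe", "Offset(V)": 0xFFFF8A0400, "ExitTime": None},
    # Terminated process whose object was still carved from pool memory: expected residue.
    {"PID": 3000, "PPID": 1234, "ImageFileName": "notepad.exe", "Offset(V)": 0xFFFF8A0500,
     "ExitTime": "2024-01-01T10:00:00+00:00"},
])

def load_rows(text):
    """Flatten a plugin's JSON output; tree renderers nest child rows under "__children"."""
    rows = []
    def walk(items):
        for item in items:
            rows.append({k: v for k, v in item.items() if k != "__children"})
            walk(item.get("__children") or [])
    walk(json.loads(text))
    return rows

def compare_process_views(pslist_text, psscan_text):
    """Cross-check the linked-list view (pslist) against pool carving (psscan)."""
    listed = {r["Offset(V)"] for r in load_rows(pslist_text)}
    hidden, exited = [], []
    for r in load_rows(psscan_text):
        if r["Offset(V)"] in listed:
            continue  # seen by both views: nothing unusual here
        (exited if r.get("ExitTime") else hidden).append(r)
    return {"hidden": hidden, "exited": exited}

def follow_up_commands(image, report):
    """Per-PID plugins from the triage order, in a fixed sequence so reruns produce the same log."""
    plugins = ("windows.dlllist", "windows.handles", "windows.vadinfo", "windows.dumpfiles")
    return [f"vol -f {image} {p} --pid {r['PID']}"
            for r in sorted(report["hidden"], key=lambda r: r["PID"]) for p in plugins]

if __name__ == "__main__":
    report = compare_process_views(PSLIST_JSON, PSSCAN_JSON)
    print("live but unlisted:", [(r["PID"], r["ImageFileName"]) for r in report["hidden"]])
    print("\n".join(follow_up_commands("memory.raw", report)))
```

Exited processes are reported separately because psscan routinely carves terminated objects; only the live, unlisted ones warrant the follow-up plugins.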