Volatility: The volatile memory forensic extraction framework
Source: Hacker News
Why Volatility 3?
In 2019 the Volatility Foundation released Volatility 3, a complete rewrite of the original code base. The new version addresses many technical and performance challenges that had emerged over the previous decade. Additional benefits include:
- A modern, modular architecture that is easier to extend and maintain.
- Improved performance and scalability for large memory images.
- Distribution under the Volatility Software License (VSL), a custom license that better aligns with the goals of the Volatility community.
For the full license text, see the VSL v1.0 license file.
Quick Start
1. Install the required dependencies
pip install --user -e ".[full]"
2. See the available options
vol -h
3. Verify a Windows memory sample
Run the windows.info plugin to make sure Volatility supports the sample type:
vol -f /home/user/samples/stuxnet.vmem windows.info
4. Run other plugins
Most plugins work with a single memory image, so you’ll usually need the -f (or --single-location) flag:
vol -f <image> <plugin> [plugin_options]
Some plugins may require or accept additional options.
To view the help for a specific plugin, use:
vol <plugin> -h
Installing
Volatility 3 requires Python 3.8.0 or later and is published on the PyPI registry.
From PyPI
pip install volatility3
From source (latest development version)
We recommend using a virtual environment to keep the dependencies isolated from system packages.
# Clone the repository
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3/
# Create and activate a virtual environment
python3 -m venv venv
source venv/bin/activate # on Windows use `venv\Scripts\activate`
# Install the package in editable mode with development extras
pip install -e ".[dev]"
- The stable branch of the GitHub repository always contains the latest stable release.
- The default branch (develop) contains the most recent development changes.
Symbol Tables
Download the symbol packs
| Operating System | Download |
|---|---|
| Windows | |
| macOS | |
| Linux | |
Verify the downloads
| Hash type | File |
|---|---|
| SHA‑256 | |
| SHA‑1 | |
| MD5 | |
Installation
- Extract each zip file.
- Place the extracted directories (named windows, mac, linux) into the volatility3/symbols folder or into a symbols folder located next to the Volatility 3 executable.
Note:
- Windows symbols that are missing will be automatically queried, downloaded, generated, and cached on‑the‑fly.
- macOS and Linux symbol tables must be generated manually (e.g., with the dwarf2json tool).
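The verify-then-install steps above as an added example (not code from the Volatility project): it checks a downloaded pack against a SHA-256 list and extracts it only if the hash matches and no archive entry would land outside the symbols folder. The `sha256sum`-style checksum format ("<hex>  <filename>" per line) and all function names are assumptions.

```python
# Added example: function names and the checksum-list format are assumptions.
import hashlib
import hmac
import zipfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so a large symbol pack is never read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def expected_hash(sums_text: str, filename: str) -> str:
    """Look up filename in sha256sum-style text ("<hex>  <name>", assumed format)."""
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()
    raise LookupError(f"no checksum listed for {filename}")


def install_pack(pack: Path, sums_text: str, symbols_dir: Path) -> list:
    """Verify the pack, then extract it under symbols_dir; returns the entry names."""
    want = expected_hash(sums_text, pack.name)
    if not hmac.compare_digest(sha256_of(pack), want):
        raise ValueError(f"SHA-256 mismatch for {pack.name}; not extracting")
    root = symbols_dir.resolve()
    with zipfile.ZipFile(pack) as zf:
        # Check every entry before writing anything, so a bad archive
        # leaves the symbols folder untouched.
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if target != root and root not in target.parents:
                raise ValueError(f"unsafe path in archive: {info.filename}")
        zf.extractall(root)
        return zf.namelist()
```

Pass the text of the published checksum list as `sums_text`; a mismatch or an escaping path raises before anything is written to the symbols folder.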
First‑run cache update
- The first time Volatility 3 runs with a new symbol pack, it builds a cache.
- Because the packs contain many files, this step can take several minutes.
- The process is interrupt‑safe – if it stops, the next run will resume where it left off.
- The cache only needs to be built once per symbol set, provided the files remain in the same location.
Caveats
- The Windows and macOS symbol packs are representative and are complete up to the date of their creation.
- Linux kernels are frequently re‑compiled and cannot be uniquely identified, so an exhaustive Linux symbol set is not provided.
Documentation
The framework is documented through docstrings and can be built using Sphinx.
The latest generated copy of the documentation is available at:
Volatility 3 Documentation (latest)
Licensing and Copyright
© 2007‑2026 Volatility Foundation. All Rights Reserved.
Volatility Foundation License (VSL v1.0)
Bugs and Support
If you think you’ve found a bug, please report it on the Volatility 3 GitHub issue tracker.
When filing a bug, include the following information to help us resolve the issue quickly:
- Volatility version you are using
- Operating system on which Volatility is running
- Python version used to run Volatility
- Suspected OS of the memory sample being analyzed
- The complete command line you executed (copy‑paste it, preferably in a code block)
vol -f memory.raw windows.pslist
For community support, join us on Slack:
Contact
For information or requests, please reach out to the Volatility Foundation:
- Website:
- Blog:
- Email: volatility@volatilityfoundation.org
- Twitter: @volatility