
SSF Toolkit User Guide Template

Overview

The volatility command automates the task of extracting useful information from a memory dump using the Volatility Framework.

Workflow

The volatility command performs these steps:

  1. Extract Process List: Runs the Volatility pslist plugin to list all processes
  2. Match Interesting Processes: Finds the PIDs of the processes named in interesting-processes.txt, prompting you to deconflict when a name matches more than one process
  3. Extract File Handles: Gets file handles for each interesting process
  4. Extract Memory Dumps: Creates memory dumps for each process

Output Files

Analysis results are saved to the results directory:

volatility/<ram-file-name>/
├── pid-list.txt           # Raw volatility pslist output
├── interesting_pids.json  # Matched processes with PIDs
├── handles.txt            # File handles for all processes
└── *.dmp                  # Memory dump files (one per process)

Quick Start

# Get help on the Volatility sub-command
ssf_tools volatility --help

# Basic usage
ssf_tools volatility memory-dump.raw windows interesting-processes.txt

Usage

Common Commands

# With custom options
# Override results path
# Override default pid-list extract file
ssf_tools volatility \
    --results-dir ./analysis_results \
    --pid-list-file custom-pids.txt \
    memory.dd windows interesting-processes.txt

Required Arguments:

  • IMAGE_FILE: Path to the RAM image file (e.g., memory.dd)
  • PLATFORM: Target platform (windows, mac, or linux)
  • INTERESTING_PROCESSES_FILE: Text file with process names to analyze (one per line)

Optional Arguments:

  • --results-dir, -r: Directory to save results (default: <image_dir>/volatility/<image_name>)
  • --pid-list-file, -p: Filename for PID list output (default: pid-list.txt)

Creating an Interesting Processes File

Create a text file with process names you want to analyze:

notepad
chrome
firefox
svchost
explorer
powershell
lsass

The tool handles:

  • Case-insensitive matching
  • Partial matches (for truncated output)
  • Extension flexibility (matches both notepad and notepad.exe)
  • Multiple instances (automatically numbered: svchost, svchost_2, etc.)
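The matching step of the workflow (step 2 above) combined with the rules just listed, as an added example that is not ssf_tools code and not part of Volatility: it parses a constructed table in the tab-separated layout of Volatility 3's windows.pslist, applies case-insensitive, extension-flexible and prefix matching (the prefix rule covers the 15-character ImageFileName truncation that Windows imposes), numbers repeated instances, and hands ambiguous names to a chooser callback standing in for the interactive PID deconflict prompt. The function names, the column subset and the process rows are assumptions, not the toolkit's own.

```python
"""Matching step of the volatility workflow (added example, not ssf_tools code)."""
import json
import re
from collections import defaultdict, namedtuple

Process = namedtuple("Process", "pid ppid name")

# Windows keeps EPROCESS.ImageFileName in 15 characters, so pslist shows longer
# names cut off; a name of that length is treated as possibly truncated.
TRUNCATED_LEN = 15

# Constructed sample in the tab-separated layout of Volatility 3 windows.pslist,
# keeping only the leading columns (the parser locates columns by header name).
SAMPLE_PSLIST = "\n".join([
    "Volatility 3 Framework",
    "",
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles",
    "",
    "4\t0\tSystem\t0xfa8000c5a040\t90\t548",
    "504\t416\tlsass.exe\t0xfa8001a1b060\t7\t610",
    "700\t520\tsvchost.exe\t0xfa8001b2c070\t12\t380",
    "812\t520\tsvchost.exe\t0xfa8001c3d080\t9\t270",
    "1304\t1260\texplorer.exe\t0xfa8001d4e090\t30\t900",
    "2200\t1304\tnotepad.exe\t0xfa8001e5f0a0\t2\t60",
    "2480\t1304\tpowershell.exe\t0xfa8001f600b0\t14\t420",
    "2600\t1304\tpowershell_ise.\t0xfa80020710c0\t11\t380",   # truncated at 15 chars
    "3100\t1304\tGoogleUpdateCor\t0xfa80021820d0\t3\t90",    # truncated at 15 chars
])

# Constructed interesting-processes file: mixed case, with and without .exe.
SAMPLE_WANTED = "notepad\nchrome\nSVCHOST\nexplorer.exe\npowershell\nlsass\nGoogleUpdateCore.exe\n"


def parse_pslist(text):
    """Parse pslist table text into Process records, locating columns by header name."""
    processes, columns = [], None
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if columns is None:
            if "PID" in fields and "ImageFileName" in fields:
                columns = {name: i for i, name in enumerate(fields)}
            continue
        if len(fields) < len(columns) or not fields[columns["PID"]].isdigit():
            continue  # banner, blank line or non-data row
        processes.append(Process(int(fields[columns["PID"]]),
                                 int(fields[columns["PPID"]]),
                                 fields[columns["ImageFileName"]]))
    return processes


def read_wanted(text):
    """One process name per line; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def normalize(name):
    """Lower-case and drop a trailing .exe so notepad and notepad.exe compare equal."""
    return re.sub(r"\.exe$", "", name.strip().lower())


def name_matches(wanted, image_name):
    """Exact, prefix, or truncated-prefix match after normalization."""
    w, n = normalize(wanted), normalize(image_name)
    if n == w or n.startswith(w):
        return True
    # A 15-char pslist name may be cut off: accept it as a prefix of the request.
    return len(image_name) >= TRUNCATED_LEN and w.startswith(n)


def prompt_choice(wanted, candidates):
    """Interactive deconflict: ask the analyst which image name was meant."""
    print(f"'{wanted}' matches several image names:")
    for i, c in enumerate(candidates, 1):
        print(f"  {i}. {c}")
    while True:
        reply = input("Choose one: ").strip()
        if reply.isdigit() and 1 <= int(reply) <= len(candidates):
            return candidates[int(reply) - 1]


def prefer_exact(wanted, candidates):
    """Non-interactive chooser: the candidate equal to the request after normalization, else the first."""
    for c in candidates:
        if normalize(c) == normalize(wanted):
            return c
    return candidates[0]


def match_processes(processes, wanted_names, choose=None):
    """Return {label: pid}; repeated instances get _2, _3 suffixes; ambiguous names go to `choose`."""
    choose = choose or prompt_choice
    result = {}
    for wanted in wanted_names:
        label_base = normalize(wanted)
        by_name = defaultdict(list)          # distinct image name -> its PIDs
        for p in processes:
            if name_matches(wanted, p.name):
                by_name[p.name].append(p.pid)
        if not by_name:
            continue                          # nothing to extract for this name
        picked = choose(wanted, sorted(by_name)) if len(by_name) > 1 else next(iter(by_name))
        for i, pid in enumerate(sorted(by_name[picked]), start=1):
            result[label_base if i == 1 else f"{label_base}_{i}"] = pid
    return result


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    matched = match_processes(procs, read_wanted(SAMPLE_WANTED), choose=prefer_exact)
    print(json.dumps(matched, indent=2))  # the content interesting_pids.json would hold
```

Run without a chooser argument and the powershell entry triggers the prompt, because the request matches both powershell.exe and the truncated powershell_ise.; the chrome entry produces nothing, since no such process is in the sample table.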

Examples

# Windows memory analysis
ssf_tools volatility memory.dd windows processes.txt

# Linux memory analysis with custom output
ssf_tools volatility --results-dir /tmp/analysis memory.lime linux interesting.txt

# macOS analysis
ssf_tools volatility osx_memory.dmg mac processes.txt

Advanced Features

Because the full Volatility installation is included in the ssf-tools package, every Volatility feature is available through the vol command. See the Volatility documentation.

Troubleshooting

This command is stable and built on Volatility-provided capabilities.

  • PID matching is regex-driven. If the utility finds more than one match for a given process name, you will be prompted to choose the best option.