
Volatility

Volatility is a Python-based command-line tool for analyzing memory dumps (images of a system's RAM). It is a very good way to understand both the importance and the complexities of memory forensics.

If you are using a Linux/Unix machine, you can install Volatility by running the command below (this installs the distribution's packaged Volatility 2 release; newer distributions may no longer ship it).

$ sudo apt install volatility -y

If you are using Windows, you can download the executable here.

Offset

An offset is a position measured from the start of a file or from the start of a memory region. By default, Volatility reports virtual offsets (virtual addresses).

PID

When a process is started, it is given a unique number called the process ID (PID) that identifies that process to the system. If you ever need to kill a process, for example, you can refer to it by its PID. Since each PID is unique among the processes running at that time (PIDs are reused once a process exits), there is no ambiguity or risk of accidentally killing the wrong process (unless you enter the wrong PID).

PPID

The PPID is the PID of the process's parent. To understand this, consider a process A with PID 1 that starts another process B. In this scenario B is a child process of A, so the PPID of B is the PID of A.
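The PID/PPID relationship is what lets an analyst rebuild the process tree from a memory image. The following is an added example, not code from the page or from the Volatility project: it parses constructed pslist-style lines (Offset, Name, PID, PPID), links each child to its parent, and lists processes whose parent is absent from the listing (the parent exited before the dump was taken).

```python
# Added example (not from the original page or the Volatility project): build a
# parent/child process tree from pslist-style output using PID and PPID.
# SAMPLE_PSLIST is CONSTRUCTED sample data modelled on the pslist table layout.
from collections import defaultdict

SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID
------------------ ---------------------- ------ ------
0xfffffa8000c9a040 System                    4      0
0xfffffa8001a2b060 smss.exe                272      4
0xfffffa8001b3c080 csrss.exe               352    344
0xfffffa8001c4d0a0 wininit.exe             400    344
0xfffffa8001d5e0c0 services.exe            496    400
0xfffffa8001e6f0e0 svchost.exe             612    496
0xfffffa8001f70100 explorer.exe           1200   1180
0xfffffa8002081120 cmd.exe                1500   1200
"""

def parse_pslist(text):
    """Return {pid: (name, ppid, offset)} from the whitespace-separated table."""
    procs = {}
    for line in text.splitlines()[2:]:        # skip the header and separator rows
        parts = line.split()
        if len(parts) < 4:
            continue
        offset, name, pid, ppid = parts[0], parts[1], int(parts[2]), int(parts[3])
        procs[pid] = (name, ppid, offset)
    return procs

def children_of(procs):
    """Map each PPID to the PIDs it spawned (B is a child of A when B.ppid == A.pid)."""
    tree = defaultdict(list)
    for pid, (_, ppid, _) in procs.items():
        tree[ppid].append(pid)
    return tree

def orphans(procs):
    """PIDs whose parent is no longer in the listing (parent exited, or is hidden)."""
    return sorted(pid for pid, (_, ppid, _) in procs.items()
                  if ppid != 0 and ppid not in procs)

def render_tree(procs, root=0, depth=0, tree=None):
    """Indented text tree, one line per process, rooted at PPID `root`."""
    tree = tree if tree is not None else children_of(procs)
    lines = []
    for pid in sorted(tree.get(root, [])):
        lines.append("  " * depth + f"{procs[pid][0]} (PID {pid}, PPID {procs[pid][1]})")
        lines.extend(render_tree(procs, pid, depth + 1, tree))
    return lines
```

Processes reported by `orphans()` do not appear under the tree rooted at PPID 0, which is the usual reason a pslist tree looks incomplete; a child whose expected parent is missing is worth a second look during analysis.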