Learning Malware Analysis

by Monnappa K A
June 2018
Beginner
510 pages
13h 7m
English
Packt Publishing
Content preview from Learning Malware Analysis

3.2 Using Volatility

Volatility consists of various plugins, each of which extracts a different kind of information from the memory image. Running python vol.py -h displays the supported plugins. For instance, if you wish to list the running processes from the memory image, you can use a plugin such as pslist; if you wish to list the network connections, you use a different plugin. Irrespective of the plugin you choose, the command syntax is the same. With -f you specify the path to the memory image file, and --profile tells Volatility which operating system and architecture the memory image was acquired from. The plugin name varies depending on the type of information you want to extract from the memory image:

$ python vol.py -f <memory ...
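The invocation described above, wrapped in a small Python helper that builds the command line, parses Volatility 2's pslist output, and flags processes whose parent is absent from the listing. This is an added example, not code from the book; it assumes vol.py is run as "python vol.py" from the current directory, and that pslist prints the standard Volatility 2 columns (Offset, Name, PID, PPID, Thds, Hnds, Sess, Wow64, Start, Exit). The sample output is constructed, not a real capture.

```python
import subprocess


def build_vol_cmd(image, profile, plugin, extra=()):
    """Build argv for: python vol.py -f <image> --profile=<profile> <plugin> [extra]."""
    return ["python", "vol.py", "-f", image, "--profile=" + profile, plugin, *extra]


def run_vol(image, profile, plugin, extra=()):
    """Run Volatility and return its stdout; raises CalledProcessError on failure."""
    return subprocess.run(build_vol_cmd(image, profile, plugin, extra),
                          check=True, capture_output=True, text=True).stdout


def _num(field):
    """Volatility prints '------' for unknown counters; map those to None."""
    return int(field) if field.isdigit() else None


def parse_pslist(text):
    """Parse Volatility 2 pslist output into a list of dicts, one per process."""
    procs = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # skip banner, header and separator rows
        f = line.split()
        procs.append({"offset": f[0], "name": f[1], "pid": int(f[2]),
                      "ppid": int(f[3]), "threads": _num(f[4]), "handles": _num(f[5])})
    return procs


def missing_parent(procs):
    """Processes whose PPID is not in the listing (PPID 0 is the idle process)."""
    pids = {p["pid"] for p in procs}
    return [p for p in procs if p["ppid"] != 0 and p["ppid"] not in pids]


# Constructed sample pslist output (not a real capture), in Volatility 2 layout.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     59      403 ------      0
0x82099020 smss.exe                368      4      3       19 ------      0 2018-06-01 10:00:00 UTC+0000
0x81fdc4a8 csrss.exe               584    368     10      371      0      0 2018-06-01 10:00:02 UTC+0000
0x81f3d020 svchost.exe            1120    952      7      100      0      0 2018-06-01 10:01:00 UTC+0000
"""

if __name__ == "__main__":
    # Against a real image you would call run_vol(image, profile, "pslist") instead.
    for p in missing_parent(parse_pslist(SAMPLE_PSLIST)):
        print("parent %d of %s (PID %d) not in listing" % (p["ppid"], p["name"], p["pid"]))
```

A parent missing from pslist is only a lead (the parent may simply have exited); confirm with other plugins before drawing conclusions.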


ISBN: 9781788392501