
Volatility Memory Forensics | Graphviz

The commands ‘psscan’ and ‘vadtree’ can emit their output as a graph in the DOT format understood by the open source graph visualization software Graphviz. You can install Graphviz from Ubuntu Software Center or via terminal by using the following command:

$ sudo apt-get install graphviz

1.) To enumerate processes using pool tag scanning, use the ‘psscan’ command.

$ python vol.py psscan -f /home/evild3ad/memory-samples/cookbook/zeus.vmem

2.) If you want to show the parent/child relationship between processes in Graphviz format, use the dot output rendering:

$ python vol.py psscan -f /home/evild3ad/memory-samples/cookbook/zeus.vmem --output=dot --output-file=psscan.dot

Note: The render_dot method for ‘psscan’, which had been missing and was frequently requested, was put back into Volatility 2.x (Sep 26, 2011). To update your repository you can run the following command from inside the trunk directory:

$ svn update

3.) Render the resulting dot file with the Graphviz dot utility (PNG for example):

$ dot -Tpng -o psscan.png psscan.dot

Now you should have a PNG image named psscan.png that you can open and inspect.
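As an added example (not part of the original post and not Volatility's own code), a small Python script that reads the DOT file psscan writes and reports processes whose parent never appeared in the scan, as well as processes that have already exited; it assumes the node/edge layout described in the comments, and the embedded DOT sample is constructed rather than real zeus.vmem output.

```python
import re

# Constructed sample in the shape of Volatility 2.x "psscan --output=dot" output
# (assumed layout: nodes are _<PID> with a record label "PID | name |state",
# edges are _<PPID> -> _<PID>). Not real zeus.vmem output.
SAMPLE_DOT = r'''digraph processtree {
graph [rankdir = "TB"];
_0 -> _4 [];
_4 -> _368 [];
_368 -> _584 [];
_584 -> _856 [];
_856 -> _1200 [];
_1652 -> _1660 [];
_4 [label="4 | System |running" shape="record" ];
_368 [label="368 | smss.exe |running" shape="record" ];
_584 [label="584 | winlogon.exe |running" shape="record" ];
_856 [label="856 | explorer.exe |running" shape="record" ];
_1200 [label="1200 | notepad.exe |exited\n2011-09-26 12:00:00" shape="record"  style = "filled" fillcolor = "lightgray" ];
_1660 [label="1660 | svchost.exe |running" shape="record" ];
}'''

NODE_RE = re.compile(r'^_(\d+)\s+\[label="\d+ \| ([^|]+) \|(running|exited[^"]*)"')
EDGE_RE = re.compile(r'^_(\d+) -> _(\d+) \[\];$')

def parse_psscan_dot(text):
    """Return ({pid: {"name", "exited"}}, [(ppid, pid), ...]) from psscan dot text."""
    procs, edges = {}, []
    for line in text.splitlines():
        line = line.strip()
        node = NODE_RE.match(line)
        if node:
            pid, name, state = int(node.group(1)), node.group(2).strip(), node.group(3)
            procs[pid] = {"name": name, "exited": state.startswith("exited")}
            continue
        edge = EDGE_RE.match(line)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
    return procs, edges

def find_anomalies(procs, edges):
    """Flag children whose parent never appeared in the scan, and exited processes.
    PPID 0 is the Idle process, the conventional root, so it is not reported."""
    parent_of = {child: parent for parent, child in edges}
    orphans = sorted((pid, ppid) for pid, ppid in parent_of.items()
                     if ppid != 0 and ppid not in procs)
    exited = sorted(pid for pid, p in procs.items() if p["exited"])
    return {"orphans": orphans, "exited": exited}
```

A parent PID that psscan never found is worth a second look, since the parent may have exited or its pool allocation may have been overwritten.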


1.) To display the VAD nodes in a visual tree form, use the vadtree command.

$ python vol.py --profile=WinXPSP2x86 -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -p 856 vadtree

2.) If you want to view the balanced binary tree in Graphviz format, use the dot output rendering:

$ python vol.py --profile=WinXPSP2x86 -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -p 856 vadtree --output=dot --output-file=vadtree_Pid856.dot

3.) Now you can open the dot file in any Graphviz-compatible viewer or render it with the Graphviz dot utility:

$ dot -Tpng -o vadtree_Pid856.png vadtree_Pid856.dot


Graphviz – Graph Visualization Software
The VAD Tree: A Process-Eye View of Physical Memory
