Live Interactive Shell Volatility3 Plugin
live.py – Volatility 3 Live System Analysis Plugin
live.py is a custom plugin for Volatility 3 designed to extend its capabilities for real-time forensic data collection and threat hunting directly on a live Windows system, eliminating the need for a full memory dump.
This tool provides an interactive command-line shell for dynamic investigation, leveraging system APIs through libraries like psutil and pywin32 to quickly triage and analyze active endpoints.
Key Capabilities
Live Analysis Mode
Performs immediate, low-overhead forensic data collection from an active operating system, bypassing traditional memory dump requirements.
Interactive Shell
Includes an integrated CLI environment offering a suite of commands for efficient, step-by-step investigation via the LiveShellCommand interface.
Advanced Threat Hunting
Provides built-in commands for targeted analysis:
- fileless – Detects fileless malware and suspicious in-memory activity, focusing on processes such as powershell.exe.
- detect_sandbox – Identifies virtualized or sandboxed environments by inspecting artifacts, process behavior, and MAC address prefixes.
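The two hunting commands above work from live process and adapter data. The following is an added illustration of that kind of check, not code from live.py: the process records and MAC addresses are constructed inline so it runs offline, where the plugin itself would read them from the host through psutil and pywin32.

```python
import re

# Well-known OUI prefixes registered to virtualization vendors.
VM_MAC_PREFIXES = {
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM",
}

# Command-line traits typical of PowerShell running code that never touches
# disk: encoded payloads, in-memory invocation, staged downloads, hidden windows.
FILELESS_PATTERNS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"iex|invoke-expression", re.I), "in-memory invocation"),
    (re.compile(r"downloadstring|frombase64string", re.I), "payload staging"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
]

def find_fileless(processes):
    """Return (pid, reasons) for powershell.exe processes showing fileless traits."""
    hits = []
    for proc in processes:
        if proc["name"].lower() != "powershell.exe":
            continue
        reasons = [label for pat, label in FILELESS_PATTERNS if pat.search(proc["cmdline"])]
        if reasons:
            hits.append((proc["pid"], reasons))
    return hits

def detect_sandbox(mac_addresses):
    """Map each MAC whose OUI belongs to a hypervisor vendor to that vendor name."""
    found = {}
    for mac in mac_addresses:
        prefix = mac.lower().replace("-", ":")[:8]   # normalise to aa:bb:cc
        if prefix in VM_MAC_PREFIXES:
            found[mac] = VM_MAC_PREFIXES[prefix]
    return found

# Constructed sample records standing in for psutil.process_iter() output
# and the host's adapter list (hypothetical values, not real host data).
SAMPLE_PROCESSES = [
    {"pid": 4120, "name": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc REDACTED"},
    {"pid": 4388, "name": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
    {"pid": 612, "name": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]
SAMPLE_MACS = ["00-0C-29-3A-1B-7C", "A4:5E:60:12:34:56"]

if __name__ == "__main__":
    print(find_fileless(SAMPLE_PROCESSES))   # [(4120, ['encoded command', 'hidden window'])]
    print(detect_sandbox(SAMPLE_MACS))       # {'00-0C-29-3A-1B-7C': 'VMware'}
```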
Comprehensive Forensic Data Collection
Collects essential artifacts and system information for deep analysis:
- Process and Module Data: pslist, psscan, dlllist, handles, sids, cmdline
- Network Activity: netscan for active connections and sockets
- Persistence & Services: Analysis of services, drivers, registry, and autorun entries
- Artifact Analysis: Extraction of shimcache, prefetch, userassist, and jumplists
- Timeline Generation: Unified event correlation using timeliner