Volatility

Check which profile to use with the image.

volatility -f MyDump.dmp imageinfo

Check which processes are running.

volatility -f MyDump.dmp --profile=MyProfile pslist
volatility -f MyDump.dmp --profile=MyProfile pstree
volatility -f MyDump.dmp --profile=MyProfile psxview
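
Added example (not part of the original cheat sheet): psxview reports, per process, which enumeration methods found it, so a row that psscan found but the pslist walk missed is worth a closer look. The shell function below filters psxview text for those rows. It assumes the Volatility 2 column order (Offset, Name, PID, pslist, psscan, ..., ExitTime); the function names and the sample rows are constructed for illustration.

```shell
# Added example, not from the original cheat sheet. Assumes Volatility 2 psxview
# columns: Offset(P) Name PID pslist psscan ... [ExitTime].
# Usage: volatility -f MyDump.dmp --profile=MyProfile psxview | psxview_hidden

# Print "PID<TAB>NAME<TAB>STATE" for processes psscan found but pslist did not.
psxview_hidden() {
    awk '
    $1 !~ /^0x[0-9a-fA-F]+$/ { next }   # skip header, separator and banner lines
    {
        # Names may contain spaces: the PID is the first all-digit field
        # that is immediately followed by a True/False column.
        p = ""
        for (i = 3; i < NF; i++)
            if ($i ~ /^[0-9]+$/ && $(i + 1) ~ /^(True|False)$/) { p = i; break }
        if (p == "") next
        name = $2
        for (j = 3; j < p; j++) name = name " " $j
        if ($(p + 1) == "False" && $(p + 2) == "True") {
            # Fields after the boolean columns are an ExitTime: the process
            # ended and was unlinked normally. No ExitTime needs a closer look.
            state = ($NF ~ /^(True|False|Okay)$/) ? "no-exit-time" : "exited"
            printf "%s\t%s\t%s\n", $p, name, state
        }
    }'
}

# Constructed sample in psxview layout (offsets, names and PIDs are made up).
sample_psxview() {
    cat <<'EOF'
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x01a2b3c0 svchost.exe             856 True   True   True     True   True  True    True
0x01b4d5e0 hidden svc.exe         1337 False  True   True     True   True  True    True
0x01c6f7a0 cmd.exe                2044 False  True   False    True   False False   False    2024-01-01 10:00:00 UTC+0000
0x01d8e9b0 System                    4 True   True   True     True   False False   False
EOF
}
```

Rows marked "exited" are usually processes that terminated before acquisition; rows marked "no-exit-time" are the ones to follow up with procdump or memdump.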

List open TCP/UDP connections.

volatility -f MyDump.dmp --profile=MyProfile connscan
volatility -f MyDump.dmp --profile=MyProfile sockets
volatility -f MyDump.dmp --profile=MyProfile netscan

Check which commands were last run on the computer.

volatility -f MyDump.dmp --profile=MyProfile cmdline
volatility -f MyDump.dmp --profile=MyProfile consoles
volatility -f MyDump.dmp --profile=MyProfile cmdscan

Dump a process's executable and memory.

volatility -f MyDump.dmp --profile=MyProfile procdump -p MyPid --dump-dir .
volatility -f MyDump.dmp --profile=MyProfile memdump -p MyPid --dump-dir .

Check registry hives and key values.

volatility -f MyDump.dmp --profile=MyProfile hivelist
volatility -f MyDump.dmp --profile=MyProfile printkey -K "MyPath"
volatility -f MyDump.dmp --profile=MyProfile hashdump -y SystemOffset -s SamOffset

List file handles and files, and dump the interesting ones.

volatility -f MyDump.dmp --profile=MyProfile handles -p MyPid
volatility -f MyDump.dmp --profile=MyProfile filescan
volatility -f MyDump.dmp --profile=MyProfile dumpfiles -Q FileOffset -D DumpDir -n

Timeline of various memory artifacts.

volatility -f MyDump.dmp --profile=MyProfile timeliner

Plugins

Scan for edit controls created by a call to CreateWindowEx.

volatility -f MyDump.dmp --profile=MyProfile editbox -p MyPid