Results from the 13th Annual Volatility Plugin Contest are in! We received 8 submissions from 7 different countries that included 20 plugins.
Contest submissions included a range of features and functionality:
- Plugins for extracting cryptographic artifacts and keys
- An AI framework to improve efficiency and usability of memory forensics
- Volatility renderers to support modern data analysis workflows
We would like to thank all of this year’s contestants for their contributions to the Volatility community! Independent open-source projects and communities only remain viable because of contributors who are willing to sacrifice their time and resources. You can show your appreciation for their hard work by following on GitHub and social media, providing constructive feedback, or contributing to their code through testing, documentation, and patches.
ACKNOWLEDGEMENTS
We would like to thank Volexity for being a sustaining sponsor of the Volatility Foundation and for contributing to this year’s contest. We would also like to thank the core Volatility developers and the previous winners of the contest who helped review and deliberate the submissions.
Placements and Prizes for the 2025 Volatility Plugin Contest
1st place and $3000 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:
Daniel Baier: XFRM Inspector
2nd place and $2000 USD cash goes to:
Jan-Hendrik Lang: MemoryInvestigator
3rd place and $1000 USD cash goes to:
Kartik Iyer: APCWatch & MalAPC
Summary of Submissions
Below is a detailed summary of all submissions, ordered alphabetically by first name. If you have feedback for the participants, we’re sure they’d love to hear your thoughts! As previously mentioned, these developers deserve praise for their amazing work. We look forward to seeing future work by these authors!
Daniel Baier: XFRM Inspector
This submission includes a set of Volatility 3 plugins that extract VPN (IPsec) related artifacts and cryptographic keys from the Linux XFRM subsystem. AES-GCM keys and authentication tags are extracted directly from the kernel's Security Associations (SAs). Investigators can use these capabilities to list active tunnels and import the keys directly into Wireshark to decrypt ESP traffic in network captures. Because the data needed for decryption often lives only in memory, this set of plugins helps bridge the gap between memory and network forensics.
Related References:
https://github.com/monkeywave/XFRM-Inspector/
https://pchaigno.github.io/xfrm/2024/10/30/linux-xfrm-ipsec-reference-guide.html
Devarjya Purkayastha: PEScan
The PEScan plugin provides an alternative method to malfind for analyzing PE files in a memory sample. It gives each memory region containing a PE file a threat score and then summarizes any high or critical regions. Some of the areas of analysis include packer identification, section entropy calculations, PE header anomalies, as well as searching for suspicious strings, IPs, and URLs. The JSON output includes details of the analysis for the high and critical threat regions for easier SIEM/SOAR integration.
Related References:
https://github.com/devarjya27/PEscan/
Diyar Saadi Ali: Detection Plugins
This submission includes a broad suite of detection plugins and tools to identify suspicious processes and artifacts within the memory sample of a suspected system using a variety of heuristics and indicators.
- DuplicateProcs: Helps investigators locate suspicious or redundant processes that may indicate malware, misconfiguration, or system anomalies
- Enhanced Desktop Artifacts: Quickly identify, categorize, and investigate desktop artifacts
- Fileless Malware Hunter: Identifies sophisticated in-memory attacks, including fileless malware, remote access trojans (RATs), cryptocurrency miners, and living-off-the-land binary (LOLBin) abuse
- Live System Analysis Framework: Enables real-time forensic analysis of live Windows systems without requiring memory dumps
- ProcDup: Lists processes that occur more than once in a memory sample
- ProcVT: Scans Windows processes, extracted from memory, using VirusTotal to identify if they are suspicious
- PSDiff: Detects process anomalies, multiple instances, suspicious parent-child relationships, and unusual patterns in memory
- PSParent: Provides a variety of detections related to suspicious parent/child process pairs, integrity level violations, protected process bypass attempts, and PPID spoofing
- SandboxDetect: Detects sandbox or virtualized environments in Windows memory dumps using multiple heuristic methods
Jan-Hendrik Lang: MemoryInvestigator
MemoryInvestigator was developed as part of a master’s thesis, “Optimizing Memory Forensics: A Proof of Concept for Automating Queries and Integrating Large Language Models”, at the Munich University of Applied Sciences. MemoryInvestigator is a Streamlit-based application designed to automate memory forensic analysis. The tool specializes in Windows memory analysis, and it integrates Volatility 3 and Large Language Models (LLMs), including Retrieval-Augmented Generation (RAG) and an enhanced Tree-of-Table Algorithm. The tool enables an investigator to dig deeper into the memory dump and therefore enhances efficiency and usability in memory forensics.
Related References:
https://github.com/jan-hendrik-lang/MemoryInvestigator
https://dl.acm.org/doi/pdf/10.1145/3748263
Kartik Iyer: APCWatch & MalAPC
This submission presents a comprehensive plugin suite for detecting Asynchronous Procedure Call (APC) injection attacks in Windows memory forensics. The suite consists of two complementary Volatility 3 plugins: APCWatch for APC enumeration and baseline analysis, and MalAPC for advanced threat detection and payload analysis. Together, these tools provide investigators with the capability to identify and analyze one of the most sophisticated code injection techniques employed by modern malware. The white paper submitted along with the plugins covers the theoretical foundations, implementation details, practical usage, and forensic analysis workflows for both plugins.
Related References:
https://learn.microsoft.com/en-us/windows/win32/sync/asynchronous-procedure-calls
https://attack.mitre.org/techniques/T1055/004/
Kyrre Wahl Kongsgård: Arrow & Parquet Renderers
This submission allows Volatility plugin output to be written via the Arrow and Parquet renderers, enabling the output to be easily integrated into tools for modern data analysis workflows. For example, it can be used in notebook-based investigation environments built with marimo and DuckDB. Plugin results can be treated as tables and explored interactively through queries, joins, and derived views. As a result, an analyst can build powerful analysis tools and interactive visualizations.
Related References:
https://github.com/kyrre/deathcon-2025-memory-analysis
https://www.youtube.com/playlist?list=PLXJPlQrY3W8YdU9–Ogz7TaP5qFLRVqt-
https://datasets.marimo.app/deathcon/CLIENT-02.dmp
Théo Letailleur: Journald Extractor
The JournaldExtract plugin automates the extraction of Linux journal files cached in memory and their analysis with the open-source go-journalctl tool. Modern Linux systems rarely produce the old-style plaintext /var/log/messages and /var/log/syslog files and instead write structured, binary journal files. With this plugin, investigators can immediately obtain parsed versions of these journal files from memory and begin deeper analysis.
Related References:
https://systemd.io/JOURNAL_FILE_FORMAT/
https://github.com/Velocidex/go-journalctl
Thomas Clark: EA App Artifacts Volatility 3 Plugin
This plugin is intended to help investigators with incidents involving activity within the EA App, which provides a centralized location for purchasing, downloading, and launching EA games, as well as numerous social features. Examples of the artifacts extracted include OAuth access and refresh tokens, JWT Bearer tokens, EA account identities and user metadata, device and installation identifiers, game entitlements and launch metadata, and EA network endpoints and API URLs.
Related References:
https://github.com/TDClarke/Volatility3-Game-plugins/blob/main/ea_app_artifacts.py
https://github.com/TDClarke/Volatility3-Game-plugins/tree/main
Thomas Clark: MetaHorizonWorlds Volatility 3 Plugin
This plugin scans the memory of processes related to Meta Horizon Worlds on Windows x64 systems to extract OAuth Bearer tokens and memory-resident chat fragments. This can help an investigator learn which accounts were being used, what activities may have been associated with those accounts, and with whom those accounts may have been communicating. It works by identifying the relevant processes and then searching the appropriate virtual address descriptor (VAD) regions.
Related References:
https://github.com/TDClarke/Volatility3-Game-plugins/blob/main/meta_horizon_worlds.py
https://github.com/TDClarke/Volatility3-Game-plugins/tree/main
Thomas Clark: SteamArtifacts Volatility 3 Plugin
With the increasing number of people playing video games, gaming platforms may provide valuable forensic artifacts for digital investigations. Valve's Steam platform is one of the most successful platforms for playing and buying games. This submission includes a plugin that extracts memory-resident strings from the Steam client by scanning its virtual address space and filtering for Steam-related artifacts, including SteamIDs, URLs, installation paths, and other network artifacts. These artifacts can help investigators identify users, track activity, and link users to games, transactions, and communication logs.
Related References:
https://github.com/TDClarke/Volatility3-Game-plugins/blob/main/steam_artifacts.py
https://github.com/TDClarke/Volatility3-Game-plugins/tree/main
Resources
Here are some additional resources for previous contests and community-driven plugins:
- Volatility Foundation Contest Page: https://volatilityfoundation.org/contest
- Volatility 3 Community GitHub Repository: https://github.com/volatilityfoundation/community3