diff --git a/forensics/honeypot/README.md b/forensics/honeypot/README.md index 250e8e5..e7d75d6 100644 --- a/forensics/honeypot/README.md +++ b/forensics/honeypot/README.md @@ -14,9 +14,29 @@ Download Link: http://46.101.25.140/forensics_honeypot.zip ## Flag -## Progress so far +## Volatility3 -- The honeypot.zip file contains รค windows memory dump +### Installation + +```bash +git clone git@github.com:volatilityfoundation/volatility3.git +cd volatility3 +pipenv install +pipenv shell +``` + +### Useful Commands + +```bash +# get running processes and pid +python vol.py -f ~/git/htb-santa-ctf/forensics/honeypot/honeypot.raw windows.cmdline.CmdLine +# get all connected ips +python vol.py -f ~/git/htb-santa-ctf/forensics/honeypot/honeypot.raw windows.netstat.NetStat +``` + +## Notes + +- The honeypot.zip file contains a windows memory dump - By using the `volatility3` framework one can extract data from the dump - By checking `vol -f honeypot.raw windows.cmdline.CMDLine` the malicious process is quite obvious @@ -47,7 +67,7 @@ exited?) - The base64 string in the powershell command contains a url which contains a rickroll, this has to be the url - The PID of said command is 2700 -- By examining the currently active connections, using `vol -f honeypot.raw windows.netscan.Netscan` the following foreign IPs stand out: +- By examining the currently active connections, using `windows.netscan.Netscan` the following foreign IPs stand out: ``` Volatility 3 Framework 1.0.1
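Review bot: In the first hunk, the comment above the first "Useful Commands" entry ("get running processes and pid") does not match the plugin it documents; `windows.cmdline.CmdLine` prints each process's command line (with PID), while a plain process listing is `windows.pslist.PsList`. Either reword the comment to "get command line and pid of each process" or add a `windows.pslist.PsList` line for the process list. Two smaller points in the same hunk: the clone URL `git@github.com:volatilityfoundation/volatility3.git` requires an SSH key on GitHub, so readers without one will fail at step one (an `https://` clone URL works for everyone), and the sample commands hard-code `~/git/htb-santa-ctf/forensics/honeypot/honeypot.raw`, a path specific to the author's machine; a relative `honeypot.raw` run from the challenge directory would make the commands copy-pasteable.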
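Review bot: The second hunk changes the netscan note to reference `windows.netscan.Netscan`, but the "Useful Commands" block added in the first hunk lists `windows.netstat.NetStat` under "get all connected ips", so the README now names two different networking plugins for the same finding with no indication of which produced the output that follows. Pick one and use it in both places, and match the plugin's spelling in both (the unchanged note line still writes `windows.cmdline.CMDLine` where the new command block writes `windows.cmdline.CmdLine`), so a reader can reproduce the listed foreign IPs with the exact command shown.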