Volatility

From Free Software Directory
Revision as of 13:39, 18 August 2015 by WikiSysop (talk | contribs)




http://www.volatilityfoundation.org
advanced memory forensics framework

The Volatility Framework is a completely open collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples. It is useful in forensic analysis. The extraction techniques are performed completely independently of the system being investigated, yet offer unprecedented visibility into the runtime state of the system.

Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs. Whether your memory dump is in raw format, a Microsoft crash dump, hibernation file, or virtual machine snapshot, Volatility is able to work with it.

Linux memory dumps in raw or LiME format are supported too. There are several plugins for analyzing memory dumps from 32- and 64-bit Linux kernels and relevant distributions such as Debian, Ubuntu, OpenSuSE, RedHat, Fedora, CentOS, Mandrake, etc.

Volatility also supports several versions of Mac OS X memory dumps, both 32- and 64-bit. Android phones with ARM processors are also supported.

These are some of the data that can be extracted from a memory image:

- Image information (date, time, CPU count);
- Running processes;
- Open network sockets and connections;
- OS kernel modules loaded;
- Memory maps for each process;
- Executable samples;
- Command history;
- Suspicious process mappings (i.e. injected code);
- Passwords, as LM/NTLM hashes and LSA secrets;
- Cached TrueCrypt passphrases;
- Others.

Current version (2.4) supports investigations of the following memory images:

- 64-bit Windows Server 2012 and 2012 R2;
- 32- and 64-bit Windows 8 and 8.1;
- 32- and 64-bit Windows 7 (all service packs);
- 32- and 64-bit Windows Server 2008 (all service packs);
- 64-bit Windows Server 2008 R2 (all service packs);
- 32- and 64-bit Windows Vista (all service packs);
- 32- and 64-bit Windows Server 2003 (all service packs);
- 32- and 64-bit Windows XP (SP2 and SP3);
- 32- and 64-bit Linux kernels from 2.6.11 to 3.5;
- 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, not supported);
- 32- and 64-bit 10.6.x Snow Leopard;
- 32- and 64-bit 10.7.x Lion;
- 64-bit 10.8.x Mountain Lion (there is no 32-bit version);
- 64-bit 10.9.x Mavericks (there is no 32-bit version);
- 32- and 64-bit Linux kernels up to 3.16.

Volatility supports a variety of sample file formats:

- Raw/Padded Physical Memory;
- Firewire (IEEE 1394);
- Expert Witness (EWF);
- 32- and 64-bit Windows Crash Dump;
- 32- and 64-bit Windows Hibernation;
- 32- and 64-bit Mach-O files;
- VirtualBox Core Dumps;
- VMware Saved State (.vmss) and Snapshot (.vmsn);
- HPAK Format (FastDump);
- QEMU memory dumps.





Licensing

License | Verified by | Verified on | Notes
GPLv2 | Debian: Joao Eriberto Mota Filho <eriberto@debian.org> | 27 November 2014 | License: gpl-2.0
Other | Debian: Joao Eriberto Mota Filho <eriberto@debian.org> | 27 November 2014 | License: gpl-2.0+ or apache-2.0
Other | Debian: Joao Eriberto Mota Filho <eriberto@debian.org> | 27 November 2014 | License: gpl-2.0+




Leaders and contributors

Resources and communication

Audience | Resource type | URI
 | Python (Ref) | https://pypi.org/project/volatility
 | Download | https://github.com/volatilityfoundation/volatility
 | Debian (Ref) | https://tracker.debian.org/pkg/volatility
 | Download | http://www.volatilityfoundation.org


Software prerequisites




Entry

Date: 2015-07-17
Source: Debian
Source link: http://packages.debian.org/sid/volatility


Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the page “GNU Free Documentation License”.

The copyright and license notices on this page only apply to the text on this page. Any software or copyright-licenses or other similar notices described in this text has its own copyright notice and license, which can usually be found in the distribution or license text itself.