Volatility (memory forensics)
Volatility is an open-source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X, and Linux (as of version 2.5[1]).
Stable release | 2.6 / December 30, 2016
---|---
Operating system | Windows, Mac OS X, Linux
Website | www
Volatility was created by computer scientist and entrepreneur Aaron Walters, drawing on academic research he did in memory forensics.[2][3]
Operating System Support
Volatility supports investigations of the following memory images:
Windows:
- 32-bit Windows XP (Service Pack 2 and 3)
- 32-bit Windows 2003 Server (Service Pack 0, 1, 2)
- 32-bit Windows Vista (Service Pack 0, 1, 2)
- 32-bit Windows 2008 Server (Service Pack 1, 2)
- 32-bit Windows 7 (Service Pack 0, 1)
- 32-bit Windows 8, 8.1, and 8.1 Update 1
- 32-bit Windows 10 (initial support)
- 64-bit Windows XP (Service Pack 1 and 2)
- 64-bit Windows 2003 Server (Service Pack 1 and 2)
- 64-bit Windows Vista (Service Pack 0, 1, 2)
- 64-bit Windows 2008 Server (Service Pack 1 and 2)
- 64-bit Windows 2008 R2 Server (Service Pack 0 and 1)
- 64-bit Windows 7 (Service Pack 0 and 1)
- 64-bit Windows 8, 8.1, and 8.1 Update 1
- 64-bit Windows Server 2012 and 2012 R2
- 64-bit Windows 10 (including at least 10.0.14393)
- 64-bit Windows Server 2016 (including at least 10.0.14393.0)
Mac OS X:
- 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
- 32-bit 10.6.x Snow Leopard
- 32-bit 10.7.x Lion
- 64-bit 10.6.x Snow Leopard
- 64-bit 10.7.x Lion
- 64-bit 10.8.x Mountain Lion
- 64-bit 10.9.x Mavericks
- 64-bit 10.10.x Yosemite
- 64-bit 10.11.x El Capitan
- 64-bit 10.12.x Sierra
Linux:
- 32-bit Linux kernels 2.6.11 to 4.2.3
- 64-bit Linux kernels 2.6.11 to 4.2.3
- OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc.
Memory Format Support
Volatility supports a variety of sample file formats and the ability to convert between these formats:
- Raw/Padded Physical Memory
- Firewire (IEEE 1394)
- Expert Witness (EWF)
- 32- and 64-bit Windows Crash Dump
- 32- and 64-bit Windows Hibernation (from Windows 7 or earlier)
- 32- and 64-bit Mach-O files
- VirtualBox Core Dumps
- VMware Saved State (.vmss) and Snapshot (.vmsn)
- HPAK Format (FastDump)
- QEMU memory dumps
- LiME format
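Picking the right address space for one of the formats above usually starts with a look at the file's leading bytes. The Python helper below is an added example written for this page, not Volatility's own code: it classifies an image by the published header magics of several listed formats (PAGEDUMP/PAGEDU64, hibr/HIBR, the EWF "EVF" signature, HPAK, ELF, LiME's 0x4C694D45 and the Mach-O magics) and treats a headerless raw image as the fallback that still needs confirmation.

```python
# Added example: identify the on-disk format of a memory image from its leading
# bytes, so an analyst can pick the matching Volatility address space before
# running plugins. This is a triage helper written for this page, not part of
# Volatility; the signatures are the documented header magics of each format.
import struct

# Fixed byte signatures found at offset 0 of the image file.
_PREFIX_SIGNATURES = [
    (b"PAGEDUMP", "Windows crash dump (32-bit)"),
    (b"PAGEDU64", "Windows crash dump (64-bit)"),
    (b"hibr", "Windows hibernation file (32-bit)"),
    (b"HIBR", "Windows hibernation file (64-bit)"),
    (b"EVF\x09\x0d\x0a\xff\x00", "Expert Witness (EWF/E01) container"),
    (b"HPAK", "HPAK (FastDump) container"),
    (b"\x7fELF", "ELF container (e.g. VirtualBox core dump)"),
]

# LiME writes its header as little-endian 32-bit fields; the magic 0x4C694D45
# therefore appears on disk as the bytes b"EMiL".
_LIME_MAGIC = 0x4C694D45

# Mach-O magics are stored in the producer's byte order; accept both.
_MACHO_MAGICS = {0xFEEDFACE: "Mach-O (32-bit)", 0xFEEDFACF: "Mach-O (64-bit)"}


def identify_memory_image(header: bytes) -> str:
    """Return a format name for the first bytes of an image, or an 'unknown' marker.

    Raw/padded physical memory has no header, so it can only be reported as the
    fallback when nothing else matches; confirm it with a kernel signature scan
    (e.g. Volatility's own profile detection) before trusting that guess.
    """
    for magic, name in _PREFIX_SIGNATURES:
        if header.startswith(magic):
            return name
    if len(header) >= 4:
        (le_word,) = struct.unpack("<I", header[:4])
        (be_word,) = struct.unpack(">I", header[:4])
        if le_word == _LIME_MAGIC:
            return "LiME (Linux Memory Extractor)"
        for word in (le_word, be_word):
            if word in _MACHO_MAGICS:
                return _MACHO_MAGICS[word]
    return "unknown (possibly raw/padded physical memory)"


def identify_file(path: str) -> str:
    """Read only the leading bytes of a (possibly huge) image and classify it."""
    with open(path, "rb") as fh:
        return identify_memory_image(fh.read(16))
```

Only the first 16 bytes are read, so the check is safe to run over a directory of multi-gigabyte images; QEMU dumps and VMware saved state carry no single fixed prefix here and will fall through to the fallback.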
References
- http://www.volatilityfoundation.org/#!25/c1f29
- Petroni, N. L., Walters, A., Fraser, T., & Arbaugh, W. A. (2006). FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory. Digital Investigation, 3(4), 197-210.
- Walters, A., & Petroni, N. L. (2007). Volatools: Integrating Volatile Memory into the Digital Investigation Process. Black Hat Briefings DC 2007, 1-18.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.