Volatility Framework – Memory Forensics Framework

Last Release: 12/18/2018     Last Commit: 10/08/2019

Volatility Framework – Memory Forensics Framework

Introduction

Volatility is an open source memory forensics framework, completely open collection of tools, for incident response and malware analysis. It’s implemented in Python under the GNU General Public License. The first version of The Volatility Framework was released publicly at Black Hat.

An Advanced Memory Forensics Framework - Violatility

Volatility: Advanced Memory Forensics Framework

Volatility, memory forensics framework, is capable to perform monitoring runtime processes and state of any system using the data found in RAM (Volatile memory). Therefore, it can perform reconnaissance on process lists, ports, network connections, registry files, DLL’s, crash dumps and cached sectors. This framework also provides a unique platform that enables better efficiency of Forensic research (Law Enforcement, defense forces, commercial investigators, etc.

Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including:

  • XP, 2003 Server, Vista, Server 2008, Server 2008 R2, and Seven.

It also supports Linux memory dumps in raw or LiME format and include 35+ plugins for analyzing 32- and 64-bit Linux kernels from 2.6.11 – 3.5.x and distributions such as:

  • Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake.

Furthermore, this memory forensics framework supports:

  • Mac OSX memory dumps from 10.5 to 10.8.3 Mountain Lion, both 32- and 64-bit;
  • Also, Android phones with ARM processors.

Key Features:

  • A single, cohesive framework: analyzes RAM dumps from 32- and 64-bit Windows, also Linux, Mac, and Android systems;
  • Its Open Source GPLv2:  read it, learn from it, and extend it;
  • It's written in Python: most analysts are already familiar with Python, forensic and reverse engineering language with loads of libraries that can easily integrate into volatility;
  • Runs on Windows, Linux, or Mac analysis systems: runs on any platform that supports Python;
  • Extensible and scriptable API: gives you the power to go beyond and continue innovating.
  • Unparalleled feature sets: based on reverse engineering and specialized research.
  • Comprehensive coverage of file formats: volatility can analyze:
    • raw dumps, crash dumps, hibernation files, VMware .vmem, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor), expert witness (EWF), and direct physical memory over Firewire.
  • Fast and efficient algorithms: let you analyze RAM dumps from large systems without unnecessary overhead or memory consumption.
  • Serious and powerful community: of practitioners and researchers who work in the forensics, IR, and malware analysis fields. It brings together contributors from commercial companies, law enforcement, and academic institutions around the world.
  • Forensics/IR/malware focus: Volatility was created by forensics, incident response, and malware experts to focus on the types of tasks these analysts typically form.

Volatility supports the following  memory formats:

  • Raw/Padded Physical Memory
  • Firewire (IEEE 1394)
  • Expert Witness (EWF)
  • 32- and 64-bit: Windows Crash Dump,Windows Hibernation, also MachO files
  • Virtualbox Core Dumps
  • VMware Saved State (.vmss) and Snapshot (.vmsn)
  • HPAK Format (FastDump)
  • LiME (Linux Memory Extractor)
  • QEMU VM memory dumps

To see full list of memory images supported for the Volatility investigations, visit github repository.

Install Volatility

Step 1 – Download

Download a stable release, or clone it from github:

$ git clone https://github.com/volatilityfoundation/volatility.git

Step 2 – Install

Instalation isn’t necessary if you’re using standalone Linux, Windows or Mac executable. Also, dependencies are already packaged inside the .exe. Just run it form a command prompt.

Windows-only: If you’re using the Pyinstaller executable, double click and follow through with the installation instructions. You must already have a working Python 2.7. For the dependency libraries check github repository.

Upgrade

If you used setup.py to install Volatility, and trying to to run setup.py for a new version, you may have some problems. So, before you install a new version of Volatility, remove everything the previous setup.py created:

$ sudo rm -rf /usr/local/lib/python2.6/dist-packages/volatility
$ sudo rm `which vol.py`
$ sudo rm -rf /usr/local/contrib/plugins

Check here for the Community Plugin Repo.

Basic Usage

  1. Replace plugin with the name of the plugin to use,
  2. image with the file path to your memory image,
  3. and profile with the name of the profile.
$ python vol.py [plugin] -f [image] --profile=[profile]

To display global options/help and the list of  the available plugins for the specified profile, just type -h or --help on command-line:

python vol.py -h 

  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
Documentation Box
Download Box

Want to remove data from the drive permanently and to make life a bit harder for data forensic guys? This article may help you in that: Remove Data Permanently (HDD/SSD/Memory).