Volatility is an open source memory forensics framework, a completely open collection of tools for incident response and malware analysis. It’s implemented in Python under the GNU General Public License. The first version of The Volatility Framework was released publicly at Black Hat.
Volatility: Advanced Memory Forensics Framework
Volatility, a memory forensics framework, can monitor the runtime processes and state of any system using the data found in RAM (volatile memory). Therefore, it can perform reconnaissance on process lists, ports, network connections, registry files, DLLs, crash dumps and cached sectors. This framework also provides a unique platform that enables more efficient forensic research (law enforcement, defense forces, commercial investigators, etc.).
Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including:
- XP, 2003 Server, Vista, Server 2008, Server 2008 R2, and Seven.
It also supports Linux memory dumps in raw or LiME format and includes 35+ plugins for analyzing 32- and 64-bit Linux kernels from 2.6.11 – 3.5.x and distributions such as:
- Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake.
Furthermore, this memory forensics framework supports:
- Mac OSX memory dumps from 10.5 to 10.8.3 Mountain Lion, both 32- and 64-bit;
- Also, Android phones with ARM processors.
- A single, cohesive framework: analyzes RAM dumps from 32- and 64-bit Windows, as well as Linux, Mac, and Android systems.
- Open source, GPLv2: read it, learn from it, and extend it.
- Written in Python: most analysts are already familiar with Python, a language widely used for forensics and reverse engineering, with plenty of libraries that integrate easily with Volatility.
- Runs on Windows, Linux, or Mac analysis systems: runs on any platform that supports Python.
- Extensible and scriptable API: gives you the power to go beyond and continue innovating.
- Unparalleled feature set: based on reverse engineering and specialized research.
- Comprehensive coverage of file formats: Volatility can analyze:
Volatility supports the following memory formats:
- Raw/Padded Physical Memory
- Firewire (IEEE 1394)
- Expert Witness (EWF)
- 32- and 64-bit Windows Crash Dump, Windows Hibernation, and MachO files
- Virtualbox Core Dumps
- VMware Saved State (.vmss) and Snapshot (.vmsn)
- HPAK Format (FastDump)
- LiME (Linux Memory Extractor)
- QEMU VM memory dumps
To see the full list of memory image formats supported by Volatility, visit the GitHub repository.
Step 1 – Download
Download a stable release, or clone it from github:
$ git clone https://github.com/volatilityfoundation/volatility.git
Step 2 – Install
Installation isn’t necessary if you’re using the standalone Linux, Windows or Mac executable; the dependencies are already packaged inside the .exe. Just run it from a command prompt.
If you used setup.py to install Volatility and are trying to run setup.py for a new version, you may have some problems. So, before you install a new version of Volatility, remove everything from the previous one:
$ sudo rm -rf /usr/local/lib/python2.6/dist-packages/volatility
$ sudo rm `which vol.py`
$ sudo rm -rf /usr/local/contrib/plugins
Check here for the Community Plugin Repo.
To run a plugin, replace [plugin] with the name of the plugin to use, [image] with the file path to your memory image, and [profile] with the name of the profile:
$ python vol.py [plugin] -f [image] --profile=[profile]
To display global options/help and the list of available plugins for the specified profile, just type --help on the command line:
$ python vol.py -h
-h, --help    list all available options and their default values. Default values may be set in the configuration file (/etc/volatilityrc)
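As an added example (not code from the original post or from the Volatility project), the following Python script builds the `python vol.py [plugin] -f [image] --profile=[profile]` command line shown above, runs it, and parses the text output of the `pslist` plugin into a parent/child map to surface processes whose parent is no longer in the listing. The `pslist` plugin name is real, but the image path, profile name and the sample output embedded below are constructed assumptions, not from a real dump.

```python
"""Added example: script Volatility 2 via its command line (the form the post
shows) and parse pslist output. Sample output below is constructed."""
import shlex
import subprocess


def build_command(plugin, image, profile, vol="python vol.py"):
    """Return argv for `python vol.py [plugin] -f [image] --profile=[profile]`."""
    return shlex.split(vol) + [plugin, "-f", image, "--profile=" + profile]


def run_plugin(plugin, image, profile):
    """Run the plugin and return its stdout (needs vol.py in the working dir)."""
    return subprocess.run(build_command(plugin, image, profile),
                          capture_output=True, text=True, check=True).stdout


def parse_pslist(text):
    """Parse pslist table rows into {pid: (name, ppid)}.
    Rows follow the '---' separator; columns are Offset Name PID PPID ...
    (assumes process names contain no spaces, as EPROCESS names do not)."""
    procs, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        procs[int(fields[2])] = (fields[1], int(fields[3]))
    return procs


def orphans(procs):
    """PIDs whose parent is absent from the listing (PPID 0 excluded).
    A parent that has exited is normal for some processes, so treat the
    result as a triage lead to cross-check, not a verdict."""
    return sorted(pid for pid, (_, ppid) in procs.items()
                  if ppid != 0 and ppid not in procs)


SAMPLE = """Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
--------- ---- --- ---- ---- ---- ---- ----- -----
0x8a0 System         4    0 55 250 ---- 0 2012-01-01 00:00:00
0x8b0 smss.exe     368    4  3  19 ---- 0 2012-01-01 00:00:01
0x8c0 csrss.exe    584  368 11 400    0 0 2012-01-01 00:00:02
0x8d0 winlogon.exe 608  368 17 450    0 0 2012-01-01 00:00:02
0x8e0 explorer.exe 1320 1288 20 600   0 0 2012-01-01 00:01:00
"""

if __name__ == "__main__":
    print(build_command("pslist", "memory.raw", "Win7SP1x64"))
    print("orphan PIDs:", orphans(parse_pslist(SAMPLE)))  # [1320]
```

Replace `SAMPLE` with `run_plugin("pslist", image, profile)` once vol.py and a matching profile are available.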
Want to remove data from the drive permanently and to make life a bit harder for data forensic guys? This article may help you in that: Remove Data Permanently (HDD/SSD/Memory).