Volatility Framework – Advanced Memory Forensics Framework

Outsmart Malicious Hackers


The Volatility Framework is an an advanced, completely open collection of tools for memory forensics, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.

Volatility Framework - Advanced Memory Forensics Framework

The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Volatility does not provide memory sample acquisition capabilities. For acquisition, there are both free and commercial solutions available.

Features

  • A single, cohesive framework analyzes RAM dumps from 32- and 64-bit windows, linux, mac, and android systems.
  • It’s Open Source GPLv2, which means you can read it, learn from it, and extend it.
  • It’s written in Python, an established forensic and reverse engineering language with loads of libraries that can easily integrate into volatility.
  • Runs on windows, linux, or mac analysis systems (anywhere Python runs) – a refreshing break from other memory analysis tools that only run on windows and require .NET installations and admin privileges just to open.
  • Extensible and scriptable API gives you the power to go beyond and continue innovating.
  • Unparalleled feature sets based on reverse engineering and specialized research.
  • Comprehensive coverage of file formats – volatility can analyze raw dumps, crash dumps, hibernation files, VMware .vmem, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor), expert witness (EWF), and direct physical memory over Firewire.
  • Fast and efficient algorithms let you analyze RAM dumps from large systems without unnecessary overhead or memory consumption.
  • Serious and powerful community of practitioners and researchers who work in the forensics, IR, and malware analysis fields. It brings together contributors from commercial companies, law enforcement, and academic institutions around the world.
  • Forensics/IR/malware focus – Volatility was designed by forensics, incident response, and malware experts to focus on the types of tasks these analysts typically form.

File Format Support

Volatility supports a variety of sample file formats and the ability to convert between these formats:

  • Raw linear sample (dd)
  • Hibernation file (from Windows 7 and earlier)
  • Crash dump file
  • VirtualBox ELF64 core dump
  • VMware saved state and snapshot files
  • EWF format (E01)
  • LiME (Linux Memory Extractor) format
  • Mach-O file format
  • QEMU virtual machine dumps
  • Firewire
  • HPAK (FDPro)

Usage

The most basic Volatility commands are constructed as shown below. Replace plugin with the name of the plugin to use, image with the file path to your memory image, and profile with the name of the profile (such as Win7SP1x64).

Here is an example:

For everything beyond this example, such as controlling the output format, listing the available plugins and profiles, or supplying plugin-specific options, see the full documentation.

Requirements

Here is what you need for the core functionality:

  • A Windows, Linux, or Mac OS X machine
  • Python version 2.6 or greater (but not 3.x)

Some plugins require third party libraries which you can get here:

  • Distorm3 (Malware Plugins, Volshell)
  • Yara (Malware Plugins)
  • PyCrypto (Core)
  • OpenPyxl (xlsx rendering for all plugins)
  • Pil (Screenshot plugin)

You can download Volatility Framework here:

volatility-2.5.zip

Or read more here.


Posted in: Forensics, Security Software

, ,

Latest Posts:


BSQLinjector - Blind SQL Injection Tool Download BSQLinjector – Blind SQL Injection Tool Download in Ruby
BSQLinjector is an easy to use Blind SQL Injection tool in Ruby, that uses blind methods to retrieve data from SQL databases.
CCleaner Hack - Spreading Malware To Specific Tech Companies CCleaner Hack – Spreading Malware To Specific Tech Companies
The CCleaner Hack is blowing up, initially estimated to be huge, it's hit at least 700k computers & is specifically targeting 20 top tech organisations.
AWSBucketDump - AWS S3 Security Scanning Tool AWSBucketDump – AWS S3 Security Scanning Tool
AWSBucketDump is an AWS S3 Security Scanning Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files.
nbtscan Download - NetBIOS Scanner For Windows & Linux nbtscan Download – NetBIOS Scanner For Windows & Linux
nbtscan is a command-line NetBIOS scanner for Windows that is SUPER fast, it scans for open NetBIOS nameservers on a local or remote TCP/IP network.
Equifax Data Breach - Hack Due To Missed Apache Patch Equifax Data Breach – Hack Due To Missed Apache Patch
The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
Seth - RDP Man In The Middle Attack Tool Seth – RDP Man In The Middle Attack Tool
Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection to extract clear text creds


Comments are closed.