Wednesday, August 1, 2007

Announce: Volatility Framework 1.1.1

The Volatile Systems team is pleased to announce:

The volatile memory extraction utility framework:
Volatility Framework 1.1.1

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) images. The extraction techniques are performed completely independently of the system being investigated but still offer visibility into the runtime state of that system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory images and to provide a platform for further research into this area.

Volatility 1.1.1 currently supports the investigation of Microsoft Windows XP Service Pack memory images and provides the following extraction capabilities:
  • Image date and time
  • Running processes
  • Open network sockets
  • Open network connections
  • DLLs loaded for each process
  • Open files for each process
  • OS kernel modules
  • Mapping physical offsets to virtual addresses (strings to process mapping)
  • Virtual Address Descriptor information
  • Scanning examples: processes, threads, sockets, connections

Download the Volatility Framework at:

http://www.volatilesystems.com/VolatileWeb/volatility.gsp

Recent Changes:
  • Constraint-based linear scanning framework. New modules include psscan, thrdscan, sockscan, connscan. Inspired by the work of Andreas Schuster.
  • Virtual Address Descriptor modules: vadinfo, vaddump, vadwalk. Based on the research of Brendan Dolan-Gavitt to be presented at DFRWS 2007.
  • Completely open source (no third-party closed-source dependencies)
  • Auto-identification speed enhancements
  • Bug fixes in network and socket modules
  • Symbol dependencies removed
  • Multiprocessor support
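To show what the constraint-based linear scanning behind modules like psscan does, here is an added toy example; it is not Volatility's code, and the pool header layout, object body, `Proc` tag, constraints and sample image are all constructed for the illustration rather than real Windows structures.

```python
import struct
from typing import Callable, Dict, Iterator, List

# Constructed toy layout for this illustration, NOT the real Windows pool header
# or _EPROCESS: an 8-byte pool header followed by a fixed-size object body.
POOL_TAG = b"Proc"
HEADER = struct.Struct("<HH4s")      # previous_size, block_size (8-byte units), tag
BODY = struct.Struct("<II16sQ")      # pid, ppid, image name, create time
RECORD = HEADER.size + BODY.size     # 8 + 32 = 40 bytes

Candidate = Dict[str, object]
Constraint = Callable[[Candidate], bool]

def parse_candidate(image: bytes, offset: int) -> Candidate:
    prev_size, block_size, tag = HEADER.unpack_from(image, offset)
    pid, ppid, name, ctime = BODY.unpack_from(image, offset + HEADER.size)
    return {"offset": offset, "block_size": block_size, "pid": pid, "ppid": ppid,
            "name": name.split(b"\0", 1)[0], "create_time": ctime}

# Constraints a genuine object must satisfy; a byte run that merely happens to
# contain the tag will usually violate at least one of them.
DEFAULT_CONSTRAINTS: List[Constraint] = [
    lambda c: c["block_size"] * 8 >= RECORD,        # allocation can hold the body
    lambda c: 0 < c["pid"] < 65536,
    lambda c: c["ppid"] < 65536,
    lambda c: c["create_time"] != 0,
    lambda c: c["name"] != b"" and c["name"].isascii(),
]

def scan(image: bytes, constraints=DEFAULT_CONSTRAINTS, align: int = 8) -> Iterator[Candidate]:
    """Linear scan: test every aligned offset, never walking the OS's own lists."""
    for off in range(0, len(image) - RECORD + 1, align):
        if image[off + 4:off + 8] != POOL_TAG:
            continue                                # cheap tag check first
        cand = parse_candidate(image, off)
        if all(check(cand) for check in constraints):
            yield cand

def make_record(pid: int, ppid: int, name: bytes, ctime: int, block_size: int = 5) -> bytes:
    return HEADER.pack(0, block_size, POOL_TAG) + BODY.pack(pid, ppid, name.ljust(16, b"\0"), ctime)

def build_sample_image() -> bytes:
    """Constructed image: filler, two plausible processes, one decoy carrying the tag."""
    filler = bytes(range(256)) * 2                  # 512 bytes of deterministic filler
    return (filler + make_record(4, 0, b"System", 0x1D34A00)
            + filler[:40] + make_record(99999, 4, b"bogus", 0)   # pid too large, time zero
            + filler + make_record(1234, 4, b"svchost.exe", 0x1D34B00) + filler)

def scan_pids(image: bytes) -> List[int]:
    return [c["pid"] for c in scan(image)]
```

Because the scan visits every aligned offset instead of following the kernel's process list, it can also surface objects that have been unlinked from that list or belong to terminated processes, and the decoy shows why the constraints are needed to keep false positives down.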

Thanks,

The Volatile Systems team
