The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for performing advanced memory forensics. The extraction techniques are performed completely independent of the system being investigated but still offer unprecedented visibility into the run time state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples, while providing a powerful platform for further research.
Volatility 1.3 currently supports the investigation of Microsoft Windows XP Service Pack 2 and Service Pack 3 memory samples. Preliminary support has also been added for the Linux operating system, making Volatility the only cross platform memory analysis framework.
Some of the new features in Volatility 1.3 include:
- Over 14 new data view modules!
- New object model allowing easier module development and memory exploration
- New plugin design allowing organizations to easily create, maintain, and share modules
- New object oriented scanning infrastructure (Very Fast!)
- Process graphing capabilities
- Ability to extract open registry handles
- Ability to dump a process' addressable memory
- Ability to extract executables from memory samples
- Transparently supports a variety of sample formats (ie, CrashDump, Hibernate, DD)
- Automated conversion between sample formats
- New scanning modules (ie, modules)
- Support for XP SP3
Special thanks to Brendan Dolan-Gavitt, Andreas Schuster, Michael Cohen, and Matthieu Suiche.
Download the Volatility Framework from:
The Volatility Team