Convert Figma logo to code with AI

volatilityfoundation logovolatility

An advanced memory forensics framework

7,257
1,276
7,257
224

Top Related Projects

Volatility 3.0 development

A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.

1,917

Rekall Memory Forensic Framework

Quick Overview

Volatility is an open-source memory forensics framework for incident response and malware analysis. It is designed to analyze volatile memory dumps from Windows, Linux, and Mac systems, allowing investigators to extract valuable information from a system's RAM.

Pros

  • Comprehensive memory analysis capabilities for multiple operating systems
  • Large and active community, providing regular updates and support
  • Extensive plugin ecosystem for customized analysis
  • Powerful command-line interface for advanced users and automation

Cons

  • Steep learning curve for beginners
  • Performance can be slow when analyzing large memory dumps
  • Limited graphical user interface options
  • Requires specific memory dump formats, which may not always be available

Code Examples

# Example 1: List all processes in a memory dump
import volatility3
from volatility3.cli import command_line

args = ["--file", "memory_dump.raw", "windows.pslist.PsList"]
command_line.main(args)
# Example 2: Extract registry hives from a memory dump
import volatility3
from volatility3.cli import command_line

args = ["--file", "memory_dump.raw", "windows.registry.hivelist.HiveList"]
command_line.main(args)
# Example 3: Scan for network connections
import volatility3
from volatility3.cli import command_line

args = ["--file", "memory_dump.raw", "windows.netscan.NetScan"]
command_line.main(args)

Getting Started

  1. Install Volatility 3:

    pip install volatility3
    
  2. Download a memory dump file (e.g., memory_dump.raw)

  3. Run a basic analysis:

    import volatility3
    from volatility3.cli import command_line
    
    args = ["--file", "memory_dump.raw", "windows.info.Info"]
    command_line.main(args)
    
  4. Explore other plugins and options in the Volatility 3 documentation for more advanced analysis.

Competitor Comparisons

Volatility 3.0 development

Pros of Volatility3

  • Improved performance and speed for memory analysis
  • Better support for modern operating systems and architectures
  • More flexible and extensible plugin system

Cons of Volatility3

  • Limited compatibility with older Volatility 2 plugins
  • Steeper learning curve for users familiar with Volatility 2
  • Some features and plugins from Volatility 2 not yet ported

Code Comparison

Volatility (Python 2):

import volatility.utils as utils
import volatility.plugins.common as common

class MyPlugin(common.AbstractWindowsCommand):
    def calculate(self):
        addr_space = utils.load_as(self._config)
        # Plugin logic here

Volatility3 (Python 3):

from volatility3.framework import interfaces
from volatility3.framework import renderers

class MyPlugin(interfaces.plugins.PluginInterface):
    @classmethod
    def run(cls, context, layer_name, symbol_table):
        # Plugin logic here
        return renderers.TreeGrid([("Column", str)], [])

The code comparison shows the difference in plugin structure and implementation between Volatility and Volatility3. Volatility3 uses a more modular and object-oriented approach, with improved type hinting and a cleaner API for plugin development.

A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.

Pros of FLARE VM

  • Comprehensive Windows-based malware analysis environment
  • Easy setup with automated installation scripts
  • Includes a wide range of pre-configured tools for reverse engineering and forensics

Cons of FLARE VM

  • Limited to Windows operating systems
  • Requires significant disk space and system resources
  • May not be as flexible for customization as individual tool installations

Code Comparison

While a direct code comparison is not particularly relevant due to the different nature of these projects, we can look at how they are typically used:

Volatility:

python vol.py -f memory_dump.raw imageinfo
python vol.py -f memory_dump.raw --profile=Win7SP1x64 pslist

FLARE VM (PowerShell installation):

Set-ExecutionPolicy Unrestricted
.\install.ps1

Summary

Volatility is a memory forensics framework focused on analyzing memory dumps, while FLARE VM is a comprehensive Windows-based environment for malware analysis and reverse engineering. Volatility offers more flexibility and can be used on various platforms, whereas FLARE VM provides a pre-configured setup with a wide range of tools specifically for Windows systems.

1,917

Rekall Memory Forensic Framework

Pros of Rekall

  • More modern codebase with Python 3 support
  • Faster analysis due to improved memory access techniques
  • Better support for live memory analysis

Cons of Rekall

  • Smaller community and less frequent updates
  • Limited plugin ecosystem compared to Volatility
  • Steeper learning curve for new users

Code Comparison

Rekall:

from rekall import session
s = session.Session(filename="memory.dmp")
for proc in s.plugins.pslist():
    print(proc.name, proc.pid)

Volatility:

import volatility.plugins.common as common
import volatility.utils as utils
class PsList(common.AbstractWindowsCommand):
    def render_text(self, outfd, data):
        for task in data:
            outfd.write("{0} {1}\n".format(task.ImageFileName, task.UniqueProcessId))

Both tools offer powerful memory forensics capabilities, but Volatility has a larger user base and more extensive plugin support. Rekall, on the other hand, provides better performance and more modern features. The choice between them often depends on specific use cases and user preferences.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

============================================================================ Volatility Framework - Volatile memory extraction utility framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

The Volatility distribution is available from: http://www.volatilityfoundation.org/#!releases/component_71401

Volatility should run on any platform that supports Python (http://www.python.org)

Volatility supports investigations of the following memory images:

Windows:

  • 32-bit Windows XP Service Pack 2 and 3
  • 32-bit Windows 2003 Server Service Pack 0, 1, 2
  • 32-bit Windows Vista Service Pack 0, 1, 2
  • 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
  • 32-bit Windows 7 Service Pack 0, 1
  • 32-bit Windows 8, 8.1, and 8.1 Update 1
  • 32-bit Windows 10 (initial support)
  • 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
  • 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
  • 64-bit Windows Vista Service Pack 0, 1, 2
  • 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
  • 64-bit Windows 2008 R2 Server Service Pack 0 and 1
  • 64-bit Windows 7 Service Pack 0 and 1
  • 64-bit Windows 8, 8.1, and 8.1 Update 1
  • 64-bit Windows Server 2012 and 2012 R2
  • 64-bit Windows 10 (including at least 10.0.19041)
  • 64-bit Windows Server 2016 (including at least 10.0.19041)

Note: Please see the guidelines at the following link for notes on compatibility with recently patched Windows 7 (or later) memory samples:

https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles

Linux:

  • 32-bit Linux kernels 2.6.11 to 5.5
  • 64-bit Linux kernels 2.6.11 to 5.5
  • OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc

Mac OSX:

  • 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
  • 32-bit 10.6.x Snow Leopard
  • 64-bit 10.6.x Snow Leopard
  • 32-bit 10.7.x Lion
  • 64-bit 10.7.x Lion
  • 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
  • 64-bit 10.9.x Mavericks (there is no 32-bit version)
  • 64-bit 10.10.x Yosemite (there is no 32-bit version)
  • 64-bit 10.11.x El Capitan (there is no 32-bit version)
  • 64-bit 10.12.x Sierra (there is no 32-bit version)
  • 64-bit 10.13.x High Sierra (there is no 32-bit version))
  • 64-bit 10.14.x Mojave (there is no 32-bit version)
  • 64-bit 10.15.x Catalina (there is no 32-bit version)

Volatility does not provide memory sample acquisition capabilities. For acquisition, there are both free and commercial solutions available. If you would like suggestions about suitable acquisition solutions, please contact us at:

volatility (at) volatilityfoundation (dot) org

Volatility supports a variety of sample file formats and the ability to convert between these formats:

  • Raw linear sample (dd)
  • Hibernation file (from Windows 7 and earlier)
  • Crash dump file
  • VirtualBox ELF64 core dump
  • VMware saved state and snapshot files
  • EWF format (E01)
  • LiME format
  • Mach-O file format
  • QEMU virtual machine dumps
  • Firewire
  • HPAK (FDPro)

For a more detailed list of capabilities, see the following:

https://github.com/volatilityfoundation/volatility/wiki

Also see the community plugins repository:

https://github.com/volatilityfoundation/community

Example Data

If you want to give Volatility a try, you can download exemplar memory images from the following url:

https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples

Mailing Lists

Mailing lists to support the users and developers of Volatility can be found at the following address:

http://lists.volatilesystems.com/mailman/listinfo

Contact

For information or requests, contact:

Volatility Foundation

Web: http://www.volatilityfoundation.org http://volatility-labs.blogspot.com http://volatility.tumblr.com

Email: volatility (at) volatilityfoundation (dot) org

IRC: #volatility on freenode

Twitter: @volatility

Requirements

Some plugins may have other requirements which can be found at: https://github.com/volatilityfoundation/volatility/wiki/Installation

Quick Start

  1. Unpack the latest version of Volatility from volatilityfoundation.org

  2. To see available options, run "python vol.py -h" or "python vol.py --info"

    Example:

$ python vol.py --info Volatility Foundation Volatility Framework 2.6

Address Spaces

AMD64PagedMemory - Standard AMD 64-bit address space. ArmAddressSpace - Address space for ARM processors FileAddressSpace - This is a direct file AS. HPAKAddressSpace - This AS supports the HPAK format IA32PagedMemory - Standard IA-32 paging address space. IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible LimeAddressSpace - Address space for Lime LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space. MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader OSXPmemELF - This AS supports VirtualBox ELF64 coredump format QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format Win10AMD64PagedMemory - Windows 10-specific AMD 64-bit address space. WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space. WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.

Profiles

VistaSP0x64 - A Profile for Windows Vista SP0 x64 VistaSP0x86 - A Profile for Windows Vista SP0 x86 VistaSP1x64 - A Profile for Windows Vista SP1 x64 VistaSP1x86 - A Profile for Windows Vista SP1 x86 VistaSP2x64 - A Profile for Windows Vista SP2 x64 VistaSP2x86 - A Profile for Windows Vista SP2 x86 Win10x64 - A Profile for Windows 10 x64 Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23) Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16) Win10x86 - A Profile for Windows 10 x86 Win10x86_10586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28) Win10x86_14393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16) Win2003SP0x86 - A Profile for Windows 2003 SP0 x86 Win2003SP1x64 - A Profile for Windows 2003 SP1 x64 Win2003SP1x86 - A Profile for Windows 2003 SP1 x86 Win2003SP2x64 - A Profile for Windows 2003 SP2 x64 Win2003SP2x86 - A Profile for Windows 2003 SP2 x86 Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64 Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64 Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09) Win2008SP1x64 - A Profile for Windows 2008 SP1 x64 Win2008SP1x86 - A Profile for Windows 2008 SP1 x86 Win2008SP2x64 - A Profile for Windows 2008 SP2 x64 Win2008SP2x86 - A Profile for Windows 2008 SP2 x86 Win2012R2x64 - A Profile for Windows Server 2012 R2 x64 Win2012R2x64_18340 - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13) Win2012x64 - A Profile for Windows Server 2012 x64 Win2016x64_14393 - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16) Win7SP0x64 - A Profile for Windows 7 SP0 x64 Win7SP0x86 - A Profile for Windows 7 SP0 x86 Win7SP1x64 - A Profile for Windows 7 SP1 x64 Win7SP1x64_23418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09) Win7SP1x86 - A Profile for Windows 7 SP1 x86 Win7SP1x86_23418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09) Win81U1x64 - A Profile for Windows 8.1 Update 1 x64 Win81U1x86 - A Profile for Windows 8.1 Update 1 x86 Win8SP0x64 - A Profile for Windows 8 x64 Win8SP0x86 - A Profile for Windows 8 x86 Win8SP1x64 - A Profile for Windows 8.1 x64 Win8SP1x64_18340 - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13) Win8SP1x86 - A Profile for Windows 8.1 x86 WinXPSP1x64 - A Profile for Windows XP SP1 x64 WinXPSP2x64 - A Profile for Windows XP SP2 x64 WinXPSP2x86 - A Profile for Windows XP SP2 x86 WinXPSP3x86 - A Profile for Windows XP SP3 x86

Plugins

amcache - Print AmCache information apihooks - Detect API hooks in process and kernel memory atoms - Print session and window station atom tables atomscan - Pool scanner for atom tables auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv bigpools - Dump the big page pools using BigPagePoolScanner bioskbd - Reads the keyboard buffer from Real Mode memory cachedump - Dumps cached domain hashes from memory callbacks - Print system-wide notification routines clipboard - Extract the contents of the windows clipboard cmdline - Display process command-line arguments cmdscan - Extract command history by scanning for _COMMAND_HISTORY connections - Print list of open connections [Windows XP and 2003 Only] connscan - Pool scanner for tcp connections consoles - Extract command history by scanning for _CONSOLE_INFORMATION crashinfo - Dump crash-dump information deskscan - Poolscaner for tagDESKTOP (desktops) devicetree - Show device tree dlldump - Dump DLLs from a process address space dlllist - Print list of loaded dlls for each process driverirp - Driver IRP hook detection drivermodule - Associate driver objects to kernel modules driverscan - Pool scanner for driver objects dumpcerts - Dump RSA private and public SSL keys dumpfiles - Extract memory mapped and cached files dumpregistry - Dumps registry files out to disk editbox - Displays information about Edit controls. (Listbox experimental.) envars - Display process environment variables eventhooks - Print details on windows event hooks evtlogs - Extract Windows Event Logs (XP/2003 only) filescan - Pool scanner for file objects gahti - Dump the USER handle type information gditimers - Print installed GDI timers and callbacks gdt - Display Global Descriptor Table getservicesids - Get the names of services in the Registry and return Calculated SID getsids - Print the SIDs owning each process handles - Print list of open handles for each process hashdump - Dumps passwords hashes (LM/NTLM) from memory hibinfo - Dump hibernation file information hivedump - Prints out a hive hivelist - Print list of registry hives. hivescan - Pool scanner for registry hives hpakextract - Extract physical memory from an HPAK file hpakinfo - Info on an HPAK file idt - Display Interrupt Descriptor Table iehistory - Reconstruct Internet Explorer cache / history imagecopy - Copies a physical address space out as a raw DD image imageinfo - Identify information for the image impscan - Scan for calls to imported functions joblinks - Print process job link information kdbgscan - Search for and dump potential KDBG values kpcrscan - Search for and dump potential KPCR values ldrmodules - Detect unlinked DLLs limeinfo - Dump Lime file format information linux_apihooks - Checks for userland apihooks linux_arp - Print the ARP table linux_aslr_shift - Automatically detect the Linux ASLR shift linux_banner - Prints the Linux banner information linux_bash - Recover bash history from bash process memory linux_bash_env - Recover a process' dynamic environment variables linux_bash_hash - Recover bash hash table from bash process memory linux_check_afinfo - Verifies the operation function pointers of network protocols linux_check_creds - Checks if any processes are sharing credential structures linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking linux_check_fop - Check file operation structures for rootkit modifications linux_check_idt - Checks if the IDT has been altered linux_check_inline_kernel - Check for inline kernel hooks linux_check_modules - Compares module list to sysfs info, if available linux_check_syscall - Checks if the system call table has been altered linux_check_syscall_arm - Checks if the system call table has been altered linux_check_tty - Checks tty devices for hooks linux_cpuinfo - Prints info about each active processor linux_dentry_cache - Gather files from the dentry cache linux_dmesg - Gather dmesg buffer linux_dump_map - Writes selected memory mappings to disk linux_dynamic_env - Recover a process' dynamic environment variables linux_elfs - Find ELF binaries in process mappings linux_enumerate_files - Lists files referenced by the filesystem cache linux_find_file - Lists and recovers files from memory linux_getcwd - Lists current working directory of each process linux_hidden_modules - Carves memory to find hidden kernel modules linux_ifconfig - Gathers active interfaces linux_info_regs - It's like 'info registers' in GDB. It prints out all the linux_iomem - Provides output similar to /proc/iomem linux_kernel_opened_files - Lists files that are opened from within the kernel linux_keyboard_notifiers - Parses the keyboard notifier call chain linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl linux_library_list - Lists libraries loaded into a process linux_librarydump - Dumps shared libraries in process memory to disk linux_list_raw - List applications with promiscuous sockets linux_lsmod - Gather loaded kernel modules linux_lsof - Lists file descriptors and their path linux_malfind - Looks for suspicious process mappings linux_memmap - Dumps the memory map for linux tasks linux_moddump - Extract loaded kernel modules linux_mount - Gather mounted fs/devices linux_mount_cache - Gather mounted fs/devices from kmem_cache linux_netfilter - Lists Netfilter hooks linux_netscan - Carves for network connection structures linux_netstat - Lists open sockets linux_pidhashtable - Enumerates processes through the PID hash table linux_pkt_queues - Writes per-process packet queues out to disk linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images linux_proc_maps - Gathers process memory maps linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree linux_procdump - Dumps a process's executable image to disk linux_process_hollow - Checks for signs of process hollowing linux_psaux - Gathers processes along with full command line and start time linux_psenv - Gathers processes along with their static environment variables linux_pslist - Gather active tasks by walking the task_struct->task list linux_pslist_cache - Gather tasks from the kmem_cache linux_psscan - Scan physical memory for processes linux_pstree - Shows the parent/child relationship between processes linux_psxview - Find hidden processes with various process listings linux_recover_filesystem - Recovers the entire cached file system from memory linux_route_cache - Recovers the routing cache from memory linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache linux_slabinfo - Mimics /proc/slabinfo on a running machine linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose) linux_threads - Prints threads of processes linux_tmpfs - Recovers tmpfs filesystems from memory linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases linux_vma_cache - Gather VMAs from the vm_area_struct cache linux_volshell - Shell in the memory image linux_yarascan - A shell in the Linux memory image lsadump - Dump (decrypted) LSA secrets from the registry mac_adium - Lists Adium messages mac_apihooks - Checks for API hooks in processes mac_apihooks_kernel - Checks to see if system call and kernel functions are hooked mac_arp - Prints the arp table mac_bash - Recover bash history from bash process memory mac_bash_env - Recover bash's environment variables mac_bash_hash - Recover bash hash table from bash process memory mac_calendar - Gets calendar events from Calendar.app mac_check_fop - Validate File Operation Pointers mac_check_mig_table - Lists entires in the kernel's MIG table mac_check_syscall_shadow - Looks for shadow system call tables mac_check_syscalls - Checks to see if system call table entries are hooked mac_check_sysctl - Checks for unknown sysctl handlers mac_check_trap_table - Checks to see if mach trap table entries are hooked mac_compressed_swap - Prints Mac OS X VM compressor stats and dumps all compressed pages mac_contacts - Gets contact names from Contacts.app mac_dead_procs - Prints terminated/de-allocated processes mac_dead_sockets - Prints terminated/de-allocated network sockets mac_dead_vnodes - Lists freed vnode structures mac_devfs - Lists files in the file cache mac_dmesg - Prints the kernel debug buffer mac_dump_file - Dumps a specified file mac_dump_maps - Dumps memory ranges of process(es), optionally including pages in compressed swap mac_dyld_maps - Gets memory maps of processes from dyld data structures mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images mac_get_profile - Automatically detect Mac profiles mac_ifconfig - Lists network interface information for all devices mac_interest_handlers - Lists IOKit Interest Handlers mac_ip_filters - Reports any hooked IP filters mac_kernel_classes - Lists loaded c++ classes in the kernel mac_kevents - Show parent/child relationship of processes mac_keychaindump - Recovers possbile keychain keys. Use chainbreaker to open related keychain files mac_ldrmodules - Compares the output of proc maps with the list of libraries from libdl mac_librarydump - Dumps the executable of a process mac_list_files - Lists files in the file cache mac_list_kauth_listeners - Lists Kauth Scope listeners mac_list_kauth_scopes - Lists Kauth Scopes and their status mac_list_raw - List applications with promiscuous sockets mac_list_sessions - Enumerates sessions mac_list_zones - Prints active zones mac_lsmod - Lists loaded kernel modules mac_lsmod_iokit - Lists loaded kernel modules through IOkit mac_lsmod_kext_map - Lists loaded kernel modules mac_lsof - Lists per-process opened files mac_machine_info - Prints machine information about the sample mac_malfind - Looks for suspicious process mappings mac_memdump - Dump addressable memory pages to a file mac_moddump - Writes the specified kernel extension to disk mac_mount - Prints mounted device information mac_netstat - Lists active per-process network connections mac_network_conns - Lists network connections from kernel network structures mac_notesapp - Finds contents of Notes messages mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext) mac_orphan_threads - Lists threads that don't map back to known modules/processes mac_pgrp_hash_table - Walks the process group hash table mac_pid_hash_table - Walks the pid hash table mac_print_boot_cmdline - Prints kernel boot arguments mac_proc_maps - Gets memory maps of processes mac_procdump - Dumps the executable of a process mac_psaux - Prints processes with arguments in user land (**argv) mac_psenv - Prints processes with environment in user land (**envp) mac_pslist - List Running Processes mac_pstree - Show parent/child relationship of processes mac_psxview - Find hidden processes with various process listings mac_recover_filesystem - Recover the cached filesystem mac_route - Prints the routing table mac_socket_filters - Reports socket filters mac_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose) mac_tasks - List Active Tasks mac_threads - List Process Threads mac_threads_simple - Lists threads along with their start time and priority mac_timers - Reports timers set by kernel drivers mac_trustedbsd - Lists malicious trustedbsd policies mac_version - Prints the Mac version mac_vfsevents - Lists processes filtering file system events mac_volshell - Shell in the memory image mac_yarascan - Scan memory for yara signatures machoinfo - Dump Mach-O file format information malfind - Find hidden and injected code mbrparser - Scans for and parses potential Master Boot Records (MBRs) memdump - Dump the addressable memory for a process memmap - Print the memory map messagehooks - List desktop and thread window message hooks mftparser - Scans for and parses potential MFT entries moddump - Dump a kernel driver to an executable file sample modscan - Pool scanner for kernel modules modules - Print list of loaded modules multiscan - Scan for various objects at once mutantscan - Pool scanner for mutex objects netscan - Scan a Vista (or later) image for connections and sockets notepad - List currently displayed notepad text objtypescan - Scan for Windows object type objects patcher - Patches memory based on page scans poolpeek - Configurable pool scanner plugin pooltracker - Show a summary of pool tag usage printkey - Print a registry key, and its subkeys and values privs - Display process privileges procdump - Dump a process to an executable file sample pslist - Print all running processes by following the EPROCESS lists psscan - Pool scanner for process objects pstree - Print process list as a tree psxview - Find hidden processes with various process listings qemuinfo - Dump Qemu information raw2dmp - Converts a physical memory sample to a windbg crash dump screenshot - Save a pseudo-screenshot based on GDI windows servicediff - List Windows services (ala Plugx) sessions - List details on _MM_SESSION_SPACE (user logon sessions) shellbags - Prints ShellBags info shimcache - Parses the Application Compatibility Shim Cache registry key shutdowntime - Print ShutdownTime of machine from registry sockets - Print list of open sockets sockscan - Pool scanner for tcp socket objects ssdt - Display SSDT entries strings - Match physical offsets to virtual addresses (may take a while, VERY verbose) svcscan - Scan for Windows services symlinkscan - Pool scanner for symlink objects thrdscan - Pool scanner for thread objects threads - Investigate _ETHREAD and _KTHREADs timeliner - Creates a timeline from various artifacts in memory timers - Print kernel timers and associated module DPCs truecryptmaster - Recover TrueCrypt 7.1a Master Keys truecryptpassphrase - TrueCrypt Cached Passphrase Finder truecryptsummary - TrueCrypt Summary unloadedmodules - Print list of unloaded modules userassist - Print userassist registry keys and information userhandles - Dump the USER handle tables vaddump - Dumps out the vad sections to a file vadinfo - Dump the VAD info vadtree - Walk the VAD tree and display in tree format vadwalk - Walk the VAD tree vboxinfo - Dump virtualbox information verinfo - Prints out the version information from PE images vmwareinfo - Dump VMware VMSS/VMSN information volshell - Shell in the memory image win10cookie - Find the ObHeaderCookie value for Windows 10 windows - Print Desktop Windows (verbose details) wintree - Print Z-Order Desktop Windows Tree wndscan - Pool scanner for window stations yarascan - Scan process or kernel memory with Yara signatures

  1. To get more information on a Windows memory sample and to make sure Volatility supports that sample type, run 'python vol.py imageinfo -f ' or 'python vol.py kdbgscan -f '

    Example:

    $ python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw Volatility Foundation Volatility Framework 2.6 Determining profile based on KDBG search...

           Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
                      AS Layer1 : AMD64PagedMemory (Kernel AS)
                      AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw)
                       PAE type : PAE
                            DTB : 0x187000L
                           KDBG : 0xf800016460a0
           Number of Processors : 1
      Image Type (Service Pack) : 1
                 KPCR for CPU 0 : 0xfffff80001647d00L
              KUSER_SHARED_DATA : 0xfffff78000000000L
            Image date and time : 2012-03-24 19:30:53 UTC+0000
      Image local date and time : 2012-03-25 03:30:53 +0800
    

    If multiple profiles are suggested by imageinfo or kdbgscan, or if you're having trouble analyzing Windows 7 or later memory samples, please see the guidelines here:

     https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles
    
  2. Run some other plugins. -f is a required option for all plugins. Some also require/accept other options. Run "python vol.py -h" for more information on a particular command. A Command Reference wiki is also available on the GitHub site:

     https://github.com/volatilityfoundation/volatility/wiki
    

    as well as Basic Usage:

     https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
    

Licensing and Copyright

Copyright (C) 2007-2016 Volatility Foundation

All Rights Reserved

Volatility is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Volatility is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Volatility. If not, see http://www.gnu.org/licenses/.

Bugs and Support

There is no support provided with Volatility. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

If you think you've found a bug, please report it at:

https://github.com/volatilityfoundation/volatility/issues

In order to help us solve your issues as quickly as possible, please include the following information when filing a bug:

  • The version of volatility you're using
  • The operating system used to run volatility
  • The version of python used to run volatility
  • The suspected operating system of the memory image
  • The complete command line you used to run volatility

Depending on the operating system of the memory image, you may need to provide additional information, such as:

For Windows:

  • The suspected Service Pack of the memory image

For Linux:

  • The suspected kernel version of the memory image

Other options for communication can be found at: https://github.com/volatilityfoundation/volatility/wiki

Missing or Truncated Information

Volatility Foundation makes no claims about the validity or correctness of the output of Volatility. Many factors may contribute to the incorrectness of output from Volatility including, but not limited to, malicious modifications to the operating system, incomplete information due to swapping, and information corruption on image acquisition.

Command Reference

The following url contains a reference of all commands supported by Volatility.

https://github.com/volatilityfoundation/volatility/wiki