Digital Forensics Tool: Volatility Memory Forensics Framework
The Volatility Framework, by Aaron Walters, is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.
Features
- A single, cohesive framework analyzes RAM dumps from 32- and 64-bit Windows, Linux, Mac, and Android systems.
- It's Open Source (GPLv2), which means you can read it, learn from it, and extend it.
- It's written in Python, an established forensic and reverse engineering language with loads of libraries that can easily integrate into Volatility.
- Runs on Windows, Linux, or Mac analysis systems (anywhere Python runs) – a refreshing break from other memory analysis tools that only run on Windows and require .NET installations and admin privileges just to open.
- Extensible and scriptable API gives you the power to go beyond and continue innovating.
- Unparalleled feature sets based on reverse engineering and specialized research.
- Comprehensive coverage of file formats – Volatility can analyze raw dumps, crash dumps, hibernation files, VMware .vmem, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor), expert witness (EWF), and direct physical memory over Firewire.
- Fast and efficient algorithms let you analyze RAM dumps from large systems without unnecessary overhead or memory consumption.
- Serious and powerful community of practitioners and researchers who work in the forensics, IR, and malware analysis fields. It brings together contributors from commercial companies, law enforcement, and academic institutions around the world.
- Forensics/IR/malware focus – Volatility was designed by forensics, incident response, and malware experts to focus on the types of tasks these analysts typically perform.
Volatility supports a variety of sample file formats and the ability to convert between these formats:
- Raw linear sample (dd)
- Hibernation file (from Windows 7 and earlier)
- Crash dump file
- VirtualBox ELF64 core dump
- VMware saved state and snapshot files
- EWF format (E01)
- LiME format
- Mach-O file format
- QEMU virtual machine dumps
- Firewire
- HPAK (FDPro)
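Before handing a sample to a framework like Volatility, an analyst usually wants to confirm which of the container formats above it actually is, since a mislabelled file silently yields an empty address space. The following is an added example, not code from the Volatility project: it classifies a sample by its header signature for the formats whose signatures are well known (crash dump, hibernation file, ELF core dump, EWF, Mach-O, HPAK, LiME) and, for LiME, walks the segment headers to recover the physical address ranges captured. The signature table and the `build_lime` helper are constructed for this example; VMware, QEMU and Firewire are not covered.

```python
import struct

# Header signatures at offset 0 for several formats in the list above
# (constructed table for this example; VMware, QEMU and Firewire not covered).
SIGNATURES = [
    (b"PAGEDU64", "Windows crash dump (64-bit)"),
    (b"PAGEDUMP", "Windows crash dump (32-bit)"),
    (b"hibr", "Windows hibernation file"),
    (b"HIBR", "Windows hibernation file"),
    (b"EVF\x09\x0d\x0a\xff\x00", "EWF (E01)"),
    (b"EMiL", "LiME"),          # 0x4C694D45 as written by a little-endian host
    (b"HPAK", "HPAK (FDPro)"),
]

def identify(data):
    """Return a human-readable container format for the sample bytes."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    if data[:4] == b"\x7fELF":
        return "ELF64 core dump" if data[4:5] == b"\x02" else "ELF32 core dump"
    if data[:4] in (b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf"):
        return "Mach-O 64-bit image"
    return "raw linear sample (no recognised header)"

# LiME segment header: magic, version, start, end (inclusive), 8 reserved bytes.
LIME_HDR = struct.Struct("<IIQQ8s")
LIME_MAGIC = 0x4C694D45

def lime_segments(data):
    """Walk a LiME image; return [(start, end, file_offset_of_payload), ...].
    Raises ValueError on a bad header or a truncated final segment."""
    segs, off = [], 0
    while off + LIME_HDR.size <= len(data):
        magic, version, start, end, _ = LIME_HDR.unpack_from(data, off)
        if magic != LIME_MAGIC or version != 1 or end < start:
            raise ValueError("bad LiME header at offset %#x" % off)
        body = off + LIME_HDR.size
        if body + (end - start + 1) > len(data):
            raise ValueError("truncated LiME segment at offset %#x" % off)
        segs.append((start, end, body))
        off = body + (end - start + 1)
    if off != len(data):
        raise ValueError("trailing bytes after last LiME segment")
    return segs

def build_lime(segments):
    """Construct a LiME image from (start, payload) pairs (test input only)."""
    out = b""
    for start, payload in segments:
        out += LIME_HDR.pack(LIME_MAGIC, 1, start, start + len(payload) - 1, b"\0" * 8)
        out += payload
    return out
```

A sample whose header matches nothing is reported as raw, which is also what a truncated or zero-filled acquisition looks like, so a "raw" verdict on a file that should have a header deserves a second look.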