The Volatility Framework - Volatile Memory Extraction

   The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Why Volatility

• A single, cohesive framework analyzes RAM dumps from 32- and 64-bit windows, linux, mac, and android systems. Volatility’s modular design allows it to easily support new operating systems and architectures as they are released. All your devices are targets…so don’t limit your forensic capabilities to just windows computers.

• Its Open Source GPLv2, which means you can read it, learn from it, and extend it. Why use a tool that outputs results without giving you any indication where the values came from or how they were interpreted? Learn how your tools work, understand why and how to tweak and enhance them – help yourself become a smarter analyst. You can also immediately fix any issues you discover, instead of having to wait weeks or months for vendors to communicate, reproduce, and publish patches.

• Its written in Python, an established forensic and reverse engineering language with loads of libraries that can easily integrate into volatility. Most analysts are already familiar with Python and don’t want to learn new languages. For example, windbg’s scripting syntax which is often seen as cryptic and many times the capabilities just aren’t there. Other memory analysis frameworks require you to use Visual Studio to compile C# DLLs and the rest don’t expose a programming API at all.

• Runs on windows, linux, or mac analysis systems (anywhere Python runs) – a refreshing break from other memory analysis tools that only run on windows and require .NET installations and admin privileges just to open. If you’re already accustomed to performing forensics on a particular host OS, by all means keep using it – and take volatility with you.

• Extensible and scriptable API gives you the power to go beyond and continue innovating. For example you can use volatility to build a customized web interface or GUI, drive your malware sandbox, perform virtual machine introspection or just explore kernel memory in an automated fashion. Analysts can add new address spaces, plugins, data structures, and overlays to truly weld the framework to their needs. You can explore the Doxygen documentation for Volatility to get an idea of its internals.

• Unparalleled feature sets based on reverse engineering and specialized research. Volatility provides capabilities that Microsoft’s own kernel debugger doesn’t allow, such as carving command histories, console input/output buffers, USER objects (GUI memory), and network related data structures. Just because its not documented doesn’t mean you can’t analyze it!

• Comprehensive coverage of file formats – volatility can analyze raw dumps, crash dumps, hibernation files, VMware .vmem, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor), expert witness (EWF), and direct physical memory over Firewire. You can even convert back and forth between these formats. In the heat of your incident response moment, don’t get caught looking like a fool when someone hands you a format your other tools can’t parse.

• Fast and efficient algorithms let you analyze RAM dumps from large systems without unnecessary overhead or memory consumption. For example volatility is able to list kernel modules from an 80 GB system in just a few seconds. There is always room for improvement, and timing differs per command, however other memory analysis frameworks can take several hours to do the same thing on much smaller memory dumps.

• Serious and powerful community of practitioners and researchers who work in the forensics, IR, and malware analysis fields. It brings together contributors from commercial companies, law enforcement, and academic institutions around the world. Don’t just take our word for it – check out the Volatility Documentation Project – a collection of over 200 docs from 60+ different authors. Volatility is also being built on by a number of large organizations such as Google, National DoD Laboratories, DC3, and many Antivirus and security shops.

• Forensics/IR/malware focus – Volatility was designed by forensics, incident response, and malware experts to focus on the types of tasks these analysts typically form. As a result, there are things that are often very important to a forensics analysts that are not as important to a person debugging a kernel driver (unallocated storage, indirect artifacts, etc).

• Money-back guarantee – There is nothing another memory analysis framework can do that volatility can’t (or that it can’t be quickly programmed to do).

Getting Volatility

$ git clone https://github.com/volatilityfoundation/volatility.git

This will create a volatility folder that contains the source code and you can run Volatility directory from there.

Installing Volatility

If you’re using the standalone Windows, Linux, or Mac executable, no installation is necessary – just run it from a command prompt. No dependencies are required, because they’re already packaged inside the exe.

Volatility v2.5 Released

   This is the first release since the publication of The Art of Memory Forensics! It adds support for Windows 10 (initial), Linux kernels 4.2.3, and Mac OS X El Capitan. Additionally, the unified output rendering gives users the flexibility of asking for results in various formats (html, sqlite, json, xlsx, dot, text, etc.) while simplifying things for plugin developers. In short, less code leads to more functionality. This is especially useful for framework designers (GUIs, web interfaces, library APIs), because you can interface with a plugin directly and ask for json, which you then store, process, or modify however you want.

This release also coincides with the Community repo – a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, its an entire arsenal of plugins that you can easily extend into your existing Volatility installation.

Release Highlights

• Windows

  • Added profiles for Windows 8.1 Update 1
  • Added basic support for Windows 10
  • New plugin to print AmCache information from the registry (amcache)
  • New plugin to dump registry files to disk (dumpregistry)
  • New plugin to detect hidden/unlinked service record structures (servicediff)
  • New plugin to print the shutdown time from the registry (shutdowntime)
  • New plugin to print editbox controls from the GUI subsystem (editbox)
  • Malfind plugin detects injected code with erased PE headers
  • Imagecopy and raw2dmp can display the number of bytes copied or converted
  • Fix an issue with the memmap and memdump offsets being inconsistent
  • Fix an issue with vadtree’s graphviz fill colors not being rendered by some viewers
  • Update the well known SIDs reported by the getsids plugin
  • Add an optional –max-size parameter to yarascan, dump_maps, etc
  • Fix an issue translating strings in PAE and x64 images
  • Add options to yarascan for case-insensitive search
  • Add options to yarascan to scan process and kernel memory at once

• Mac OSX

  • Added profiles and support for Mac 10.10 Yosemite and 10.11 El Capitan
  • New plugin to print and extract compressed swap data (mac_compressed_swap)
  • New plugin to automatically detect Mac OS X profiles (mac_get_profile)
  • New plugin(s) to report Kauth scopes and listeners (mac_list_kauth_scopes | listeners)
  • New plugin to identify applications with promiscuous sockets (mac_list_raw)
  • New plugin to find hidden threads (mac_orphan_threads)
  • New plugin to print process environment variables (mac_psenv)
  • New plugin to print basic and complex thread data (mac_threads, mac_threads_simple)

• Linux/Android

  • Addd support for Linux kernels up to 4.2.3
  • New plugin to print Linux dynamic environment variables (linux_dynamic_env)
  • New plugin to print the current working directory of processes (linux_getcwd)
  • New plugin to carve for network connection structures (linux_netscan)
  • Speed improvements to various plugins
  • Improve handling of mprotect() Linux memory regions

Operating System Support

• 64-bit Windows Server 2012 and 2012 R2
• 32- and 64-bit Windows 10 (initial/basic support)
• 32- and 64-bit Windows 8, 8.1, and 8.1 Update 1
• 32- and 64-bit Windows 7 (all service packs)
• 32- and 64-bit Windows Server 2008 (all service packs)
• 64-bit Windows Server 2008 R2 (all service packs)
• 32- and 64-bit Windows Vista (all service packs)
• 32- and 64-bit Windows Server 2003 (all service packs)
• 32- and 64-bit Windows XP (SP2 and SP3)
• 32- and 64-bit Linux kernels from 2.6.11 to 4.2.3
• 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn’t supported)
• 32- and 64-bit 10.6.x Snow Leopard
• 32- and 64-bit 10.7.x Lion
• 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
• 64-bit 10.9.x Mavericks (there is no 32-bit version)
• 64-bit 10.10.x Yosemite (there is no 32-bit version)
• 64-bit 10.11.x El Capitan (there is no 32-bit version)

Memory Format Support

• Raw/Padded Physical Memory
• Firewire (IEEE 1394)
• Expert Witness (EWF)
• 32- and 64-bit Windows Crash Dump
• 32- and 64-bit Windows Hibernation (from Windows 7 or earlier)
• 32- and 64-bit MachO files
• Virtualbox Core Dumps
• VMware Saved State (.vmss) and Snapshot (.vmsn)
• HPAK Format (FastDump)
• QEMU memory dumps

Github Project