Volatility Framework 1.1.1 (GPL) Aug 13 2007 10:39PM
AAron Walters (awalters 4tphi net)

The Volatile Systems team is pleased to announce:

The volatile memory extraction utility framework:
Volatility Framework 1.1.1

The Volatility Framework is a completely open collection of tools, implemented
in Python under the GNU General Public License, for the extraction of digital
artifacts from volatile memory (RAM) images. The extraction techniques are
performed completely independent of the system being investigated but still
offer visibility into the run time state of the system. The framework is
intended to introduce people to the techniques and complexities associated with
extracting digital artifacts from volatile memory images and provide a platform
for further research into this area.

Volatility 1.1.1 currently supports the investigations of Microsoft Windows XP
Service Pack 2 memory images and provides the following extraction

- Image date and time
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
- OS kernel modules
- Mapping physical offsets to virtual addresses (strings to process
- Virtual Address Descriptor information
- Scanning examples: processes, threads, sockets, connections

Download the Volatility Framework at:

Recent Changes:

- Constraint based linear scanning framework. New modules include psscan,
thrdscan, sockscan, connscan. Inspired by the work of Andreas Schuster.
- Virtual Address Descriptor modules: vadinfo, vaddump, vadwalk. Based on the
research of Brendan Dolan-Gavitt to be presented at DFRWS 2007.
- Completely open source (No third-party closed source dependencies)
- Auto-identification speed enhancements
- Bug fixes in network and socket modules
- Symbol dependencies removed
- Multiprocessor support


The Volatile Systems team
volatility (at) volatilesystems (dot) com [email concealed]

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus