The Volatility Framework: Volatile memory artifact extraction utility framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Image Source

http://blogs.sans.org/computer-forensics/files/2011/01/volatility-1.4rc1-h.png

The Volatility Framework demonstrates our committment to and belief in the importance of open source digital investigation tools . Volatile Systems is committed to the belief that the technical procedures used to extract digital evidence should be open to peer analysis and review. We also believe this is in the best interest of the digital investigation community, as it helps increase the communal knowledge about systems we are forced to investigate. Similarly, we do not believe the availability of these tools should be restricted and therefore encourage people to modify, extend, and make derivative works, as permitted by the GPL.

Main Features:

  • Image information (date, time, CPU count)
  • Running processes
  • Process SIDs and environment variables
  • Open network sockets
  • Open network connections
  • DLLs loaded for each process
  • Open handles to all kernel/executive objects (files, keys, mutexes)
  • OS kernel modules
  • Dump any process, DLL, or module to disk
  • Mapping physical offsets to virtual addresses
  • Virtual Address Descriptor information
  • Addressable memory for each process
  • Memory maps for each process
  • Extract executable samples
  • Scanning examples: processes, threads, sockets, connections, modules
  • Command histories (cmd.exe) and console input/output buffers
  • Imported and exported API functions
  • PE version information
  • System call tables (IDT, GDT, SSDT)
  • API hooks in user- and kernel-mode (inline, IAT, EAT, NT syscall, winsock)
  • Explore cached registry hives
  • Dump LM/NTLM hashes and LSA secrets
  • User assist and shimcache exploration
  • Scan for byte patterns, regular expressions, or strings in memory
  • Analyze kernel timers and callback functions
  • Report on windows services

Supported Samples

The Volatility Framework can extract digital artifacts from volatile memory samples captured from:

  • 32-bit Windows XP Service Pack 2 and 3
  • 32-bit Windows 2003 Server Service Pack 0, 1, 2
  • 32-bit Windows Vista Service Pack 0, 1, 2
  • 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
  • 32-bit Windows 7 Service Pack 0, 1
  • 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
  • 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
  • 64-bit Windows Vista Service Pack 0, 1, 2
  • 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
  • 64-bit Windows 2008 R2 Server Service Pack 0 and 1
  • 64-bit Windows 7 Service Pack 0 and 1

Download Volatility Framework

 

Permanent link to this article: https://www.darknessgate.com/2014/03/12/the-volatility-framework-volatile-memory-artifact-extraction-utility-framework/