Monday, October 31, 2011

The Volatility Framework: Volatile memory artifact extraction utility framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated, but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Video Demonstration

The Volatility Framework demonstrates our commitment to and belief in the importance of open source digital investigation tools. Volatile Systems is committed to the belief that the technical procedures used to extract digital evidence should be open to peer analysis and review. We also believe this is in the best interest of the digital investigation community, as it helps increase the communal knowledge about systems we are forced to investigate. Similarly, we do not believe the availability of these tools should be restricted and therefore encourage people to modify, extend, and make derivative works, as permitted by the GPL.
The Volatility Framework currently provides the following extraction capabilities for memory samples:
  • Image date and time
  • Running processes
  • Open network sockets
  • Open network connections
  • DLLs loaded for each process
  • Open files for each process
  • Open registry handles for each process
  • A process' addressable memory
  • OS kernel modules
  • Mapping physical offsets to virtual addresses (strings to process)
  • Virtual Address Descriptor information
  • Scanning examples: processes, threads, sockets, connections, modules
  • Extract executables from memory samples
  • Transparently supports a variety of sample formats (i.e., crash dump, hibernation, DD)
  • Automated conversion between formats
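Two items in the list above, "a process' addressable memory" and "mapping physical offsets to virtual addresses", rest on the same mechanism: walking a process's page tables inside the RAM sample. The Python below is an added example written for this page, not code from the Volatility project, and assumes the 32-bit non-PAE x86 paging used by the Windows versions listed further down when PAE is disabled (PAE and x64 add further table levels). The 64 KiB "memory image", the CR3 value, the page-table layout and the string placed in it are all constructed here so the script runs offline. It shows translation of a virtual address to a physical offset, reading a buffer that spans two non-contiguous physical pages, and the reverse lookup that attributes a physical offset found by a string scan to the virtual address(es) of a process.

```python
"""Page-table walk over a constructed x86 32-bit (non-PAE) memory image.

Constructed example, not Volatility code: demonstrates how a memory
forensics tool maps a process's virtual addresses onto physical offsets
in a RAM sample (CR3 -> page directory -> page table -> frame) and how it
maps a physical offset back to the virtual address(es) that reference it.
"""
import struct

PAGE = 0x1000
PRESENT = 0x1        # bit 0 of a PDE/PTE
LARGE_PAGE = 0x80    # PDE PS bit: a 4 MiB page with no page-table level


def _u32(mem, off):
    """Read a little-endian 32-bit table entry at a physical offset."""
    return struct.unpack_from("<I", mem, off)[0]


def v2p(mem, cr3, vaddr):
    """Translate one virtual address; return the physical offset or None if unmapped."""
    pde = _u32(mem, (cr3 & 0xFFFFF000) + ((vaddr >> 22) & 0x3FF) * 4)
    if not pde & PRESENT:
        return None
    if pde & LARGE_PAGE:
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = _u32(mem, (pde & 0xFFFFF000) + ((vaddr >> 12) & 0x3FF) * 4)
    if not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF)


def mapped_pages(mem, cr3):
    """Yield (vaddr, paddr, size) for every present mapping in the address space."""
    pd_base = cr3 & 0xFFFFF000
    for i in range(1024):
        pde = _u32(mem, pd_base + i * 4)
        if not pde & PRESENT:
            continue
        if pde & LARGE_PAGE:
            yield i << 22, pde & 0xFFC00000, 1 << 22
            continue
        pt_base = pde & 0xFFFFF000
        for j in range(1024):
            pte = _u32(mem, pt_base + j * 4)
            if pte & PRESENT:
                yield (i << 22) | (j << 12), pte & 0xFFFFF000, PAGE


def p2v(mem, cr3, paddr):
    """All virtual addresses in this address space that map to a physical offset.

    A physical frame can be referenced from more than one virtual address
    (shared or doubly mapped pages), so the result is a list, not one value.
    """
    return sorted(v + (paddr - p) for v, p, size in mapped_pages(mem, cr3)
                  if p <= paddr < p + size)


def read_virtual(mem, cr3, vaddr, length):
    """Read a virtual buffer page by page; stops short at the first unmapped page."""
    out = bytearray()
    while len(out) < length:
        p = v2p(mem, cr3, vaddr + len(out))
        if p is None:
            break
        n = min(length - len(out), PAGE - (p & 0xFFF))
        out += mem[p:p + n]
    return bytes(out)


def build_sample_image():
    """Constructed 64 KiB 'RAM sample': page directory at 0x1000, one page table at 0x2000."""
    mem = bytearray(16 * PAGE)
    cr3 = 0x1000
    # PDE 1 (virtual 0x00400000-0x007FFFFF) -> page table at physical 0x2000
    struct.pack_into("<I", mem, cr3 + 1 * 4, 0x2000 | PRESENT)
    # PDE 2 (virtual 0x00800000-0x00BFFFFF) -> 4 MiB large page over physical 0
    struct.pack_into("<I", mem, cr3 + 2 * 4, 0x00000000 | LARGE_PAGE | PRESENT)
    # PTEs: virtual 0x00400000 -> physical 0x3000, virtual 0x00401000 -> physical 0x4000
    struct.pack_into("<I", mem, 0x2000 + 0 * 4, 0x3000 | PRESENT)
    struct.pack_into("<I", mem, 0x2000 + 1 * 4, 0x4000 | PRESENT)
    # A constructed string straddling two physical pages that are virtually contiguous
    mem[0x3FF8:0x3FF8 + 8] = b"Volatili"
    mem[0x4000:0x4000 + 2] = b"ty"
    return bytes(mem), cr3


if __name__ == "__main__":
    mem, cr3 = build_sample_image()
    print(hex(v2p(mem, cr3, 0x00400FF8)))            # 0x3ff8
    print(read_virtual(mem, cr3, 0x00400FF8, 10))    # b'Volatility'
    print([hex(v) for v in p2v(mem, cr3, 0x3FF8)])   # ['0x400ff8', '0x803ff8']
```

The reverse lookup is the operation behind "strings to process": a string scanner reports physical offsets, and only by walking each process's page directory can the investigator say which process (and which virtual address in it) owns the bytes. Because `p2v` returns every alias, the example also shows why one physical hit may legitimately belong to several mappings.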
The Volatility Framework can extract digital artifacts from volatile memory samples captured from:
  • 32bit Windows XP Service Pack 2 and 3
  • 32bit Windows 2003 Server Service Pack 0, 1, 2
  • 32bit Windows Vista Service Pack 0, 1, 2
  • 32bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
  • 32bit Windows 7 Service Pack 0, 1
If you want to give Volatility a try, you can download one of the samples listed within the Volatility FAQ.
Volatility-2.0: tar.gz / zip / standalone EXE / EXE (python installed) / md5 / sha1
Volatility-1.3_Beta: tar.gz / zip / md5 / sha1 / gpg tar.gz / gpg zip / gpg_key
Volatility-1.1.2: tar.gz / zip / md5 / sha1 / gpg tar.gz / gpg zip / gpg_key
Volatility-1.1.1: tar.gz / md5 / sha1 / gpg / gpg_key

