top of page

Volatility 2.1 (Malware and 64-bits)

This is the first release to support all major 64-bit versions of Windows. It also included the ability to convert raw memory images to crash dumps, extract command history and console input/output buffers, and an API for accessing cached registry keys and values from memory. Ten new plugins were added with a specific focus on malware analysis.


Released: August 2012



Release Highlights


  • New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64)

  • Majority of Existing Plugins Updated with x64 Support

  • Merged Malware Plugins into Volatility Core with Preliminary x64 Support

  • WindowsHiberFileSpace32 Overhaul (also includes x64 Support)

  • Now supports all major x64 Windows Operating Systems

  • Plugin Additions

    • Printing Process Environment Variables (envvars)

    • Inspecting the Shim Cache (shimcache)

    • Profiling Command History and Console Usage (cmdscan, consoles)

    • Converting x86 and x64 Raw Dumps to MS Crash Dump (raw2dmp)

  • Plugin Enhancements

    • Verbose details for kdbgscan and kpcrscan

    • idt/gdt/timers plugins cycle automatically for each CPU

    • apihooks detects LSP/winsock procedure tables

  • New Output Formatting Support (Table Rendering)

  • New Mechanism for Profile Modifications

  • New Registry API Support

  • New Volshell Commands

  • Updated Documentation and Command Reference


Operating System Support


  • 32- and 64-bit Windows 7 (all service packs)

  • 32- and 64-bit Windows Server 2008 (all service packs)

  • 64-bit Windows Server 2008 R2 (all service packs)

  • 32- and 64-bit Windows Vista (all service packs)

  • 32- and 64-bit Windows Server 2003 (all service packs)

  • 32- and 64-bit Windows XP (SP2 and SP3)


Memory Format Support


  • Raw/Padded Physical Memory

  • Firewire (IEEE 1394)

  • Expert Witness (EWF)

  • 32- and 64-bit Windows Crash Dump

  • 32- and 64-bit Windows Hibernation


bottom of page