Volatility 2.2 (Linux Support)

 

This release introduced support for 32- and 64-bit Linux memory samples, an address space for LiME (the Linux Memory Extractor), and a suite of 14 new plugins to investigate Windows GUI space--including clipboard contents, desktop windows, and screenshots.

 

Released: October 2012

 

 

Release Highlights

 

  • Introduction of Linux support (Intel x86, x64)

    • Kernels: 2.6.11 to 3.5

    • Debian, Ubuntu, OpenSuSE, Fedora, CentOS, Mandriva, and more...

  • Approximately 35 new Linux plugins

  • New LiME Address Space

  • Addition of the win32k suite (14 new plugins and APIs for analyzing windows GUI memory)

  • New windows plugins:

    • getservicesids: calculate SIDs of windows services

    • evtlogs: parse XP and 2003 event logs from memory

 

Operating System Support

 

  • 32- and 64-bit Windows 7 (all service packs)

  • 32- and 64-bit Windows Server 2008 (all service packs)

  • 64-bit Windows Server 2008 R2 (all service packs)

  • 32- and 64-bit Windows Vista (all service packs)

  • 32- and 64-bit Windows Server 2003 (all service packs)

  • 32- and 64-bit Windows XP (SP2 and SP3)

  • 32- and 64-bit Linux kernels from 2.6.11 to 3.5

 

Memory Format Support

 

  • Raw/Padded Physical Memory

  • Firewire (IEEE 1394)

  • Expert Witness (EWF)

  • 32- and 64-bit Windows Crash Dump

  • 32- and 64-bit Windows Hibernation

© 2020 The Volatility Foundation