Volatility 2.3.1 (Mac OSX and Android ARM)

 

The main goal of this release was Mac OS X (x86, x64) and Android ARM support. We also included a number of other exciting new capabilities, such as dumping cached files, exploring process privileges, analyzing Virtualbox and VMware saved state and snapshot files, and carving IE history URLs and MFT records.

 

Released: October 2013

 

 

Release Highlights

 

  • Windows

    • Parse IE history/index.dat URLs

    • Recover shellbags data

    • Dump cached files (exe/pdf/doc/etc)

    • Extract the MBR and MFT records

    • Explore recently unloaded kernel modules

    • Dump SSL private and public keys/certs

    • Display details on process privileges

    • Detect Poison Ivy infections

    • Decrypt configurations for Poison Ivy, Zeus, and Citadel

    • Apihooks detects Duqu style instruction modifications (MOV reg32, imm32; JMP reg32)

    • Crashinfo displays uptime, systemtime, and dump type

    • Psxview plugin adds two new sources of process listings from the GUI API

    • Screenshots plugin shows text for window titles

    • Svcscan automatically queries the cached registry for service DLLs

    • Dlllist shows load count to distinguish between static and dynamic loaded DLLs

  • New address spaces

    • Added support for VirtualBox ELF64 core dumps

    • VMware saved state (vmss) and snapshot (vmsn) files

    • FDPro's non-standard HPAK format

    • Plugins to extract metadata from all of these new formats

  • Mac OSX

    • New MachO address space for 32- and 64-bit Mac memory samples

    • Over 30+ plugins for Mac memory forensics

  • Linux/Android

    • New ARM address space for Linux and Android devices on ARM

    • Plugins to scan Linux process and kernel memory with Yara signatures

    • Dump LKMs to disk, and check TTY devices for rootkit hooks

    • Check the ARM system call and exception vector tables for hooks

 

Operating System Support

 

  • 32- and 64-bit Windows 7 (all service packs)

  • 32- and 64-bit Windows Server 2008 (all service packs)

  • 64-bit Windows Server 2008 R2 (all service packs)

  • 32- and 64-bit Windows Vista (all service packs)

  • 32- and 64-bit Windows Server 2003 (all service packs)

  • 32- and 64-bit Windows XP (SP2 and SP3)

  • 32- and 64-bit Linux kernels from 2.6.11 to 3.5

  • 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)

  • 32- and 64-bit 10.6.x Snow Leopard

  • 32- and 64-bit 10.7.x Lion

  • 64-bit 10.8.x Mountain Lion (there is no 32-bit version)

 

Memory Format Support

 

  • Raw/Padded Physical Memory

  • Firewire (IEEE 1394)

  • Expert Witness (EWF)

  • 32- and 64-bit Windows Crash Dump

  • 32- and 64-bit Windows Hibernation

  • 32- and 64-bit MachO files

  • Virtualbox Core Dumps

  • VMware Saved State (.vmss) and Snapshot (.vmsn)

  • HPAK Format (FastDump)

© 2020 The Volatility Foundation