Volatility 2.4 (Art of Memory Forensics)

 

The release of this version coincides with the publication of The Art of Memory Forensics. It adds support for Windows 8, 8.1, 2012, and 2012 R2 memory dumps and Mac OS X Mavericks (up to 10.9.4). New plugins include the ability to extract cached Truecrypt passphrases and master keys from Windows and Linux memory dumps, investigate Mac user activity (such as pulling their contact database, calendar items, PGP encrypted mails, OTR Adium chat messages, etc), and analyze advanced Linux rootkits. 

 

Starting with this release, we also provide Linux and Mac binary builds, which means you can use Volatility on all major platforms without installing Python or any dependencies. 

 

Released: August 2014

 

 

Release Highlights

 

  • Windows

    • Truecrypt plugins (summary, cached passphrases, master keys)

    • Apihooks support for 64-bit memory images 

    • Apihooks plugin detects JMP FAR hook instructions 

    • Hashdump, Cachedump, and Lsadump plugins updated for x64 and Win8/2012

    • Callbacks and timers plugins work on 64-bit memory images 

    • Mftparser identifies NTFS alternate data streams 

    • Mftparser -D option extracts MFT-resident data blocks to disk

    • Ability to scan for multiple executive object types concurrently with a single pass through the memory dump 

    • Procmemdump and procexedump condensed into "procdump" (and --memory option available)

    • Envars plugin has a --silent flag to ignore common/default environment variables 

    • Vadtree plugin in graphviz output mode (--output=dot) color codes nodes per heap, stack, mapped file, DLL, etc.

    • Getsids plugin automatically resolves user and service SIDs 

    • Timeliner plugin supports --machine to identify the source in multi-source timelines 

    • Verinfo (PE version info) plugin updated and moved into core framework 

    • Strings translator prints "FREE MEMORY" for data found in deallocated regions (used to skip them)

    • Vadinfo plugin allows --addr to specify one region rather than printing them all 

    • Yarascan plugin allows you to control --size (bytes in preview) and --reverse (show data *before* a hit)

    • Volshell plugin has new APIs proc(), addrspace(), getprocs(), and getmods() for easy access

    • All process based plugins accept --name (process name regular expression filter)

    • Added the auditpol plugin to check audit policies 

    • Added the cmdline plugin to show process command line arguments 

    • Volshell plugin can recursively print structure members (similar to windbg's dt /r)

    • New pooltracker plugin allows analysis of kernel pool tag statistics 

    • New bigpools plugin allows finding big page pool allocations 

    • Svcscan plugin prints service start type (manual, automatic, disabled, etc)

    • Added a plugin to find and print text on the Notepad application's heap

    • PE dumping plugins (procdump, dlldump, moddump) support --fix to fix the image base value 

  • New address spaces

    • Support for QEMU virtual machine memory images 

    • Support for "split" VMware files (memory in .vmem and metadata in .vmss/.vmsn)

    • Support for Windows BitMap crash dumps (created by Windows 8 / 2012 on BSOD)

  • Mac OSX

    • Support for Mavericks through 10.9.4

    • Mac string translation added 

    • Recover sent and received Adium messages, including those protected by OTR 

    • Enumerate contacts from the Contact application's database

    • Extract the HTML content of notes from the Notes application 

    • Ability to reveal clear-text PGP emails sent or received with the Mail application 

    • Locate Apple Keychain encryption keys in memory (for cracking with Chainbreaker)

    • Find API hooks in both the kernel and process memory

    • List IP and socket filters

    • Extract loaded kernel extension to disk

    • Find suspicious process mappings (i.e. injected code) 

    • Find hidden kernel extensions

    • Recovered files cached in memory

  • Linux/Android

    • Support for Linux kernels through 3.16

    • Linux string translation added

    • Detect API hooks in both userland processes and the kernel

    • Detect GOT/PLT overwrites

    • Find hollowed executables

    • Find suspicious process mappings

    • Library listing using the loader’s data structures

    • Extract process ELF executables and libraries to disk

    • List network interfaces in promiscuous mode

    • List processes that are using raw sockets

    • Find hidden kernel modules

    • List Netfilter hooks

    • Extract cached Truecrypt passphrases 

 

Operating System Support

 

  • 64-bit Windows Server 2012 and 2012 R2 

  • 32- and 64-bit Windows 8 and 8.1

  • 32- and 64-bit Windows 7 (all service packs)

  • 32- and 64-bit Windows Server 2008 (all service packs)

  • 64-bit Windows Server 2008 R2 (all service packs)

  • 32- and 64-bit Windows Vista (all service packs)

  • 32- and 64-bit Windows Server 2003 (all service packs)

  • 32- and 64-bit Windows XP (SP2 and SP3)

  • 32- and 64-bit Linux kernels from 2.6.11 to 3.5

  • 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)

  • 32- and 64-bit 10.6.x Snow Leopard

  • 32- and 64-bit 10.7.x Lion

  • 64-bit 10.8.x Mountain Lion (there is no 32-bit version)

  • 64-bit 10.9.x Mavericks (there is no 32-bit version)

  • 32- and 64-bit Linux kernels up to 3.16 

 

Memory Format Support

 

  • Raw/Padded Physical Memory

  • Firewire (IEEE 1394)

  • Expert Witness (EWF)

  • 32- and 64-bit Windows Crash Dump

  • 32- and 64-bit Windows Hibernation (from Windows 7 or earlier)

  • 32- and 64-bit MachO files

  • Virtualbox Core Dumps

  • VMware Saved State (.vmss) and Snapshot (.vmsn)

  • HPAK Format (FastDump)

  • QEMU memory dumps 

© 2020 The Volatility Foundation