Volatility 2.6 (Windows 10 / Server 2016)

This release improves support for Windows 10 and adds support for Windows Server 2016, Mac OS Sierra 10.12, and Linux with KASLR kernels. A lot of bug fixes went into this release as well as performance enhancements (especially related to page table parsing and virtual address space scanning). See below for a more detailed list of the changes in this version. 

 

This release also coincides with the Community repo - a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 4 years of Volatility plugin contests, but some were just written for fun. Either way, its an entire arsenal of plugins that you can easily extend into your existing Volatility installation. 

 

Released: December 2016

 

 

Release Highlights

  • Enhanced support for Windows 10 (including 14393.447)

  • Added new profiles for recently patched Windows 7, Windows 8, and Server 2012

  • Optimized page table enumeration and scanning algorithms, especially on 64-bit Windows 10

  • Added support for carving Internet Explorer 10 history records

  • Added support for memory dumps from the most recent VirtualBox version

  • Updated the svcscan plugin to show FailureCommand (the command that runs when a service fails to start multiple times)

  • Add APIs to paged address spaces (x86 and x64) to allow easy lookups of PTE flags (i.e. writeable, no-exec, supervisor, copy-on-write)

  • Add support for tagging Mac memory ranges as heaps, stacks, etc.

  • Add plugins for checking Mac file operation pointers, C++ classes in the kernel, IOKit interest handlers, timers set by kernel drivers, and enumeration of processes that filter file system events

  • Add support for KASLR Linux kernels

 

Operating System Support

 

  • 64-bit Windows Server 2016

  • 64-bit Windows Server 2012 and 2012 R2 

  • 32- and 64-bit Windows 10 

  • 32- and 64-bit Windows 8, 8.1, and 8.1 Update 1

  • 32- and 64-bit Windows 7 (all service packs)

  • 32- and 64-bit Windows Server 2008 (all service packs)

  • 64-bit Windows Server 2008 R2 (all service packs)

  • 32- and 64-bit Windows Vista (all service packs)

  • 32- and 64-bit Windows Server 2003 (all service packs)

  • 32- and 64-bit Windows XP (SP2 and SP3)

  • 32- and 64-bit Linux kernels from 2.6.11 to 4.2.3

  • 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)

  • 32- and 64-bit 10.6.x Snow Leopard

  • 32- and 64-bit 10.7.x Lion

  • 64-bit 10.8.x Mountain Lion (there is no 32-bit version)

  • 64-bit 10.9.x Mavericks (there is no 32-bit version)

  • 64-bit 10.10.x Yosemite (there is no 32-bit version)

  • 64-bit 10.11.x El Capitan (there is no 32-bit version)

  • 64-bit 10.12.x Sierra (there is no 32-bit version)

 

Memory Format Support

 

  • Raw/Padded Physical Memory

  • Firewire (IEEE 1394)

  • Expert Witness (EWF)

  • 32- and 64-bit Windows Crash Dump

  • 32- and 64-bit Windows Hibernation (from Windows 7 or earlier)

  • 32- and 64-bit MachO files

  • Virtualbox Core Dumps

  • VMware Saved State (.vmss) and Snapshot (.vmsn)

  • HPAK Format (FastDump)

  • QEMU memory dumps 

© 2020 The Volatility Foundation