top of page

Release Downloads

Volatility releases are the result of significant in-depth research into OS internals, applications, malicious code, and suspect activities. Releases represent a milestone in not only our team's progress, but also in the development of the community and forensics capabilities as a whole. While releases may seem few and far between, we strive to perform rigorous testing of our new features before calling it stable.

Volatility 2.6 (Windows 10 / Server 2016)


This release improves support for Windows 10 and adds support for Windows Server 2016, Mac OS Sierra 10.12, and Linux with KASLR kernels. A lot of bug fixes went into this release as well as performance enhancements (especially related to page table parsing and virtual address space scanning). See below for a more detailed list of the changes in this version. 

Released: December 2016





Volatility 2.5 (Unified Output / Community)


This is the first release since the publication of The Art of Memory Forensics! It adds support for Windows 10 (initial), Linux kernels 4.2.3+, and Mac OS X Yosemite and El Capitan. Additionally, the unified output rendering gives users the flexibility of asking for results in various formats (html, sqlite, json, xlsx, dot, text, etc.) while simplifying things for plugin developers. In short, less code leads to more functionality. This is especially useful for framework designers (GUIs, web interfaces, library APIs), because you can interface with a plugin directly and ask for json, which you then store, process, or modify however you want. 


This release also coincides with the Community repo - a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, its an entire arsenal of plugins that you can easily extend into your existing Volatility installation. 


Released: October 2015





Volatility 2.4 (Art of Memory Forensics)


The release of this version coincides with the publication of The Art of Memory Forensics. It adds support for Windows 8, 8.1, 2012, and 2012 R2 memory dumps and Mac OS X Mavericks (up to 10.9.4). New plugins include the ability to extract cached Truecrypt passphrases and master keys from Windows and Linux memory dumps, investigate Mac user activity (such as pulling their contact database, calendar items, PGP encrypted mails, OTR Adium chat messages, etc), and analyze advanced Linux rootkits. 


Starting with this release, we also provide Linux and Mac binary builds, which means you can use Volatility on all major platforms without installing Python or any dependencies. 


Released: August 2014




Volatility 2.3.1 (Mac OSX and Android ARM)


The main goal of this release was Mac OS X (x86, x64) and Android ARM support. We also included a number of other exciting new capabilities, such as dumping cached files, exploring process privileges, analyzing VMware saved state and snapshot files, and carving IE history URLs and MFT records.


Released: October 2013




Volatility 2.2 (Linux Support)


This release introduced support for 32- and 64-bit Linux memory samples, an address space for LiME (the Linux Memory Extractor), and a suite of 14 new plugins to investigate Windows GUI space--including clipboard contents, desktop windows, and screenshots.


Released: October 2012




Volatility 2.1 (Malware and 64-bits)


This is the first release to support all major 64-bit versions of Windows. It also included the ability to convert raw memory images to crash dumps, extract command history and console input/output buffers, and an API for accessing cached registry keys and values from memory. Ten new plugins were added with a specific focus on malware analysis.


Released: August 2012




Volatility 2.0 (Beyond XP)


This major release from the 1.x series added over 40 new plugins (including volshell) and took Volatility beyond Windows XP. It supported 2003 Server, Vista, 2008 Server, and 7. It also introduced a new scanning framework and a pluggable address space system with examples such as EWF and Firewire.


Released: August 2011




bottom of page