[Volatility v2.3] The advanced memory forensics framework (Support of OSX)

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work

  • Windows
    • new plugins to parse IE history/index.dat URLs, recover shellbags data, dump cached files (exe/pdf/doc/etc), extract the MBR and MFT records, explore recently unloaded kernel modules, dump SSL private and public keys/certs, and display details on process privileges
    • added plugins to detect poison ivy infections, find and decrypt configurations in memory for poison ivy, zeus v1, zeus v2 and citadelscan 1.3.4.5
    • apihooks detects duqu style instruction modifications (MOV reg32, imm32; JMP reg32)
    • crashinfo displays uptime, systemtime, and dump type (i.e. kernel, complete, etc)
    • psxview plugin adds two new sources of process listings from the GUI APIs
    • screenshots plugin shows text for window titles
    • svcscan automatically queries the cached registry for service dlls
    • dlllist shows load count to distinguish between static and dynamic loaded dlls
  • New address spaces
    • added support for VirtualBox ELF64 core dumps, VMware saved state (vmss) and snapshot (vmsn) files, and FDPro’s non-standard HPAK format
    • associated plugins: vboxinfo, vmwareinfo, hpakinfo, hpakextract
  • Mac
    • new MachO address space for 32- and 64-bit Mac memory samples
    • over 30+ plugins for Mac memory forensics
  • Linux/Android
    • new ARM address space to support memory dumps from Linux and Android devices on ARM
    • added plugins to scan linux process and kernel memory with yara signatures, dump LKMs to disk, and check TTY devices for rootkit hooks
    • added plugins to check the ARM system call and exception vector tables for hooks

Operating Systems

Volatility supports the following operating systems and versions. All Windows profiles are included in the standard Volatility package. You can download sample Linux profiles from the LinuxProfiles wiki page or read LinuxMemoryForensics on how to build your own. You can download a single archive of 38 different Mac OSX profiles or read MacMemoryForensics to build your own.
  • Windows
    • 32-bit Windows XP Service Pack 2 and 3
    • 32-bit Windows 2003 Server Service Pack 0, 1, 2
    • 32-bit Windows Vista Service Pack 0, 1, 2
    • 32-bit Windows 2008 Server Service Pack 1, 2
    • 32-bit Windows 7 Service Pack 0, 1
    • 64-bit Windows XP Service Pack 1 and 2
    • 64-bit Windows 2003 Server Service Pack 1 and 2
    • 64-bit Windows Vista Service Pack 0, 1, 2
    • 64-bit Windows 2008 Server Service Pack 1 and 2
    • 64-bit Windows 2008 R2 Server Service Pack 0 and 1
    • 64-bit Windows 7 Service Pack 0 and 1
  • Linux
    • 32-bit Linux kernels 2.6.11 to 3.5
    • 64-bit Linux kernels 2.6.11 to 3.5
    • OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
  • Mac OSX
    • (new) 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn’t supported)
    • (new) 32-bit 10.6.x Snow Leopard
    • (new) 64-bit 10.6.x Snow Leopard
    • (new) 32-bit 10.7.x Lion
    • (new) 64-bit 10.7.x Lion
    • (new) 64-bit 10.8.x Mountain Lion (there is no 32-bit version)