Volatility v2.6 - An advanced memory forensics framework.


Changelog Volatility v2.6-git:
+ Add an interpreter path in convert.py
+ Added module for detecting PowerShell Empire
+ Solve the NameError problem.
+ Update README.txt with new profiles

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated, yet they offer visibility into the runtime state of that system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.


Volatility supports investigations of the following memory images:

Windows:
* 32-bit Windows XP Service Pack 2 and 3
* 32-bit Windows 2003 Server Service Pack 0, 1, 2
* 32-bit Windows Vista Service Pack 0, 1, 2
* 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
* 32-bit Windows 7 Service Pack 0, 1
* 32-bit Windows 8, 8.1, and 8.1 Update 1
* 32-bit Windows 10 (initial support)
* 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows Vista Service Pack 0, 1, 2
* 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2008 R2 Server Service Pack 0 and 1
* 64-bit Windows 7 Service Pack 0 and 1
* 64-bit Windows 8, 8.1, and 8.1 Update 1
* 64-bit Windows Server 2012 and 2012 R2
* 64-bit Windows 10 (initial support)

Linux:
* 32-bit Linux kernels 2.6.11 to 4.2.3
* 64-bit Linux kernels 2.6.11 to 4.2.3
* OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc

Mac OSX:
* 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn’t supported)
* 32-bit 10.6.x Snow Leopard
* 64-bit 10.6.x Snow Leopard
* 32-bit 10.7.x Lion
* 64-bit 10.7.x Lion
* 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
* 64-bit 10.9.x Mavericks (there is no 32-bit version)
* 64-bit 10.10.x Yosemite (there is no 32-bit version)
* 64-bit 10.11.x El Capitan (there is no 32-bit version)

Volatility supports a variety of sample file formats and the ability to convert between these formats:
– Raw linear sample (dd)
– Hibernation file (from Windows 7 and earlier)
– Crash dump file
– VirtualBox ELF64 core dump
– VMware saved state and snapshot files
– EWF format (E01)
– LiME (Linux Memory Extractor) format
– Mach-O file format
– QEMU virtual machine dumps
– Firewire
– HPAK (FDPro)
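To make the "sample file formats" list above concrete, here is an added example (not Volatility's own code, and not from the framework's address-space plugins) that parses the LiME (Linux Memory Extractor) format listed above and shows the two things any address space built on it has to do: translate a physical address to a file offset, and flatten the segmented dump into a raw linear (dd-style) image. LiME writes each captured physical range as a 32-byte header (magic 0x4C694D45, version 1, inclusive start/end address, 8 reserved bytes) followed by the raw bytes. The `build_lime` helper and the `SAMPLE` dump it produces are constructed here for the example; the two memory ranges and their contents are invented.

```python
"""Minimal parser for the LiME (Linux Memory Extractor) dump format.

Added example, not code from Volatility. LiME writes every captured
physical-memory range as a 32-byte header followed by the raw bytes:

    uint32 magic        0x4C694D45 ("EMiL" when read little-endian)
    uint32 version      1
    uint64 s_addr       first physical address of the range
    uint64 e_addr       last physical address of the range (inclusive)
    uint8  reserved[8]  unused
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")  # little-endian, 32 bytes


@dataclass
class LimeSegment:
    start: int        # first physical address covered by the segment
    end: int          # last physical address (inclusive)
    file_offset: int  # where the segment's bytes begin in the dump file

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_lime(data: bytes) -> List[LimeSegment]:
    """Walk the dump header by header, validating each one as we go."""
    segments: List[LimeSegment] = []
    off = 0
    while off + LIME_HEADER.size <= len(data):
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad LiME magic {magic:#x} at offset {off:#x}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"segment end {e_addr:#x} precedes start {s_addr:#x}")
        data_off = off + LIME_HEADER.size
        size = e_addr - s_addr + 1
        if data_off + size > len(data):
            # A dump cut short by a crash or a full disk ends here.
            raise ValueError(f"segment at {off:#x} runs past end of file (truncated dump?)")
        segments.append(LimeSegment(s_addr, e_addr, data_off))
        off = data_off + size
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing bytes after last segment")
    return segments


def phys_to_file_offset(segments: Sequence[LimeSegment], paddr: int) -> Optional[int]:
    """Map a physical address to its file offset, or None if it was not captured
    (holes are normal: MMIO and reserved ranges are skipped by LiME)."""
    for seg in segments:
        if seg.start <= paddr <= seg.end:
            return seg.file_offset + (paddr - seg.start)
    return None


def read_phys(data: bytes, segments: Sequence[LimeSegment], paddr: int, length: int) -> bytes:
    """Read bytes at a physical address; reads must not cross a segment boundary."""
    for seg in segments:
        if seg.start <= paddr <= seg.end:
            if paddr + length - 1 > seg.end:
                raise ValueError("read crosses a segment boundary")
            off = seg.file_offset + (paddr - seg.start)
            return data[off:off + length]
    raise ValueError(f"physical address {paddr:#x} not present in dump")


def to_raw(data: bytes, segments: Sequence[LimeSegment]) -> bytes:
    """Flatten the dump into a linear image, zero-filling the gaps between segments."""
    out = bytearray()
    for seg in sorted(segments, key=lambda s: s.start):
        if seg.start < len(out):
            raise ValueError("overlapping segments")
        out.extend(b"\x00" * (seg.start - len(out)))
        out.extend(data[seg.file_offset:seg.file_offset + seg.size])
    return bytes(out)


def build_lime(ranges: Sequence[Tuple[int, bytes]]) -> bytes:
    """Constructed helper for the example: emit a LiME dump from (start, payload) pairs."""
    out = bytearray()
    for start, payload in ranges:
        out += LIME_HEADER.pack(LIME_MAGIC, 1, start, start + len(payload) - 1, b"\x00" * 8)
        out += payload
    return bytes(out)


# Constructed sample dump: two ranges with a hole between 0x1100 and 0x2FFF.
SAMPLE = build_lime([(0x1000, b"A" * 0x100), (0x3000, b"B" * 0x80)])

if __name__ == "__main__":
    segs = parse_lime(SAMPLE)
    for s in segs:
        print(f"segment {s.start:#x}-{s.end:#x} ({s.size} bytes) at file offset {s.file_offset:#x}")
    print("phys 0x1010 ->", phys_to_file_offset(segs, 0x1010))
    print("phys 0x2000 ->", phys_to_file_offset(segs, 0x2000))
    print("raw image size:", len(to_raw(SAMPLE, segs)))
```

The hole between the two segments is the point to notice: a raw (dd) image carries no such gaps, so reading an address that LiME never captured silently returns zeros after conversion, while the segmented reader above refuses it. When a plugin reports nothing for a region that should be populated, checking whether the address actually falls inside a captured segment is the first thing to rule out.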

Usage and download from source:

Source: https://github.com/volatilityfoundation