The Volatility Framework

A collection of tools, implemented in Python under the GNU General Public License, for extracting digital artifacts from volatile memory (RAM) images.

Released as open source under the GNU license, Volatility runs on Linux, OS X, and Windows (with Cygwin libraries) and can analyze memory images captured from Windows XP Service Pack 2 systems.

The framework can extract the following data:

* Image date and time
* Running processes
* Open network sockets
* Open network connections
* DLLs loaded for each process
* Open files for each process
* OS kernel modules
* Mapping of physical offsets to virtual addresses (strings to process)
* Virtual Address Descriptor (VAD) information
* Scanning examples: processes, threads, sockets, connections
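Two items in the list above, mapping physical offsets to virtual addresses and attributing strings to a process, both rest on the same mechanism: walking each process's page tables. The following is an added illustration written for this page, not Volatility's own code. It implements a minimal 32-bit x86 (non-PAE) page-table walker in both directions over a constructed 32 KB "RAM image" containing page tables for two hypothetical processes, "A" and "B"; the process names, the CR3 values and the page contents are all assumptions built inline for the example.

```python
"""Minimal x86 (32-bit, non-PAE) page-table walker over a constructed RAM image.

Added example for illustration; not Volatility's implementation. Page-table
layouts follow the x86 architecture, but the image, the processes "A"/"B"
and their CR3 values are constructed here.
"""
import struct

PAGE_SIZE = 0x1000
LARGE_PAGE_SIZE = 0x400000
PRESENT = 1 << 0
WRITABLE = 1 << 1
PAGE_SIZE_FLAG = 1 << 7   # PS bit in a PDE: the entry maps a 4 MB page directly


def read_u32(image, phys):
    """Read a little-endian 32-bit table entry at a physical offset (None if outside the image)."""
    if phys < 0 or phys + 4 > len(image):
        return None
    return struct.unpack_from("<I", image, phys)[0]


def virtual_to_physical(image, cr3, va):
    """Translate a virtual address under page directory `cr3`; None if the page is not present."""
    pde = read_u32(image, cr3 + ((va >> 22) & 0x3FF) * 4)
    if pde is None or not pde & PRESENT:
        return None
    if pde & PAGE_SIZE_FLAG:                       # 4 MB page: no page table level
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = read_u32(image, (pde & 0xFFFFF000) + ((va >> 12) & 0x3FF) * 4)
    if pte is None or not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | (va & 0xFFF)


def read_virtual(image, cr3, va, length):
    """Read `length` bytes of virtual memory page by page; None if any page is unmapped."""
    out = bytearray()
    while length > 0:
        phys = virtual_to_physical(image, cr3, va)
        if phys is None or phys >= len(image):
            return None
        chunk = min(length, PAGE_SIZE - (va & 0xFFF), len(image) - phys)
        out += image[phys:phys + chunk]
        va += chunk
        length -= chunk
    return bytes(out)


def iter_mappings(image, cr3):
    """Yield (virtual base, physical base, size) for every present page of one address space."""
    for pde_idx in range(1024):
        pde = read_u32(image, cr3 + pde_idx * 4)
        if pde is None or not pde & PRESENT:
            continue
        if pde & PAGE_SIZE_FLAG:
            yield pde_idx << 22, pde & 0xFFC00000, LARGE_PAGE_SIZE
            continue
        pt_base = pde & 0xFFFFF000
        for pte_idx in range(1024):
            pte = read_u32(image, pt_base + pte_idx * 4)
            if pte is not None and pte & PRESENT:
                yield (pde_idx << 22) | (pte_idx << 12), pte & 0xFFFFF000, PAGE_SIZE


def physical_to_virtual(image, address_spaces, phys):
    """Reverse lookup: every (process, virtual address) under which a physical offset is visible."""
    hits = []
    for name, cr3 in address_spaces.items():
        for va_base, phys_base, size in iter_mappings(image, cr3):
            if phys_base <= phys < phys_base + size:
                hits.append((name, va_base + (phys - phys_base)))
    return hits


def strings_to_process(image, address_spaces, needle):
    """The 'strings to process' idea: find a string in the raw image, then attribute its offset."""
    phys = image.find(needle)
    return [] if phys < 0 else physical_to_virtual(image, address_spaces, phys)


def build_sample_image():
    """Constructed 32 KB image with page tables for two hypothetical processes (not real data)."""
    image = bytearray(0x8000)

    def set_entry(table, idx, value):
        struct.pack_into("<I", image, table + idx * 4, value)

    # Process "A" (assumed CR3 0x0000): page directory at 0x0000, page table at 0x1000
    set_entry(0x0000, 0, 0x1000 | PRESENT | WRITABLE)
    set_entry(0x1000, 4, 0x4000 | PRESENT | WRITABLE)     # VA 0x4000  -> PA 0x4000 (private page)
    set_entry(0x1000, 5, 0x5000 | PRESENT | WRITABLE)     # VA 0x5000  -> PA 0x5000 (shared page)
    # Process "B" (assumed CR3 0x2000): page directory at 0x2000, page table at 0x3000
    set_entry(0x2000, 0, 0x3000 | PRESENT | WRITABLE)
    set_entry(0x3000, 0x10, 0x5000 | PRESENT)             # VA 0x10000 -> PA 0x5000 (same shared page)
    set_entry(0x2000, 1, 0x0 | PRESENT | PAGE_SIZE_FLAG)  # VA 0x400000.. -> PA 0.. as one 4 MB page
    image[0x4010:0x4010 + 12] = b"secret in A\0"         # constructed page contents
    image[0x5000:0x5000 + 11] = b"shared.dll\0"
    return bytes(image), {"A": 0x0000, "B": 0x2000}
```

`physical_to_virtual` returns more than one hit for the shared page, which is the point of doing the reverse mapping per process: a string found by a raw `strings` pass over the image may belong to several address spaces (a shared DLL page, or a large kernel mapping that aliases the same physical memory), and the investigator needs every owner, not just the first.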

You can learn a lot more about the framework and download a copy at Volatile Systems' Web site.
