volatility 3: The volatile memory extraction framework

Volatility 3: The volatile memory extraction framework

Volatility is the world’s most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

In 2019, the Volatility Foundation released a complete rewrite of the framework, Volatility 3. The project was intended to address many of the technical and performance challenges associated with the original code base that became apparent over the previous 10 years. Another benefit of the rewrite is that Volatility 3 could be released under a custom license that was more aligned with the goals of the Volatility community, the Volatility Software License (VSL).

Install

git clone https://github.com/volatilityfoundation/volatility3.git
pip3 install -r requirements-minimal.txt

Use

To see available options, run “python vol.py -h”

To get more information on a Windows memory sample and to make sure Volatility supports that sample type, run
‘python -f <imagepath> windows.info’

Example:

$ python vol.py —f /home/user/samples/stuxnet.vmem windows.info

Run some other plugins. The -f or —-single-location is not strictly required, but most plugins expect a single sample. Some also
require/accept other options. Run “python vol.py <plugin> -h” for more information on a particular command.

Tutorial

Copyright (C) 2007-2019 Volatility Foundation