Volatility is a popular open source framework for performing memory forensics. The current production version of Volatility is 1.3. The Volatility development team is putting finishing touches on version 1.4, which is currently in the Release Candidate 1 status. While there may still be some bugs to be ironed out, Volatility 1.4 RC1 is sufficiently stable for general exploration and experimentation.
I'd like to briefly highlight some of the changes that were made to Volatility since its 1.3 release. This note is designed for individuals who are already somewhat familiar with Volatility 1.3, and are wondering what to expect from 1.4:
- Volatility 1.3 only supported the analysis of Windows XP memory images. Volatility 1.4 includes basic support for analyzing memory images of Windows Vista and Windows 7.
- The plugin architecture has changed from version 1.3 to 1.4. The good news is that the most popular plugins have already been ported to version 1.4. Moreover, the most useful plugins that needed to be installed separately in version 1.3 have been incorporated into the core Volatility 1.4 distribution. This means that it's easier to install the framework. This also means that the plugins are more uniform in their usability, such as the command-line parameters they take.
- VolRip (rip.pl), which can be used for examining registry contents from the memory image, is presently only compatible with version 1.3 of Volatility.
- The logic behind the "psscan2" plugin for Volatility 1.3 has been incorporated into the new "psscan" plugin for Volatility 1.4. The "psscan3" plugin's logic has not yet been ported to Volatility 1.4.
- Volatility Analyst Pack, which included popular plugins for analyzing malware through memory forensics has been retired. It has been replaced with the malware.py library, which implements malfind, apihooks, orphanthreads, mutantscan, ldrmodules and other malware-related Volatility plug-ins.
- You can now include the Volatility plugin command at the very end of the command line, even after the "-f" parameter. If you don't want to define the memory image's file name with "-f", you can also define it as a variable ("export VOLATILITY_FILENAME=/var/tmp/memory.img") and then repeatedly invoke Volatility without the "-f" parameter.
- Some of the plugin names have changed in version 1.4. For instance, "memdmp" is now "memdump"; "malfind2" is "malfind"; "procdump" is "procexedump". The parameters these plugins accept have changed in some cases, too. For instance, "malfind" now uses "-D" instead of "-d" to specify its destination directory.
You can grab Volatility 1.4 RC1 by using SVN, pointing it to http://volatility.googlecode.com/svn/branches/Volatility-1.4_rc1. If you don't feel like installing Volatility 1.4 RC1 on your own, you can experiment with it on REMnux. REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software; it now includes Volatility 1.4 RC1 and is available as a Live CD and a virtual appliance.
I recommend Malware Analyst's Cookbook if you're looking for a reference on using Volatility and its plugins for malware analysis. Also, SANS offers the following courses that cover the use of Volatility:
- FOR610: Reverse-Engineering Malware
- FOR526: Advanced Filesystem Recovery and Memory Forensic
- FOR508: Computer Forensic Investigations and Incident Response
I'm very glad to see the continued development of Volatility. Looking forward to the final "production" release of version 1.4!
Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.