Bug#728251: ITP: volatility -- advanced memory forensics framework
Package: wnpp
Severity: wishlist
Owner: Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>
* Package name : volatility
Version : 2.3
Upstream Author : Volatility Foundation <volatility@volatilityfoundation.org>
* URL : https://code.google.com/p/volatility
* License : GPL2
Programming Lang: Python
Description : advanced memory forensics framework
The Volatility Framework is a completely open collection of tools for the
extraction of digital artifacts from volatile memory (RAM) samples. It is
useful in forensics analysis. The extraction techniques are performed
completely independent of the system being investigated but offer
unprecedented visibilty into the runtime state of the system.
.
Volatility supports memory dumps from all major 32- and 64-bit Windows
versions and service packs including XP, 2003 Server, Vista, Server 2008,
Server 2008 R2, and Seven. Whether your memory dump is in raw format, a
Microsoft crash dump, hibernation file, or virtual machine snapshot,
Volatility is able to work with it.
.
Linux memory dumps in raw or LiME format is supported too. There are several
plugins for analyzing 32- and 64-bit Linux kernels and distributions such as
Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake.
.
Volatility support 38 versions of Mac OSX memory dumps from 10.5 to 10.8.3
Mountain Lion, both 32- and 64-bit. Android phones with ARM processors are
also supported.
.
These are some of the data that can be extracted:
.
- Image information (date, time, CPU count).
- Running processes.
- Open network sockets and connections.
- OS kernel modules loaded.
- Memory maps for each process.
- Executables samples.
- Command histories.
- Passwords, as LM/NTLM hashes and LSA secrets.
- Others.
Reply to: