============================================================================
Volatility Framework - Volatile memory extraction utility framework
============================================================================
The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for the
extraction of digital artifacts from volatile memory (RAM) samples.
The extraction techniques are performed completely independently of the
system being investigated, yet offer visibility into the runtime state
of the system. The framework is intended to introduce people to the
techniques and complexities associated with extracting digital artifacts
from volatile memory samples and to provide a platform for further work in
this exciting area of research.
The Volatility distribution is available from:
http://www.volatilityfoundation.org/#!releases/component_71401
Volatility should run on any platform that supports
Python (http://www.python.org).
Volatility supports investigations of the following memory images:
Windows:
* 32-bit Windows XP Service Pack 2 and 3
* 32-bit Windows 2003 Server Service Pack 0, 1, 2
* 32-bit Windows Vista Service Pack 0, 1, 2
* 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
* 32-bit Windows 7 Service Pack 0, 1
* 32-bit Windows 8 and 8.1
* 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows Vista Service Pack 0, 1, 2
* 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2008 R2 Server Service Pack 0 and 1
* 64-bit Windows 7 Service Pack 0 and 1
* 64-bit Windows 8 and 8.1
* 64-bit Windows Server 2012 and 2012 R2
Linux:
* 32-bit Linux kernels 2.6.11 to 3.5
* 64-bit Linux kernels 2.6.11 to 3.5
* OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc.
Mac OSX:
* 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
* 32-bit 10.6.x Snow Leopard
* 64-bit 10.6.x Snow Leopard
* 32-bit 10.7.x Lion
* 64-bit 10.7.x Lion
* 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
* 64-bit 10.9.x Mavericks (there is no 32-bit version)
Volatility does not provide memory sample acquisition
capabilities. For acquisition, there are both free and commercial
solutions available. If you would like suggestions about suitable
acquisition solutions, please contact us at:
volatility (at) volatilityfoundation (dot) org
Volatility supports a variety of sample file formats and the
ability to convert between these formats:
- Raw linear sample (dd)
- Hibernation file
- Crash dump file
- VirtualBox ELF64 core dump
- VMware saved state and snapshot files
- EWF format (E01)
- LiME (Linux Memory Extractor) format
- Mach-o file format
- QEMU virtual machine dumps
- Firewire
- HPAK (FDPro)
For a more detailed list of capabilities, see the following:
https://github.com/volatilityfoundation/volatility/wiki
Example Data
============
If you want to give Volatility a try, you can download exemplar
memory images from the following url:
https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
Mailing Lists
=============
Mailing lists to support the users and developers of Volatility
can be found at the following address:
http://lists.volatilesystems.com/mailman/listinfo
Contact
=======
For information or requests, contact:
Volatility Foundation
Web: http://www.volatilityfoundation.org
http://volatility-labs.blogspot.com
http://volatility.tumblr.com
Email: volatility (at) volatilityfoundation (dot) org
IRC: #volatility on freenode
Twitter: @volatility
Requirements
============
- Python 2.6 or later, but not 3.0. http://www.python.org
Some plugins may have other requirements which can be found at:
https://github.com/volatilityfoundation/volatility/wiki/Installation
Quick Start
===========
1. Unpack the latest version of Volatility from
volatilityfoundation.org
2. To see available options, run "python vol.py -h" or "python vol.py --info"
Example:
$ python vol.py --info
Volatility Foundation Volatility Framework 2.4
Usage: Volatility - A memory forensics analysis platform.
Profiles
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win2012R2x64 - A Profile for Windows Server 2012 R2 x64
Win2012x64 - A Profile for Windows Server 2012 x64
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x86 - A Profile for Windows 7 SP1 x86
Win8SP0x64 - A Profile for Windows 8 SP0 x64
Win8SP0x86 - A Profile for Windows 8 SP0 x86
Win8SP1x64 - A Profile for Windows 8.1 x64
Win8SP1x86 - A Profile for Windows 8 SP1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
Address Spaces
--------------
AMD64PagedMemory - Standard AMD 64-bit address space.
ArmAddressSpace - No docs
FileAddressSpace - This is a direct file AS.
HPAKAddressSpace - This AS supports the HPAK format
IA32PagedMemory - Standard IA-32 paging address space.
IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible
LimeAddressSpace - Address space for Lime
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
OSXPmemELF - This AS supports VirtualBox ELF64 coredump format
QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format
VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files
VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata
VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
Plugins
-------
apihooks - Detect API hooks in process and kernel memory
atoms - Print session and window station atom tables
atomscan - Pool scanner for atom tables
auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools - Dump the big page pools using BigPagePoolScanner
b
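The following shell script is an added example and is not part of the Volatility distribution: it checks a requested profile name against the Profiles section of the ``--info`` output shown above before building the vol.py command lines for a first triage pass. It assumes vol.py is in the current directory and uses Volatility's ``-f`` (image file) and ``--profile`` options, which are not shown on this page; the ``--info`` text embedded in the script is a constructed excerpt of the listing above.

```shell
#!/bin/sh
# Added example (not from the Volatility README): check a profile against the
# "Profiles" section of "python vol.py --info" before running a triage pass.
# Assumes vol.py is in the current directory; -f and --profile are Volatility's
# real image-file and profile options (not shown on this page).

# Constructed excerpt of the --info output so the script runs offline. Pass
# "$(python vol.py --info)" as the second argument to check the live listing.
INFO_SAMPLE='Volatility Foundation Volatility Framework 2.4
Profiles
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x86 - A Profile for Windows 7 SP1 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86

Address Spaces
--------------
AMD64PagedMemory - Standard AMD 64-bit address space.'

# profile_supported NAME [INFO_TEXT]: return 0 if NAME is listed under
# "Profiles", 1 otherwise. Only that section is searched, so an address
# space or plugin name is never mistaken for a profile.
profile_supported() {
    name=$1
    info=${2:-$INFO_SAMPLE}
    printf '%s\n' "$info" | awk -v want="$name" '
        /^Profiles$/        { in_profiles = 1; next }
        /^Address Spaces$/  { in_profiles = 0 }
        in_profiles && $1 == want && $2 == "-" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# triage_commands IMAGE PROFILE [INFO_TEXT]: print one vol.py invocation per
# plugin (apihooks and auditpol are in the plugin listing above; pslist,
# psxview and malfind are other standard Volatility 2 plugins). Prints
# nothing and fails if PROFILE is not a known profile.
triage_commands() {
    image=$1
    profile=$2
    profile_supported "$profile" "$3" || {
        echo "unsupported profile: $profile" >&2
        return 1
    }
    for plugin in pslist psxview malfind apihooks auditpol; do
        printf 'python vol.py -f %s --profile=%s %s\n' "$image" "$profile" "$plugin"
    done
}
```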
Resource Comments
=================
- ww6est88 (2017-11-01): Extremely good.
- 啊哦啊e (2019-03-13): I don't know how to use the source code...
- Corner (2017-03-20): Very bad and so irresponsible: the uploader just grabbed the source code and posted it, and not everyone knows how to use it.
- chiyantiandun (2016-05-16): I don't know how to use it; I hope there could be a usage guide or something.