Volatility – A python framework for forensics

I recently came across Volatility which is an advanced forensic framework implemented in Python. This is an effective tool for digital artifacts extraction from volatile memory or the RAM. Volatility can analyze raw dumps, crash dumps, hibernation files, VMware .vmem, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor), expert witness (EWF), and direct physical memory over Firewire

There are a set of plugins that could be used with Volatility, that makes it really special. There are some of the plugins that I found really interesting.

  1. dlldump: Extract specified dll from the memory
  2. pslist: Prints all the process by following the EPROCESS lists.
  3. psscan: Find process that were previously terminated or unlinked by a rootkit. It has the ability to list hidden/unlinked process.
  4. dlllist: Display every dll that a process calls.
  5. file_scan: List file_object in physical memory
  6. malfind: Finds hidden or injected code and injected dlls useful in analysis of malware. It also displays process, flags, memory segments etc. 
  7. svsscan: Scans for windows services
  8. API hooks: Detects API hooks in process and kernel memory.
  9. callbacks: Display instance of software listings for callbacks.
  10. iehistory: Reconstruct Internet Explorer cache/history. 

If you are interested in exploring more about Volatility, these are some good tutorials that helped me to get started:


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s