An advanced memory forensics framework
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work into this exciting area of research.
The Volatility distribution is available from: http://www.volatilityfoundation.org/#!releases/component_71401
Volatility should run on any platform that supports Python (http://www.python.org)
Volatility supports investigations of the following memory images:
Windows:
  * 32-bit Windows XP Service Pack 2 and 3
  * 32-bit Windows 2003 Server Service Pack 0, 1, 2
  * 32-bit Windows Vista Service Pack 0, 1, 2
  * 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
  * 32-bit Windows 7 Service Pack 0, 1
  * 32-bit Windows 8, 8.1, and 8.1 Update 1
  * 32-bit Windows 10 (initial support)
  * 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
  * 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
  * 64-bit Windows Vista Service Pack 0, 1, 2
  * 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
  * 64-bit Windows 2008 R2 Server Service Pack 0 and 1
  * 64-bit Windows 7 Service Pack 0 and 1
  * 64-bit Windows 8, 8.1, and 8.1 Update 1
  * 64-bit Windows Server 2012 and 2012 R2
  * 64-bit Windows 10 (including at least 10.0.19041)
  * 64-bit Windows Server 2016 (including at least 10.0.19041)
Note: Please see the guidelines at the following link for notes on compatibility with recently patched Windows 7 (or later) memory samples:
Linux:
  * 32-bit Linux kernels 2.6.11 to 5.5
  * 64-bit Linux kernels 2.6.11 to 5.5
  * OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
Mac OSX:
  * 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
  * 32-bit 10.6.x Snow Leopard
  * 64-bit 10.6.x Snow Leopard
  * 32-bit 10.7.x Lion
  * 64-bit 10.7.x Lion
  * 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
  * 64-bit 10.9.x Mavericks (there is no 32-bit version)
  * 64-bit 10.10.x Yosemite (there is no 32-bit version)
  * 64-bit 10.11.x El Capitan (there is no 32-bit version)
  * 64-bit 10.12.x Sierra (there is no 32-bit version)
  * 64-bit 10.13.x High Sierra (there is no 32-bit version)
  * 64-bit 10.14.x Mojave (there is no 32-bit version)
  * 64-bit 10.15.x Catalina (there is no 32-bit version)
Volatility does not provide memory sample acquisition capabilities. For acquisition, there are both free and commercial solutions available. If you would like suggestions about suitable acquisition solutions, please contact us at:
volatility (at) volatilityfoundation (dot) org
Volatility supports a variety of sample file formats and the ability to convert between these formats:
For a more detailed list of capabilities, see the following:
Also see the community plugins repository:
If you want to give Volatility a try, you can download exemplar memory images from the following url:
Mailing lists to support the users and developers of Volatility can be found at the following address:
For information or requests, contact:
Web:   http://www.volatilityfoundation.org
       http://volatility-labs.blogspot.com
       http://volatility.tumblr.com
Email: volatility (at) volatilityfoundation (dot) org
IRC: #volatility on freenode
Some plugins may have other requirements which can be found at: https://github.com/volatilityfoundation/volatility/wiki/Installation
Unpack the latest version of Volatility from volatilityfoundation.org
To see available options, run "python vol.py -h" or "python vol.py --info"
$ python vol.py --info
Volatility Foundation Volatility Framework 2.6
Address Spaces
--------------
AMD64PagedMemory - Standard AMD 64-bit address space.
ArmAddressSpace - Address space for ARM processors
FileAddressSpace - This is a direct file AS.
HPAKAddressSpace - This AS supports the HPAK format
IA32PagedMemory - Standard IA-32 paging address space.
IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible
LimeAddressSpace - Address space for Lime
LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space.
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
OSXPmemELF - This AS supports VirtualBox ELF64 coredump format
QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format
VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files
VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata
VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format
Win10AMD64PagedMemory - Windows 10-specific AMD 64-bit address space.
WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space.
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
Profiles
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win10x64 - A Profile for Windows 10 x64
Win10x6410586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x6414393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x86 - A Profile for Windows 10 x86
Win10x8610586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x8614393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008R2SP1x6423418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win2012R2x64 - A Profile for Windows Server 2012 R2 x64
Win2012R2x6418340 - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64 - A Profile for Windows Server 2012 x64
Win2016x6414393 - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x6423418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86 - A Profile for Windows 7 SP1 x86
Win7SP1x8623418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win81U1x64 - A Profile for Windows 8.1 Update 1 x64
Win81U1x86 - A Profile for Windows 8.1 Update 1 x86
Win8SP0x64 - A Profile for Windows 8 x64
Win8SP0x86 - A Profile for Windows 8 x86
Win8SP1x64 - A Profile for Windows 8.1 x64
Win8SP1x6418340 - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)
Win8SP1x86 - A Profile for Windows 8.1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
Plugins
-------
amcache - Print AmCache information
apihooks - Detect API hooks in process and kernel memory
atoms - Print session and window station atom tables
atomscan - Pool scanner for atom tables
auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools - Dump the big page pools using BigPagePoolScanner
bioskbd - Reads the keyboard buffer from Real Mode memory
cachedump - Dumps cached domain hashes from memory
callbacks - Print system-wide notification routines
clipboard - Extract the contents of the windows clipboard
cmdline - Display process command-line arguments
cmdscan - Extract command history by scanning for COMMANDHISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Pool scanner for tcp connections
consoles - Extract command history by scanning for CONSOLEINFORMATION
crashinfo - Dump crash-dump information
deskscan - Poolscaner for tagDESKTOP (desktops)
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
drivermodule - Associate driver objects to kernel modules
driverscan - Pool scanner for driver objects
dumpcerts - Dump RSA private and public SSL keys
dumpfiles - Extract memory mapped and cached files
dumpregistry - Dumps registry files out to disk
editbox - Displays information about Edit controls. (Listbox experimental.)
envars - Display process environment variables
eventhooks - Print details on windows event hooks
evtlogs - Extract Windows Event Logs (XP/2003 only)
filescan - Pool scanner for file objects
gahti - Dump the USER handle type information
gditimers - Print installed GDI timers and callbacks
gdt - Display Global Descriptor Table
getservicesids - Get the names of services in the Registry and return Calculated SID
getsids - Print the SIDs owning each process
handles - Print list of open handles for each process
hashdump - Dumps passwords hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hivedump - Prints out a hive
hivelist - Print list of registry hives.
hivescan - Pool scanner for registry hives
hpakextract - Extract physical memory from an HPAK file
hpakinfo - Info on an HPAK file
idt - Display Interrupt Descriptor Table
iehistory - Reconstruct Internet Explorer cache / history
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
joblinks - Print process job link information
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
limeinfo - Dump Lime file format information
linuxapihooks - Checks for userland apihooks
linuxarp - Print the ARP table
linuxaslrshift - Automatically detect the Linux ASLR shift
linuxbanner - Prints the Linux banner information
linuxbash - Recover bash history from bash process memory
linuxbashenv - Recover a process' dynamic environment variables
linuxbashhash - Recover bash hash table from bash process memory
linuxcheckafinfo - Verifies the operation function pointers of network protocols
linuxcheckcreds - Checks if any processes are sharing credential structures
linuxcheckevtarm - Checks the Exception Vector Table to look for syscall table hooking
linuxcheckfop - Check file operation structures for rootkit modifications
linuxcheckidt - Checks if the IDT has been altered
linuxcheckinlinekernel - Check for inline kernel hooks
linuxcheckmodules - Compares module list to sysfs info, if available
linuxchecksyscall - Checks if the system call table has been altered
linuxchecksyscallarm - Checks if the system call table has been altered
linuxchecktty - Checks tty devices for hooks
linuxcpuinfo - Prints info about each active processor
linuxdentrycache - Gather files from the dentry cache
linuxdmesg - Gather dmesg buffer
linuxdumpmap - Writes selected memory mappings to disk
linuxdynamicenv - Recover a process' dynamic environment variables
linuxelfs - Find ELF binaries in process mappings
linuxenumeratefiles - Lists files referenced by the filesystem cache
linuxfindfile - Lists and recovers files from memory
linuxgetcwd - Lists current working directory of each process
linuxhiddenmodules - Carves memory to find hidden kernel modules
linuxifconfig - Gathers active interfaces
linuxinforegs - It's like 'info registers' in GDB. It prints out all the
linuxiomem - Provides output similar to /proc/iomem
linuxkernelopenedfiles - Lists files that are opened from within the kernel
linuxkeyboardnotifiers - Parses the keyboard notifier call chain
linuxldrmodules - Compares the output of proc maps with the list of libraries from libdl
linuxlibrarylist - Lists libraries loaded into a process
linuxlibrarydump - Dumps shared libraries in process memory to disk
linuxlistraw - List applications with promiscuous sockets
linuxlsmod - Gather loaded kernel modules
linuxlsof - Lists file descriptors and their path
linuxmalfind - Looks for suspicious process mappings
linuxmemmap - Dumps the memory map for linux tasks
linuxmoddump - Extract loaded kernel modules
linuxmount - Gather mounted fs/devices
linuxmountcache - Gather mounted fs/devices from kmemcache
linuxnetfilter - Lists Netfilter hooks
linuxnetscan - Carves for network connection structures
linuxnetstat - Lists open sockets
linuxpidhashtable - Enumerates processes through the PID hash table
linuxpktqueues - Writes per-process packet queues out to disk
linuxplthook - Scan ELF binaries' PLT for hooks to non-NEEDED images
linuxprocmaps - Gathers process memory maps
linuxprocmapsrb - Gathers process maps for linux through the mappings red-black tree
linuxprocdump - Dumps a process's executable image to disk
linuxprocesshollow - Checks for signs of process hollowing
linuxpsaux - Gathers processes along with full command line and start time
linuxpsenv - Gathers processes along with their static environment variables
linuxpslist - Gather active tasks by walking the taskstruct->task list
linuxpslistcache - Gather tasks from the kmemcache
linuxpsscan - Scan physical memory for processes
linuxpstree - Shows the parent/child relationship between processes
linuxpsxview - Find hidden processes with various process listings
linuxrecoverfilesystem - Recovers the entire cached file system from memory
linuxroutecache - Recovers the routing cache from memory
linuxskbuffcache - Recovers packets from the skbuff kmemcache
linuxslabinfo - Mimics /proc/slabinfo on a running machine
linuxstrings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
linuxthreads - Prints threads of processes
linuxtmpfs - Recovers tmpfs filesystems from memory
linuxtruecryptpassphrase - Recovers cached Truecrypt passphrases
linuxvmacache - Gather VMAs from the vmareastruct cache
linuxvolshell - Shell in the memory image
linuxyarascan - A shell in the Linux memory image
lsadump - Dump (decrypted) LSA secrets from the registry
macadium - Lists Adium messages
macapihooks - Checks for API hooks in processes
macapihookskernel - Checks to see if system call and kernel functions are hooked
macarp - Prints the arp table
macbash - Recover bash history from bash process memory
macbashenv - Recover bash's environment variables
macbashhash - Recover bash hash table from bash process memory
maccalendar - Gets calendar events from Calendar.app
maccheckfop - Validate File Operation Pointers
maccheckmigtable - Lists entires in the kernel's MIG table
macchecksyscallshadow - Looks for shadow system call tables
macchecksyscalls - Checks to see if system call table entries are hooked
macchecksysctl - Checks for unknown sysctl handlers
macchecktraptable - Checks to see if mach trap table entries are hooked
maccompressedswap - Prints Mac OS X VM compressor stats and dumps all compressed pages
maccontacts - Gets contact names from Contacts.app
macdeadprocs - Prints terminated/de-allocated processes
macdeadsockets - Prints terminated/de-allocated network sockets
macdeadvnodes - Lists freed vnode structures
macdevfs - Lists files in the file cache
macdmesg - Prints the kernel debug buffer
macdumpfile - Dumps a specified file
macdumpmaps - Dumps memory ranges of process(es), optionally including pages in compressed swap
macdyldmaps - Gets memory maps of processes from dyld data structures
macfindaslrshift - Find the ASLR shift value for 10.8+ images
macgetprofile - Automatically detect Mac profiles
macifconfig - Lists network interface information for all devices
macinteresthandlers - Lists IOKit Interest Handlers
macipfilters - Reports any hooked IP filters
mackernelclasses - Lists loaded c++ classes in the kernel
mackevents - Show parent/child relationship of processes
mackeychaindump - Recovers possbile keychain keys. Use chainbreaker to open related keychain files
macldrmodules - Compares the output of proc maps with the list of libraries from libdl
maclibrarydump - Dumps the executable of a process
maclistfiles - Lists files in the file cache
maclistkauthlisteners - Lists Kauth Scope listeners
maclistkauthscopes - Lists Kauth Scopes and their status
maclistraw - List applications with promiscuous sockets
maclistsessions - Enumerates sessions
maclistzones - Prints active zones
maclsmod - Lists loaded kernel modules
maclsmodiokit - Lists loaded kernel modules through IOkit
maclsmodkextmap - Lists loaded kernel modules
maclsof - Lists per-process opened files
macmachineinfo - Prints machine information about the sample
macmalfind - Looks for suspicious process mappings
macmemdump - Dump addressable memory pages to a file
macmoddump - Writes the specified kernel extension to disk
macmount - Prints mounted device information
macnetstat - Lists active per-process network connections
macnetworkconns - Lists network connections from kernel network structures
macnotesapp - Finds contents of Notes messages
macnotifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
macorphanthreads - Lists threads that don't map back to known modules/processes
macpgrphashtable - Walks the process group hash table
macpidhashtable - Walks the pid hash table
macprintbootcmdline - Prints kernel boot arguments
macprocmaps - Gets memory maps of processes
macprocdump - Dumps the executable of a process
macpsaux - Prints processes with arguments in user land (**argv)
macpsenv - Prints processes with environment in user land (**envp)
macpslist - List Running Processes
macpstree - Show parent/child relationship of processes
macpsxview - Find hidden processes with various process listings
macrecoverfilesystem - Recover the cached filesystem
macroute - Prints the routing table
macsocketfilters - Reports socket filters
macstrings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
mactasks - List Active Tasks
macthreads - List Process Threads
macthreadssimple - Lists threads along with their start time and priority
mactimers - Reports timers set by kernel drivers
mactrustedbsd - Lists malicious trustedbsd policies
macversion - Prints the Mac version
macvfsevents - Lists processes filtering file system events
macvolshell - Shell in the memory image
macyarascan - Scan memory for yara signatures
machoinfo - Dump Mach-O file format information
malfind - Find hidden and injected code
mbrparser - Scans for and parses potential Master Boot Records (MBRs)
memdump - Dump the addressable memory for a process
memmap - Print the memory map
messagehooks - List desktop and thread window message hooks
mftparser - Scans for and parses potential MFT entries
moddump - Dump a kernel driver to an executable file sample
modscan - Pool scanner for kernel modules
modules - Print list of loaded modules
multiscan - Scan for various objects at once
mutantscan - Pool scanner for mutex objects
netscan - Scan a Vista (or later) image for connections and sockets
notepad - List currently displayed notepad text
objtypescan - Scan for Windows object type objects
patcher - Patches memory based on page scans
poolpeek - Configurable pool scanner plugin
pooltracker - Show a summary of pool tag usage
printkey - Print a registry key, and its subkeys and values
privs - Display process privileges
procdump - Dump a process to an executable file sample
pslist - Print all running processes by following the EPROCESS lists
psscan - Pool scanner for process objects
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
qemuinfo - Dump Qemu information
raw2dmp - Converts a physical memory sample to a windbg crash dump
screenshot - Save a pseudo-screenshot based on GDI windows
servicediff - List Windows services (ala Plugx)
sessions - List details on _MMSESSION_SPACE (user logon sessions)
shellbags - Prints ShellBags info
shimcache - Parses the Application Compatibility Shim Cache registry key
shutdowntime - Print ShutdownTime of machine from registry
sockets - Print list of open sockets
sockscan - Pool scanner for tcp socket objects
ssdt - Display SSDT entries
strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan - Scan for Windows services
symlinkscan - Pool scanner for symlink objects
thrdscan - Pool scanner for thread objects
threads - Investigate _ETHREAD and _KTHREADs
timeliner - Creates a timeline from various artifacts in memory
timers - Print kernel timers and associated module DPCs
truecryptmaster - Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase - TrueCrypt Cached Passphrase Finder
truecryptsummary - TrueCrypt Summary
unloadedmodules - Print list of unloaded modules
userassist - Print userassist registry keys and information
userhandles - Dump the USER handle tables
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
vboxinfo - Dump virtualbox information
verinfo - Prints out the version information from PE images
vmwareinfo - Dump VMware VMSS/VMSN information
volshell - Shell in the memory image
win10cookie - Find the ObHeaderCookie value for Windows 10
windows - Print Desktop Windows (verbose details)
wintree - Print Z-Order Desktop Windows Tree
wndscan - Pool scanner for window stations
yarascan - Scan process or kernel memory with Yara signatures
$ python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw
Volatility Foundation Volatility Framework 2.6
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf800016460a0
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80001647d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2012-03-24 19:30:53 UTC+0000
     Image local date and time : 2012-03-25 03:30:53 +0800
If multiple profiles are suggested by imageinfo or kdbgscan, or if you're having trouble analyzing Windows 7 or later memory samples, please see the guidelines here:
Run some other plugins. -f is a required option for all plugins. Some also require/accept other options. Run "python vol.py -h" for more information on a particular command. A Command Reference wiki is also available on the GitHub site:
as well as Basic Usage:
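A typical next step after imageinfo is to run pslist and psscan with the chosen profile and compare them, which is the cross-view idea behind psxview. The following is an added example, not Volatility code: it parses constructed pslist and psscan output (invented values laid out in the 2.6 column format, profile Win7SP0x64 assumed) and classifies every process the pool scanner finds but the linked-list walk does not.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed `python vol.py pslist --profile=Win7SP0x64 -f <image>` output
# (column layout of Volatility 2.6, values invented for this example).
PSLIST_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c9ab30 System                    4      0     78      489 ------      0 2012-03-24 19:27:07 UTC+0000
0xfffffa80019f3b30 csrss.exe               348    340      9      425      0      0 2012-03-24 19:27:12 UTC+0000
0xfffffa8001c07b30 explorer.exe           1584   1572     19      660      1      0 2012-03-24 19:27:20 UTC+0000
"""

# Constructed `python vol.py psscan --profile=Win7SP0x64 -f <image>` output.
PSSCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000007d5b0b30 System                4      0 0x0000000000187000 2012-03-24 19:27:07 UTC+0000
0x000000007e0f3b30 csrss.exe           348    340 0x00000000a23cd000 2012-03-24 19:27:12 UTC+0000
0x000000007e407b30 explorer.exe       1584   1572 0x00000000b9a1c000 2012-03-24 19:27:20 UTC+0000
0x000000007e8a1b30 notepad.exe        2044   1584 0x00000000c0d12000 2012-03-24 19:28:01 UTC+0000   2012-03-24 19:29:40 UTC+0000
0x000000007ec55b30 hidden.exe         2188    340 0x00000000c1e44000 2012-03-24 19:28:30 UTC+0000
"""

# Both tables start each row with offset, name, PID, PPID; the remaining columns
# differ per plugin, so only timestamps are pulled from them. Assumes no spaces in the name.
_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.*)$")
_TIME = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+0000")


@dataclass
class Proc:
    offset: int
    name: str
    pid: int
    ppid: int
    created: str
    exited: str  # empty when the process was still running at acquisition


def parse_table(text: str) -> Dict[int, Proc]:
    """Parse pslist or psscan text into {pid: Proc}. Keying by PID suffices
    for one snapshot; psxview itself keys on the physical offset."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, header or separator line
        times = _TIME.findall(m.group(5))
        pid = int(m.group(3))
        procs[pid] = Proc(int(m.group(1), 16), m.group(2), pid, int(m.group(4)),
                          times[0] if times else "", times[1] if len(times) > 1 else "")
    return procs


def cross_view(pslist: Dict[int, Proc], psscan: Dict[int, Proc]) -> Dict[str, List[Proc]]:
    """Classify psscan hits that pslist does not show: 'exited' ones carry an
    exit time and their pool block simply has not been reused yet; 'hidden'
    ones look alive but are unlinked from the list, the pattern psxview flags."""
    report: Dict[str, List[Proc]] = {"exited": [], "hidden": [], "only_in_pslist": []}
    for pid, p in psscan.items():
        if pid not in pslist:
            report["exited" if p.exited else "hidden"].append(p)
    # The reverse gap (scanner missed a smeared pool header) is rare but worth listing.
    report["only_in_pslist"] = [p for pid, p in pslist.items() if pid not in psscan]
    return report


if __name__ == "__main__":
    for label, procs in cross_view(parse_table(PSLIST_OUTPUT), parse_table(PSSCAN_OUTPUT)).items():
        for p in procs:
            print(f"{label:15s} pid={p.pid:<5} ppid={p.ppid:<5} {p.name}")
```

Anything reported as hidden is a candidate for the per-process plugins listed above (dlllist, handles, malfind, procdump) before drawing conclusions.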
Copyright (C) 2007-2016 Volatility Foundation
All Rights Reserved
Volatility is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
Volatility is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with Volatility. If not, see http://www.gnu.org/licenses/.
There is no support provided with Volatility. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
If you think you've found a bug, please report it at:
In order to help us solve your issues as quickly as possible, please include the following information when filing a bug:
Depending on the operating system of the memory image, you may need to provide additional information, such as:
For Windows:
  * The suspected Service Pack of the memory image

For Linux:
  * The suspected kernel version of the memory image
Other options for communication can be found at: https://github.com/volatilityfoundation/volatility/wiki
Volatility Foundation makes no claims about the validity or correctness of the output of Volatility. Many factors may contribute to the incorrectness of output from Volatility including, but not limited to, malicious modifications to the operating system, incomplete information due to swapping, and information corruption on image acquisition.
The following url contains a reference of all commands supported by Volatility.