volatility (1)


NAME

volatility - advanced memory forensics framework

SYNOPSIS

volatility [option]
volatility [plugin] -f [image] --profile=[profile]

DESCRIPTION

The Volatility Framework is a completely open collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples. It is useful in forensic analysis. The extraction techniques are performed completely independently of the system being investigated, yet offer unprecedented visibility into the runtime state of that system.

Currently, volatility supports several versions of MS Windows, Linux and Mac OS X:

    Windows
        32-bit Windows XP Service Pack 2 and 3
        32-bit Windows 2003 Server Service Pack 0, 1, 2
        32-bit Windows Vista Service Pack 0, 1, 2
        32-bit Windows 2008 Server Service Pack 1, 2
        32-bit Windows 7 Service Pack 0, 1
        64-bit Windows XP Service Pack 1 and 2
        64-bit Windows 2003 Server Service Pack 1 and 2
        64-bit Windows Vista Service Pack 0, 1, 2
        64-bit Windows 2008 Server Service Pack 1 and 2
        64-bit Windows 2008 R2 Server Service Pack 0 and 1
        64-bit Windows 7 Service Pack 0 and 1
    Linux
        32-bit Linux kernels 2.6.11 to 3.5
        64-bit Linux kernels 2.6.11 to 3.5
        OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
    Mac OSX
        32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
        32-bit 10.6.x Snow Leopard
        64-bit 10.6.x Snow Leopard
        32-bit 10.7.x Lion
        64-bit 10.7.x Lion
        64-bit 10.8.x Mountain Lion (there is no 32-bit version)

The supported address spaces (RAM types) are:

    FileAddressSpace - This is a direct file AS
    Standard Intel x86 address spaces
        IA32PagedMemoryPae
        IA32PagedMemory
    AMD64PagedMemory - This AS supports AMD 64-bit address spaces
    WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format (x86)
    WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format (x64)
    WindowsHiberFileSpace32 - This AS supports windows hibernation files (x86 and x64)
    EWFAddressSpace - This AS supports expert witness (EWF) files
    FirewireAddressSpace - This AS supports direct memory access over firewire
    LimeAddressSpace - This AS supports LiME (Linux Memory Extractor)
    MachOAddressSpace - This AS supports 32- and 64-bit Mac OSX memory dumps
    ArmAddressSpace - This AS supports memory dumps from 32-bit ARM (there is no 64-bit ARM yet)
    VirtualBoxCoreDumpElf64 - This AS supports memory dumps from VirtualBox virtual machines
    VMware Snapshot - This AS supports VMware saved state (.vmss) and VMware snapshot (.vmsn) files. Note: these are not raw memory dumps like the typical .vmem files.
    HPAKAddressSpace - This AS supports ".hpak" files produced by H.B. Gary's FDPro tool.

You can get RAM images for tests at https://code.google.com/p/volatility/wiki/SampleMemoryImages.

OPTIONS

-h, --help
list all available options and their default values. Default values may be set in the configuration file (/etc/volatilityrc)

--conf-file=/root/.volatilityrc
User based configuration file

-d, --debug
Debug volatility
--plugins=PLUGINS
Additional plugin directories to use (colon separated)
--info
Print information about all registered objects
--cache-directory=/root/.cache/volatility
Directory where cache files are stored
--cache
Use caching
--tz=TZ
Sets the timezone for displaying timestamps
-f FILENAME, --filename=FILENAME
Filename to use when opening an image
--profile=WinXPSP2x86
Name of the profile to load
-l LOCATION, --location=LOCATION
A URN location from which to load an address space
-w, --write
Enable write support
--dtb=DTB
DTB Address
--cache-dtb
Cache virtual to physical mappings
--output=text
Output in this format (format support is module specific)
--output-file=OUTPUT_FILE
Write output to this file
-v, --verbose
Verbose information
--shift=SHIFT
Mac KASLR shift address
-g KDBG, --kdbg=KDBG
Specify a specific KDBG virtual address
-k KPCR, --kpcr=KPCR
Specify a specific KPCR address

PLUGINS

The supported plugins are:

    Windows
        Image Identification
            imageinfo - Identify information for the image
            kdbgscan - Search for and dump potential KDBG values
            kpcrscan - Search for and dump potential _KPCR values
        Process and DLLs
            pslist - Print active processes by following the _EPROCESS list
            pstree - Print process list as a tree
            psscan - Scan Physical memory for _EPROCESS pool allocations
            psdispscan - Scan Physical memory for _EPROCESS objects based on Dispatch Headers (Windows XP x86 only)
            dlllist - Print list of loaded DLLs for each process
            dlldump - Dump DLLs from a process address space
            handles - Print list of open handles for each process
            getsids - Print the SIDs owning each process
            verinfo - Print a PE file's version information
            enumfunc - Enumerate a PE file's imports and exports
            envars - Display process environment variables
            cmdscan - Extract command history by scanning for _COMMAND_HISTORY
            consoles - Extract command history by scanning for _CONSOLE_INFORMATION
            privs - Identify the present and/or enabled windows privileges for each process
        Process Memory
            memmap - Print the memory map
            memdump - Dump the addressable memory for a process
            procexedump - Dump a process to an executable file
            procmemdump - Dump a process to an executable memory sample
            vadwalk - Walk the VAD tree
            vadtree - Walk the VAD tree and display in tree format
            vadinfo - Dump the VAD info
            vaddump - Dumps out the vad sections to a file
            evtlogs - Parse XP and 2003 event logs from memory
            iehistory - Extract and parse Internet Explorer history and URL cache
        Kernel Memory and Objects
            modules - Print list of loaded modules
            modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
            moddump - Extract a kernel driver to disk
            ssdt - Print the Native and GDI System Service Descriptor Tables
            driverscan - Scan physical memory for _DRIVER_OBJECT objects
            filescan - Scan physical memory for _FILE_OBJECT objects
            mutantscan - Scan physical memory for _KMUTANT objects
            symlinkscan - Scans for symbolic link objects
            thrdscan - Scan physical memory for _ETHREAD objects
            dumpfiles - Reconstruct files from the windows cache manager and shared section objects
            unloadedmodules - Show recently unloaded kernel modules (which indirectly tells you which ones recently loaded)
        Win32k / GUI Memory
            sessions - List details on _MM_SESSION_SPACE (user logon sessions)
            wndscan - Pool scanner for tagWINDOWSTATION (window stations)
            deskscan - Pool scanner for tagDESKTOP (desktops)
            atomscan - Pool scanner for _RTL_ATOM_TABLE
            atoms - Print session and window station atom tables
            clipboard - Extract the contents of the windows clipboard
            eventhooks - Print details on windows event hooks
            gahti - Dump the USER handle type information
            messagehooks - List desktop and thread window message hooks
            screenshot - Save a pseudo-screenshot based on GDI windows
            userhandles - Dump the USER handle tables
            windows - Print Desktop Windows (verbose details)
            wintree - Print Z-Order Desktop Windows Tree
            gditimers - Analyze GDI timer objects and their callbacks
        Networking
            connections - Print open connections (XP and 2003 only)
            connscan - Scan Physical memory for _TCPT_OBJECT objects (XP and 2003 only)
            sockets - Print open sockets (XP and 2003 only)
            sockscan - Scan Physical memory for _ADDRESS_OBJECT (XP and 2003 only)
            netscan - Scan physical memory for network objects (Vista, 2008, and 7)
        Registry
            hivescan - Scan Physical memory for _CMHIVE objects
            hivelist - Print list of registry hives
            printkey - Print a registry key, and its subkeys and values
            hivedump - Recursively prints all keys and timestamps in a given hive
            hashdump - Dumps password hashes (LM/NTLM) from memory (x86 only)
            lsadump - Dump (decrypted) LSA secrets from the registry (XP and 2003 x86 only)
            userassist - Parses and outputs UserAssist keys from the registry
            shimcache - Parses the Application Compatibility Shim Cache registry key
            getservicesids - Calculate SIDs for windows services in the registry
            shellbags - This plugin parses and prints Shellbag information obtained from the registry
        File Formats
            crashinfo - Dump crash-dump information
            hibinfo - Dump hibernation file information
            imagecopy - Copies a physical address space out as a raw DD image
            raw2dmp - Converts a physical memory sample to a windbg crash dump
            vboxinfo - Display header and memory runs information from VirtualBox core dumps
            vmwareinfo - Display header and memory runs information from VMware vmss or vmsn files
            hpakinfo - Display header and memory runs information from .hpak files
            hpakextract - Extract (and decompress if necessary) the raw physical memory dump from an .hpak file
        Malware
            malfind - Find hidden and injected code
            svcscan - Scan for Windows services
            ldrmodules - Detect unlinked DLLs
            impscan - Scan for calls to imported functions
            apihooks - Detect API hooks in process and kernel memory (x86 only)
            idt - Dumps the Interrupt Descriptor Table (x86 only)
            gdt - Dumps the Global Descriptor Table (x86 only)
            threads - Investigate _ETHREAD and _KTHREADs
            callbacks - Print system-wide notification routines (x86 only)
            driverirp - Driver IRP hook detection
            devicetree - Show device tree
            psxview - Find hidden processes with various process listings
            timers - Print kernel timers and associated module DPCs (x86 only)
        File System
            mbrparser - Scans for and parses potential Master Boot Records (MBRs)
            mftparser - Scans for and parses potential MFT entries 
        Miscellaneous
            strings - Match physical offsets to virtual addresses
            volshell - Shell to interactively explore a memory image
            bioskbd - Reads the keyboard buffer from Real Mode memory
            patcher - Patches memory based on page scans
            timeliner - Produce timelines in body file format, excel 2007 spreadsheets, or text
            dumpcerts - Extract SSL private and public keys/certs 
    Linux/Android
        Processes
            linux_pslist - Gather active tasks by walking the task_struct->task list
            linux_psaux - Gathers processes along with full command line and start time
            linux_pstree - Shows the parent/child relationship between processes
            linux_pslist_cache - Gather tasks from the kmem_cache
            linux_pidhashtable - Enumerates processes through the PID hash table
            linux_psxview - Find hidden processes with various process listings
            linux_lsof - Lists open files 
        Process Memory
            linux_memmap - Dumps the memory map for linux tasks
            linux_proc_maps - Gathers process maps for linux
            linux_dump_map - Writes selected process memory mappings to disk
            linux_bash - Recover bash history from bash process memory 
        Kernel Memory and Objects
            linux_lsmod - Gather loaded kernel modules
            linux_tmpfs - Recovers tmpfs filesystems from memory
            linux_moddump - Extract an LKM from memory to disk (.text segment only) 
        Networking
            linux_arp - Print the ARP table
            linux_ifconfig - Gathers active interfaces
            linux_netstat - Lists open sockets
            linux_route_cache - Recovers the routing cache from memory
            linux_pkt_queues - Writes per-process packet queues out to disk
            linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache 
        Malware/Rootkits
            linux_check_afinfo - Verifies the operation function pointers of network protocols
            linux_check_creds - Checks if any processes are sharing credential structures
            linux_check_fop - Check file operation structures for rootkit modifications
            linux_check_idt - Checks if the IDT has been altered
            linux_check_modules - Compares module list to sysfs info, if available
            linux_check_syscall - Checks if the system call table has been altered
            linux_check_syscall_arm - Checks if the system call table has been altered (ARM)
            linux_check_tty - Check TTY devices for rootkit hooks
            linux_check_evt_arm - Check ARM exception vector table for hooks 
        System Information
            linux_cpuinfo - Prints info about each active processor
            linux_dmesg - Gather dmesg buffer
            linux_iomem - Provides output similar to /proc/iomem
            linux_mount - Gather mounted fs/devices
            linux_mount_cache - Gather mounted fs/devices from kmem_cache
            linux_slabinfo - Mimics /proc/slabinfo on a running machine
            linux_dentry_cache - Gather files from the dentry cache
            linux_find_file - Extract cached file contents from memory via inodes
            linux_vma_cache - Gather VMAs from the vm_area_struct cache
            linux_keyboard_notifier - Parses the keyboard notifier call chain 
        Miscellaneous
            linux_volshell - Shell to interactively explore Linux/Android memory captures
            linux_yarascan - Scan process and kernel memory with yara signatures 
    Mac OSX
        Processes
            mac_pslist - List running processes
            mac_tasks - List active tasks
            mac_pstree - Show parent/child relationship of processes
            mac_lsof - Lists per-process open files
            mac_pgrp_hash_table - Walks the process group hash table
            mac_pid_hash_table - Walks the pid hash table
            mac_dead_procs - List dead/terminated processes
            mac_psaux - Prints processes with their command-line arguments (argv)
        Process Memory
            mac_proc_maps - Print information on allocated process memory ranges
            mac_dump_maps - Dumps memory ranges of processes 
        Kernel Memory and Objects
            mac_list_sessions - Enumerates sessions
            mac_list_zones - Enumerates zones (allocated/freed object counts)
            mac_lsmod - Lists loaded kernel modules
            mac_mount - Prints mounted device information 
        Networking
            mac_arp - Prints the arp table
            mac_ifconfig - Lists network interface information for all devices
            mac_netstat - Lists active per-process network connections
            mac_route - Prints the routing table 
        Malware/Rootkits
            mac_check_sysctl - Check for unknown sysctl handlers
            mac_check_syscalls - Check for hooked syscall table entries
            mac_check_trap_table - Checks to see if mach trap table entries are hooked
            mac_ip_filters - Reports any hooked IP filters
            mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
            mac_trustedbsd - List malicious trustedbsd policies 
        System Information
            mac_dmesg - Prints the kernel debug buffers
            mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
            mac_machine_info - Prints machine information about the sample
            mac_version - Prints the Mac version
            mac_print_boot_cmdline - Prints the mac boot command line 
        Miscellaneous
            mac_volshell - Shell to interactively explore mac memory captures
            machoinfo - Display header and memory runs for Mach-O memory dumps
            mac_yarascan - Scan for Yara signatures in process or kernel memory

PROFILES

Profiles are maps used by volatility to understand the operating systems it analyzes. The profiles provided by volatility are:
VistaSP0x64
- A Profile for Windows Vista SP0 x64
VistaSP0x86
- A Profile for Windows Vista SP0 x86
VistaSP1x64
- A Profile for Windows Vista SP1 x64
VistaSP1x86
- A Profile for Windows Vista SP1 x86
VistaSP2x64
- A Profile for Windows Vista SP2 x64
VistaSP2x86
- A Profile for Windows Vista SP2 x86
Win2003SP0x86
- A Profile for Windows 2003 SP0 x86
Win2003SP1x64
- A Profile for Windows 2003 SP1 x64
Win2003SP1x86
- A Profile for Windows 2003 SP1 x86
Win2003SP2x64
- A Profile for Windows 2003 SP2 x64
Win2003SP2x86
- A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64
- A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64
- A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64
- A Profile for Windows 2008 SP1 x64
Win2008SP1x86
- A Profile for Windows 2008 SP1 x86
Win2008SP2x64
- A Profile for Windows 2008 SP2 x64
Win2008SP2x86
- A Profile for Windows 2008 SP2 x86
Win7SP0x64
- A Profile for Windows 7 SP0 x64
Win7SP0x86
- A Profile for Windows 7 SP0 x86
Win7SP1x64
- A Profile for Windows 7 SP1 x64
Win7SP1x86
- A Profile for Windows 7 SP1 x86
WinXPSP1x64
- A Profile for Windows XP SP1 x64
WinXPSP2x64
- A Profile for Windows XP SP2 x64
WinXPSP2x86
- A Profile for Windows XP SP2 x86
WinXPSP3x86
- A Profile for Windows XP SP3 x86

To determine the OS type, you can use:

# volatility -f <image> imageinfo
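The profile-selection step above, as an added example that is not part of volatility or this manpage: a Python script that parses a constructed imageinfo output, picks the suggested profile whose SPn matches the reported "Image Type (Service Pack)" (a heuristic of this example, not volatility's own choice; imageinfo itself instantiates the first suggestion), and assembles the command line from the SYNOPSIS with --kdbg and --dtb pinned from the same output. The sample text and the image path /cases/constructed.raw are constructed.

```python
import re
import shlex

# Constructed sample of `volatility -f <image> imageinfo` output (not a real capture).
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.3
Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/constructed.raw)
                           DTB : 0x319000L
                          KDBG : 0x80545ae0L
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
"""

def parse_imageinfo(text):
    # imageinfo prints right-aligned "key : value" lines; banner lines have no " : ".
    info = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            info[key.strip()] = value.strip()
    return info

def suggested_profiles(info):
    # "A, B (Instantiated with A)" -> ["A", "B"]; the trailer names the one imageinfo used.
    field = re.sub(r"\s*\(Instantiated with .*\)$", "", info.get("Suggested Profile(s)", ""))
    return [p.strip() for p in field.split(",") if p.strip()]

def choose_profile(info):
    # Heuristic of this example (not volatility's own logic): prefer the suggestion whose
    # SPn matches the reported service pack, since imageinfo instantiates the first match.
    profiles = suggested_profiles(info)
    if not profiles:
        raise ValueError("imageinfo reported no suggested profiles")
    sp = info.get("Image Type (Service Pack)")
    for p in profiles:
        if sp and "SP%s" % sp in p:
            return p
    return profiles[0]

def build_command(info, image, plugin):
    # Synopsis form: volatility [plugin] -f [image] --profile=[profile], with --kdbg and
    # --dtb pinned from the same output so later plugins reuse them instead of rescanning.
    argv = ["volatility", plugin, "-f", image, "--profile=" + choose_profile(info)]
    for key, opt in (("KDBG", "--kdbg"), ("DTB", "--dtb")):
        if key in info:
            argv.append("%s=%s" % (opt, info[key].rstrip("L")))  # "L" is Python 2's long suffix
    return argv

if __name__ == "__main__":
    cmd = build_command(parse_imageinfo(SAMPLE_IMAGEINFO), "/cases/constructed.raw", "pslist")
    print(" ".join(shlex.quote(a) for a in cmd))
```

Pinning --kdbg matters when several KDBG candidates exist (see kdbgscan): every plugin then walks the same structures that imageinfo identified.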

You must create your own profiles for Linux and Mac. For this, please see:

Linux: https://code.google.com/p/volatility/wiki/LinuxMemoryForensics#Creating_a_profile
MAC: https://code.google.com/p/volatility/wiki/MacMemoryForensics#Building_a_Profile

NOTES

This manpage was based on several official documents about volatility. For other information and tutorials, see:

https://code.google.com/p/volatility/wiki/VolatilityUsage23

AUTHOR

volatility was written by several contributors. For contact, use the mail <volatility@volatilityfoundation.org>.

This manual page was written by Joao Eriberto Mota Filho <eriberto@eriberto.pro.br> for the Debian project (but may be used by others).