| Name | Date | Size | #Lines | LOC |
|------|------|------|--------|-----|
| .. | 03-May-2022 | - | | |
| .github/ISSUE_TEMPLATE/ | 10-May-2020 | - | 49 | 34 |
| development/ | 10-May-2020 | - | 997 | 859 |
| doc/ | 10-May-2020 | - | 1,137 | 678 |
| volatility/ | 10-May-2020 | - | 34,360 | 28,397 |
| .gitignore | 10-May-2020 | 391 | 30 | 23 |
| .readthedocs.yml | 10-May-2020 | 532 | 23 | 18 |
| .style.yapf | 10-May-2020 | 7.8 KiB | 262 | 215 |
| MANIFEST.in | 10-May-2020 | 177 | 7 | 6 |
| README.md | 10-May-2020 | 4.5 KiB | 126 | 80 |
| mypy.ini | 10-May-2020 | 79 | 5 | 4 |
| setup.py | 10-May-2020 | 2 KiB | 41 | 34 |
| vol.py | 10-May-2020 | 288 | 11 | 3 |
| vol.spec | 10-May-2020 | 5.3 KiB | 111 | 48 |
| volshell.py | 10-May-2020 | 296 | 11 | 3 |
| volshell.spec | 10-May-2020 | 2.9 KiB | 67 | 49 |

README.md

# Volatility 3: The volatile memory extraction framework

Volatility is the world’s most widely used framework for extracting digital
artifacts from volatile memory (RAM) samples. The extraction techniques are
performed completely independently of the system being investigated but offer
visibility into the runtime state of the system. The framework is intended
to introduce people to the techniques and complexities associated with
extracting digital artifacts from volatile memory samples and provide a
platform for further work into this exciting area of research.

In 2019, the Volatility Foundation released a complete rewrite of the
framework, Volatility 3. The project was intended to address many of the
technical and performance challenges associated with the original
code base that became apparent over the previous 10 years. Another benefit
of the rewrite is that Volatility 3 could be released under a custom
license that was more aligned with the goals of the Volatility community,
the Volatility Software License (VSL). See the [LICENSE](LICENSE.txt) file for more details.

## Requirements

- Python 3.5.3 or later. <https://www.python.org>
- Pefile 2017.8.1 or later. <https://pypi.org/project/pefile/>

## Optional Dependencies

- yara-python 3.8.0 or later (required by the yarascan plugins). <https://github.com/VirusTotal/yara-python>
- capstone 3.0.0 or later (used to render disassembly, for example in malfind output and in volshell). <https://www.capstone-engine.org/download.html>

## Downloading Volatility

The latest stable version of Volatility will always be the master branch of the GitHub repository. You can get the latest version of the code using the following command:

```shell
git clone https://github.com/volatilityfoundation/volatility3.git
```

## Quick Start

1. Clone the latest version of Volatility from GitHub:

    ```shell
    git clone https://github.com/volatilityfoundation/volatility3.git
    ```

2. See available options:

    ```shell
    python3 vol.py -h
    ```

3. To get more information on a Windows memory sample and to make sure
   Volatility supports that sample type, run
   `python3 vol.py -f <imagepath> windows.info`

   Example:

    ```shell
    python3 vol.py -f /home/user/samples/stuxnet.vmem windows.info
    ```

4. Run some other plugins. The `-f` or `--single-location` option is not strictly
   required, but most plugins expect a single sample. Some also
   require/accept other options. Run `python3 vol.py <plugin> -h`
   for more information on a particular command.

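The Quick Start steps as one repeatable script, added here as an example and not part of the Volatility 3 code base: it hashes the image before anything else touches it (so the report is tied to exactly one sample), runs `windows.info` first as the support check from step 3, and only then runs a plugin list, keeping each plugin's stdout and stderr. It assumes `vol.py` is at the path you pass (default: `vol.py` in the current directory), that a non-zero exit status from `vol.py` means the plugin did not complete, and, for the optional `renderer` argument, that your build accepts `-r json`. The plugin list and the `triage.py` file name are placeholders; pick plugins from `python3 vol.py -h` for your build.

```python
"""Batch triage around vol.py: hash the sample, confirm support, then run plugins.

Added example, not part of Volatility 3. Assumes vol.py is at the path given
(default "vol.py") and that a non-zero exit status means the plugin failed.
"""
import hashlib
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Placeholder plugin list; choose from `python3 vol.py -h` for your build.
DEFAULT_PLUGINS = ["windows.pslist", "windows.pstree", "windows.dlllist", "windows.malfind"]


def sha256_file(path, chunk_size=1 << 20):
    """Hash the image in chunks so multi-GB samples never have to fit in memory."""
    digest = hashlib.sha256()
    with open(str(path), "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_command(image, plugin, vol_py="vol.py", renderer=None, python=sys.executable):
    """Equivalent of `python3 vol.py -f <image> <plugin>`.

    Global options (-f, -r) go before the plugin name; plugin-specific options
    would follow it. `-r <renderer>` is assumed to be accepted by your build.
    """
    cmd = [python, str(vol_py), "-f", str(image)]
    if renderer:
        cmd += ["-r", renderer]
    cmd.append(plugin)
    return cmd


def run_plugin(image, plugin, outdir, vol_py="vol.py", timeout=3600):
    """Run one plugin, keeping stdout and stderr per plugin; True on exit status 0."""
    outdir = Path(outdir)
    with open(str(outdir / (plugin + ".txt")), "w") as out, \
            open(str(outdir / (plugin + ".err")), "w") as err:
        proc = subprocess.run(build_command(image, plugin, vol_py),
                              stdout=out, stderr=err, timeout=timeout)
    return proc.returncode == 0


def triage(image, outdir, vol_py="vol.py", plugins=DEFAULT_PLUGINS):
    """Record the image hash, gate on windows.info, then run the plugin list."""
    image, outdir = Path(image), Path(outdir)
    if not image.is_file():
        raise FileNotFoundError(str(image))
    outdir.mkdir(parents=True, exist_ok=True)
    # Hash before analysis: the report can then be tied to exactly this sample.
    with open(str(outdir / "image.sha256"), "w") as fh:
        fh.write("{}  {}\n".format(sha256_file(image), image.name))
    results = {"windows.info": run_plugin(image, "windows.info", outdir, vol_py)}
    if not results["windows.info"]:
        # Unsupported or misidentified sample: the other plugins would only add noise.
        return results
    for plugin in plugins:
        results[plugin] = run_plugin(image, plugin, outdir, vol_py)
    return results


def demo_hash():
    """Self-check of the hashing path on a constructed file (not a memory image)."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"abc")
    os.close(fd)
    try:
        return sha256_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: triage.py <image> <outdir> [path/to/vol.py]")
    vol = sys.argv[3] if len(sys.argv) > 3 else "vol.py"
    for name, ok in triage(sys.argv[1], sys.argv[2], vol).items():
        print("{:<20} {}".format(name, "ok" if ok else "FAILED"))
```

Gating on `windows.info` matters more than it looks: if the framework cannot identify the sample, every later plugin fails in the same way, and the per-plugin `.err` files are what tell you whether the problem is the image, a missing symbol table, or a plugin option.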
## Symbol Tables

Symbol table packs for the various operating systems are available for download at:

- <https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip>
- <https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip>
- <https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip>

Symbol table zip files must be placed, as named, into the `volatility/symbols` directory (or just the symbols directory next to the executable file).

Windows symbols that cannot be found will be queried, downloaded, generated and cached. This needs network access from the machine running Volatility; on an isolated analysis system, put the required tables into the symbols directory beforehand. Mac and Linux symbol tables must be manually produced by a tool such as [dwarf2json](https://github.com/volatilityfoundation/dwarf2json).

Please note: these packs are representative and are complete up to the point of creation for Windows and Mac. Because Linux kernels are easy to recompile and cannot be uniquely distinguished, an exhaustive set of Linux symbol tables cannot easily be supplied.
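
What a symbol table contains, and the lookups the framework performs against it, shown on a constructed table. This is an added example, not Volatility's own symbol-loading code: `SAMPLE_ISF` follows the ISF JSON layout (`metadata`, `base_types`, `user_types`, `enums`, `symbols`) that the packs above and dwarf2json produce, but its struct names, sizes, field offsets and the `init_task` address are made up for illustration. The helpers resolve member offsets (including nested members), walk back from a list member to its containing struct the way a process-list walker does, and flag fields that overrun their struct, which is the first thing worth checking in a hand-converted Linux table.

```python
"""Inspect an ISF symbol table: type sizes, member offsets, container_of, sanity check.

Added example, not Volatility's own code. SAMPLE_ISF follows the ISF JSON layout,
but every name, size, offset and address in it is constructed for illustration.
"""
import copy
import json

SAMPLE_ISF = {
    "metadata": {"format": "6.2.0", "producer": {"name": "constructed-example", "version": "0"}},
    "base_types": {
        "int":     {"size": 4, "signed": True,  "kind": "int",  "endian": "little"},
        "char":    {"size": 1, "signed": True,  "kind": "char", "endian": "little"},
        "pointer": {"size": 8, "signed": False, "kind": "int",  "endian": "little"},
    },
    "user_types": {
        "list_head": {"kind": "struct", "size": 16, "fields": {
            "next": {"offset": 0, "type": {"kind": "pointer", "subtype": {"kind": "struct", "name": "list_head"}}},
            "prev": {"offset": 8, "type": {"kind": "pointer", "subtype": {"kind": "struct", "name": "list_head"}}},
        }},
        "task_struct": {"kind": "struct", "size": 64, "fields": {
            "pid":   {"offset": 0,  "type": {"kind": "base", "name": "int"}},
            "tasks": {"offset": 8,  "type": {"kind": "struct", "name": "list_head"}},
            "comm":  {"offset": 24, "type": {"kind": "array", "count": 16, "subtype": {"kind": "base", "name": "char"}}},
            "mm":    {"offset": 40, "type": {"kind": "pointer", "subtype": {"kind": "struct", "name": "mm_struct"}}},
        }},
    },
    "enums": {},
    # Constructed address, not a real kernel's init_task.
    "symbols": {"init_task": {"address": 0xffffffff81e11c00, "type": {"kind": "struct", "name": "task_struct"}}},
}

# A copy with one deliberately broken field: 'mm' now ends at byte 68 of a 64-byte struct.
BROKEN_ISF = copy.deepcopy(SAMPLE_ISF)
BROKEN_ISF["user_types"]["task_struct"]["fields"]["mm"]["offset"] = 60


def load_isf(path):
    """Load one ISF JSON file (the symbol packs are zips of such files)."""
    with open(path) as fh:
        return json.load(fh)


def type_size(isf, t):
    """Byte size of a type descriptor; pointers take their size from base_types."""
    kind = t["kind"]
    if kind == "base":
        return isf["base_types"][t["name"]]["size"]
    if kind in ("struct", "union"):
        return isf["user_types"][t["name"]]["size"]
    if kind == "pointer":
        return isf["base_types"]["pointer"]["size"]
    if kind == "array":
        return t["count"] * type_size(isf, t["subtype"])
    if kind == "enum":
        return isf["enums"][t["name"]]["size"]
    raise ValueError("unsupported type kind {!r}".format(kind))


def member_offset(isf, struct_name, path):
    """Offset of a dotted member path, e.g. 'tasks.next' inside task_struct."""
    offset, current = 0, struct_name
    parts = path.split(".")
    for i, name in enumerate(parts):
        if current is None:  # previous segment was not a struct/union
            raise KeyError("{} is not a struct, cannot descend into {!r}".format(parts[i - 1], name))
        fields = isf["user_types"][current]["fields"]
        if name not in fields:
            raise KeyError("{} has no member {!r}".format(current, name))
        field = fields[name]
        offset += field["offset"]
        t = field["type"]
        current = t["name"] if t["kind"] in ("struct", "union") else None
    return offset


def container_of(isf, struct_name, member, member_address):
    """Address of the enclosing struct given the address of one of its members.

    A list walker uses exactly this to turn the address of task_struct.tasks
    back into the task_struct that contains it.
    """
    return member_address - member_offset(isf, struct_name, member)


def check_fields_in_bounds(isf):
    """(struct, field, field_end, struct_size) for every field that overruns its struct."""
    problems = []
    for sname, s in isf["user_types"].items():
        for fname, f in s["fields"].items():
            end = f["offset"] + type_size(isf, f["type"])
            if end > s["size"]:
                problems.append((sname, fname, end, s["size"]))
    return problems


if __name__ == "__main__":
    head = SAMPLE_ISF["symbols"]["init_task"]["address"] + member_offset(SAMPLE_ISF, "task_struct", "tasks")
    print("init_task.tasks at {:#x}, containing task_struct at {:#x}".format(
        head, container_of(SAMPLE_ISF, "task_struct", "tasks", head)))
    print("bounds problems in BROKEN_ISF:", check_fields_in_bounds(BROKEN_ISF))
```

Run `check_fields_in_bounds` over every `user_types` entry of a freshly converted table before pointing a plugin at it: an offset or size that is wrong for the exact kernel build does not fail loudly, it just makes the list walk read the wrong bytes and produce plausible-looking garbage.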

## Documentation

The framework is documented through doc strings and can be built using sphinx.

The latest generated copy of the documentation can be found at: <https://volatility3.readthedocs.io/en/latest/>
## Licensing and Copyright

Copyright (C) 2007-2019 Volatility Foundation

All Rights Reserved

<https://www.volatilityfoundation.org/license/vsl-v1.0>

## Bugs and Support

If you think you've found a bug, please report it at:

<https://github.com/volatilityfoundation/volatility3/issues>

In order to help us solve your issues as quickly as possible,
please include the following information when filing a bug:

- The version of Volatility you're using
- The operating system used to run Volatility
- The version of Python used to run Volatility
- The suspected operating system of the memory sample
- The complete command line you used to run Volatility

For community support, please join us on Slack:

<https://www.volatilityfoundation.org/slack>

## Contact

For information or requests, contact:

Volatility Foundation

Web: <https://www.volatilityfoundation.org>

Blog: <https://volatility-labs.blogspot.com>

Email: volatility (at) volatilityfoundation (dot) org

Twitter: [@volatility](https://twitter.com/volatility)