# Volatility 3: The volatile memory extraction framework

Volatility is the world's most widely used framework for extracting digital
artifacts from volatile memory (RAM) samples. The extraction techniques are
performed completely independently of the system being investigated but offer
visibility into the runtime state of the system. The framework is intended
to introduce people to the techniques and complexities associated with
extracting digital artifacts from volatile memory samples and provide a
platform for further work into this exciting area of research.

In 2019, the Volatility Foundation released a complete rewrite of the
framework, Volatility 3. The project was intended to address many of the
technical and performance challenges associated with the original
code base that became apparent over the previous 10 years. Another benefit
of the rewrite is that Volatility 3 could be released under a custom
license that was more aligned with the goals of the Volatility community,
the Volatility Software License (VSL). See the [LICENSE](LICENSE.txt) file for more details.

## Requirements

- Python 3.5.3 or later. <https://www.python.org>
- Pefile 2017.8.1 or later. <https://pypi.org/project/pefile/>

## Optional Dependencies

- yara-python 3.8.0 or later. <https://github.com/VirusTotal/yara-python>
- capstone 3.0.0 or later. <https://www.capstone-engine.org/download.html>

## Downloading Volatility

The latest stable version of Volatility will always be the master branch of the GitHub repository. You can get the latest version of the code using the following command:

```shell
git clone https://github.com/volatilityfoundation/volatility3.git
```

## Quick Start

1. Clone the latest version of Volatility from GitHub:

    ```shell
    git clone https://github.com/volatilityfoundation/volatility3.git
    ```

2. See available options:

    ```shell
    python3 vol.py -h
    ```

3. To get more information on a Windows memory sample and to make sure
Volatility supports that sample type, run
`python3 vol.py -f <imagepath> windows.info`

    Example:

    ```shell
    python3 vol.py -f /home/user/samples/stuxnet.vmem windows.info
    ```

4. Run some other plugins. The `-f` or `--single-location` option is not strictly
required, but most plugins expect a single sample. Some also
require/accept other options. Run `python3 vol.py <plugin> -h`
for more information on a particular command.

## Symbol Tables

Symbol table packs for the various operating systems are available for download at:

- <https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip>
- <https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip>
- <https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip>

Symbol table zip files must be placed, as named, into the `volatility/symbols` directory (or just the symbols directory next to the executable file).

Windows symbols that cannot be found will be queried, downloaded, generated and cached. Mac and Linux symbol tables must be manually produced by a tool such as [dwarf2json](https://github.com/volatilityfoundation/dwarf2json).

Please note: These are representative and are complete up to the point of creation for Windows and Mac. Due to the ease of compiling Linux kernels and the inability to uniquely distinguish them, an exhaustive set of Linux symbol tables cannot easily be supplied.

## Documentation

The framework is documented through doc strings and can be built using sphinx.

The latest generated copy of the documentation can be found at: <https://volatility3.readthedocs.io/en/latest/>

## Licensing and Copyright

Copyright (C) 2007-2019 Volatility Foundation

All Rights Reserved

<https://www.volatilityfoundation.org/license/vsl-v1.0>

## Bugs and Support

If you think you've found a bug, please report it at:

<https://github.com/volatilityfoundation/volatility3/issues>

In order to help us solve your issues as quickly as possible,
please include the following information when filing a bug:

- The version of Volatility you're using
- The operating system used to run Volatility
- The version of Python used to run Volatility
- The suspected operating system of the memory sample
- The complete command line you used to run Volatility

For community support, please join us on Slack:

<https://www.volatilityfoundation.org/slack>

## Contact

For information or requests, contact:

Volatility Foundation

Web: <https://www.volatilityfoundation.org>

Blog: <https://volatility-labs.blogspot.com>

Email: volatility (at) volatilityfoundation (dot) org

Twitter: [@volatility](https://twitter.com/volatility)