VOLATILITY(1)         advanced memory forensics framework        VOLATILITY(1)


NAME

       volatility - advanced memory forensics framework


SYNOPSIS

       vol [option]
       vol -f [image] --profile=[profile] [plugin]



DESCRIPTION

       The Volatility Framework is a completely open collection of tools for
       the extraction of digital artifacts from volatile memory (RAM) samples.
       It is used in forensic analysis. The extraction techniques are
       performed completely independently of the system being investigated
       and offer unprecedented visibility into its runtime state.

       Volatility supports several versions of MS Windows, Linux and Mac OS
       X:
22
       MS Windows:

              ·  32-bit Windows XP Service Pack 2 and 3

              ·  32-bit Windows 2003 Server Service Pack 0, 1, 2

              ·  32-bit Windows Vista Service Pack 0, 1, 2

              ·  32-bit Windows 2008 Server Service Pack 1, 2 (there is no
                 SP0)

              ·  32-bit Windows 7 Service Pack 0, 1

              ·  32-bit Windows 8, 8.1, and 8.1 Update 1

              ·  32-bit Windows 10 (initial support)

              ·  64-bit Windows XP Service Pack 1 and 2 (there is no SP0)

              ·  64-bit Windows 2003 Server Service Pack 1 and 2 (there is no
                 SP0)

              ·  64-bit Windows Vista Service Pack 0, 1, 2

              ·  64-bit Windows 2008 Server Service Pack 1 and 2 (there is no
                 SP0)

              ·  64-bit Windows 2008 R2 Server Service Pack 0 and 1

              ·  64-bit Windows 7 Service Pack 0 and 1

              ·  64-bit Windows 8, 8.1, and 8.1 Update 1

              ·  64-bit Windows Server 2012 and 2012 R2

              ·  64-bit Windows 10 (initial support)

       Linux:

              ·  32-bit Linux kernels 2.6.11 to 4.2.3

              ·  64-bit Linux kernels 2.6.11 to 4.2.3

              ·  OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc.

       Mac OS X:

              ·  32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which
                 isn't supported)

              ·  32-bit 10.6.x Snow Leopard

              ·  64-bit 10.6.x Snow Leopard

              ·  32-bit 10.7.x Lion

              ·  64-bit 10.7.x Lion

              ·  64-bit 10.8.x Mountain Lion (there is no 32-bit version)

              ·  64-bit 10.9.x Mavericks (there is no 32-bit version)

              ·  64-bit 10.10.x Yosemite (there is no 32-bit version)

              ·  64-bit 10.11.x El Capitan (there is no 32-bit version)

       The memory formats supported are:

              ·  Raw linear sample (dd)

              ·  Hibernation file

              ·  Crash dump file

              ·  VirtualBox ELF64 core dump

              ·  VMware saved state and snapshot files

              ·  EWF format (E01)

              ·  LiME (Linux Memory Extractor) format

              ·  Mach-O file format

              ·  QEMU virtual machine dumps

              ·  Firewire

              ·  HPAK (FDPro)

       The supported address spaces (RAM types) are:

              ·  AMD64PagedMemory - Standard AMD 64-bit address space

              ·  ArmAddressSpace - Address space for ARM processors

              ·  FileAddressSpace - This is a direct file AS

              ·  HPAKAddressSpace - This AS supports the HPAK format

              ·  IA32PagedMemory - Standard IA-32 paging address space

              ·  IA32PagedMemoryPae - This class implements the IA-32 PAE
                 paging address space. It is responsible

              ·  LimeAddressSpace - Address space for LiME

              ·  MachOAddressSpace - Address space for Mach-O files to support
                 the ATC-NY memory reader

              ·  OSXPmemELF - This AS supports the ELF64 core dump format
                 written by OSXPMem

              ·  QemuCoreDumpElf - This AS supports the QEMU ELF32 and ELF64
                 core dump format

              ·  SkipDuplicatesAMD64PagedMemory - Windows 8/10-specific AMD
                 64-bit address space

              ·  VMWareAddressSpace - This AS supports VMware snapshot (VMSN)
                 and saved state (VMSS) files

              ·  VMWareMetaAddressSpace - This AS supports the VMEM format
                 with VMSN/VMSS metadata

              ·  VirtualBoxCoreDumpElf64 - This AS supports the VirtualBox
                 ELF64 core dump format

              ·  WindowsAMD64PagedMemory - Windows-specific AMD 64-bit
                 address space

              ·  WindowsCrashDumpSpace32 - This AS supports the 32-bit
                 Windows crash dump format

              ·  WindowsCrashDumpSpace64 - This AS supports the 64-bit
                 Windows crash dump format

              ·  WindowsCrashDumpSpace64BitMap - This AS supports the Windows
                 bitmap crash dump format

              ·  WindowsHiberFileSpace32 - This is a hibernate address space
                 for Windows hibernation files

       Sample memory images for testing are available at
       https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples.


OPTIONS

       -h, --help
              List all available options and their default values. Default
              values may be set in the configuration file (/etc/volatilityrc).

       --conf-file=/root/.volatilityrc
              User-specific configuration file (the default is
              ~/.volatilityrc, shown here expanded for root).

       -d, --debug
              Debug Volatility. Repeat the flag to raise the debug level.

       --plugins=PLUGINS
              Additional plugin directories to use (colon separated).

       --info Print information about all registered objects.

       --cache-directory=/root/.cache/volatility
              Directory where cache files are stored (default shown for
              root).

       --cache
              Use caching.

       --tz=TZ
              Set the timezone for displaying timestamps using pytz (if
              installed) or tzset.

       -f FILENAME, --filename=FILENAME
              Filename to use when opening an image.

       --profile=WinXPSP2x86
              Name of the profile to load (use --info to see a list of
              supported profiles). The default is WinXPSP2x86.

       -l LOCATION, --location=LOCATION
              A URN location from which to load an address space.

       -w, --write
              Enable write support (see EXTRA PROCEDURES).

       --dtb=DTB
              DTB address.

       --shift=SHIFT
              Mac KASLR shift address.

       --output=text
              Output in this format (default text).

       --output-file=OUTPUT_FILE
              Write output to this file.

       -v, --verbose
              Verbose information.

       -g KDBG, --kdbg=KDBG
              Specify a specific KDBG virtual address. For 64-bit Windows 8
              and above this is the address of KdCopyDataBlock.

       --force
              Force utilization of a suspect profile.

       -k KPCR, --kpcr=KPCR
              Specify a specific KPCR address.

       --cookie=COOKIE
              Specify the address of nt!ObHeaderCookie (valid for Windows 10
              only).


PLUGINS AND PROFILES

       The supported plugin commands and profiles can be viewed with the
       command '$ vol --info'. Note that Linux and Mac OS X plugins carry the
       'linux_' and 'mac_' prefixes respectively. Plugins without these
       prefixes were designed for MS Windows.

       Profiles are the maps (data structure layouts and symbol addresses)
       that Volatility uses to understand the operating system in the image.
       Profiles for the supported MS Windows versions ship with Volatility.

       You must create your own profiles for Linux and Mac OS X. For this,
       you can use the tools from the directory /usr/share/python-volatility/tools.
       A Linux profile is a zip file holding the kernel's module.dwarf (built
       from tools/linux/module.c against the target kernel's headers)
       together with its System.map; it must match the exact kernel build
       of the image, since a profile from a different kernel produces wrong
       or empty results. On Fedora with the python-volatility package
       installed you can use the script vol_genprofile to generate a profile
       for the currently running kernel.

       For MS Windows images, to determine the OS type, you can use:

           $ vol -f <image> imageinfo

           or

           $ vol -f <image> kdbgscan

       imageinfo only suggests candidate profiles; when it lists several,
       kdbgscan is the better discriminator, since it validates the KDBG
       structure against each candidate profile.


ENVIRONMENT VARIABLES

       On a GNU/Linux or OS X system, these variables can be set:

              ·  VOLATILITY_PROFILE - Specifies the profile to be used by
                 default, so the '--profile' option is not needed.

              ·  VOLATILITY_LOCATION - Specifies the path of an image, so
                 the Volatility command does not need a file name via the
                 '-f' option.

              ·  VOLATILITY_KDBG - Specifies a KDBG address. See EXTRA
                 PROCEDURES for details.

       Other global flags may be set in this way, for example KPCR, DTB or
       PLUGINS. When exporting variables, simply prefix VOLATILITY_ to the
       flag name (e.g. VOLATILITY_KPCR). In the configuration file the flag
       name is used without the prefix.

       If a path contains one or more spaces, each space must be written as
       %20 (e.g. LOCATION=file:///tmp/my%20image.img).

       Example:

           $ export VOLATILITY_PROFILE=Win7SP0x86
           $ export VOLATILITY_LOCATION=file:///tmp/myimage.img
           $ export VOLATILITY_KDBG=0x82944c28



CONFIGURATION FILES

       Configuration files are typically 'volatilityrc' in the current
       directory or '~/.volatilityrc' in the user's home directory, or at a
       user-specified path given with the --conf-file option. An example of
       the file contents is shown below:

           [DEFAULT]
           PROFILE=Win7SP0x86
           LOCATION=file:///tmp/myimage.img
           KDBG=0x82944c28

       Other global flags may be set in this way, for example KPCR, DTB or
       PLUGINS, using the flag name without the VOLATILITY_ prefix that the
       corresponding environment variables carry.

       If a path contains one or more spaces, each space must be written as
       %20 (e.g. LOCATION=file:///tmp/my%20image.img).


EXTRA PROCEDURES

       Setting a timezone

         Timestamps extracted from memory can be either in system-local time or in Coordinated
         Universal Time (UTC). If they are in UTC, Volatility can be instructed to display them in a
         time zone of the analyst's choosing. To choose a timezone, use one of the standard timezone
         names (such as America/Sao_Paulo, Europe/London, US/Eastern or most Olson timezones) with
         the --tz=TIMEZONE flag.

         Volatility attempts to use pytz if installed, otherwise it uses tzset.

         Please note that specifying a timezone will not affect how system-local times are displayed.
         If you identify a timestamp that you know is UTC-based but is not converted by --tz, please
         file it as an issue in the issue tracker. By default the _EPROCESS CreateTime and ExitTime
         timestamps are in UTC.

       Setting the DTB

         The DTB (Directory Table Base, the physical address of the top-level page table that the
         CPU loads into CR3) is what Volatility uses to translate virtual addresses to physical
         addresses. By default, the kernel DTB is used (taken from the Idle/System process). If you
         want to use a different process's DTB when accessing data, supply its address with
         --dtb=ADDRESS. Because user-space mappings differ from process to process, reading a
         user-mode address through the wrong DTB returns unrelated data or nothing at all.
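         The following is an added example, not Volatility's own code, showing what the DTB is
         used for: a four-level AMD64 page-table walk over a raw physical image, the work the
         AMD64PagedMemory address space performs behind every virtual read. The image, its table
         addresses and the two mappings are constructed for the example; the walk itself follows the
         AMD64 paging format (9-bit indexes at bits 47:39, 38:30, 29:21 and 20:12, PS bit 7 for
         large pages, bits 51:12 of an entry as the next-table address).

```python
"""Four-level AMD64 page-table walk over a raw (dd-style) physical image.

Added example, not Volatility's code: it mirrors what the AMD64PagedMemory
address space does with the DTB/CR3 value on every virtual read.  The image
contents below are constructed for the example."""
import struct

ENTRY_ADDR_MASK = 0x000FFFFFFFFFF000   # bits 51:12 of a table entry
PRESENT = 1 << 0
LARGE_PAGE = 1 << 7                    # PS bit: 1 GiB at PDPT level, 2 MiB at PD level


class RawImage:
    """Flat physical memory (the role FileAddressSpace plays for a dd image)."""

    def __init__(self, data):
        self.data = data

    def read_u64(self, paddr):
        return struct.unpack_from("<Q", self.data, paddr)[0]

    def write_u64(self, paddr, value):
        struct.pack_into("<Q", self.data, paddr, value)


def vtop(image, dtb, vaddr):
    """Translate a 48-bit virtual address to a physical address using 'dtb'.

    Returns None when a level is not present (paged out, or the address is
    simply not mapped in the address space that 'dtb' describes)."""
    indexes = (
        (vaddr >> 39) & 0x1FF,   # PML4
        (vaddr >> 30) & 0x1FF,   # PDPT
        (vaddr >> 21) & 0x1FF,   # PD
        (vaddr >> 12) & 0x1FF,   # PT
    )
    table = dtb & ENTRY_ADDR_MASK
    for level, index in enumerate(indexes):
        entry = image.read_u64(table + index * 8)
        if not entry & PRESENT:
            return None
        if level == 1 and entry & LARGE_PAGE:        # 1 GiB page
            return (entry & 0x000FFFFFC0000000) | (vaddr & 0x3FFFFFFF)
        if level == 2 and entry & LARGE_PAGE:        # 2 MiB page
            return (entry & 0x000FFFFFFFE00000) | (vaddr & 0x1FFFFF)
        table = entry & ENTRY_ADDR_MASK
    return table | (vaddr & 0xFFF)                   # 4 KiB page


def read_virtual(image, dtb, vaddr, length):
    """Read 'length' bytes (within one page) through the given DTB."""
    paddr = vtop(image, dtb, vaddr)
    if paddr is None:
        return None
    return bytes(image.data[paddr:paddr + length])


def build_sample_image():
    """Constructed 4 MiB image: DTB at 0x1000, a 4 KiB kernel-half mapping
    VA 0xFFFFF80000001000 -> PA 0x7000 and a 2 MiB user-half large page
    VA 0x400000 -> PA 0x200000.  Hypothetical layout, not from a real dump."""
    image = RawImage(bytearray(4 << 20))
    dtb, pdpt_k, pd_k, pt_k = 0x1000, 0x2000, 0x3000, 0x4000
    pdpt_u, pd_u = 0x5000, 0x6000
    # kernel half: PML4[0x1F0] -> PDPT[0] -> PD[0] -> PT[1] -> page 0x7000
    image.write_u64(dtb + 0x1F0 * 8, pdpt_k | PRESENT)
    image.write_u64(pdpt_k, pd_k | PRESENT)
    image.write_u64(pd_k, pt_k | PRESENT)
    image.write_u64(pt_k + 1 * 8, 0x7000 | PRESENT)
    # user half: PML4[0] -> PDPT[0] -> PD[2] = 2 MiB page at 0x200000
    image.write_u64(dtb, pdpt_u | PRESENT)
    image.write_u64(pdpt_u, pd_u | PRESENT)
    image.write_u64(pd_u + 2 * 8, 0x200000 | PRESENT | LARGE_PAGE)
    image.data[0x7000:0x7004] = b"MZ\x90\x00"        # something to read back
    return image, dtb


if __name__ == "__main__":
    image, dtb = build_sample_image()
    for va in (0xFFFFF80000001ABC, 0x401234, 0x800000):
        print("0x%016x -> %s" % (va, vtop(image, dtb, va)))
    print(read_virtual(image, dtb, 0xFFFFF80000001000, 4))
```

         Running it translates the kernel address to 0x7ABC, the user address to 0x201234 through
         the large page, and reports the unmapped 0x800000 as None; pointing the same walk at a DTB
         whose user half is empty would make the 0x401234 lookup fail too, which is the failure mode
         --dtb is there to avoid.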
327
       Setting the KDBG address (this is a Windows-only option)

         Volatility scans for the '_KDDEBUGGER_DATA64' structure using the hard-coded signature
         "KDBG" (the structure's OwnerTag) followed by a series of sanity checks. This signature is not
         critical for the operating system to function properly, so malware can overwrite it in an
         attempt to throw off tools that rely on it. Additionally, in some cases there may be more than
         one '_KDDEBUGGER_DATA64' (for example if you apply a major OS update and don't reboot), which
         can cause confusion and lead to incorrect process and module listings, among other problems.
         If you know the address of the '_KDDEBUGGER_DATA64' structure, you can specify it with
         --kdbg=ADDRESS and this overrides the automated scan. For more information, see the kdbgscan
         plugin.
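         The following is an added example, not Volatility's own code, that reproduces the approach
         described above on a constructed buffer: find the "KDBG" OwnerTag, decode the surrounding
         _KDDEBUGGER_DATA64 header and the list-head pointers that plugins such as pslist and modules
         depend on, and apply a few sanity checks. It then shows why a wiped tag defeats the scan
         while a known address (the --kdbg case) still parses. The field offsets are those of the
         real structure; the Size value 0x340 is the one Volatility's Windows 7 x64 profiles look for
         (other profiles expect other sizes, which is how kdbgscan tells them apart). The kernel
         addresses and the decoy string are made up, and the example works on physical offsets in a
         flat buffer, whereas the real plugin reports kernel virtual addresses.

```python
"""Signature scan for the Windows _KDDEBUGGER_DATA64 block in a raw image.

Added example, not Volatility's code: it follows the approach of kdbgscan
(find the OwnerTag "KDBG", then sanity-check the surrounding structure) on a
constructed buffer, and shows why an overwritten tag defeats the scan while
an explicit --kdbg-style address still works."""
import struct

TAG = b"KDBG"
HEADER_FMT = "<QQ4sI"          # _DBGKD_DEBUG_DATA_HEADER64: List.Flink, List.Blink, OwnerTag, Size
OFF_TAG = 0x10                 # OwnerTag sits 16 bytes into the block
OFF_KERNBASE = 0x18            # first field after the 0x18-byte header
OFF_PSLOADEDMODULELIST = 0x48
OFF_PSACTIVEPROCESSHEAD = 0x50
KDBG_SIZE_WIN7_X64 = 0x340     # Size field Volatility's Win7 x64 profiles look for


def parse_kdbg(image, offset):
    """Decode the fields an analyst needs from a block at 'offset' (no validation)."""
    _flink, _blink, tag, size = struct.unpack_from(HEADER_FMT, image, offset)

    def field(off):
        return struct.unpack_from("<Q", image, offset + off)[0]

    return {
        "offset": offset,
        "tag": tag,
        "size": size,
        "KernBase": field(OFF_KERNBASE),
        "PsLoadedModuleList": field(OFF_PSLOADEDMODULELIST),
        "PsActiveProcessHead": field(OFF_PSACTIVEPROCESSHEAD),
    }


def is_kernel_va(addr):
    """x64 kernel-half canonical address (top 16 bits set)."""
    return addr >> 48 == 0xFFFF


def sane(kdbg, expected_size):
    """Sanity checks in the spirit of kdbgscan's: right tag and size for the
    profile, page-aligned kernel base, list heads in kernel space."""
    return (kdbg["tag"] == TAG
            and kdbg["size"] == expected_size
            and is_kernel_va(kdbg["KernBase"]) and kdbg["KernBase"] & 0xFFF == 0
            and is_kernel_va(kdbg["PsActiveProcessHead"])
            and is_kernel_va(kdbg["PsLoadedModuleList"]))


def scan_kdbg(image, expected_size=KDBG_SIZE_WIN7_X64):
    """Return every candidate block whose surrounding bytes pass the checks."""
    hits = []
    pos = image.find(TAG)
    while pos != -1:
        start = pos - OFF_TAG
        if start >= 0 and start + OFF_PSACTIVEPROCESSHEAD + 8 <= len(image):
            kdbg = parse_kdbg(image, start)
            if sane(kdbg, expected_size):
                hits.append(kdbg)
        pos = image.find(TAG, pos + 1)
    return hits


def wipe_tag(image, offset):
    """What anti-forensic code can do: zero the OwnerTag.  The kernel keeps
    running, but signature-based scanners no longer see the block."""
    image[offset + OFF_TAG:offset + OFF_TAG + 4] = b"\x00" * 4


def build_sample_image():
    """Constructed 64 KiB 'physical memory': a genuine-looking block at
    0x8000 and a decoy "KDBG" string inside unrelated data at 0x100.
    All addresses are made up for the example."""
    image = bytearray(64 * 1024)
    image[0x100:0x110] = b"look KDBG here.."
    base = 0x8000
    kernbase = 0xFFFFF80002A00000
    struct.pack_into(HEADER_FMT, image, base, 0, kernbase + 0x2000, TAG, KDBG_SIZE_WIN7_X64)
    struct.pack_into("<Q", image, base + OFF_KERNBASE, kernbase)
    struct.pack_into("<Q", image, base + OFF_PSLOADEDMODULELIST, kernbase + 0x2E3890)
    struct.pack_into("<Q", image, base + OFF_PSACTIVEPROCESSHEAD, kernbase + 0x2E7F90)
    return image, base


if __name__ == "__main__":
    image, base = build_sample_image()
    for k in scan_kdbg(image):
        print("KDBG at 0x%x: KernBase=0x%x PsActiveProcessHead=0x%x"
              % (k["offset"], k["KernBase"], k["PsActiveProcessHead"]))
    wipe_tag(image, base)
    print("after tag wipe, scan finds:", scan_kdbg(image))
    print("but a known address still parses:",
          hex(parse_kdbg(image, base)["PsActiveProcessHead"]))
```

         The decoy at 0x100 carries the tag but fails the Size check, so only the block at 0x8000 is
         reported; scanning with a different profile's size finds nothing, which is the behaviour
         kdbgscan exploits to pick the right profile. After wipe_tag() the scan is empty, but
         parse_kdbg() at the known offset still yields the list heads, which is exactly what
         --kdbg=ADDRESS buys you on an image where the signature has been tampered with.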
338
       Setting the KPCR address (this is a Windows-only option)

         There is one KPCR (Kernel Processor Control Region) for each CPU on a system. Some Volatility
         plugins display per-processor information. Thus if you want to display data for a specific
         CPU, for example CPU 3 instead of CPU 1, you can pass the address of that CPU's KPCR with
         --kpcr=ADDRESS. To locate the KPCRs for all CPUs, see the kpcrscan plugin. Also note that
         starting in Volatility 2.2, many of the plugins such as idt and gdt automatically iterate
         through the list of KPCRs.
346
       Enabling write support

         Write support in Volatility should be used with caution. Therefore, to actually enable it, you
         must not only pass --write on the command line but also type a confirmation phrase in response
         to the prompt you are shown. In most cases you will not want to use write support, since it can
         lead to corruption or modification of data in your memory dump: with a file-backed address
         space the writes land in the image file itself, so only ever enable it on a working copy whose
         hash you have recorded, never on the evidence original. Special cases exist that make this
         feature interesting, however. For example, you could cleanse a live system of certain malware
         by writing to RAM over Firewire, or you could break into a locked workstation by patching bytes
         in the winlogon DLLs.
356
       Specifying additional plugin directories

         Volatility's plugin architecture can load plugin files from multiple directories at once. In
         the Volatility source code, most plugins are located in volatility/plugins. However, there is
         another directory (contrib/plugins in the source tree) which is reserved for contributions from
         third-party developers, or weakly supported plugins that simply are not enabled by default. To
         access these plugins you just pass --plugins=contrib/plugins on the command line. The same
         mechanism lets you keep a separate directory of your own plugins that you can manage without
         having to add/remove/modify files in the core Volatility directories.

         Notes:

         * On Fedora systems, the contrib/plugins directory is at:
           /usr/lib/python2.7/site-packages/volatility/contrib

         * Subdirectories will also be traversed as long as there is an __init__.py file (which can be
           empty) within them.

         * The parameter to --plugins can also be a zip file containing the plugins, such as
           --plugins=myplugins.zip. Due to the way plugins are loaded, the external plugins directory
           or zip file must be specified before any plugin-specific arguments (including the name of
           the plugin). Example:

           $ vol --plugins=contrib/plugins -f XPSP3x86.vmem example
381
       Choosing an output format

         By default, plugins use text renderers to standard output. If you want to redirect to a file,
         you can of course use the console's redirection (i.e. > out.txt) or you could use
         --output-file=out.txt. The reason you can also choose --output=FORMAT is to allow plugins to
         render output as HTML, JSON, SQL, or whatever you choose. Older plugins ship no such alternate
         renderers, so for them you need to add a function named render_html, render_json or render_sql,
         respectively, to the plugin before using --output=html. Plugins that implement the unified
         output interface of later 2.x releases render to json and sqlite with --output=json and
         --output=sqlite (the latter together with --output-file) without any change.
390
       Plugin specific options

         Many plugins accept arguments of their own, which are independent of the global options. To
         see the list of available options, pass both the plugin name and -h/--help on the command line.

           $ vol dlllist -h
397
       Debug mode

         If something isn't happening in Volatility the expected way, try to run the command with
         -d/--debug. This will enable the printing of debug messages to standard error. Repeat the flag
         for higher debug levels; at the highest level (-d -d -d) Volatility drops into the pdb debugger
         when an unhandled exception occurs.
403
       Using Volatility as a library

         It is possible to use Volatility as a library, although there are plans to support this better
         in the future. Currently, to drive Volatility from a Python (2.x) script, the following example
         code can be used; it registers the global options, sets the profile and image location
         programmatically, and then runs the pslist plugin:

           $ python
           >>> import volatility.conf as conf
           >>> import volatility.registry as registry
           >>> registry.PluginImporter()        # discover and import all plugins
           <volatility.registry.PluginImporter object at 0x7f9608f3ac10>
           >>> config = conf.ConfObject()
           >>> import volatility.commands as commands
           >>> import volatility.addrspace as addrspace
           >>> registry.register_global_options(config, commands.Command)
           >>> registry.register_global_options(config, addrspace.BaseAddressSpace)
           >>> config.parse_options()           # parse command-line / rc-file options
           >>> config.PROFILE = "WinXPSP2x86"
           >>> config.LOCATION = "file:///media/memory/private/image.dmp"
           >>> import volatility.plugins.taskmods as taskmods
           >>> p = taskmods.PSList(config)
           >>> for process in p.calculate():    # calculate() yields _EPROCESS objects
           ...   print process
           ...



EXAMPLES

       To see all available plugins, profiles, scanner checks and address
       spaces:

           $ vol --info

       To list all active processes found in an MS Windows 8 SP0 image:

           $ vol -f win8.raw --profile=Win8SP0x86 pslist

       To list all active processes found in an MS Windows 8 SP0 image,
       displaying timestamps in a chosen timezone:

           $ vol -f win8.raw --profile=Win8SP0x86 pslist --tz=America/Sao_Paulo

       To show the kernel buffer (dmesg) from a Linux 3.2.63 image:

           $ vol -f mem.dd --profile=Linux_3_2_63_x64 linux_dmesg



NOTES

       This manpage was based on some tests and several official documents
       about Volatility. For other information and tutorials, see:

              ·  http://www.volatilityfoundation.org

              ·  https://github.com/volatilityfoundation/volatility/wiki


AUTHOR

       Volatility was written by the Volatility Foundation and several
       contributors. For contact, use the email <info@volatilityfoundation.org>.

       This manual page was written by Joao Eriberto Mota Filho
       <eriberto@debian.org> for the Debian project (but may be used by
       others).



VOLATILITY 2.6.1                   Mar 2019                      VOLATILITY(1)