Volatility Free Digital Forensic Software
World's Most Popular and Widely Used Memory Forensics Tool
Volatility is an open-source memory extraction utility framework. It is the most widely used incident response and malware analysis framework for analysing raw memory dumps.
Overview
The Volatility framework is a free and open-source memory forensics tool used for incident response and malware analysis. It was created by Aaron Walters, drawing on his academic research into memory forensics. Volatility is a completely open collection of tools, written in Python and released under the GNU General Public License. It is used to extract digital artifacts from volatile memory (RAM) samples and supports Windows, Linux and Mac OS images.
The framework is intended to introduce analysts to the techniques and complexities involved in extracting digital artifacts from volatile memory samples taken from a running system. Because it is written in Python, Volatility runs on any platform that supports Python. At the time of writing, the project has 5.1K GitHub stars and 1.1k GitHub forks.
System Requirements
Requirements to install and configure Volatility include:
- Python version 2.6 or later (but not 3.x)
- A Windows, Linux, or Mac OS X machine
- Distorm3 (a disassembler library) for analysis of 64-bit Windows
- Some plugins require third-party libraries
- Git
Features
Volatility has many useful and rich features, which are listed below:
- Detect active connections
- Analyse potential malware in the memory dump
- List all the open files in the system
- Dump registry hives
- List the password hashes of the users
- Extract browser and command prompt history
- List loaded drivers
- Supports a variety of file formats
- Open Source
Installation Instructions
Install Volatility On Linux
In this guide, we describe how to install Volatility on Linux. It is easy to install and configure Volatility on any LTS version of Ubuntu. The installation steps below assume that all dependency packages are installed and up to date on your operating system. Let's get started. First, get the source code by either downloading a stable release or cloning from GitHub with the command:
git clone https://github.com/volatilityfoundation/volatility.git
Install a few packages and libraries as prerequisites on Linux with the command:
sudo apt-get install pcregrep libpcre++-dev python-dev -y
The git clone creates a volatility source code folder on your system, and you can run vol.py directly from that directory. If you have downloaded the zip or tar source archive instead, there are two ways to install the code:
- Extract the archive and run setup.py. This takes care of copying files to the right locations on your disk. Running setup.py is only necessary if you want to import the Volatility namespace from other Python scripts as a library.
- Extract the archive to a directory of your choice. To use Volatility, just run python /path/to/directory/vol.py. This is the cleaner method, since no files are ever moved outside of your chosen directory. It makes upgrading to new versions easier when they are released, and you can keep multiple versions of Volatility installed in separate directories, for example /home/me/vol2.0 and /home/me/vol2.1.
For the most comprehensive plugin support, you should also install the optional libraries listed under System Requirements above (Distorm3 and any third-party libraries required by the individual plugins you intend to use).
Congratulations! You have successfully installed Volatility on Linux. Enjoy!
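The install steps above end with a runnable vol.py, and the Features list names artifacts (active connections, open files, registry hives, password hashes, command prompt history, loaded drivers) that map onto individual Volatility 2.x plugins. The triage script below is an added example written for this page, not code from the Volatility project. It assumes a Volatility 2.x checkout runnable as python vol.py from the current directory (override by setting VOL to another launcher), an image whose profile you have already confirmed with imageinfo, and an output layout of one text file per plugin plus run.log and image.sha256, which is this script's own choice, not a Volatility convention. The plugin names are real Volatility 2.x plugins.

```shell
#!/usr/bin/env bash
# Triage wrapper around a Volatility 2.x checkout (added example for this page,
# not code from the Volatility project). Assumes vol.py is runnable as
# "python vol.py" from the current directory, as in the clone step above, or
# that VOL names another launcher. The plugin list and the output layout
# (one <plugin>.txt per plugin plus run.log and image.sha256) are this
# script's own choices, not a Volatility convention.
set -u

# Plugins covering the features listed on this page: processes, loaded
# drivers (modules), open handles, network connections (netscan: Vista and
# later; use connscan/sockets for XP/2003 images), console history
# (cmdscan/consoles), registry hives, password hashes and injected code.
TRIAGE_PLUGINS="pslist psscan pstree modules handles netscan cmdscan consoles hivelist hashdump malfind"

# Hash helper with a fallback for systems that ship shasum instead of sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# run_triage IMAGE PROFILE OUTDIR
# Runs every plugin in TRIAGE_PLUGINS against IMAGE with the given --profile
# (confirm it first with "python vol.py -f IMAGE imageinfo"), records each
# plugin's exit status in run.log, and refuses to report success if the image
# file changed during the run: a memory image is evidence and must stay
# byte-for-byte identical to what was acquired.
run_triage() {
  local image="$1" profile="$2" outdir="$3"
  local plugin rc before after failed=0
  mkdir -p "$outdir"
  before=$(sha256_of "$image")
  printf '%s  %s\n' "$before" "$image" > "$outdir/image.sha256"
  : > "$outdir/run.log"
  for plugin in $TRIAGE_PLUGINS; do
    # stdout is the artifact; stderr keeps Volatility's own warnings per plugin
    if ${VOL:-python vol.py} -f "$image" --profile="$profile" "$plugin" \
         > "$outdir/$plugin.txt" 2> "$outdir/$plugin.err"; then
      rc=0
    else
      rc=$?
      failed=$((failed + 1))
    fi
    printf '%s rc=%d\n' "$plugin" "$rc" >> "$outdir/run.log"
  done
  after=$(sha256_of "$image")
  if [ "$before" != "$after" ]; then
    echo "ERROR: $image changed during triage (evidence integrity)" >&2
    return 2
  fi
  # Non-zero when any plugin failed, so a wrapper can notice a partial run.
  [ "$failed" -eq 0 ]
}

# Usage: ./triage.sh memory.raw Win7SP1x64 [outdir]
if [ "$#" -ge 2 ]; then
  run_triage "$1" "$2" "${3:-triage-out}"
fi
```

Run imageinfo by hand first and pass the suggested profile as the second argument; a wrong profile makes most plugins return empty output rather than an error, which is why run.log records the exit status per plugin and the script still returns non-zero for a partial run. The hash check before and after the run is the cheap guarantee a practitioner wants before writing any of these outputs into a report.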
FAQs
What is Volatility used for?
Volatility is the most widely used volatile memory forensics framework. It was created by Aaron Walters, drawing on academic research into memory forensics, and analyses RAM captured from both 32-bit and 64-bit systems.
Is Volatility free?
Yes, Volatility is a free-to-use advanced memory forensics framework.
Is Volatility open source?
Yes, Volatility is an open-source memory forensics framework for incident response and malware analysis. Its source code repository is available on GitHub.
Is there an alternative to Volatility?
One alternative to Volatility is Autopsy Forensic Browser, which is free and open source and available for Linux, Mac and Windows (note that Autopsy focuses on disk rather than memory analysis). Other alternatives are CAINE (free, open source), Rekall (free, open source) and Cado Live (free).
What is the latest stable version of Volatility?
The latest stable version is 2.6. You can grab the source code, Python installer, or Windows standalone executable from the downloads page.
What is the latest development version of Volatility?
The development version is the current code on the repository's default branch, which at the time of writing is also 2.6. You can clone it with git, for example: $ git clone git@github.com:volatilityfoundation/volatility.git