Export to GitHub

volatility - Release23.wiki

Introduction

This page contains the release notes for Volatility 2.3.

Release Highlights

  • Windows
    • new plugins to parse IE history/index.dat URLs, recover shellbags data, dump cached files (exe/pdf/doc/etc), extract the MBR and MFT records, explore recently unloaded kernel modules, dump SSL private and public keys/certs, and display details on process privileges
    • added plugins to detect poison ivy infections, find and decrypt configurations in memory for poison ivy, zeus v1, zeus v2 and citadelscan 1.3.4.5
    • apihooks detects duqu style instruction modifications (MOV reg32, imm32; JMP reg32)
    • crashinfo displays uptime, systemtime, and dump type (i.e. kernel, complete, etc)
    • psxview plugin adds two new sources of process listings from the GUI APIs
    • screenshots plugin shows text for window titles
    • svcscan automatically queries the cached registry for service dlls
    • dlllist shows load count to distinguish between static and dynamic loaded dlls
  • New address spaces
    • added support for VirtualBox ELF64 core dumps, VMware saved state (vmss) and snapshot (vmsn) files, and FDPro's non-standard HPAK format
    • associated plugins: vboxinfo, vmwareinfo, hpakinfo, hpakextract
  • Mac
    • new MachO address space for 32- and 64-bit Mac memory samples
    • over 30+ plugins for Mac memory forensics
  • Linux/Android
    • new ARM address space to support memory dumps from Linux and Android devices on ARM
    • added plugins to scan linux process and kernel memory with yara signatures, dump LKMs to disk, and check TTY devices for rootkit hooks
    • added plugins to check the ARM system call and exception vector tables for hooks

Operating Systems

Volatility supports the following operating systems and versions. All Windows profiles are included in the standard Volatility package. You can download sample Linux profiles from the LinuxProfiles wiki page or read LinuxMemoryForensics on how to build your own. You can download a single archive of 38 different Mac OSX profiles or read MacMemoryForensics to build your own.

  • Windows
    • 32-bit Windows XP Service Pack 2 and 3
    • 32-bit Windows 2003 Server Service Pack 0, 1, 2
    • 32-bit Windows Vista Service Pack 0, 1, 2
    • 32-bit Windows 2008 Server Service Pack 1, 2
    • 32-bit Windows 7 Service Pack 0, 1
    • 64-bit Windows XP Service Pack 1 and 2
    • 64-bit Windows 2003 Server Service Pack 1 and 2
    • 64-bit Windows Vista Service Pack 0, 1, 2
    • 64-bit Windows 2008 Server Service Pack 1 and 2
    • 64-bit Windows 2008 R2 Server Service Pack 0 and 1
    • 64-bit Windows 7 Service Pack 0 and 1
  • Linux
    • 32-bit Linux kernels 2.6.11 to 3.5
    • 64-bit Linux kernels 2.6.11 to 3.5
    • OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
  • Mac OSX
    • (new) 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
    • (new) 32-bit 10.6.x Snow Leopard
    • (new) 64-bit 10.6.x Snow Leopard
    • (new) 32-bit 10.7.x Lion
    • (new) 64-bit 10.7.x Lion
    • (new) 64-bit 10.8.x Mountain Lion (there is no 32-bit version)

Address Spaces

  • FileAddressSpace - This is a direct file AS
  • Standard Intel x86 address spaces
    • IA32PagedMemoryPae
    • IA32PagedMemory
  • AMD64PagedMemory - This AS supports AMD 64-bit address spaces
  • WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format (x86)
  • WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format (x64)
  • WindowsHiberFileSpace32 - This AS supports windows hibernation files (x86 and x64)
  • EWFAddressSpace - This AS supports expert witness (EWF) files
  • FirewireAddressSpace - This AS supports direct memory access over firewire
  • LimeAddressSpace - This AS supports LiME (Linux Memory Extractor)
  • (new) MachOAddressSpace - This AS supports 32- and 64-bit Mac OSX memory dumps
  • (new) ArmAddressSpace - This AS supports memory dumps from 32-bit ARM (there is no 64-bit ARM yet)
  • (new) VirtualBoxCoreDumpElf64 - This AS supports memory dumps from VirtualBox virtual machines
  • (new) VMware Snapshot - This AS supports VMware saved state (.vmss) and VMware snapshot (.vmsn) files. Note: these are not raw memory dumps like the typical .vmem files.
  • (new) HPAKAddressSpace - This AS supports ".hpak" files produced by H.B. Gary's FDPro tool.

Plugins

  • Windows
    • Image Identification
      • imageinfo - Identify information for the image
      • kdbgscan - Search for and dump potential KDBG values
      • kpcrscan - Search for and dump potential _KPCR values
    • Process and DLLs
      • pslist - Print active processes by following the _EPROCESS list
      • pstree - Print process list as a tree
      • psscan - Scan Physical memory for _EPROCESS pool allocations
      • psdispscan - Scan Physical memory for _EPROCESS objects based on Dispatch Headers (Windows XP x86 only)
      • dlllist - Print list of loaded DLLs for each process
      • dlldump - Dump DLLs from a process address space
      • handles - Print list of open handles for each process
      • getsids - Print the SIDs owning each process
      • verinfo - Print a PE file's version information
      • enumfunc - Enumerate a PE file's imports and exports
      • envars - Display process environment variables
      • cmdscan - Extract command history by scanning for _COMMAND_HISTORY
      • consoles - Extract command history by scanning for _CONSOLE_INFORMATION
      • (new) privs - Identify the present and/or enabled windows privileges for each process
    • Process Memory
      • memmap - Print the memory map
      • memdump - Dump the addressable memory for a process
      • procexedump - Dump a process to an executable file
      • procmemdump - Dump a process to an executable memory sample
      • vadwalk - Walk the VAD tree
      • vadtree - Walk the VAD tree and display in tree format
      • vadinfo - Dump the VAD info
      • vaddump - Dumps out the vad sections to a file
      • evtlogs - Parse XP and 2003 event logs from memory
      • (new) iehistory - Extract and parse Internet Explorer history and URL cache
    • Kernel Memory and Objects
      • modules - Print list of loaded modules
      • modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
      • moddump - Extract a kernel driver to disk
      • ssdt - Print the Native and GDI System Service Descriptor Tables
      • driverscan - Scan physical memory for _DRIVER_OBJECT objects
      • filescan - Scan physical memory for _FILE_OBJECT objects
      • mutantscan - Scan physical memory for _KMUTANT objects
      • symlinkscan - Scans for symbolic link objects
      • thrdscan - Scan physical memory for _ETHREAD objects
      • (new) dumpfiles - Reconstruct files from the windows cache manager and shared section objects
      • (new) unloadedmodules - Show recently unloaded kernel modules (which indirectly tells you which ones recently loaded)
    • Win32k / GUI Memory
      • sessions - List details on _MM_SESSION_SPACE (user logon sessions)
      • wndscan - Pool scanner for tagWINDOWSTATION (window stations)
      • deskscan - Poolscaner for tagDESKTOP (desktops)
      • atomscan - Pool scanner for _RTL_ATOM_TABLE
      • atoms - Print session and window station atom tables
      • clipboard - Extract the contents of the windows clipboard
      • eventhooks - Print details on windows event hooks
      • gathi - Dump the USER handle type information
      • messagehooks - List desktop and thread window message hooks
      • screenshot - Save a pseudo-screenshot based on GDI windows
      • userhandles - Dump the USER handle tables
      • windows - Print Desktop Windows (verbose details)
      • wintree - Print Z-Order Desktop Windows Tree
      • gditimers - Analyze GDI timer objects and their callbacks
    • Networking
      • connections - Print open connections (XP and 2003 only)
      • connscan - Scan Physical memory for _TCPT_OBJECT objects (XP and 2003 only)
      • sockets - Print open sockets (XP and 2003 only)
      • sockscan - Scan Physical memory for _ADDRESS_OBJECT (XP and 2003 only)
      • netscan - Scan physical memory for network objects (Vista, 2008, and 7)
    • Registry
      • hivescan - Scan Physical memory for _CMHIVE objects
      • hivelist - Print list of registry hives
      • printkey - Print a registry key, and its subkeys and values
      • hivedump - Recursively prints all keys and timestamps in a given hive
      • hashdump - Dumps passwords hashes (LM/NTLM) from memory (x86 only)
      • lsadump - Dump (decrypted) LSA secrets from the registry (XP and 2003 x86 only)
      • userassist - Parses and output User Assist keys from the registry
      • shimcache - Parses the Application Compatibility Shim Cache registry key
      • getservicesids - Calculate SIDs for windows services in the registry
      • (new) shellbags - This plugin parses and prints Shellbag information obtained from the registry
    • File Formats
      • crashinfo - Dump crash-dump information
      • hibinfo - Dump hibernation file information
      • imagecopy - Copies a physical address space out as a raw DD image
      • raw2dmp - Converts a physical memory sample to a windbg crash dump
      • (new) vboxinfo - Display header and memory runs information from VirtualBox core dumps
      • (new) vmwareinfo - Display header and memory runs information from VMware vmss or vmsn files
      • (new) hpakinfo - Display header and memory runs information from .hpak files
      • (new) hpakextract - Extract (and decompress if necessary) the raw physical memory dump from an .hpak file
    • Malware
      • malfind - Find hidden and injected code
      • svcscan - Scan for Windows services
      • ldrmodules - Detect unlinked DLLs
      • impscan - Scan for calls to imported functions
      • apihooks - Detect API hooks in process and kernel memory (x86 only)
      • idt - Dumps the Interrupt Descriptor Table (x86 only)
      • gdt - Dumps the Global Descriptor Table (x86 only)
      • threads - Investigate _ETHREAD and _KTHREADs
      • callbacks - Print system-wide notification routines (x86 only)
      • driverirp - Driver IRP hook detection
      • devicetree - Show device tree
      • psxview - Find hidden processes with various process listings
      • timers - Print kernel timers and associated module DPCs (x86 only)
    • File System
      • (new) mbrparser - Scans for and parses potential Master Boot Records (MBRs)
      • (new) mftparser - Scans for and parses potential MFT entries
    • Miscellaneous
      • strings - Match physical offsets to virtual addresses
      • volshell - Shell to interactively explore a memory image
      • bioskbd - Reads the keyboard buffer from Real Mode memory
      • patcher - Patches memory based on page scans
      • (new) timeliner - Produce timelines in body file format, excel 2007 spreadsheets, or text
      • (new) dumpcerts - Extract SSL private and public keys/certs
  • Linux/Android
    • Processes
      • linux_pslist - Gather active tasks by walking the task_struct->task list
      • linux_psaux - Gathers processes along with full command line and start time
      • linux_pstree - Shows the parent/child relationship between processes
      • linux_pslist_cache - Gather tasks from the kmem_cache
      • linux_pidhashtable - Enumerates processes through the PID hash table
      • linux_psxview - Find hidden processes with various process listings
      • linux_lsof - Lists open files
    • Process Memory
      • linux_memmap - Dumps the memory map for linux tasks
      • linux_proc_maps - Gathers process maps for linux
      • linux_dump_map - Writes selected process memory mappings to disk
      • linux_bash - Recover bash history from bash process memory
    • Kernel Memory and Objects
      • linux_lsmod - Gather loaded kernel modules
      • linux_tmpfs - Recovers tmpfs filesystems from memory
      • (new) linux_moddump - Extract an LKM from memory to disk (.text segment only)
    • Networking
      • linux_arp - Print the ARP table
      • linux_ifconfig - Gathers active interfaces
      • linux_netstat - Lists open sockets
      • linux_route_cache - Recovers the routing cache from memory
      • linux_pkt_queues - Writes per-process packet queues out to disk
      • linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
    • Malware/Rootkits
      • linux_check_afinfo - Verifies the operation function pointers of network protocols
      • linux_check_creds - Checks if any processes are sharing credential structures
      • linux_check_fop - Check file operation structures for rootkit modifications
      • linux_check_idt - Checks if the IDT has been altered
      • linux_check_modules - Compares module list to sysfs info, if available
      • linux_check_syscall - Checks if the system call table has been altered
      • (new) linux_check_syscall_arm - Checks if the system call table has been altered (ARM)
      • (new) linux_check_tty - Check TTY devices for rootkit hooks
      • (new) linux_check_evt_arm - Check ARM exception vector table for hooks
    • System Information
      • linux_cpuinfo - Prints info about each active processor
      • linux_dmesg - Gather dmesg buffer
      • linux_iomem - Provides output similar to /proc/iomem
      • linux_mount - Gather mounted fs/devices
      • linux_mount_cache - Gather mounted fs/devices from kmem_cache
      • linux_slabinfo - Mimics /proc/slabinfo on a running machine
      • linux_dentry_cache - Gather files from the dentry cache
      • linux_find_file - Extract cached file contents from memory via inodes
      • linux_vma_cache - Gather VMAs from the vm_area_struct cache
      • (new) linux_keyboard_notifier - Parses the keyboard notifier call chain
    • Miscellaneous
      • (new) linux_volshell - Shell to interactively explore Linux/Android memory captures
      • (new) linux_yarascan - Scan process and kernel memory with yara signatures
  • Mac OSX
    • Processes
      • (new) mac_pslist - List running processes
      • (new) mac_tasks - List active tasks
      • (new) mac_pstree - Show parent/child relationship of processes
      • (new) mac_lsof - Lists per-process open files
      • (new) mac_pgrp_hash_table - Walks the process group hash table
      • (new) mac_pid_hash_table - Walks the pid hash table
      • (new) mac_dead_procs - List dead/terminated processes
      • (new) mac_psaux - Prints processes with their command-line arguments (argv)
    • Process Memory
      • (new) mac_proc_maps - Print information on allocated process memory ranges
      • (new) mac_dump_maps - Dumps memory ranges of processes
    • Kernel Memory and Objects
      • (new) mac_list_sessions - Enumerates sessions
      • (new) mac_list_zones - Enumerates zones (allocated/freed object counts)
      • (new) mac_lsmod - Lists loaded kernel modules
      • (new) mac_mount - Prints mounted device information
    • Networking
      • (new) mac_arp - Prints the arp table
      • (new) mac_ifconfig - Lists network interface information for all devices
      • (new) mac_netstat - Lists active per-process network connections
      • (new) mac_route - Prints the routing table
    • Malware/Rootkits
      • (new) mac_check_sysctl - Check for unknown sysctl handlers
      • (new) mac_check_syscalls - Check for hooked syscall table entries
      • (new) mac_check_trap_table - Checks to see if mach trap table entries are hooked
      • (new) mac_ip_filters - Reports any hooked IP filters
      • (new) mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
      • (new) mac_trustedbsd - List malicious trustedbsd policies
    • System Information
      • (new) mac_dmesg - Prints the kernel debug buffers
      • (new) mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
      • (new) mac_machine_info - Prints machine information about the sample
      • (new) mac_version - Prints the Mac version
      • (new) mac_print_boot_cmdline - Prints the mac boot command line
    • Miscellaneous
      • (new) mac_volshell - Shell to interactively explore mac memory captures
      • (new) machoinfo - Display header and memory runs for Mach-O memory dumps
      • (new) mac_yarascan - Scan for Yara signatures in process or kernel memory

Credits

In alphabetical order:

  • Cem Gurkok for his work on the privileges plugin for Windows
  • Nir Izraeli for his work on the VMware snapshot address space (see also the vmsnparser project)
  • @osxmem of the volafox project (Mac OS X & BSD Memory Analysis Toolkit)
  • @osxreverser of reverse.put.as for his help with OSX memory analysis
  • Carl Pulley for numerous bug reports, example patches, and plugin testing
  • Andreas Schuster for his work on poison ivy plugins for Windows
  • Joe Sylve for his work on the ARM address space and significant contributions to linux and mac capabilities
  • Philippe Teuwen for his work on the virtual box address space
  • Santiago Vicente for his work on the citadel plugins for Windows