The Volatility Framework demonstrates our commitment to and belief in the importance of open source digital investigation tools. Volatile Systems is committed to the belief that the technical procedures used to extract digital evidence should be open to peer analysis and review. We also believe this is in the best interest of the digital investigation community, as it helps increase the communal knowledge about systems we are forced to investigate. Similarly, we do not believe the availability of these tools should be restricted and therefore encourage people to modify, extend, and make derivative works, as permitted by the GPL.
Capabilities
The Volatility Framework currently provides the following extraction capabilities for memory samples:
- Image date and time
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
- Open registry handles for each process
- A process' addressable memory
- OS kernel modules
- Mapping physical offsets to virtual addresses (strings to process)
- Virtual Address Descriptor information
- Scanning examples: processes, threads, sockets, connections, modules
- Extract executables from memory samples
- Transparently supports a variety of sample formats (i.e., crash dump, hibernation file, DD)
- Automated conversion between formats
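The "mapping physical offsets to virtual addresses (strings to process)" capability is the one in this list whose mechanics are least obvious, so here is an added, self-contained illustration of the idea; it is example code written for this page, not Volatility's own implementation. It builds a constructed raw memory sample with two constructed processes ("explorer.exe" and "notepad.exe", with made-up page directory bases), walks x86 non-PAE two-level page tables forward (virtual to physical) and in reverse (physical to virtual), and then resolves a physical offset of the kind `strings -t x` reports to the process and virtual address that expose it. It assumes 32-bit non-PAE paging with 4 KB and 4 MB pages only; PAE and 64-bit layouts differ.

```python
import struct

PAGE_SIZE = 0x1000
PRESENT = 0x1      # bit 0 of a PDE/PTE: entry is valid
LARGE_PAGE = 0x80  # bit 7 of a PDE: 4 MB page, no page table below it


class PhysicalMemory:
    """Constructed stand-in for a raw (dd-style) memory sample held in a bytearray."""

    def __init__(self, size):
        self.buf = bytearray(size)  # unmapped regions read as zero, i.e. not present

    def read(self, offset, length):
        return bytes(self.buf[offset:offset + length])

    def write(self, offset, data):
        self.buf[offset:offset + len(data)] = data

    def read_u32(self, offset):
        return struct.unpack_from("<I", self.buf, offset)[0]

    def write_u32(self, offset, value):
        struct.pack_into("<I", self.buf, offset, value)


def vtop(mem, cr3, vaddr):
    """Forward walk (x86 non-PAE): vaddr -> physical offset, or None if not present."""
    pde_index = (vaddr >> 22) & 0x3FF   # bits 31..22 index the page directory
    pte_index = (vaddr >> 12) & 0x3FF   # bits 21..12 index the page table
    pde = mem.read_u32(cr3 + pde_index * 4)
    if not pde & PRESENT:
        return None
    if pde & LARGE_PAGE:                # 4 MB page: frame in bits 31..22
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = mem.read_u32((pde & 0xFFFFF000) + pte_index * 4)
    if not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF)


def ptov(mem, cr3, paddr):
    """Reverse walk: enumerate every present mapping of one address space and return
    all virtual addresses that map to the physical page containing paddr."""
    target_frame = paddr & 0xFFFFF000
    hits = []
    for pde_index in range(1024):
        pde = mem.read_u32(cr3 + pde_index * 4)
        if not pde & PRESENT:
            continue
        if pde & LARGE_PAGE:
            base = pde & 0xFFC00000
            if base <= target_frame < base + 0x400000:
                hits.append((pde_index << 22) | (paddr & 0x3FFFFF))
            continue
        pt_base = pde & 0xFFFFF000
        for pte_index in range(1024):
            pte = mem.read_u32(pt_base + pte_index * 4)
            if pte & PRESENT and (pte & 0xFFFFF000) == target_frame:
                hits.append((pde_index << 22) | (pte_index << 12) | (paddr & 0xFFF))
    return hits


def strings_to_process(mem, address_spaces, paddr):
    """Resolve one physical offset to the (process name, virtual address) pairs that
    expose it. A frame shared by several processes yields one hit per process."""
    return [(name, vaddr)
            for name, cr3 in address_spaces.items()
            for vaddr in ptov(mem, cr3, paddr)]


def build_sample():
    """Construct a tiny sample: two processes, one shared frame, one private frame.
    Every offset and process name below is made up for this example."""
    mem = PhysicalMemory(0x20000)
    # 0x1000 explorer.exe page directory; 0x2000 its page table for PDE 0
    # 0x3000 notepad.exe page directory;  0x4000 its page table for PDE 1
    # 0x5000 frame mapped by both;        0x6000 frame mapped by notepad only
    mem.write_u32(0x1000 + 0 * 4, 0x2000 | PRESENT)       # explorer PDE 0 -> PT @0x2000
    mem.write_u32(0x2000 + 0x10 * 4, 0x5000 | PRESENT)    # explorer 0x00010000 -> 0x5000
    mem.write_u32(0x3000 + 1 * 4, 0x4000 | PRESENT)       # notepad PDE 1 -> PT @0x4000
    mem.write_u32(0x4000 + 0x20 * 4, 0x5000 | PRESENT)    # notepad 0x00420000 -> 0x5000
    mem.write_u32(0x4000 + 0x21 * 4, 0x6000 | PRESENT)    # notepad 0x00421000 -> 0x6000
    mem.write(0x5000 + 0x123, b"shared-string\x00")       # visible to both processes
    mem.write(0x6000 + 0x40, b"private-string\x00")       # visible to notepad only
    return mem, {"explorer.exe": 0x1000, "notepad.exe": 0x3000}


if __name__ == "__main__":
    mem, spaces = build_sample()
    # A physical offset as `strings -t x` would print it, resolved back to owners:
    for phys in (0x5123, 0x6040):
        for name, vaddr in strings_to_process(mem, spaces, phys):
            print(f"phys 0x{phys:05x} -> {name} vaddr 0x{vaddr:08x}")
```

The reverse lookup deliberately reports every owner of a shared frame rather than the first one found; for a real sample that is the difference between attributing a string to a DLL shared by many processes and attributing it to one process's private heap.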
This video shows grabbing the Windows NTLM passwords from a memory dump and then using John the Ripper to crack them.
Command Reference with Examples