Volatility 3 v2.11.0 is released. This release includes several new plugins and improvements.

The inaugural From The Source Conference (FTSCon) is held in Arlington, Virginia. FTSCon is a one-day summit offering a unique opportunity to connect in-person with an international cadre of pioneering researchers and practitioners who work on the most advanced digital investigations. Speakers include developers of your favorite open-source tools and the digital investigators who discovered some of the biggest intrusions of the past year. This event is followed by the first official offering of the Malware and Memory Forensics Training Course to focus on Volatility 3.

Volatility 3 v2.7.0 is released. This release includes new plugins for Linux, Windows, and macOS. It also includes support for configuration files for common CLI options.

Volatility 3 v2.5.0 is released. This release includes new Linux plugins and Linux process dumping. It adds and improved core API, support for Xen ELF file format, improved Linux subsystem support, and includes tutorials for the documentation.

• Abyss Watcher: check_ftrace Plugin
• Abyss Watcher: check_unlinked_modules Plugin
• Abyss Watcher: check_tracepoints Plugin
• Asaf Eitani:  eBPF Programs Plugin
• Aviel Zohar and Or Chechik:  PackerList
• Aviel Zohar and Or Chechik:  MasqueradeProcess
• Aviel Zohar and Or Chechik:  DirectSyscalls
• Aviel Zohar and Or Chechik:  ApiHash
• Felix Guyard: Alternate Data Stream Scanning Plugin
• Felix Guyard: Keepass Plugin
• Felix Guyard: Modern Windows Hibernation File Analysis
• Felix Guyard: Windows Import Address Table Plugin
• Felix Guyard: Remote Analysis on Cloud Object-Storage
• Hyeon Deok Jeong (DFV): hiddenprocess Plugin
• Nitzan Adut: EDRity
• Rifqi Ramadhan: notepad Plugin
• Rifqi Ramadhan: kusertime Plugin
• Rifqi Ramadhan: evtxlog Plugin
• Rifqi Ramadhan: sticky Plugin
• Thomas Clarke: saNSRL Utility
• Thomas Clarke: saNSFW Utility
• Thomas Clarke: dumpfilesNSRL Plugin
• Valentin Obst: bpf_graph Plugin
• Valentin Obst: bpf_listlinks Plugin
• Valentin Obst: bpf_listmaps Plugin
• Valentin Obst: bpf_listprocs Plugin
• Valentin Obst: bpf_listprogs Plugin
• Valentin Obst: bpf_lsm Plugin
• Valentin Obst: bpf_netdev Plugin

• Asaf Eitani:  check_fops Plugin
• Asaf Eitani:  check_seqops Plugin
• Asaf Eitani:  Fileless Plugin
• Aviel Zohar: HandleXView
• Felix Guyard: AnyDesk Plugin
• Felix Guyard: Inodes Plugin
• Felix Guyard: Prefetch Plugin
• Felix Guyard: VolWeb

• Amir Sheffer & Ofek Shaked: Linux Namespaces Support and Docker Plugin
• Felix Guyard: VolWeb
• Frank Block: PTE Analysis Plugins
• Gerhart: Hyper-V Volatility Introspection Layer
• Kevin Breen:  Symbol Generator & Public ISF Server, Cobalt Strike Plugin, Rich Header Plugin, and LastPass Credential Recovery Plugin
• Leonardo Dias da Silva: MultiYara
• MoonGyu Lee, JeongToon Kang, HyeonDeok Jeongm JunSung Park, Mintaek Lim (BoB Tracer of Coin): CryptoScan

Volatility 3 Public Beta is announced at #OSDFCon. Since its initial public release in 2007, Volatility has attracted one of the largest and most active communities of users and developers in the digital forensics industry. As the industry has continued to evolve the way that operating systems are developed, deployed, and maintained, so to have the skillsets of memory analysts. Their preferred work flows have changed to meet a world with increasingly large volumes of complex data. To address these challenges, the Volatility development team has been actively architecting and developing an entirely new version of the framework, while simultaneously supporting users of the current stable version.

• Aleksander Østerud: MemoryDecompression
• Aliz Hammond: Gargoyle
• David Quesada: CSV and Splunk Dashboard
• Lorenz Liebler et al: Volatility Plugin for Approxis
• Peter Casey: Vivedump

Volatility 2.6 (Windows 10 / Server 2016) is released. This release improves support for Windows 10 and adds support for Windows Server 2016, MacOS Sierra 10.12, and Linux with KASLR kernels. A lot of bug fixes went into this release as well as performance enhancements (especially related to page table parsing and virtual address space scanning). See below for a more detailed list of the changes in this version.

Volatility 2.5 (Unified Output / Community) is released. This is the first release since the publication of The Art of Memory Forensics. It adds support for Windows 10 (initial), Linux kernels 4.2.3+, and MacOS X Yosemite and El Capitan. Additionally, the unified output rendering gives users the flexibility of asking for results in various formats (html, sqlite, json, xlsx, dot, text, etc.) while simplifying things for plugin developers. In short, less code leads to more functionality. This is especially useful for framework designers (GUIs, web interfaces, library APIs), because you can interface with a plugin directly and ask for json, which you then store, process, or modify however you want.

Volatility 2.4 is released. The release of this version coincides with the publication of The Art of Memory Forensics. It adds support for Windows 8, 8.1, 2012, and 2012 R2 memory dumps and MacOS X Mavericks (up to 10.9.4). New plugins include the ability to extract cached Truecrypt passphrases and master keys from Windows and Linux memory dumps, investigate Mac user activity (such as pulling their contact database, calendar items, PGP encrypted mails, OTR Adium chat messages, etc), and analyze advanced Linux rootkits.

Volatility 2.3.1 (Mac OSX and Android ARM) is released. This release introduced support for 32- and 64-bit Linux memory samples, an address space for LiME (the Linux Memory Extractor), and a suite of 14 new plugins to investigate Windows GUI space–including clipboard contents, desktop windows, and screenshots.

• Carl Pulley: A plugin to find the nearest function/method within a symbol table
• Cem Gurkok: OS X rootkit detection plugins
• Cem Gurkok: Window’s security permission plugin
• Edwin Smulders: Linux process information, stack analysis, and syscall register plugins
• Jamaal Speights: A plugin that extracts networking packets from memory samples.
• Jeff Bryner: Facebook and Twitter artifact extraction
• Jeremy Jones: A plugin to convert VMware suspended state to Illumos debug format
• Mariano Graziano: Actaeon, Intel VT-x introspection

Volatility 2.1 (Malware and 64-bits) is released. This is the first release to support all major 64-bit versions of Windows. It also included the ability to convert raw memory images to crash dumps, extract command history and console input/output buffers, and an API for accessing cached registry keys and values from memory. Ten new plugins were added with a specific focus on malware analysis.

AAron Walters posts a challenge to the memory forensics community: detect the “undetectable” by using Volatility to find artifacts in memory for a new Metasploit payload known to be leveraging a technique known as Reflective DLL Injection. Less than 24 hours later, Michael Hale Ligh is the first person to respond to the challenge and proves that Volatility can find hidden DLLs and other injected code blocks.

The inaugural Open Source Memory Forensics Workshop is held in Baltimore, Maryland. This is the first ever workshop focused on open source volatile memory analysis, bringing together digital investigation researchers and practitioners to discuss the latest advancements in volatile memory analysis.

AAron Walters presents Advanced Volatile Memory Analysis at the 2008 DoD Cyber Crime Conference. This talk focuses on advanced techniques being used in volatile memory analysis (VMA). It also discusses a number of open source tools and resources he has made available to the digital investigation community. The session also explores VMA is being used to perform automated malware analysis, and demonstrates how he is combining VMA with file system analysis to help reconstruct and visualize the digital crime scene.

The Volatility Framework 1.1.1 is first publicly released, having evolved from FATKit and VolaTools. The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The goal behind the open development of the Volatility Framework is to bring together systems researchers who believe in bettering the state of the digital forensics community. The framework is intended to introduce the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work in this exciting area of research. The Volatility Framework runs on any platform where Python is supported.

AAron Walters publishes FATKit: Detecting Malicious Library Injection and Upping the “Anti”, which discusses how the Forensic Analysis ToolKit (FATKit) can facilitate the process of enumerating suspicious artifacts manifested as a result of remote library injection. Previously published techniques focused on detecting attacks in real time, but this paper specifically focuses on the ability to extract memory-resident evidence from information systems under investigation. One significant differentiator from the majority of previous work is that the integrity of the potentially compromised operating system is not relied upon; instead, analysis is performed offline on a trusted capture of volatile memory (RAM).

Volatility 3 v2.11.0 is released. This release includes several new plugins and improvements.

The inaugural From The Source Conference (FTSCon) is held in Arlington, Virginia. FTSCon is a one-day summit offering a unique opportunity to connect in-person with an international cadre of pioneering researchers and practitioners who work on the most advanced digital investigations. Speakers include developers of your favorite open-source tools and the digital investigators who discovered some of the biggest intrusions of the past year. This event is followed by the first official offering of the Malware and Memory Forensics Training Course to focus on Volatility 3.