Volatility 3 v2.5.0 is released. This release includes new Linux plugins and Linux process dumping. It adds and improved core API, support for Xen ELF file format, improved Linux subsystem support, and includes tutorials for the documentation.

Volatility 3 v2.4.0 is released. This is a major version release and includes new plugins for Linux and Windows. It also introduces the concept of modules and module requirements. Other features in this release include unified symbol handling and ISF file caching between OS versions, better QEVM support (fixed the QEMU PCI hole), exposed an API for automatic PDB symbol table use, improved contributed documentation, as well asl various bug fixes and changes across the codebase.

Volatility 3 v2.0.0 is released. This release includes new plugins, such as Windows networking plugins, Windows crashinfo and skeleton_key_check, Linux kmsg plugin. It also includes new layers AVML and LeechCore, QEMU layer performance optimization, improved access to Windows library symbols, better offline and remote support, as well as improved documentation

and working with python requirements.

Volatility 3 v1.0.1 (Python 3 Rewrite) is released. In 2020, the Volatility Foundation publicly released a complete rewrite of the framework, Volatility 3. The project was intended to address many of the technical and performance challenges associated with the original code base that became apparent since its original release in 2007. Another benefit of the rewrite is that Volatility 3 could be released under a custom license that was more aligned with the goals of the Volatility community, the Volatility Software License (VSL). Details about the rewrite of Volatility 3 can be found in this presentation: Volatility 3 Public Beta: Insider’s Preview.

Volatility 2.6 (Windows 10 / Server 2016) is released. This release improves support for Windows 10 and adds support for Windows Server 2016, MacOS Sierra 10.12, and Linux with KASLR kernels. A lot of bug fixes went into this release as well as performance enhancements (especially related to page table parsing and virtual address space scanning). See below for a more detailed list of the changes in this version.

Volatility 2.4 is released. The release of this version coincides with the publication of The Art of Memory Forensics. It adds support for Windows 8, 8.1, 2012, and 2012 R2 memory dumps and MacOS X Mavericks (up to 10.9.4). New plugins include the ability to extract cached Truecrypt passphrases and master keys from Windows and Linux memory dumps, investigate Mac user activity (such as pulling their contact database, calendar items, PGP encrypted mails, OTR Adium chat messages, etc), and analyze advanced Linux rootkits.

The 1st Annual Volatility Framework Plugin Contest is announced. This contest is inspired and modeled after the Hex-Rays Plugin Contest. As in the case of IDA, Volatility was designed with the belief that talented analysts should only be limited by their creativity not the tools they use. In this spirit, Volatility has a flexible architecture that can be extended in numerous ways: analysis plugins (operating system plugins, application plugins, etc), volshell commands, address spaces, profiles, or user interfaces. This contest is intended to inspire people to demonstrate their creativity, become a memory analysis pioneer, win the admiration of your peers, and give back to the community.

Volatility 2.1 (Malware and 64-bits) is released. This is the first release to support all major 64-bit versions of Windows. It also included the ability to convert raw memory images to crash dumps, extract command history and console input/output buffers, and an API for accessing cached registry keys and values from memory. Ten new plugins were added with a specific focus on malware analysis.

AAron Walters posts a challenge to the memory forensics community: detect the “undetectable” by using Volatility to find artifacts in memory for a new Metasploit payload known to be leveraging a technique known as Reflective DLL Injection. Less than 24 hours later, Michael Hale Ligh is the first person to respond to the challenge and proves that Volatility can find hidden DLLs and other injected code blocks.

The inaugural Open Source Memory Forensics Workshop is held in Baltimore, Maryland. This is the first ever workshop focused on open source volatile memory analysis, bringing together digital investigation researchers and practitioners to discuss the latest advancements in volatile memory analysis.

AAron Walters presents Advanced Volatile Memory Analysis at the 2008 DoD Cyber Crime Conference. This talk focuses on advanced techniques being used in volatile memory analysis (VMA). It also discusses a number of open source tools and resources he has made available to the digital investigation community. The session also explores VMA is being used to perform automated malware analysis, and demonstrates how he is combining VMA with file system analysis to help reconstruct and visualize the digital crime scene.

The Volatility Framework 1.1.1 is first publicly released, having evolved from FATKit and VolaTools. The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The goal behind the open development of the Volatility Framework is to bring together systems researchers who believe in bettering the state of the digital forensics community. The framework is intended to introduce the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work in this exciting area of research. The Volatility Framework runs on any platform where Python is supported.

AAron Walters publishes FATKit: Detecting Malicious Library Injection and Upping the “Anti”, which discusses how the Forensic Analysis ToolKit (FATKit) can facilitate the process of enumerating suspicious artifacts manifested as a result of remote library injection. Previously published techniques focused on detecting attacks in real time, but this paper specifically focuses on the ability to extract memory-resident evidence from information systems under investigation. One significant differentiator from the majority of previous work is that the integrity of the potentially compromised operating system is not relied upon; instead, analysis is performed offline on a trusted capture of volatile memory (RAM).