Nytro

Volatility 2.5


Posted

This is the first release since the publication of The Art of Memory Forensics! It adds support for Windows 10 (initial), Linux kernels 4.2.3, and Mac OS X El Capitan. Additionally, the unified output rendering gives users the flexibility of asking for results in various formats (html, sqlite, json, xlsx, dot, text, etc.) while simplifying things for plugin developers. In short, less code leads to more functionality. This is especially useful for framework designers (GUIs, web interfaces, library APIs), because you can interface with a plugin directly and ask for json, which you then store, process, or modify however you want.

This release also coincides with the Community repo - a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation.

Released: October 2015

Release Highlights

  • Windows
    • Added profiles for Windows 8.1 Update 1
    • Added basic support for Windows 10
    • New plugin to print AmCache information from the registry (amcache)
    • New plugin to dump registry files to disk (dumpregistry)
    • New plugin to detect hidden/unlinked service record structures (servicediff)
    • New plugin to print the shutdown time from the registry (shutdowntime)
    • New plugin to print editbox controls from the GUI subsystem (editbox)
    • Malfind plugin detects injected code with erased PE headers
    • Imagecopy and raw2dmp can display the number of bytes copied or converted
    • Fix an issue with the memmap and memdump offsets being inconsistent
    • Fix an issue with vadtree's graphviz fill colors not being rendered by some viewers
    • Update the well known SIDs reported by the getsids plugin
    • Add an optional --max-size parameter to yarascan, dump_maps, etc
    • Fix an issue translating strings in PAE and x64 images
    • Add options to yarascan for case-insensitive search
    • Add options to yarascan to scan process and kernel memory at once

  • Mac OS X

    • Added profiles and support for Mac 10.10 Yosemite and 10.11 El Capitan
    • New plugin to print and extract compressed swap data (mac_compressed_swap)
    • New plugin to automatically detect Mac OS X profiles (mac_get_profile)
    • New plugin(s) to report Kauth scopes and listeners (mac_list_kauth_scopes | listeners)
    • New plugin to identify applications with promiscuous sockets (mac_list_raw)
    • New plugin to find hidden threads (mac_orphan_threads)
    • New plugin to print process environment variables (mac_psenv)
    • New plugin to print basic and complex thread data (mac_threads, mac_threads_simple)

  • Linux/Android

    • Added support for Linux kernels up to 4.2.3
    • New plugin to print Linux dynamic environment variables (linux_dynamic_env)
    • New plugin to print the current working directory of processes (linux_getcwd)
    • New plugin to carve for network connection structures (linux_netscan)
    • Speed improvements to various plugins
    • Improve handling of mprotect() Linux memory regions

Operating System Support

  • 64-bit Windows Server 2012 and 2012 R2
  • 32- and 64-bit Windows 10 (initial/basic support)
  • 32- and 64-bit Windows 8, 8.1, and 8.1 Update 1
  • 32- and 64-bit Windows 7 (all service packs)
  • 32- and 64-bit Windows Server 2008 (all service packs)
  • 64-bit Windows Server 2008 R2 (all service packs)
  • 32- and 64-bit Windows Vista (all service packs)
  • 32- and 64-bit Windows Server 2003 (all service packs)
  • 32- and 64-bit Windows XP (SP2 and SP3)
  • 32- and 64-bit Linux kernels from 2.6.11 to 4.2.3
  • 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
  • 32- and 64-bit 10.6.x Snow Leopard
  • 32- and 64-bit 10.7.x Lion
  • 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
  • 64-bit 10.9.x Mavericks (there is no 32-bit version)
  • 64-bit 10.10.x Yosemite (there is no 32-bit version)
  • 64-bit 10.11.x El Capitan (there is no 32-bit version)

Memory Format Support

  • Raw/Padded Physical Memory
  • Firewire (IEEE 1394)
  • Expert Witness (EWF)
  • 32- and 64-bit Windows Crash Dump
  • 32- and 64-bit Windows Hibernation
  • 32- and 64-bit MachO files
  • Virtualbox Core Dumps
  • VMware Saved State (.vmss) and Snapshot (.vmsn)
  • HPAK Format (FastDump)
  • QEMU memory dumps

Source: http://www.volatilityfoundation.org/#!25/c1f29
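The unified output described above means a plugin's table can be requested as JSON (`vol.py -f mem.raw --profile=... --output=json --output-file=pslist.json pslist`) and post-processed outside Volatility. The script below is an added example, not code from the release notes or from the Volatility project: it cross-references the JSON output of `pslist` (a walk of the active process list) with that of `psscan` (a pool-tag scan for _EPROCESS blocks) and flags processes that only the scanner found, which is the classic check for a process unlinked from the list. It assumes the JSON renderer's top-level shape (a dict with a `columns` list and a `rows` list of lists) and the column names `Name`, `PID`, `PPID` and `Time exited`; both input documents are constructed by hand for illustration and were not taken from a real image.

```python
"""Flag processes that psscan found but pslist did not, from Volatility 2.5
JSON output. Added example; assumes the {"columns": [...], "rows": [[...]]}
shape of --output=json and the column names shown in the samples below."""
import json

# Constructed sample standing in for `--output=json pslist`. Column names
# follow the pslist plugin; offsets, PIDs and timestamps are made up.
PSLIST_JSON = json.dumps({
    "columns": ["Offset(V)", "Name", "PID", "PPID", "Thds", "Hnds",
                "Sess", "Wow64", "Start", "Exit"],
    "rows": [
        ["0xfffffa8000c8b040", "System", 4, 0, 80, 500, -1, 0,
         "2015-10-01 12:00:00 UTC+0000", ""],
        ["0xfffffa8001c4e5e0", "svchost.exe", 856, 464, 12, 300, 0, 0,
         "2015-10-01 12:00:30 UTC+0000", ""],
        ["0xfffffa8001a2b060", "explorer.exe", 1712, 1680, 30, 900, 1, 0,
         "2015-10-01 12:01:00 UTC+0000", ""],
    ],
})

# Constructed sample standing in for `--output=json psscan`: the same three
# processes, one that has exited but whose pool block was not reused yet,
# and one live process (rundll32.exe) that the list walk never reached.
PSSCAN_JSON = json.dumps({
    "columns": ["Offset(P)", "Name", "PID", "PPID", "PDB",
                "Time created", "Time exited"],
    "rows": [
        ["0x000000003d6b3040", "System", 4, 0, "0x0000000000187000",
         "2015-10-01 12:00:00 UTC+0000", ""],
        ["0x000000003e4ee5e0", "svchost.exe", 856, 464, "0x000000002f88b000",
         "2015-10-01 12:00:30 UTC+0000", ""],
        ["0x000000003e2b1060", "explorer.exe", 1712, 1680, "0x0000000030c57000",
         "2015-10-01 12:01:00 UTC+0000", ""],
        ["0x000000003f9c2b30", "notepad.exe", 3200, 1712, "0x0000000019e11000",
         "2015-10-01 12:02:00 UTC+0000", "2015-10-01 12:03:10 UTC+0000"],
        ["0x000000003f1a0b30", "rundll32.exe", 2316, 1712, "0x0000000011ac4000",
         "2015-10-01 12:05:00 UTC+0000", ""],
    ],
})


def load_rows(json_text):
    """Turn one plugin's JSON document into a list of dicts keyed by column name."""
    doc = json.loads(json_text)
    cols = doc["columns"]
    return [dict(zip(cols, row)) for row in doc["rows"]]


def processes_by_pid(rows):
    """Index rows by PID. The int() guards against renderers that emit
    numeric columns as strings."""
    return {int(r["PID"]): r for r in rows}


def find_unlisted(pslist_json, psscan_json):
    """Return (pid, name, ppid) for every live process psscan carved that is
    absent from pslist. Exited processes are skipped: a stale _EPROCESS
    left in the pool is expected and is not evidence of unlinking."""
    listed = processes_by_pid(load_rows(pslist_json))
    scanned = processes_by_pid(load_rows(psscan_json))
    hits = []
    for pid in sorted(scanned):
        if pid in listed:
            continue
        row = scanned[pid]
        if row.get("Time exited"):
            continue
        hits.append((pid, row["Name"], int(row["PPID"])))
    return hits


if __name__ == "__main__":
    for pid, name, ppid in find_unlisted(PSLIST_JSON, PSSCAN_JSON):
        print("in psscan but not pslist: pid=%d name=%s ppid=%d" % (pid, name, ppid))
```

On real output the same comparison is what the `psxview` plugin does across several process-enumeration sources at once; doing it by hand over JSON shows why the unified renderer matters for tooling built on top of Volatility. A hit is a lead, not a verdict: confirm it by dumping the process with `procdump` and checking its VADs and threads before calling it hidden.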

Posted
What does this thing do?

You posted the changelog and what it supports, but it doesn't say anywhere what it does or what it's good for.

Volatility is an advanced memory forensics framework written in Python. Once the memory image has been acquired, the Volatility framework can be used to perform memory forensics on the acquired memory image. Volatility can be installed on multiple operating systems (Windows, Linux, Mac OS X). Installation details for Volatility can be found at

It's a really cool thing. In short: you take a RAM dump and it lets you search through it for processes, strings, DLLs, etc.
