Volatility Package Description

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of
digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being
investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the
techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into
this exciting area of research.

Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including XP, 2003 Server, Vista, Server 2008,
Server 2008 R2, and Seven. Whether your memory dump is in raw format, a Microsoft crash dump, hibernation file, or virtual machine snapshot,
Volatility is able to work with it. We also now support Linux memory dumps in raw or LiME format and include 35 plugins for analyzing 32- and 64-bit
Linux kernels from 2.6.11 – 3.5.x and distributions such as Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake. We support 38 versions of
Mac OSX memory dumps from 10.5 to 10.8.3 Mountain Lion, both 32- and 64-bit. Android phones with ARM processors are also supported. Support
for Windows 8, 8.1, Server 2012, 2012 R2, and OSX 10.9 (Mavericks) is either already in svn or just around the corner

Source: https://github.com/volatilityfoundation/volatility
Volatility Homepage | Kali Volatility Repo

Author: Volatile Systems, Komoku, Inc

License: GPLv2

Tools included in the volatility package

volatility – A memory forensics analysis platform

root@kali:~# volatility -h
Volatility Foundation Volatility Framework 2.4
Usage: Volatility - A memory forensics analysis platform.

Options:
-h, --help list all available options and their default values.
Default values may be set in the configuration file
(/etc/volatilityrc)
--conf-file=/root/.volatilityrc
User based configuration file
-d, --debug Debug volatility
--plugins=PLUGINS Additional plugin directories to use (colon separated)
--info Print information about all registered objects
--cache-directory=/root/.cache/volatility
Directory where cache files are stored
--cache Use caching
--tz=TZ Sets the timezone for displaying timestamps
-f FILENAME, --filename=FILENAME
Filename to use when opening an image
--profile=WinXPSP2x86
Name of the profile to load
-l LOCATION, --location=LOCATION
A URN location from which to load an address space
-w, --write Enable write support
--dtb=DTB DTB Address
--shift=SHIFT Mac KASLR shift address
--output=text Output in this format (format support is module
specific)
--output-file=OUTPUT_FILE
write output in this file
-v, --verbose Verbose information
-g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address
-k KPCR, --kpcr=KPCR Specify a specific KPCR address

Supported Plugin Commands:

apihooks Detect API hooks in process and kernel memory

atoms Print session and window station atom tables
atomscan Pool scanner for atom tables
auditpol Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools Dump the big page pools using BigPagePoolScanner
bioskbd Reads the keyboard buffer from Real Mode memory
cachedump Dumps cached domain hashes from memory
callbacks Print system-wide notification routines
clipboard Extract the contents of the windows clipboard
cmdline Display process command-line arguments
cmdscan Extract command history by scanning for _COMMAND_HISTORY
connections Print list of open connections [Windows XP and 2003 Only]
connscan Pool scanner for tcp connections
consoles Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo Dump crash-dump information
deskscan Poolscaner for tagDESKTOP (desktops)
devicetree Show device tree
dlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverirp Driver IRP hook detection
driverscan Pool scanner for driver objects
dumpcerts Dump RSA private and public SSL keys
dumpfiles Extract memory mapped and cached files
envars Display process environment variables
eventhooks Print details on windows event hooks
evtlogs Extract Windows Event Logs (XP/2003 only)
filescan Pool scanner for file objects
gahti Dump the USER handle type information
gditimers Print installed GDI timers and callbacks
gdt Display Global Descriptor Table
getservicesids Get the names of services in the Registry and return Calculated SID
getsids Print the SIDs owning each process
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hivedump Prints out a hive
hivelist Print list of registry hives.
hivescan Pool scanner for registry hives
hpakextract Extract physical memory from an HPAK file
hpakinfo Info on an HPAK file
idt Display Interrupt Descriptor Table
iehistory Reconstruct Internet Explorer cache / history
imagecopy Copies a physical address space out as a raw DD image
imageinfo Identify information for the image
impscan Scan for calls to imported functions
joblinks Print process job link information
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
ldrmodules Detect unlinked DLLs
lsadump Dump (decrypted) LSA secrets from the registry
machoinfo Dump Mach-O file format information
malfind Find hidden and injected code
mbrparser Scans for and parses potential Master Boot Records (MBRs)
memdump Dump the addressable memory for a process
memmap Print the memory map
messagehooks List desktop and thread window message hooks
 mftparser Scans for and parses potential MFT entries
moddump Dump a kernel driver to an executable file sample
modscan Pool scanner for kernel modules
modules Print list of loaded modules
multiscan Scan for various objects at once
mutantscan Pool scanner for mutex objects
notepad List currently displayed notepad text
objtypescan Scan for Windows object type objects
patcher Patches memory based on page scans
poolpeek Configurable pool scanner plugin
printkey Print a registry key, and its subkeys and values
privs Display process privileges
procdump Dump a process to an executable file sample
pslist Print all running processes by following the EPROCESS lists
psscan Pool scanner for process objects
pstree Print process list as a tree
psxview Find hidden processes with various process listings
raw2dmp Converts a physical memory sample to a windbg crash dump
screenshot Save a pseudo-screenshot based on GDI windows
sessions List details on _MM_SESSION_SPACE (user logon sessions)
shellbags Prints ShellBags info
shimcache Parses the Application Compatibility Shim Cache registry key
sockets Print list of open sockets
sockscan Pool scanner for tcp socket objects
ssdt Display SSDT entries
strings Match physical offsets to virtual addresses (may take a while, VERY verbose
svcscan Scan for Windows services
symlinkscan Pool scanner for symlink objects
thrdscan Pool scanner for thread objects
threads Investigate _ETHREAD and _KTHREADs
timeliner Creates a timeline from various artifacts in memory
timers Print kernel timers and associated module DPCs
truecryptmaster Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase TrueCrypt Cached Passprhase Finder
truecryptsummary TrueCrypt Summary
unloadedmodules Print list of unloaded modules
userassist Print userassist registry keys and information
userhandles Dump the USER handle tables
vaddump Dumps out the vad sections to a file
vadinfo Dump the VAD info
vadtree Walk the VAD tree and display in tree format
vadwalk Walk the VAD tree
vboxinfo Dump virtualbox information
verinfo Prints out the version information from PE images
vmwareinfo Dump VMware VMSS/VMSN information
volshell Shell in the memory image
windows Print Desktop Windows (verbose details)
wintree Print Z-Order Desktop Windows Tree
wndscan Pool scanner for window stations
yarascan Scan process or kernel memory with Yara signatures

vol Usage Example

Read the given memory image (-f /root/xp-laptop-2005-07-04-1430.img) and display the processes that were running (pslist):

root@kali:~# volatility -f /root/xp-laptop-2005-07-04-1430.img pslist

Volatility Foundation Volatility Framework 2.4
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c87c0 System 4 0 62 1133 ------ 0
0x8214b020 smss.exe 400 4 3 21 ------ 0 2005-07-04 18:17:26 UTC 0000
0x821c11a8 csrss.exe 456 400 11 551 0 0 2005-07-04 18:17:29 UTC 0000
0x814dc020 winlogon.exe 480 400 18 522 0 0 2005-07-04 18:17:29 UTC 0000
0x815221c8 services.exe 524 480 17 321 0 0 2005-07-04 18:17:30 UTC 0000
0x821d8248 lsass.exe 536 480 20 369 0 0 2005-07-04 18:17:30 UTC 0000
0x814f0020 svchost.exe 680 524 19 206 0 0 2005-07-04 18:17:31 UTC 0000
0x821daa88 svchost.exe 760 524 10 289 0 0 2005-07-04 18:17:31 UTC 0000
0x821463a8 svchost.exe 800 524 75 1558 0 0 2005-07-04 18:17:31 UTC 0000
0x8216c9b0 Smc.exe 840 524 22 421 0 0 2005-07-04 18:17:32 UTC 0000
0x81530228 svchost.exe 932 524 6 93 0 0 2005-07-04 18:17:33 UTC 0000
0x81534c10 svchost.exe 972 524 15 212 0 0 2005-07-04 18:17:34 UTC 0000
0x8202e7e8 spoolsv.exe 1104 524 11 145 0 0 2005-07-04 18:17:38 UTC 0000
0x8152f9a0 ati2evxx.exe 1272 524 4 38 0 0 2005-07-04 18:17:39 UTC 0000
0x820ac020 Crypserv.exe 1356 524 3 34 0 0 2005-07-04 18:17:40 UTC 0000
0x81521da0 DefWatch.exe 1380 524 3 27 0 0 2005-07-04 18:17:40 UTC 0000
0x820b5670 msdtc.exe 1440 524 15 164 0 0 2005-07-04 18:17:40 UTC 0000
0x81fcf460 Rtvscan.exe 1484 524 37 312 0 0 2005-07-04 18:17:40 UTC 0000
0x8204b8e0 tcpsvcs.exe 1548 524 2 105 0 0 2005-07-04 18:17:41 UTC 0000
0x82027a78 snmp.exe 1564 524 5 192 0 0 2005-07-04 18:17:41 UTC 0000
0x8204c558 svchost.exe 1588 524 5 122 0 0 2005-07-04 18:17:41 UTC 0000
0x8202f558 wdfmgr.exe 1640 524 4 65 0 0 2005-07-04 18:17:42 UTC 0000
0x81fb5da0 Fast.exe 1844 524 2 33 0 0 2005-07-04 18:17:43 UTC 0000
0x81fe9da0 mqsvc.exe 1860 524 23 218 0 0 2005-07-04 18:17:43 UTC 0000
0x82022760 mqtgsvc.exe 712 524 9 119 0 0 2005-07-04 18:17:47 UTC 0000
0x81fe6a78 alg.exe 992 524 5 105 0 0 2005-07-04 18:17:50 UTC 0000
0x8202c6a0 ssonsvr.exe 2196 2172 1 24 0 0 2005-07-04 18:17:59 UTC 0000
0x8146e860 explorer.exe 2392 2300 18 489 0 0 2005-07-04 18:18:03 UTC 0000
0x820d1b00 Directcd.exe 2456 2392 4 40 0 0 2005-07-04 18:18:05 UTC 0000
0x81540da0 TaskSwitch.exe 2472 2392 1 24 0 0 2005-07-04 18:18:05 UTC 0000
0x8219dda0 Fast.exe 2480 2392 1 23 0 0 2005-07-04 18:18:05 UTC 0000
0x81462be0 VPTray.exe 2496 2392 2 111 0 0 2005-07-04 18:18:06 UTC 0000
0x8219d960 atiptaxx.exe 2524 2392 1 51 0 0 2005-07-04 18:18:06 UTC 0000
0x814ecc00 jusched.exe 2548 2392 1 22 0 0 2005-07-04 18:18:07 UTC 0000
0x820d1718 EM_EXEC.EXE 2588 2540 2 80 0 0 2005-07-04 18:18:09 UTC 0000
0x814b8a58 WZQKPICK.EXE 2692 2392 1 17 0 0 2005-07-04 18:18:15 UTC 0000
0x81474510 wuauclt.exe 3128 800 3 157 0 0 2005-07-04 18:19:11 UTC 0000
0x81f7fb98 taskmgr.exe 3192 2392 3 65 0 0 2005-07-04 18:19:33 UTC 0000
0x8153f480 cmd.exe 3256 2392 1 29 0 0 2005-07-04 18:20:58 UTC 0000
0x8133d810 firefox.exe 3276 2392 7 189 0 0 2005-07-04 18:21:11 UTC 0000
0xff96b860 PluckSvr.exe 3352 680 6 206 0 0 2005-07-04 18:21:42 UTC 0000
0x813383b0 PluckTray.exe 3612 3352 3 102 0 0 2005-07-04 18:24:00 UTC 0000
0x81488350 PluckUpdater.ex 368 3352 0 -------- 0 0 2005-07-04 18:24:30 UTC 0000
0x81543870 dd.exe