View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0000695Kali Linux[All Projects] Tool Upgrade Requestpublic2013-11-08 09:362013-12-11 16:48
Reportersaberzaid Assigned Todookie  
PrioritynormalSeverityminorReproducibilityhave not tried
Status resolvedResolutionfixed 
Product Version 
Target VersionFixed in Version1.0.6 
Summary0000695: Volatility 2.3.1
DescriptionThe Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Release Highlights

    Windows
        new plugins to parse IE history/index.dat URLs, recover shellbags data, dump cached files (exe/pdf/doc/etc), extract the MBR and MFT records, explore recently unloaded kernel modules, dump SSL private and public keys/certs, and display details on process privileges
        added plugins to detect poison ivy infections, find and decrypt configurations in memory for poison ivy, zeus v1, zeus v2 and citadelscan 1.3.4.5
        apihooks detects duqu style instruction modifications (MOV reg32, imm32; JMP reg32)
        crashinfo displays uptime, systemtime, and dump type (i.e. kernel, complete, etc)
        psxview plugin adds two new sources of process listings from the GUI APIs
        screenshots plugin shows text for window titles
        svcscan automatically queries the cached registry for service dlls
        dlllist shows load count to distinguish between static and dynamic loaded dlls
    New address spaces
        added support for VirtualBox ELF64 core dumps, VMware saved state (vmss) and snapshot (vmsn) files, and FDPro's non-standard HPAK format
        associated plugins: vboxinfo, vmwareinfo, hpakinfo, hpakextract
    Mac
        new MachO address space for 32- and 64-bit Mac memory samples
        over 30+ plugins for Mac memory forensics
    Linux/Android
        new ARM address space to support memory dumps from Linux and Android devices on ARM
        added plugins to scan linux process and kernel memory with yara signatures, dump LKMs to disk, and check TTY devices for rootkit hooks
        added plugins to check the ARM system call and exception vector tables for hooks

download:

http://code.google.com/p/volatility/downloads/list

Activities

dookie

2013-12-11 16:48

reporter   ~0001202

Upgraded in volatility_2.3.1-1kali0. It will be in the repos soon.

Thanks for the report.

Issue History

Date Modified Username Field Change
2013-11-08 09:36 saberzaid New Issue
2013-12-11 16:48 dookie Note Added: 0001202
2013-12-11 16:48 dookie Status new => resolved
2013-12-11 16:48 dookie Fixed in Version => 1.0.6
2013-12-11 16:48 dookie Resolution open => fixed
2013-12-11 16:48 dookie Assigned To => dookie
2021-05-31 13:37 rhertzog Category Tool Upgrade => Tool Upgrade Request