In case you may have missed it, I’m excited to announce The Order of Volatility has officially released Volatility 2.0. Despite the fact that Volatility continues to be the most advanced memory forensics framework available, Volatility 2.0 was an opportunity for us to completely refactor the code base and rewrite most of the underlying subsystems. Highlights of this release include:
- Restructured and depolluted namespace
- Usage and Development Documentation
- New Configuration Subsystem
- New Caching Subsystem
- New Pluggable address spaces with automated election
- New Address Spaces (i.e. EWF, Firewire)
- Updated Object Model and Profile Subsystems (VolatilityMagic)
- Support for Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7
- Updated Scanning Framework
- Volshell integration
- Over 40 new plugins!
In particular, I also wanted to take this moment to recognize those on the development team who helped push to make this release possible: Mike Auty, Andrew Case, Michael Cohen, Brendan Dolan-Gavitt, Michael Hale Ligh, and Jamie Levy. Finally, shoutz to the Volatility Community and those who live on #volatility for their continued support!
As with the last release of Volatility, the Volatility Team once again hosted the Open Memory Forensics Workshop (OMFW). This was an opportunity for the Volatility Team to highlight a number of the new features in the 2.0 release and get to know the community that uses the framework. OMFW attendees saw Moyix demonstrate how to automatically generate Volatility plugins. They heard attc discuss the upcoming Volatility support for Linux and Android. They saw Gleeda demonstrate the power of memory-driven temporal reconstruction. Finally, they saw MHL set the bar for what it takes to perform real memory analysis. Thanks to the OMFW sponsors: DFRWS, Volatile Systems, and Terremark Worldwide!
If you were unable to attend, both Moyix and MHL have released their presentations. MHL has also released a detailed write-up of the analysis discussed in his presentation and a Stuxnet infected memory sample that aspiring analysts can use to walk through the analysis techniques he describes. You may also want to compare MHL’s analysis to those that have been previously presented by other organizations and you will see the Volatility difference. It’s not surprising that commercial vendors are unwilling to accept the Volatility PuSu Challenge: Own Tools (Sorry you can’t use Vol), Any OS, Any Hardware, Any time!
If you're going to be in Vegas, let me know!