Volatility Documentation Project
gleeda edited this page Sep 8, 2015 · 40 revisions
This is a catalog of research, documentation, analysis, and tutorials produced by members of the Volatility community. If you've written about Volatility and don't see your work represented in the list, please let us know. The items are in reverse chronological order, with the most recent items at the top of the table.
Year | Month | Type | Title | Author |
---|---|---|---|---|
2015 | August | Blog | Volatility plugin for PlugX updated | Fabien Perigaud (@0xf4b) |
2015 | August | Blog | Memory Forensics – Detecting Galileo RCS on Windows | Joe Greenwood (@SeawolfRN) |
2015 | August | Blog | Python script to combine psscan and pslist Output | thepcn3rd (@lokut) |
2015 | July | Code | ksfinder: Retrieve exported kernel symbols from physical memory dumps | @emd3l |
2015 | June | Blog | Memory Analysis of DarkComet using VolDiff | @aim4r |
2015 | May | Video | Evolve - Running multiple plugins at the start | James Habben (@JamesHabben) |
2015 | April | Code | linux_python_strings | Ying Li (@cyli) |
2015 | April | Code | Evolve | James Habben (@JamesHabben) |
2015 | April | Video | EVolve Teaser | James Habben (@JamesHabben) |
2015 | April | Video Presentation | Where in your RAM is "python san_diego.py"? - PyCon 2015 | Ying Li (@cyli) |
2015 | February | Code | Dyrescan | Kudelski Security |
2015 | February | Blog | Volatility plugin for Dyre | Kudelski Security |
2015 | January | Blog | Triaging a System Infected with Poweliks | Corey Harrell (@corey_harrell) |
2015 | January | Blog | Hunting and Decrypting Communications of Gh0st RAT in Memory | Monnappa (@monnappa22) |
2014 | December | Blog | Pattern-Based Approach for In-Memory ShellCodes Detection | Emanuele De Lucia |
2014 | December | Blog | Parsing the hiberfil.sys, searching for slack space | DiabloHorn |
2014 | December | Book | Black Hat Python (Chapter 11 Automating Offensive Forensics) | Justin Seitz (@jms_dot_py) |
2014 | November | Blog | Volatilisons Linux: partie 2 (French) | Frederic Baguelin (@udgover) |
2014 | November | Video Presentation | Reverse All the Things with PANDA | Brendan Dolan-Gavitt (@moyix) |
2014 | November | Code | Detekt - Malware Triaging Tool | Claudio Guarnieri (@botherder) |
2014 | November | Presentation | Science, Sharing, and Repeatability in Memory Forensics | Brendan Dolan-Gavitt (@moyix) |
2014 | November | Presentation | Next Generation Memory Forensics | The @volatility developers |
2014 | November | Blog | 9447 2014 CTF Write Up: coor coor (using Volatility to extract OTR keys) | Bernardo Rodrigues |
2014 | November | Blog | Viewing Thread Information in Mac Memory | Cem Gurkok (@CGurkok) |
2014 | November | Blog | Tracing Bits of Coins in Mac Memory | Cem Gurkok (@CGurkok) |
2014 | November | Blog | Finding Call Reference Hooks in Mac Memory | Cem Gurkok (@CGurkok) |
2014 | November | Blog | Detecting Shadow TrustedBSD Policy Tables In Mac Memory | Cem Gurkok (@CGurkok) |
2014 | November | Presentation | [Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors](http://www.slideshare.net/jared703/vol-ir-jgss114) | Jared Greenhill (@jared703) |
2014 | October | Blog | Vol-MsDecompress (plugin contest) | Jamaal Speights (@jamaalspeights) |
2014 | October | Video | SecTor 2014 - Unmasking Careto through Memory Analysis | Andrew Case (@attrc) |
2014 | September | Blog | How to remotely acquire physical memory using @fresponse and @volatility | Ryan Bentz (@grayhatninja) |
2014 | September | Blog | Announcing the BETA release of DAMM | Vico Marziale (@vicomarziale) |
2014 | September | Blog | Volatility autoruns plugin | Thomas Chopitea (@tomchop_) |
2014 | August | Blog | Volatility Plugin – SQLite Helper | Dave Lassalle (@superponible) |
2014 | August | Blog | Volatility Plugin – Firefox History | Dave Lassalle (@superponible) |
2014 | August | Blog | Volatility Plugin – Java IDX Parser | Dave Lassalle (@superponible) |
2014 | August | Blog | Volatility Plugin – Chrome History | Dave Lassalle (@superponible) |
2014 | August | Blog | Volatility Plugin – Office Trust Records | Dave Lassalle (@superponible) |
2014 | August | Blog | Volatility Plugin – SSDeep for malfind and apihooks | Dave Lassalle (@superponible) |
2014 | August | Blog | Fast Malware Triage Using Openioc_scan Volatility Plugin | Takahiro Haruyama (@cci_forensics) |
2014 | June | Paper | In lieu of swap: Analyzing compressed RAM in Mac OS X and Linux | Golden G. Richard III and Andrew Case |
2014 | June | Paper | Applying Memory Forensics to Rootkit Detection | Igor Korkin and Ivan Nesterov |
2014 | May | Video | TWC: Recalling Windows Memories | Paula Januszkiewicz |
2014 | May | Blog | Acquiring Linux Memory from a Server Far Far Away | Dan Caban |
2014 | May | Slides | Mo' Memory No' Problem | Glenn P. Edwards, Jr. (@HiddenIllusion) and Ian Ahl (@TekDefense) |
2014 | May | Blog | Targeted Forensics: Mapping a Process to a Malicious Command and Control | Justin Grosfelt |
2014 | May | Blog | Mr Silverlight Drive-by Meet Volatility Timelines | Corey Harrell (@corey_harrell) |
2014 | May | Blog | GETTING STARTED WITH MEMORY FORENSICS | Salim Awad |
2014 | May | Code | Volatility USN Journal Parser | Tom Spencer |
2014 | May | Blog | Post-Mortem Memory Analysis of Cold-Booted Android Devices | Hilgers, Macht, Muller, Spreitzenbarth |
2014 | April | Blog | Windows Logon Password – Get Windows Logon Password using Wdigest in Memory Dump | For-MD (http://for-md.org) |
2014 | April | Blog | Hyper-V 2012 and 2012 R2 live virtual machine memory acquisition and analysis | Wyatt Roersma (@WyattRoersma) |
2014 | April | Blog | Rewriting/anonymizing artifacts | Glenn P. Edwards Jr. (@hiddenillusion) |
2014 | March | Blog | Analyzing a Linux Memory Dump | Ric Messier (@ricmessier) |
2014 | March | Blog | Finding Advanced Malware Using Volatility | Monnappa (@monnappa22) |
2014 | March | Blog | Uroburos Rootkit Hook Analysis and Driver Extraction | @spresec |
2014 | March | Code | OpenVPN credentials extractor | Phaeilo |
2014 | March | Blog | Creating Volatility Linux Profiles (openSUSE) | @Evild3ad79 |
2014 | March | Blog | Creating Volatility Linux Profiles (Debian/Ubuntu) | @Evild3ad79 |
2014 | February | Presentation | Hunting Mac Malware with Memory Forensics | Andrew Case (@attrc) |
2014 | February | Presentation | Hunting for OS X Rootkits in Memory | Cem Gurkok (@CGurkok) |
2014 | February | Blog | Dumping DarkComet config out of memory using volatility | @dfirn00b |
2014 | February | Blog | Malware with No Strings Attached - Dynamic Analysis | Brian Baskin (@bbaskin) |
2014 | February | Blog | Finding malicious DLLs with Volatility | Chris Gates (@carnal0wnage) |
2014 | January | Presentation | memory forensics introductory work shop | Sandro Suffert (@suffert) |
2014 | January | Blog | Forensics Analysis of Anti-Forensic Activities | Jack Crook (@jackcr) |
2014 | January | Blog | PlugX "v2": meet "SController" | F4b (@0xf4b) |
2014 | January | Blog | PHDays CTF 2014 - FreeBDSM | Mariano Graziano (@emd3l) |
2013 | December | Blog | Cryptolocker Analysis with Volatility | Cornel |
2013 | December | Blog | Another look at a cross-platform DDoS botnet | Andre' Di Mino (@sempersecurus) |
2013 | December | Blog | ANALYZING DARKCOMET IN MEMORY | Ian Ahl (@TekDefense) |
2013 | December | Blog | The botmaster: jackcr - 12/27/13 memory image | Kyle Oetken (@kyleoetken) |
2013 | December | Blog | Malware Capabilities and Conspiracy Theory | Jack Crook (@jackcr) |
2013 | December | Blog | Analizando un trozito de memoria | jony |
2013 | December | Blog | A Forensic Overview of a Linux perlbot | Andre' Di Mino (@sempersecurus) |
2013 | December | Blog | DC3 Forensic Challenge - Memory Analysis | J. Oquendo |
2013 | November | Blog | Hunting APT RAT 9002 In Memory Using Volatility Plugin | Monnappa (@monnappa22) |
2013 | November | Blog | Analyzing Malicious Processes | Jack Crook (@jackcr) |
2013 | November | Blog | Volatility 2.3 and FireEye's diskless, memory-only Trojan.APT.9002 | Russ McRee (@holisticinfosec) |
2013 | October | Blog | Locating injected code in memory | Jack Crook (@jackcr) |
2013 | October | Blog | Analyzing Hyper-V Saved State files in Volatility | Wyatt Roersma (@WyattRoersma) |
2013 | October | Blog/Paper | GrrCON DFIR Challenge 2013 | Wyatt Roersma (@WyattRoersma) |
2013 | October | Code | Filelist and Virustotal Volatility Plugins | Sebastien Bourdon-Richard |
2013 | October | Blog | Dumping Malware Configuration Data from Memory with Volatility | Brian Baskin (@bbaskin) |
2013 | October | Blog | VOLSHELL FOR THE WEB! | Martijn Veken (@martijnveken) |
2013 | September | Blog | The Hunt for Memory Malware | Albert Fruz |
2013 | August | Blog | ebCTF 2013: FOR100 | Gabriel Laskar |
2013 | August | Code | Hashtest | Andy White |
2013 | August | Blog | Total Recall Script Released | Melissa (@sk3tchymoos3) |
2013 | August | Code | Some scripts/plugins for Volatility | Glenn P. Edwards Jr (@hiddenillusion) |
2013 | August | Code | Volatility Interface to the Binary Analysis Platform | Carl Pulley |
2013 | August | Blog | Quick Volatility overview and R.E. analysis of Win32.Chebri | Evilcry |
2013 | August | Blog | JackCR ISSA 2013 Netwars Challenge - Memory Issues | Bryan Nolen (@BryanNolen) |
2013 | August | Blog | vadimm | Jamaal Speights (@jamaalspeights) |
2013 | August | Video | Topics in post-mortem debugging | Adam Leventhal (@ahl) |
2013 | August | Blog | How to install Volatility on Mac OS X (Version 10.8.4) | Evild3ad (@Evild3ad79) |
2013 | August | Paper | Integrity Verification of User Space Code | White, Schatz, Foo |
2013 | July | Blog | Hooking IDT in OS X and Detection | Cem Gurkok (@CGurkok) |
2013 | July | Blog | Advanced Malware Analysis Training Session 7 – Malware Memory Forensics | Monnappa (@monnappa22) |
2013 | July | Blog | Back to Defense: Finding Hooks in OS X with Volatility | Cem Gurkok (@CGurkok) |
2013 | July | Blog | Zeus trojan memory forensics with Volatility | Javier Nieto Arevalo |
2013 | July | Code | Linux Threads and CPU Registers Plugins | Edwin Smulders (0x445554434859) |
2013 | July | Blog | Offensive Volatility: Messing with the OS X Syscall Table | Cem Gurkok (@CGurkok) |
2013 | July | Blog | Ethscan: volatility memory forensics framework plugin for recovering Ethernet frames from memory. | Jamaal Speights (@jamaalspeights) |
2013 | June | Paper | Hypervisor Memory Forensics (pdf) | Mariano Graziano (@emd3l) |
2013 | June | Blog | Analizando un trozito de memoria | neofito (@neosysforensics) |
2013 | June | Blog | Volatility 2.2 Class/Api Documentation | Jamaal Speights (@jamaalspeights) |
2013 | May | Blog | Zues Analysis - Memory Forensics Via Volatility | Zubair Ashraf (@zashraf1337) |
2013 | May | Blog | Automatic Plugin Generation with Dalvik Inspector | Joe Sylve (@jtsylve) and Vico Marziale (@vicomarziale) |
2013 | May | Blog | check_dtrace - A Volatility Plugin Arises | Cem Gurkok (@CGurkok) |
2013 | April | Blog | Actaeon - Hypervisors Hunter | Mariano Graziano (@emd3l) |
2013 | April | Blog | Forensic Analysis of Memory on Linux | Peter Schulik |
2013 | April | Blog | Cyber Defense Exercise 2013: Extracting cached passphrases in Truecrypt | syreal |
2013 | April | Blog | Hunting D-Trace Rootkits with The Volatility Framework | Cem Gurkok (@CGurkok) |
2013 | April | Blog | Android Application (Dalvik) Memory Analysis & the Chuli Malware | Joe Sylve (@jtsylve) and Vico Marziale (@vicomarziale) |
2013 | March | Slides | Memory Forensics - Helping to Find What's Not There | Melissa Augustine (@sk3tchymoos3) |
2013 | March | Blog | Live Linux forensics in a KVM based environment | charley pfaff (@bl4ck_0ut) |
2013 | March | Paper | Indicators of Compromise in Memory Forensics | Chad Robertson (@chrooted) |
2013 | March | Blog | OSX Live Memory Forensics with Volatility | Jon Schipp (@jonschipp) |
2013 | March | Presentation | Memory Analysis with Volatility | Russ McRee (@holisticinfosec) |
2013 | March | Presentation | Memory Analysis with Volatility | Karl Sigler (@ksigler) |
2013 | February | Blog | Memory Dump Hash Cracking | Mike Machnik (@machn1k) |
2013 | February | Video | Using LiME & Volatility to analyze Linux memory | Brian Keefer (@chort0) |
2013 | February | Video | Using Cuckoobox & Volatility to analyze APT1 malware | Brian Keefer (@chort0) |
2013 | February | Slides | My First Incident Response Team | Brian Keefer (@chort0) |
2013 | February | Blog | Manipulating Memory for Fun & Profit | Frederic Bourla |
2013 | February | Blog | Using OSForensics with Volatility | @PassMarkInc |
2013 | February | Blog | Volatility – Memory Analysis Tool | Rehan Bashir (@rehan2001) |
2013 | February | Blog | Set up your keylogger to report by email? Bad idea! (The case of Ardamax) | Alberto Ortega (@a0rtega) |
2013 | January | Paper | Live Memory Forensics on Android with Volatility | Holger Macht |
2013 | January | Slides | Defeating Windows Memory Forensics | Luka Milkovic |
2013 | January | Blog | Volatility vs Citadel 1.3.4.5 | Santiago Vicente (@smvicente) |
2013 | January | Blog | Stabuniq Financial Infostealer Trojan Analysis | Quequero & Evilcry |
2012 | December | Blog | Hunting Malware with Memory Analysis | Jeremy Scott (@Solutionary) |
2012 | December | Paper | @Jackcr Forensic Challenge | Bryan Nolen (@BryanNolen) |
2012 | December | Paper | Hunting Mac OS X Rootkits with Memory Forensics | K. Lee, J. Kim, H. Koo |
2012 | November | Blog | jackr forensic challenge 2 | @infoseckitten, @magicked, @alwaysreit |
2012 | November | Video | DFIROnline: Android Forensics with Volatility and LiME | Andrew Case (@attrc) |
2012 | November | Blog | APTish Attack via Metasploit - Part III - Memory Analysis | Patrick Olsen (@patrickrolsen) |
2012 | November | Blog | @jackcr forensic challenge | @infoseckitten, @magicked, @alwaysreit |
2012 | November | Blog | Memory Forensics for Malware Analysis | Andrew McNicol |
2012 | November | Blog | Automating Volatility | @martijnveken |
2012 | November | Paper | Blacksheep: Detecting Compromised Hosts in Homogeneous Crowds | UC Santa Barbara |
2012 | October | Slides | Case Study - Rootkit Analysis | m0nna (@monnappa22) |
2012 | October | Blog | Backdoors are Forever: Hacking Team and the Targeting of Dissent? | Morgan Marquis-Boire (@headhntr) |
2012 | October | Blog | Blackhole & Cridex: Season 2 Episode 1: Intuit Spam & SSL traffic analysis | Andre' Di Mino (@sempersecurus) |
2012 | September | Paper | Acquiring Digital Evidence from Botnet Attacks | Junewon Park |
2012 | September | Blog | cr0security rootkit analysis | Teguh P. Alko |
2012 | September | Blog | Linux, Volatility, and Profiles | neofito (@neosysforensics) |
2012 | August | Paper/Slides | Virtual Machine Introspection in a Hybrid Honeypot Architecture | Lengyel et al. |
2012 | August | Code | userspace.py | Andrew White |
2012 | August | Blog | Using Volatility Framework as a Library | Adam Pridgen |
2012 | August | Blog | Identifying a mounted TrueCrypt volume from artifacts in volatile memory | Adam Bridge (bridgeythegeek) |
2012 | August | Blog | Pen Test Privilege Escalation Through Suspended Virtual Machines | Mark Baggett (@markbaggett) |
2012 | August | Blog | Cridex Analysis Using Volatility | Andre M. DiMino (@sempersecurus) |
2012 | August | Blog | Extracting processes binary w/ volatility, disk image | @ykx100 |
2012 | August | Magazine | Malware Memory Forensics | Monnappa |
2012 | August | Blog | Configure Volatility framework on Windows OS | Stefano Antenucci |
2012 | August | Blog | Recovering tmpfs from Memory with Volatility | Andrew Case (@attrc) |
2012 | July | Blog | From Bahrain With Love: FinFisher’s Spy Kit Exposed? | Morgan Marquis-Boire |
2012 | July | Blog | Xtreme RAT analysis | Malware.lu ([email protected]) |
2012 | July | Blog | Volatility Guide - Living Doc | s0ck3t |
2012 | June | Slides | You suck at Memory Analysis | Francisco Gama T. R. (@blackthorne) |
2012 | June | Blog | QuickPost: Flame & Volatility | Michael Ligh (@iMHLv2) |
2012 | June | Blog | Announcing Mac Support in Volatility | Andrew Case (@attrc) |
2012 | June | Slides | Mac Memory Analysis with Volatility | Andrew Case (@attrc) |
2012 | June | Blog | LiME 1.1 Released | Joe Sylve (@jtsylve) |
2012 | June | Blog/Video | Training Session Part 8 – Practical Reversing (III) – Memory Forensics | Monnappa |
2012 | June | Code | Volatility plugin to detect Poison Ivy in memory and dump run-time config | Andreas Schuster (@forensikblog) |
2012 | June | Video | Memory Analysis During Incident Response | Brett Cunningham |
2012 | June | Video | Volatility Know How's | MrKishorD |
2012 | June | Blog | Using Volatility with EnCase | Mark Morgan |
2012 | May | Paper | sKyWIper (a.k.a. Flame, Flamer): A complex malware for targeted attacks | CrySyS Lab (@CrySysLab) |
2012 | May | Blog | Tracking Malware Crumb in Memory | @ykx100 |
2012 | April | Blog | Memory Forensics Cheat Sheet | @chadtilbury |
2012 | April | Blog | YARA + Volatility ... the beginning | @hiddenillusion |
2012 | April | Blog | IETab_IE65 Malware Memory Analysis | @patrickrolsen |
2012 | April | Blog | Registry Analysis in Volatility | Tamer Hassan |
2012 | April | Blog | Malware Memory Analysis - Volatility | Basement Tech |
2012 | April | Video | VOLATILITY & DUMPIT : DEADLY COMBO TO GET UR PASSWORDS | anupam50 |
2012 | March | Video | Malgram Dynamic Analyses (SRI International) uses Volatility in their sandbox | SRI International |
2012 | March | Blog | From Hibernation file to Malware analysis with Volatility | Christiaan Beek |
2012 | March | Blog/Video | Capstone Project: Volatile Memory Analysis – Identifying Rogue Executables | Ben Rogers |
2012 | March | Magazine | Memory Timelines Using Volatility’s Timeliner | Nick Baronian |
2012 | March | Slides | One-byte Modification for Breaking Memory Forensic Analysis | Takahiro Haruyama and Hiroshi Suzuki |
2012 | February | Blog | RAM dump with VirtualBox: via ELF64 coredump | Philippe Teuwen |
2012 | February | Blog | Suspected South Korean Malware | @patrickrolsen |
2012 | January | Blog | Malware Analysis with SIFT and Volatility | @patrickrolsen |
2012 | January | Blog | Running Volatility Memory Forensics Framework on your android phone! | Jamaal Speights |
2012 | January | Slides | Android Mind Reading: Memory Acquisition and Analysis with DMD and Volatility | Joe Sylve (@jtsylve) |
2012 | January | Video | Android Mind Reading: Memory Acquisition and Analysis with DMD and Volatility | Joe Sylve (@jtsylve) |
2012 | January | Paper | Acquisition and Analysis of Volatile Memory from Android Devices | Joe Sylve (@jtsylve) & Andrew Case (@attrc) |
2012 | January | Blog | Ramnit, Zeus and the BAT! Part 2 | cbentle2 |
2011 | December | Slides | Hunting Malware with Volatility 2.0 | Frank Boldewin |
2011 | November | Video | Using Volatility: Suspicious Process (1/2) | Melissa (@sk3tchymoos3) |
2011 | November | Video | Using Volatility: Suspicious Process (Part 2/2) | Melissa (@sk3tchymoos3) |
2011 | November | Blog | GRR: Google Rapid Response and Volatility | AAron Walters |
2011 | November | Blog | Sandia National Laboratories: Virtual Machine Introspection (VMI) Tools and Volatility Support | AAron Walters |
2011 | November | Blog | Memory Forensics: Pull Process & Network Connections from a Memory Dump | c0decstuff |
2011 | November | Blog | Memory Forensics: How to Pull Passwords from a Memory Dump | Daniel Dieterle |
2011 | November | Blog | Análisis avanzado de memoria de sistemas Microsoft Windows con Volatility | Sergio Hernando (@sergiohernando) |
2011 | November | Blog | Using Volatility: Suspicious Process | Melissa (@sk3tchymoos3) |
2011 | November | Blog | Memory Forensics: Analyzing a Stuxnet Memory Dump (And you can too!) | Daniel Dieterle |
2011 | October | Article | CSI:Internet Episode 4: Open heart surgery | Frank Boldewin |
2011 | October | Blog | Dirt Jumper DDoS Bot - New versions, New targets | Andre M. DiMino (@sempersecurus) |
2011 | October | Blog | [Volatility Memory Forensics \| Federal Trojan aka R2D2](http://www.evild3ad.com/1136/volatility-memory-forensics-federal-trojan-aka-r2d2/) | Evild3ad (@Evild3ad79) |
2011 | October | Blog | [Volatility Memory Forensics \| Graphviz](http://www.evild3ad.com/1088/volatility-memory-forensics-graphviz/) | Evild3ad (@Evild3ad79) |
2011 | October | Blog | Ain't Nuthin But a K(Timer) Thing, Baby | Michael Ligh (@iMHLv2) |
2011 | October | Blog | ZeroAccess, Volatility, and Kernel Timers | Michael Ligh (@iMHLv2) |
2011 | October | Video | Windows Password Retrieval and Hacking | Melissa (@sk3tchymoos3) |
2011 | September | Article | CSI:Internet Episode 3: A trip into RAM | Frank Boldewin |
2011 | September | Blog | MORTO – From a Memory-Dump Point of View | p4r4n0id |
2011 | September | Blog | Shylock In-Depth Malware Analysis | Brad Arndt (@bradarndt) |
2011 | September | Blog | toolsmith: Memory Analysis with DumpIt and Volatility | Russ McRee (@holisticinfosec) |
2011 | September | Blog | Volatility Memory Forensics Basic Usage for Malware Analysis | Evild3ad (@Evild3ad79) |
2011 | September | Blog | Zeus Analysis in Volatility 2.0 | Brad Arndt (@bradarndt) |
2011 | September | Blog | Volatility 2.0 Plugin Vscan | Brad Arndt (@bradarndt) |
2011 | September | Blog | Volatility 2.0: Timeliner, RegistryAPI, evtlogs and more | Jamie Levy (@gleeda) |
2011 | September | Blog | Abstract Memory Analysis: Zeus Encryption Keys | Michael Ligh (@iMHLv2) |
2011 | August | Slides | Linux Memory Analysis Workshop | Andrew Case (@attrc) |
2011 | August | Blog | Volatility 2.0 and OMFW | Jamie Levy (@gleeda) |
2011 | July | Blog/Paper | Forensic Challenge 2011 - Forensic Analysis of a Compromised Server | Mau, Kahlich, Erasmus, Quintero, & Anand |
2011 | June | Slides | Linux Memory Analysis with Volatility | Andrew Case (@attrc) |
2011 | June | Paper | A survey of main memory acquisition and analysis techniques for the windows operating system | Stefan Vomel and Felix C. Freiling |
2011 | June | Blog | Stuxnet's Footprint in Memory with Volatility 2.0 | Michael Ligh (@iMHLv2) |
2011 | June | Slides | Forensic Memory Analysis of Android’s Dalvik VM | Andrew Case (@attrc) |
2011 | May | Blog | Analyzing Malware Hollow Processes | Eric Monti |
2011 | April | Blog | Volatility 1.4: new, great (and with a shiny new plugin) | lg |
2011 | April | Blog | Using "volatility" to study the CVE-2011-0611 Adobe Flash 0-day | Andre M. DiMino (@sempersecurus) |
2011 | April | Blog | Volatility 1.4 UserAssist plugin | Jamie Levy (@gleeda) |
2011 | April | Blog | What's the Difference? (A Brief Volatility 1.4 Plugin Tutorial) | Jamie Levy (@gleeda) |
2011 | April | Blog | Detecting/Memory Forging Attempt by a Rootkit | Michael Ligh (@iMHLv2) |
2011 | April | Blog | Investigating Windows Threads with Volatility | Michael Ligh (@iMHLv2) |
2011 | April | Blog | Applying Forensic Tools to Virtual Machine Introspection | Brendan Dolan-Gavitt (@moyix) |
2011 | April | Blog | Nuit du hack 2011 CTF Forensic | Alexmin |
2011 | April | Blog | Apr. 8 CVE-2011-0611 Flash Player Zero day | Mila |
2011 | March | Blog | Carberp Analysis via Volatility | Evilcry |
2011 | March | Blog | Update: Volatility printkey Plugin | Jamie Levy (@gleeda) |
2011 | March | Blog | Volatility 1.4 get_plugins Script | Jamie Levy (@gleeda) |
2011 | March | Blog | Volatility's New Netscan Module | Michael Ligh (@iMHLv2) |
2011 | March | Blog | The Mis-leading 'Active' in PsActiveProcessHead and ActiveProcessLinks | Michael Ligh (@iMHLv2) |
2011 | March | Blog | Automatically Generating Memory Forensic Tools | Brendan Dolan-Gavitt (@moyix) |
2011 | March | Blog | Analyzing the New Honeynet Memory Analysis Challenge with Volatility | Andrew Case (@attrc) |
2011 | March | Blog | Bringing Linux Support to Volatility | Andrew Case (@attrc) |
2011 | March | Blog | Volatility (Undead Security) | Matt?? |
2011 | February | Blog | Shylock via volatility | Evilcry |
2011 | January | Blog | A Quick Look at Volatility 1.4 RC1 - What's New? | Lenny Zeltser (@lennyzeltser) |
2011 | January | Paper | De-Anonymizing Live CDs through Physical Memory Analysis | Andrew Case (@attrc) |
2010 | December | Blog | Identifying Memory Images | Jamie Levy (@gleeda) |
2010 | December | Blog | Command Line Kung Fu: Episode #127: Making a Difference | Hal Pomeranz (@hal_pomeranz) |
2010 | December | Blog | REMnux: A Linux Distribution for Reverse-Engineering Malware | Lenny Zeltser (@lennyzeltser) |
2010 | December | Blog | Peeling Apart TDL4 and Other Seeds of Evil Part I | Curt Wilson |
2010 | November | Blog | Volatility Memory Forensics | lg |
2010 | September | Blog | Recent Advances in Memory Forensics | Andreas Schuster (@forensikblog) |
2010 | August | Blog | Updated Volatility SQLite plugins | Jamie Levy (@gleeda) |
2010 | July | Blog | Finding Object Roots in Vista (KPCR) | Bradley Schatz |
2010 | July | Blog | GDI Utilities: Taking Screenshots of Memory Dumps | Brendan Dolan-Gavitt (@moyix) |
2010 | July | Blog | Plugin Post: Robust Process Scanner | Brendan Dolan-Gavitt (@moyix) |
2010 | May | Blog | Memory forensics with SIFT 2.0, Volatility, and PTK | Russ McRee (@holisticinfosec) |
2010 | May | Blog | Adding new structure definitions to Volatility | Bradley Schatz |
2010 | April | Blog | Challenge 3 of the Forensic Challenge 2010 - Banking Troubles | @pstutz |
2010 | April | Blog | Reading RAM using Firewire | muelli |
2010 | March | Paper(s) | Challenge 3 of the Forensic Challenge 2010 - Banking Troubles | Pascucci, Hudak, and Pulley |
2010 | February | Blog | EnCase EnScripts for Memory Forensics | Takahiro Haruyama (@cci_forensics) |
2010 | January | Blog | Análisis de un caso ¿real?, #3 | neofito (@neosysforensics) |
2010 | January | Blog | Volatility's Output Rendering Functions | Jamie Levy (@gleeda) |
2010 | January | Blog | Cross-view analysis with Volatility | Andreas Schuster (@forensikblog) |
2010 | January | Blog | Using Volatility for Rootkit Detection | Xeno Kovah |
2009 | December | Blog | New and Updated Volatility Plug-ins Part II | Michael Ligh (@iMHLv2) |
2009 | November | Paper | Robust Signatures for Kernel Data Structures | Brendan Dolan-Gavitt (@moyix) |
2009 | October | Blog | Walk-Through: Volatility Batch File Maker and Volatility's ProcDump | Forensiczone |
2009 | October | Blog | Volatility Batch File Maker | Forensiczone |
2009 | October | Blog | Volatility 1.3.2 is out! | neofito (@neosysforensics) |
2009 | August | Blog | Installing Volatility Plugins | Jamie Levy (@gleeda) |
2009 | July | Blog | Modificando Volatility | neofito (@neosysforensics) |
2009 | July | Blog | New and Updated Volatility Plug-ins | Michael Ligh (@iMHLv2) |
2009 | June | Slides | Windows Memory Forensics with Volatility | Andreas Schuster (@forensikblog) |
2009 | May | Blog | Análisis de un caso ¿real?, #2 | neofito (@neosysforensics) |
2009 | May | Blog | Volatility Plug-in for IAT/EAT/Inline Hook Detection | Michael Ligh (@iMHLv2) |
2009 | April | Blog | Reading Passwords from the Keyboard buffer | Andreas Schuster (@forensikblog) |
2009 | April | Blog | Searching for Mutants | Andreas Schuster (@forensikblog) |
2009 | April | Blog | Symbolic Link Objects | Andreas Schuster (@forensikblog) |
2009 | April | Blog | Scanning for Drivers | Andreas Schuster (@forensikblog) |
2009 | April | Blog | Linking File Objects to Processes | Andreas Schuster (@forensikblog) |
2009 | April | Blog | Enumerate Object Types | Andreas Schuster (@forensikblog) |
2009 | March | Blog | Tuneando Volatility | neofito (@neosysforensics) |
2009 | March | Blog | Análisis de un caso ¿real? | neofito (@neosysforensics) |
2009 | March | Blog | Volatility y RegRipper, ¡juntos! | neofito (@neosysforensics) |
2009 | March | Blog | Dumping Memory to Extract Password Hashes | CG |
2009 | March | Blog | Using Volatility for Introspection | Brendan Dolan-Gavitt (@moyix) |
2009 | March | Blog | RegRipper and Volatility Prototype | Brendan Dolan-Gavitt (@moyix) |
2009 | March | Video | Advanced Memory Analysis | Brendan Dolan-Gavitt (@moyix) |
2009 | January | Blog | Using Volatility (1.3_Beta) | Forensiczone |
2009 | January | Blog | Memory Registry Tools! | Brendan Dolan-Gavitt (@moyix) |
2008 | November | Blog | Recovering Coreflood Binaries with Volatility | Michael Ligh (@iMHLv2) |
2008 | November | Blog | Locating Hidden Clampi DLLs (VAD-style) | Michael Ligh (@iMHLv2) |
2008 | October | Blog | Plugin Post: Moddump | Brendan Dolan-Gavitt (@moyix) |
2008 | October | Slides | Upping the ‘Anti’: Using Memory Analysis to Fight Malware | AAron Walters |
2008 | September | Blog | Window Messages as a Forensic Resource | Brendan Dolan-Gavitt (@moyix) |
2008 | September | Paper | Forensic analysis of the Windows registry in memory | Brendan Dolan-Gavitt (@moyix) |
2008 | August | Blog | Auditing the System Call Table | Brendan Dolan-Gavitt (@moyix) |
2008 | August | Blog | Introducing Volshell | Brendan Dolan-Gavitt (@moyix) |
2008 | August | Blog | Linking Processes to Users | Brendan Dolan-Gavitt (@moyix) |
2008 | August | Paper | Digital Forensics Research Workshop 2008 - Submission for Forensic Challenge | M. I. Cohen, D. J. Collett, A. Walters |
2008 | August | Slides | Volatility 1.3 Open Memory Forensics Workshop | AAron Walters |
2008 | May | Blog | DFRWS 2008 - Registry Forensics in Memory | Brendan Dolan-Gavitt (@moyix) |
2008 | February | Paper | Using Hashing to Improve Volatile Memory Forensic Analysis | AAron Walters |
2007 | February | Blog | 64bit Crash Dumps | Andreas Schuster (@forensikblog) |
2007 | December | Blog | Searching for Page Directories 3 | Andreas Schuster (@forensikblog) |
2007 | October | Blog | Hashing of Program Files | Andreas Schuster (@forensikblog) |
2007 | September | Paper | The VAD Tree: A process-eye view of physical memory | Brendan Dolan-Gavitt (@moyix) |
2007 | August | Blog | From Volatools to Volatility | Andreas Schuster (@forensikblog) |
2007 | May | Blog | Copies of Page Directories | Andreas Schuster (@forensikblog) |
2007 | May | Blog | Searching for Page Directories 2 | Andreas Schuster (@forensikblog) |
2007 | May | Blog | Searching for Page Directories 1 | Andreas Schuster (@forensikblog) |
2007 | May | Blog | Walking the VAD Tree | Andreas Schuster (@forensikblog) |
2007 | March | Blog | Volatools | Andreas Schuster (@forensikblog) |
2007 | February | Paper | Volatools: Integrating Volatile Memory Forensics into the Digital Investigation Process | A. Walters and N. Petroni |
2007 | January | Blog | How trustworthy is hardware-based memory acquisition? | Andreas Schuster (@forensikblog) |
2006 | December | Blog | Crash without CtrlScroll | Andreas Schuster (@forensikblog) |
2006 | October | Blog | Searching in Pool Allocations | Andreas Schuster (@forensikblog) |
2006 | September | Blog | Memory dumping over FireWire - UMA issues | Arne Vidstrom |
2006 | July | Slides | FATKit: Detecting Malicious Library Injection and Upping the “Anti” | AAron Walters |
2006 | June | Blog | DFRWS 2006 Paper | Andreas Schuster (@forensikblog) |
2006 | June | Blog | Reconstructing a Binary 3 | Andreas Schuster (@forensikblog) |
2006 | April | Blog | Reconstructing a Binary 2 | Andreas Schuster (@forensikblog) |
2006 | April | Blog | Reconstructing a Binary 1 | Andreas Schuster (@forensikblog) |
2006 | April | Blog | Reconstructing the Process Memory | Andreas Schuster (@forensikblog) |
2006 | March | Blog | DMP File Structure | Andreas Schuster (@forensikblog) |
2006 | March | Blog | Converting Virtual into Physical Addresses | Andreas Schuster (@forensikblog) |
2006 | March | Blog | Search for Processes and Threads | Andreas Schuster (@forensikblog) |
2006 | February | Blog | Dating the execution of certain routines | Andreas Schuster (@forensikblog) |
2006 | February | Blog | _DISPATCHER_HEADER | Andreas Schuster (@forensikblog) |
2006 | February | Blog | More on Processes and Threads | Andreas Schuster (@forensikblog) |
2006 | February | Paper | FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory | Petroni, Walters, Fraser, Arbaugh |
2005 | December | Blog | Timestamps in Thread and Process Objects | Andreas Schuster (@forensikblog) |