[Vol-users] Volatility 2.3 Released! (Official Mac OS X and Android Support)

AAron Walters awalters at 4tphi.net
Fri Oct 25 11:18:41 CDT 2013


https://code.google.com/p/volatility/

The Volatility Foundation is thrilled to announce the official release 
of Volatility 2.3! While the main goal of this release was Mac OS X (x86, 
x64) and Android ARM support, we also included a number of other exciting 
new capabilities! Highlights of this release include:

Mac OS X:
     * New MachO address space for 32-bit and 64-bit Mac memory samples
     * Over 30 plugins for Mac memory forensics

Linux/Android:
     * New ARM address space to support memory dumps from Linux and Android devices on ARM hardware
     * Plugins to scan Linux process and kernel memory with yara signatures, dump LKMs to disk, and check TTY devices for rootkit hooks
     * Plugins to check the ARM system call and exception vector tables for hooks

Windows:
     * New plugins:
         - Parse IE history/index.dat URLs
         - Recover shellbags data
         - Dump cached files (exe/pdf/doc/etc)
         - Extract the MBR and MFT records
         - Explore recently unloaded kernel modules
         - Dump SSL private and public keys/certs
         - Display details on process privileges
         - Detect poison ivy infections
         - Find and decrypt configurations in memory for poison ivy, zeus v1, zeus v2 and citadelscan 1.3.4.5
     * Plugin Enhancements:
         - Apihooks detects duqu style instruction modifications
         - Crashinfo displays uptime, systemtime, and dump type
         - Psxview plugin adds two new sources of process listings from the GUI APIs
         - Screenshots plugin shows text for window titles
         - Svcscan automatically queries the cached registry for service dlls
         - Dlllist shows load count to distinguish between static and dynamic loaded dlls

New Address Spaces:
     * VirtualBox ELF64 core dumps
     * VMware saved state (vmss)
     * VMware snapshot (vmsn) files
     * FDPro's non-standard HPAK format
     * New plugins: vboxinfo, vmwareinfo, hpakinfo, hpakextract

We also wanted to take this opportunity to recognize those on the 
development team whose continued dedication to open source forensics and 
the Volatility community has made this release possible: Mike Auty, Andrew 
Case, Michael Hale Ligh, Jamie Levy, and AAron Walters. These people 
volunteer their time and skills to bring you the most advanced and 
innovative memory forensics framework in the world! If you appreciate the 
hard work they put into Volatility, I encourage you to help defend the rights 
of open source developers and support developer-endorsed events! Finally, 
shoutz to the Volatility Community for their continued support and 
feedback! In particular, the following members of the Volatility community 
made significant contributions to this release:

     - Cem Gurkok for his work on the privileges plugin for Windows
     - Nir Izraeli for his work on the VMware snapshot address space (see also the vmsnparser project)
     - @osxmem of the volafox project (Mac OS X & BSD Memory Analysis Toolkit)
     - @osxreverser of reverse.put.as for his help with OSX memory analysis
     - Carl Pulley for numerous bug reports, example patches, and plugin testing
     - Andreas Schuster for his work on poison ivy plugins for Windows
     - Joe Sylve for his work on the ARM address space and significant contributions to linux and mac capabilities
     - Philippe Teuwen for his work on the virtual box address space
     - Santiago Vicente for his work on the citadel plugins for Windows

If you want to learn more about Volatility 2.3 or just hang out with the 
Volatility development team, I encourage you to register for the Open 
Memory Forensics Workshop 2013. Please register quickly; we will be 
ending registration by COB Friday, October 25 (today). There have been a 
couple of last-minute cancellations, so you may still have a chance to 
reserve a seat!
