Volatility 2.0 forensic tool supports more Windows versions
Version 2.0 of Volatility, the open source forensic tool, has been released. According to the developers, the 2.0 release "was an opportunity for us to completely refactor the code base and rewrite most of the underlying subsystems".
Volatility 2.0 offers a new configuration and caching subsystem and an updated scanning framework, and integrates a whole range of plugins to make life easier for users. Other changes include pluggable address spaces with automated election (the tool picks the address space that fits the image it is given), new address spaces such as EWF and FireWire, and updated usage and development documentation. Official support for Windows 7, Vista, and Server 2003 and 2008 has been added.
The forensic tool, written in Python, is used to analyse memory dumps from Windows systems. In contrast to traditional hard drive analysis, it lets forensic investigators determine which processes were running at the moment the dump was taken, which network connections were open, and so on, information that does not survive on disk once the machine is powered off.
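To illustrate the kind of scanning the article refers to, the following added example (written for this page, not code from the Volatility project) shows the principle behind a pool-tag process scan over a raw memory image: walk the dump looking for the Windows process pool tag ("Proc" with the high bit of the last byte set), decode the 8-byte 32-bit _POOL_HEADER that precedes it, and apply sanity checks before accepting a hit. The sample dump, the 0x280-byte minimum allocation size and the decision to skip freed blocks are assumptions chosen for the illustration; a production scanner tunes these per Windows version and may deliberately keep freed blocks to recover terminated processes.

```python
import struct

# Pool tag of _EPROCESS allocations: "Proc" with the protected-allocation bit
# set in the last byte ('c' = 0x63, 0x63 | 0x80 = 0xe3).
PROC_TAG = b"Pro\xe3"

# 32-bit _POOL_HEADER layout (8 bytes):
#   first  16 bits: PreviousSize (9 bits) | PoolIndex (7 bits)
#   second 16 bits: BlockSize    (9 bits) | PoolType  (7 bits)
#   bytes 4-7:      PoolTag
# BlockSize counts 8-byte units on x86.
POOL_HEADER_SIZE = 8
BLOCK_UNIT = 8

# Assumed lower bound for a plausible process allocation (illustrative value).
MIN_PROCESS_ALLOC = 0x280


def parse_pool_header(data, offset):
    """Decode the _POOL_HEADER that starts at `offset` in `data`."""
    lo, hi = struct.unpack_from("<HH", data, offset)
    return {
        "previous_size": (lo & 0x1FF) * BLOCK_UNIT,
        "pool_index": lo >> 9,
        "block_size": (hi & 0x1FF) * BLOCK_UNIT,
        "pool_type": hi >> 9,
        "tag": data[offset + 4:offset + 8],
    }


def scan_process_pool_headers(data, tag=PROC_TAG, min_size=MIN_PROCESS_ALLOC):
    """Return (header_offset, block_size) for every plausible process allocation.

    A hit is the position of the tag minus 4 (the tag is the second half of the
    header). Hits are rejected when the header would start before the buffer,
    when the block is marked free (PoolType 0, in this illustration) or when the
    block is too small to hold a process object.
    """
    hits = []
    pos = data.find(tag)
    while pos != -1:
        if pos >= 4:
            hdr_off = pos - 4
            hdr = parse_pool_header(data, hdr_off)
            if hdr["pool_type"] != 0 and hdr["block_size"] >= min_size:
                hits.append((hdr_off, hdr["block_size"]))
        pos = data.find(tag, pos + 1)
    return hits


def object_offset(header_offset):
    """Offset of the allocation body (object header onwards) behind a pool header."""
    return header_offset + POOL_HEADER_SIZE


def build_sample_dump():
    """Constructed 4 KiB 'memory image' with two real-looking process
    allocations and two decoys that a scanner must reject."""
    buf = bytearray(0x1000)

    def header(block_units, pool_type):
        return struct.pack("<HH", 0, block_units | (pool_type << 9)) + PROC_TAG

    buf[0x2:0x6] = PROC_TAG                        # decoy: no room for a header
    buf[0x100:0x108] = header(0x300 // BLOCK_UNIT, 2)  # valid, 0x300-byte block
    buf[0x800:0x808] = header(0, 2)                # decoy: BlockSize 0
    buf[0xA00:0xA08] = header(0x300 // BLOCK_UNIT, 2)  # valid, 0x300-byte block
    return bytes(buf)


if __name__ == "__main__":
    for off, size in scan_process_pool_headers(build_sample_dump()):
        print("pool header at 0x%x, %#x bytes, object at 0x%x"
              % (off, size, object_offset(off)))
```

Run against a real image the same loop would simply be fed the file contents; the work a tool like Volatility adds on top is the address-space layer that turns raw file offsets into physical and virtual addresses and the per-version structure definitions used to read the _EPROCESS fields (name, PID, creation time) behind each hit.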
More details about the release can be found in a post on the Volatility blog, and Volatility 2.0 is available for download. Hosted on Google Code and sponsored by Volatile Systems, Volatility is released under version 2 of the GNU General Public License (GPLv2). An upcoming episode of CSI:Internet will include examples of what users can do with Volatility.
- Metasploit attack framework reaches version 4, a report from The H.
- CSI:Internet - Living in SYN, a feature from The H.