What’s new in Volatility 3?

In recent years, the way operating systems are developed, deployed, and maintained has evolved quickly.
Similarly, the skill sets of memory analysts and their preferred workflows have changed to meet a world with increasingly large volumes of complex data.
To address these challenges, the Volatility development team has developed an entirely new version of the framework.

Let’s take a look at the new features of Volatility 3.

Richard Davis, on his YouTube channel 13Cubed [4], has published an interesting video about Volatility 3 and its new features:

In this episode, we’ll take a look at the first public beta of Volatility 3. We’ll start by covering all of the significant changes and improvements this major new version will bring. Then, we’ll spin up a virtual machine and take it for a test drive.

Starting from this video and adding my own opinion, I’ve collected a list of highlights:

  • The entire framework (backend and plugins) was completely rewritten and redesigned in Python 3.
  • Much simpler integration into other libraries and user interfaces
  • Natively supports multi-processing and memory caches
  • Automatic detection of profiles for all supported OSs (about time!)
  • 32-bit apps on 64-bit kernels natively supported
  • Automated evaluation of in-memory code
  • Plugins are versioned and can directly call other plugins
  • Automated operating system and application support, and automatic analysis of multiple samples at once
  • No longer released under the GPL: the new license is the “Volatility Software License 1.0” [3].

How to try Volatility 3?

A few simple steps!

First, clone the latest version of Volatility 3 from GitHub [1]:

git clone https://github.com/volatilityfoundation/volatility3.git

Then download the symbol table packs for the operating systems you need to analyze (the download links are listed in the Volatility 3 documentation [5]).

The symbol table zip files must be placed, as named, into the volatility/symbols directory of the clone. (The package directory was renamed in later releases, so check the documentation [5] for the version you are using.)

Finally, run python3 vol.py.

For example, to get information on a Windows memory sample, run python3 vol.py -f <imagepath> windows.info:

Yeah, it’s insanely fast!

In this example, I’ve used a Stuxnet memory sample [2].
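The setup steps above, turned into one repeatable shell wrapper. This is an added example, not code from the Volatility project or from the original post. It assumes the beta directory layout described above (volatility/symbols under the clone) and that the symbol packs are published as <os>.zip files under the download location given in the Volatility 3 documentation; that base URL is an assumption taken from the documentation, kept in a variable so you can correct it after checking [5]. The preflight check before a plugin runs is an addition of this example, not a step from the page: it refuses to run if the symbol pack for the plugin’s OS family (the first component of the plugin name, e.g. windows for windows.info) is missing from the symbols directory, which is the usual reason a fresh install fails.

```shell
#!/bin/sh
# Added example wrapper around the Volatility 3 beta setup steps.
# Not part of the Volatility project. Layout (volatility/symbols) is the beta
# layout described on the page; SYMBOL_BASE_URL is ASSUMED from the Volatility 3
# documentation and should be verified against it.
set -e

VOL3_DIR="${VOL3_DIR:-$PWD/volatility3}"
SYMBOL_BASE_URL="${SYMBOL_BASE_URL:-https://downloads.volatilityfoundation.org/volatility3/symbols}"
SYMBOL_DIR="$VOL3_DIR/volatility/symbols"

# Step 1: clone the framework. Idempotent: a second run just updates the checkout.
vol3_clone() {
    if [ -d "$VOL3_DIR/.git" ]; then
        git -C "$VOL3_DIR" pull --ff-only
    else
        git clone https://github.com/volatilityfoundation/volatility3.git "$VOL3_DIR"
    fi
}

# Step 2: download the symbol packs for the given OS families (windows, mac,
# linux) into the symbols directory, keeping the <os>.zip names the framework expects.
vol3_fetch_symbols() {
    mkdir -p "$SYMBOL_DIR"
    for os in "$@"; do
        curl -fsSL -o "$SYMBOL_DIR/$os.zip" "$SYMBOL_BASE_URL/$os.zip"
    done
}

# Preflight: return 0 if every requested symbol pack exists as a non-empty zip
# in the given directory; report the missing ones on stderr. Pure file check,
# no network, so it runs offline.
vol3_check_symbols() {
    local dir="$1"; shift
    local missing=0
    for os in "$@"; do
        if [ ! -s "$dir/$os.zip" ]; then
            echo "missing symbol pack: $dir/$os.zip" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Build the command line shown on the page (python3 vol.py -f <image> <plugin>),
# followed by any extra plugin arguments. Prints it instead of running it.
vol3_cmd() {
    local image="$1" plugin="$2"; shift 2
    printf '%s' "python3 $VOL3_DIR/vol.py -f $image $plugin"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# Step 3: run a plugin after the preflight checks. The OS family is taken from
# the first component of the plugin name (windows.info -> windows); this mapping
# is an assumption of this wrapper, not a rule stated by the project.
vol3_run() {
    local image="$1" plugin="$2"; shift 2
    [ -r "$image" ] || { echo "image not readable: $image" >&2; return 1; }
    vol3_check_symbols "$SYMBOL_DIR" "${plugin%%.*}" || return 1
    python3 "$VOL3_DIR/vol.py" -f "$image" "$plugin" "$@"
}

# Usage (the first two steps need network access):
#   vol3_clone && vol3_fetch_symbols windows
#   vol3_run /path/to/stuxnet.vmem windows.info
```

Source the file (`. ./vol3.sh`) and call the functions, or append the three usage lines at the bottom to run it as a script. The check deliberately tests for a non-empty file rather than just existence, because an interrupted download leaves an empty zip that the framework cannot read.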

References

  1. https://github.com/volatilityfoundation/volatility3
  2. Stuxnet Memory Sample
  3. Volatility Software License
  4. 13Cubed – YouTube
  5. Volatility 3 1.0.0-beta.1 documentation
