Volatility: The volatile memory forensic extraction framework

Original link: https://github.com/volatilityfoundation/volatility3

## Volatility framework summary

Volatility is a widely used open-source framework for analyzing volatile memory (RAM) in order to extract digital artifacts during incident response and forensic investigations. It runs independently of the target system and gives insight into that system's runtime state.

A major rewrite, **Volatility 3**, addressed the performance problems of the original code base and adopted a more community-oriented license (the VSL). It requires Python 3.8+ and can be installed with pip; users can also clone the GitHub repository to get the latest development version.

Analyzing a memory sample requires the appropriate **symbol tables** for the sample's operating system (Windows, macOS, Linux), which can be downloaded from the Volatility Foundation. Missing Windows symbols can be downloaded automatically, whereas macOS and Linux tables must be produced manually. The first use of new symbol files triggers a cache update, which can take some time.

Detailed documentation is available online; bug reports go to the project's GitHub issue tracker and community support is offered on Slack. Volatility aims to be a platform for research and further development in volatile memory analysis.

## Volatility Framework mentioned on Hacker News

The Volatility Framework, a tool for analyzing volatile memory (RAM) dumps, was recently shared on Hacker News. Although it is not a new project, users pointed out its usefulness beyond security investigations.

One commenter highlighted Volatility's value for troubleshooting system crashes (such as Windows BSODs): it can extract process information and even screenshots to reconstruct what the user was doing before the failure, which is especially helpful when the user's own description is limited.

Another user questioned the timing of the post, noting the lack of context beyond the GitHub link. Even so, the discussion underscored Volatility's continued relevance as a powerful diagnostic and forensic tool.

## Original text

Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

In 2019, the Volatility Foundation released a complete rewrite of the framework, Volatility 3. The project was intended to address many of the technical and performance challenges associated with the original code base that became apparent over the previous 10 years. Another benefit of the rewrite is that Volatility 3 could be released under a custom license that was more aligned with the goals of the Volatility community, the Volatility Software License (VSL). See the LICENSE file for more details.

  1. Install the required dependencies (run from within a clone of the repository):

    pip install --user -e ".[full]"
  2. See available options:

    vol -h
  3. To get more information on a Windows memory sample and to make sure Volatility supports that sample type, run `vol -f <imagepath> windows.info`:

    vol -f /home/user/samples/stuxnet.vmem windows.info
  4. Run some other plugins. The `-f` or `--single-location` option is not strictly required, but most plugins expect a single sample. Some also require/accept other options. Run `vol <plugin> -h` for more information on a particular command.

Volatility 3 requires Python 3.8.0 or later and is published on the PyPI registry.

If you want to use the latest development version of Volatility 3 we recommend you manually clone this repository and install an editable version of the project. We recommend you use a virtual environment to keep installed dependencies separate from system packages.

The latest stable version of Volatility will always be the stable branch of the GitHub repository. The default branch is develop.

    git clone https://github.com/volatilityfoundation/volatility3.git
    cd volatility3/
    python3 -m venv venv && . venv/bin/activate
    pip install -e ".[dev]"
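
Putting the quick-start steps and the source install together, the following script is an added example and not part of the project's README: it bootstraps a Volatility 3 checkout inside a venv and triages one Windows image. It assumes `git`, a `python3` of 3.8 or later, `pip` and network access for the clone and install step; the `windows.*` plugin names and the `-r json` renderer are Volatility 3's own, while `VOL_DIR`, the helper names and the choice of plugins are this script's. `windows.info` is run first because if Volatility cannot identify the image and locate symbols for it, no other Windows plugin will work either.

```shell
#!/bin/sh
# Added example, not part of the Volatility 3 README.
# Assumes: git, python3 >= 3.8, pip, and network access for the clone and
# install step. VOL_REPO is the repository URL from the README; VOL_DIR,
# the helper names and the plugin list are this script's own choices.
set -eu

VOL_REPO="https://github.com/volatilityfoundation/volatility3.git"
VOL_DIR="${VOL_DIR:-${HOME:-.}/volatility3}"

# Volatility 3 requires Python 3.8 or later; check before installing anything.
python_ok() {
    "${1:-python3}" -c 'import sys; sys.exit(0 if sys.version_info >= (3, 8) else 1)'
}

# Clone the stable branch (the default branch is develop) and install an
# editable copy into a venv so its dependencies stay off the system Python.
install_vol() {
    if [ ! -d "$VOL_DIR/.git" ]; then
        git clone --branch stable "$VOL_REPO" "$VOL_DIR"
    fi
    python3 -m venv "$VOL_DIR/venv"
    . "$VOL_DIR/venv/bin/activate"
    (cd "$VOL_DIR" && pip install -e ".[full]")
}

# Hash the image before analysis and keep the digest with the case output,
# so the report can show the evidence file was not altered. Prints the digest.
record_hash() {
    image="$1"
    out="$2"
    sha256sum "$image" > "$out"
    cut -d' ' -f1 "$out"
}

# windows.info first: if Volatility cannot identify the kernel and find
# symbols for it, every other Windows plugin will fail too, so stop there.
# The remaining plugins are a common first-pass set; -r json keeps the
# output machine-readable for later diffing or ingestion.
triage() {
    image="$1"
    case_dir="$2"
    mkdir -p "$case_dir"
    record_hash "$image" "$case_dir/image.sha256" > /dev/null
    vol -f "$image" windows.info > "$case_dir/windows.info.txt"
    for plugin in windows.pslist windows.pstree windows.cmdline windows.netscan windows.malfind; do
        vol -f "$image" -r json "$plugin" > "$case_dir/$plugin.json"
    done
}

# Usage: ./triage.sh /path/to/image.vmem [case_dir]
if [ "$#" -ge 1 ]; then
    python_ok python3
    install_vol
    triage "$1" "${2:-./case-$(date +%Y%m%d-%H%M%S)}"
fi
```

The image hash is written before any plugin touches the file, and the per-plugin outputs are kept separately so a failing plugin does not obscure the results of the others.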

Symbol table packs for the various operating systems are available for download at:

https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip

https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip

https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip

The hashes to verify whether any of the symbol pack files have downloaded successfully or have changed can be found at:

https://downloads.volatilityfoundation.org/volatility3/symbols/SHA256SUMS

https://downloads.volatilityfoundation.org/volatility3/symbols/SHA1SUMS

https://downloads.volatilityfoundation.org/volatility3/symbols/MD5SUMS

Symbol table zip files must be placed, as named, into the volatility3/symbols directory (or just the symbols directory next to the executable file).

Windows symbols that cannot be found will be queried, downloaded, generated and cached. Mac and Linux symbol tables must be manually produced by a tool such as dwarf2json.

Important: The first run of Volatility with new symbol files will require the cache to be updated. The symbol packs contain a large number of symbol files and so may take some time to update! However, this process only needs to be run once for each new symbol file, so as long as the pack stays in the same location it will not need to be done again. Please also note it can be interrupted, and the next run will restart it.

Please note: These are representative and are complete up to the point of creation for Windows and Mac. Due to the ease of compiling Linux kernels and the inability to uniquely distinguish them, an exhaustive set of Linux symbol tables cannot easily be supplied.
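
As an added example (not part of the README or the project), the following script fetches a symbol pack together with the SHA256SUMS file listed above, refuses to install a pack whose digest is missing from the list or does not match, and copies it as named into the symbols directory. It uses only the SHA-256 list: the MD5SUMS and SHA1SUMS files are published too, but those digests add nothing over SHA-256. The sums are served from the same host as the packs, so this check catches truncated downloads and packs that changed since you last fetched them, which is what the README offers them for; it is not a separate trust anchor. Pre-staging packs this way also matters on analysis hosts without internet access, where the automatic Windows symbol download cannot work (recent Volatility 3 releases also accept `--offline` to skip that lookup). `curl`, `SYMBOLS_DIR` and the function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Volatility 3 README.
# BASE_URL is the download location listed in the README; curl,
# SYMBOLS_DIR and the function names are this script's own assumptions.
set -eu

BASE_URL="https://downloads.volatilityfoundation.org/volatility3/symbols"
SYMBOLS_DIR="${SYMBOLS_DIR:-./volatility3/symbols}"

# Download one pack (windows.zip, mac.zip or linux.zip) and the SHA256SUMS
# list into the current directory. -f makes curl fail on HTTP errors instead
# of saving an error page under the pack's name.
fetch_pack() {
    curl -fsSLO "$BASE_URL/$1"
    curl -fsSLO "$BASE_URL/SHA256SUMS"
}

# Verify a pack against a SHA256SUMS file. Succeeds only if the pack is
# listed and its digest matches; a missing entry is a failure, not a pass.
# Entries may be written "hash  name", "hash *name" or with a path prefix,
# so the name is normalised before comparison.
verify_pack() {
    pack="$1"
    sums="$2"
    name=$(basename "$pack")
    expected=$(awk -v f="$name" '
        { n = $2; sub(/^\*/, "", n); sub(/.*\//, "", n) }
        n == f { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no SHA256SUMS entry for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$pack" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $name: expected $expected got $actual" >&2
        return 1
    fi
}

# Verify, then copy the pack as named into the symbols directory (the README
# wants the zip itself, under its original name). The first vol run after
# this rebuilds the symbol cache once, which can take a while.
install_pack() {
    verify_pack "$1" "$2"
    mkdir -p "$SYMBOLS_DIR"
    cp "$1" "$SYMBOLS_DIR/$(basename "$1")"
}

# Usage: ./symbols.sh windows.zip [mac.zip linux.zip ...]
if [ "$#" -ge 1 ]; then
    for pack in "$@"; do
        fetch_pack "$pack"
        install_pack "$pack" SHA256SUMS
    done
fi
```

Linux and Mac packs downloaded this way only cover the kernels present at pack creation; tables for other kernels still have to be generated with dwarf2json and dropped into the same symbols directory.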

The framework is documented through doc strings and can be built using sphinx.

The latest generated copy of the documentation can be found at: https://volatility3.readthedocs.io/en/latest/

Copyright (C) 2007-2026 Volatility Foundation

All Rights Reserved

https://www.volatilityfoundation.org/license/vsl-v1.0

If you think you've found a bug, please report it at:

https://github.com/volatilityfoundation/volatility3/issues

In order to help us solve your issues as quickly as possible, please include the following information when filing a bug:

  • The version of Volatility you're using
  • The operating system used to run Volatility
  • The version of Python used to run Volatility
  • The suspected operating system of the memory sample
  • The complete command line you used to run Volatility

For community support, please join us on Slack:

https://www.volatilityfoundation.org/slack

For information or requests, contact:

Volatility Foundation

Web: https://www.volatilityfoundation.org

Blog: https://volatility-labs.blogspot.com

Email: volatility (at) volatilityfoundation (dot) org

Twitter: @volatility
