2011-04-27

Volatility 1.4: new, great (and with a shiny new plugin)

The Volatility developers did a great job with their re-architecture of the already extremely useful Volatility memory forensics tool. And there's a new plugin to go with it ...
Major changes include:
  • Volatility now supports multiple flavours of Windows.
  • The code was rewritten to greatly speed up processing of memory dumps.
  • The developers included comprehensive documentation covering all aspects of the tool: installation / use / development / architecture.
  • Installation is much simpler.
What is not covered in the Volatility documentation is explained clearly in the last 4 chapters of Malware Analyst's Cookbook (Michael Hale Ligh et al., Wiley 2011). A must-read if you are serious about forensics in general and Volatility in particular.

Because of the major changes all plugins had to be rewritten. In the process, the Regripper plugin disappeared because the legacy Perl code was fundamentally incompatible with the new architecture.

Undaunted, the intrepid writer of this blog forged ahead to produce a port of Regripper to Python, written expressly for Volatility 1.4.

For the details about Volatility 1.4, check out the wiki and the code on the Volatility site: http://code.google.com/p/volatility/

For the new reglist.py plugin for Volatility 1.4, look here: http://code.google.com/p/lgvtotal/