Volatility (software)
Volatility is an open-source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X, and Linux.
Volatility was created by Aaron Walters, drawing on academic research he did in memory forensics.
Operating system support
Volatility supports investigations of the following memory images:
Windows:
- 32-bit Windows XP
- 32-bit Windows 2003 Server
- 32-bit Windows Vista
- 32-bit Windows 2008 Server
- 32-bit Windows 7
- 32-bit Windows 8, 8.1, and 8.1 Update 1
- 32-bit Windows 10
- 64-bit Windows XP
- 64-bit Windows 2003 Server
- 64-bit Windows Vista
- 64-bit Windows 2008 Server
- 64-bit Windows 2008 R2 Server
- 64-bit Windows 7
- 64-bit Windows 8, 8.1, and 8.1 Update 1
- 64-bit Windows Server 2012 and 2012 R2
- 64-bit Windows 10
- 64-bit Windows Server 2016
Mac OS X:
- 32-bit 10.5.x Leopard
- 32-bit 10.6.x Snow Leopard
- 32-bit 10.7.x Lion
- 64-bit 10.6.x Snow Leopard
- 64-bit 10.7.x Lion
- 64-bit 10.8.x Mountain Lion
- 64-bit 10.9.x Mavericks
- 64-bit 10.10.x Yosemite
- 64-bit 10.11.x El Capitan
- 64-bit 10.12.x Sierra
- 64-bit 10.13.x High Sierra
- 64-bit 10.14.x Mojave
- 64-bit 10.15.x Catalina
Linux:
- 32-bit Linux kernels 2.6.11 to 5.5
- 64-bit Linux kernels 2.6.11 to 5.5
- OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc.
Memory format support
- Raw/Padded Physical Memory
- Firewire
- Expert Witness
- 32- and 64-bit Windows Crash Dump
- 32- and 64-bit Windows Hibernation
- 32- and 64-bit Mach-O files
- VirtualBox Core Dumps
- VMware Saved State and Snapshot
- HPAK Format
- QEMU memory dumps
- LiME format