Volatility 3: The volatile memory extraction framework
Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
In 2019, the Volatility Foundation released a complete rewrite of the framework, Volatility 3. The project was intended to address many of the technical and performance challenges associated with the original code base that became apparent over the previous 10 years. Another benefit of the rewrite is that Volatility 3 could be released under a custom license that was more aligned with the goals of the Volatility community, the Volatility Software License (VSL). See the LICENSE file for more details.
Quick Start
Install the required dependencies: pip install --user -e " .[full] " See available options: vol -h To get more information on a Windows memory sample and to make sure Volatility supports that sample type, run vol -f
Installing
Volatility 3 requires Python 3.8.0 or later and is published on the PyPi registry.
pip install volatility3
If you want to use the latest development version of Volatility 3 we recommend you manually clone this repository and install an editable version of the project. We recommend you use a virtual environment to keep installed dependencies separate from system packages.
The latest stable version of Volatility will always be the stable branch of the GitHub repository. The default branch is develop .
... continue reading