| Volatility (software) | |
|---|---|
| Name | Volatility |
| Author | Aaron Walters; Michael Hale Ligh |
| Developer | Volatility Foundation |
| Released | 2007 |
| Programming language | Python |
| Operating system | Linux, Microsoft Windows, macOS |
| Genre | Digital forensics, Computer security, Incident response |
| License | GNU General Public License |
Volatility (software)

Volatility is an open-source memory forensics framework used in digital forensics, computer security, incident response, and malware analysis. Created to parse volatile memory images, it supports investigators, researchers, and responders from organizations such as CERT Coordination Center, SANS Institute, ENISA, National Institute of Standards and Technology, and Europol. The project collaborates with contributors across academia and industry including Carnegie Mellon University, MITRE Corporation, FireEye, and Google.
Volatility originated from research by practitioners tied to Carnegie Mellon University and was popularized through training at SANS Institute and publications in venues like Black Hat USA and Defcon. It addresses challenges highlighted by incidents investigated by FBI, NATO Cooperative Cyber Defence Centre of Excellence, U.S. Department of Defense, and CERT-EU. Analysts use it alongside tools from Wireshark, Sleuth Kit, Autopsy (computer forensics), YARA, and ClamAV to correlate volatile memory artifacts with disk artifacts described in standards such as those from National Institute of Standards and Technology and frameworks like MITRE ATT&CK. The community includes contributors from Splunk, Kaspersky Lab, CrowdStrike, Microsoft, and Trend Micro.
The framework is implemented primarily in Python and structured around a modular plugin architecture similar to extensible systems used by Metasploit Framework and Volatility Foundation projects. Core components include a memory layer abstraction, address translation subsystems, object model parsers for operating systems such as Microsoft Windows, Linux, and macOS, and a plugin engine. Integration points mirror those in SIFT Workstation, RECONNOITER, and OSSEC by exposing APIs for parsing page tables, kernel structures, and process lists. The project leverages community-maintained symbol tables and profiles, echoing practices from Linux Foundation collaborations and Open Web Application Security Project initiatives.
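The address translation layer described above, as an added example that is not Volatility's own code: a 4-level x86-64 page-table walk (PML4, PDPT, PD, PT) over a constructed physical image, including the 2 MiB large-page and not-present cases a memory-forensics tool has to handle. The function names, table offsets and CR3 value are assumptions made for illustration.

```python
import struct

PAGE_SIZE = 0x1000
PRESENT = 1 << 0
LARGE_PAGE = 1 << 7               # PS bit: 1 GiB page at PDPT level, 2 MiB page at PD level
FRAME_MASK = 0x000FFFFFFFFFF000   # bits 12..51 of an entry hold the next table or page frame

def read_qword(image: bytes, offset: int) -> int:
    """Bounds-checked little-endian read from the physical image (a raw dump is just bytes)."""
    if offset < 0 or offset + 8 > len(image):
        raise ValueError(f"read outside the image at {offset:#x}")
    return struct.unpack_from("<Q", image, offset)[0]

def translate(image: bytes, cr3: int, vaddr: int) -> int:
    """Walk the 4-level x86-64 tables (PML4 -> PDPT -> PD -> PT) and return the physical address."""
    table = cr3 & FRAME_MASK
    for level, shift in enumerate((39, 30, 21)):
        entry = read_qword(image, table + ((vaddr >> shift) & 0x1FF) * 8)
        if not entry & PRESENT:
            raise ValueError(f"{vaddr:#x} not present at level {level}")
        if level > 0 and entry & LARGE_PAGE:   # 1 GiB or 2 MiB page: the walk ends here
            page_mask = (1 << shift) - 1
            return (entry & FRAME_MASK & ~page_mask) | (vaddr & page_mask)
        table = entry & FRAME_MASK
    pte = read_qword(image, table + ((vaddr >> 12) & 0x1FF) * 8)
    if not pte & PRESENT:
        raise ValueError(f"{vaddr:#x} not present at PT level")
    return (pte & FRAME_MASK) | (vaddr & (PAGE_SIZE - 1))

def is_mapped(image: bytes, cr3: int, vaddr: int) -> bool:
    """True when the walk ends at a present page; paged-out memory is the case plugins must tolerate."""
    try:
        translate(image, cr3, vaddr)
        return True
    except ValueError:
        return False

def build_sample_image() -> tuple:
    """Constructed 6-page image (not a real dump): PML4 @0x1000, PDPT @0x2000, PD @0x3000, PT @0x4000."""
    mem = bytearray(6 * PAGE_SIZE)
    def put(table, idx, value):
        struct.pack_into("<Q", mem, table + idx * 8, value)
    put(0x1000, 0, 0x2000 | 3)                 # PML4[0] -> PDPT (present, writable)
    put(0x2000, 0, 0x3000 | 3)                 # PDPT[0] -> PD
    put(0x3000, 2, 0x4000 | 3)                 # PD[2]   -> PT for VA 0x400000-0x5FFFFF
    put(0x3000, 3, 0x200000 | LARGE_PAGE | 3)  # PD[3]   -> 2 MiB page at PA 0x200000 (VA 0x600000)
    put(0x4000, 1, 0x5000 | 3)                 # PT[1]   -> 4 KiB page at PA 0x5000 (VA 0x401000)
    return bytes(mem), 0x1000                  # (image, CR3 value)
```

With the sample image, `translate(image, cr3, 0x401234)` yields `0x5234` through the 4 KiB path and `translate(image, cr3, 0x61F010)` yields `0x21F010` through the 2 MiB entry, while `0x402000` has no present PTE and `is_mapped` reports it as unmapped.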
Volatility supports memory captured from Microsoft Windows (NT family), Linux distributions including Ubuntu, Red Hat Enterprise Linux, and Fedora, and macOS releases. It parses physical and virtual memory images from hypervisors and cloud environments such as VMware ESXi, Oracle VM VirtualBox, Microsoft Hyper-V, KVM, Amazon Web Services, Google Cloud Platform, and Microsoft Azure. File formats include raw memory dumps, crash dumps used by Windows Error Reporting, AFF (Advanced Forensic Format), ELF core dumps, and formats produced by acquisition tools like FTK Imager, LiME (Linux Memory Extractor), WinPmem, and DumpIt. The project interoperates with standards and tools from Digital Forensics XML, Open Container Initiative, and formats referenced by NIST Computer Forensics Tool Testing.
Volatility provides plugins to enumerate processes, threads, network sockets, loaded modules, registry hives, handles, and kernel objects; these are comparable to outputs from Process Explorer, TCPView, RegRipper, and Autoruns. Plugins perform timeline construction analogous to Plaso, extract indicators of compromise used in STIX and MAEC, and assist malware analysis workflows by dumping executable memory regions for analysis in Ghidra, IDA Pro, and Binary Ninja. Community plugins implement detection techniques discussed in publications at USENIX, IEEE Symposium on Security and Privacy, and ACM CCS. The plugin ecosystem includes contributions named for investigators and labs associated with SANS Institute summits, Black Hat Europe, and DFIR Summit sessions.
Investigators use Volatility for live incident response by acquiring memory with tools such as FTK Imager, WinPmem, and LiME, then analyzing the images to find running malware instances, rootkits, and in-memory artifacts cited in MITRE ATT&CK techniques. Response workflows integrate with case management systems used by INTERPOL, Europol, U.S. Secret Service, and corporate teams at IBM Security and Cisco Talos to produce timelines and indicators for threat hunting platforms like Splunk, Elastic, and AlienVault. Academic researchers combine Volatility outputs with datasets from CVE (Common Vulnerabilities and Exposures), NVD, and VirusTotal for reproducible studies published in IEEE Transactions on Information Forensics and Security and conference proceedings from Black Hat USA and Defcon.
The project is governed by the Volatility Foundation and hosted in open source repositories with contributors from organizations such as FireEye, Google, Microsoft, Kaspersky Lab, Mandiant, and independent researchers. Development follows collaborative workflows similar to Linux kernel and Apache Software Foundation projects, using issue trackers, code review, and continuous integration. Volatility is released under the GNU General Public License, which governs derivative works and redistribution similarly to licenses used by GIMP and GNU Project software. Academic and commercial contributions cite coordinated disclosure practices used by CERT Coordination Center and MITRE Corporation.