n4rr34n6 / volatility3 Goto Github PK

============================================================================
Volatility 3: The volatile memory extraction framework
============================================================================

Volatility is the world’s most widely used framework for extracting digital
artifacts from volatile memory (RAM) samples. The extraction techniques are
performed completely independent of the system being investigated but offer
visibility into the runtime state of the system. The framework is intended
to introduce people to the techniques and complexities associated with
extracting digital artifacts from volatile memory samples and provide a
platform for further work into this exciting area of research.

In 2019, the Volatility Foundation released a complete rewrite of the
framework, Volatility 3. The project was intended to address many of the
technical and performance challenges associated with the original
code base that became apparent over the previous 10 years. Another benefit
of the rewrite is that Volatility 3 could be released under a custom
license that was more aligned with the goals of the Volatility community,
the Volatility Software License (VSL). See the LICENSE file for more details.

Requirements
============

- Python 3.5.3 or later. http://www.python.org
- Pefile 2017.8.1 or later. https://pypi.org/project/pefile/

Optional Dependencies
=====================

- yara-python 3.8.0 or later. https://github.com/VirusTotal/yara-python
- capstone 3.0.0 or later. https://www.capstone-engine.org/download.html

Downloading Volatility
======================

The latest stable version of Volatility will always be the master
branch of the GitHub repository. You can get the latest version of
the code using the following command:

git clone https://github.com/volatilityfoundation/volatility3.git

Quick Start
===========

1. Clone the latest version of Volatility from GitHub:

    git clone https://github.com/volatilityfoundation/volatility3.git

2. To see available options, run "python vol.py -h"

3. To get more information on a Windows memory sample and to make sure
Volatility supports that sample type, run
'python -f <imagepath> windows.info’

   Example:

    $ python vol.py —f /home/user/samples/stuxnet.vmem windows.info

4. Run some other plugins. The -f or —-single-location is not strictly
required, but most plugins expect a single sample. Some also
require/accept other options.  Run "python vol.py <plugin> -h"
for more information on a particular command.

Documentation
=============

The framework is documented through doc strings and can be built using sphinx.

The latest generated copy of the documentation can be found at:
https://volatility3.readthedocs.io/en/latest/

Licensing and Copyright
=======================

Copyright (C) 2007-2019 Volatility Foundation

All Rights Reserved

https://www.volatilityfoundation.org/license/vsl-v1.0

Bugs and Support
================

If you think you've found a bug, please report it at:

    https://github.com/volatilityfoundation/volatility3/issues

In order to help us solve your issues as quickly as possible,
please include the following information when filing a bug:

* The version of Volatility you're using
* The operating system used to run Volatility
* The version of Python used to run Volatility
* The suspected operating system of the memory sample
* The complete command line you used to run Volatility

For community support, please join us on slack:

https://www.volatilityfoundation.org/slack

Contact
=======

For information or requests, contact:

Volatility Foundation

Web: http://www.volatilityfoundation.org
     http://volatility-labs.blogspot.com

Email: volatility (at) volatilityfoundation (dot) org

Twitter: @volatility