Volatility 2.1 (Malware and 64-bits)
This is the first release to support all major 64-bit versions of Windows. It also includes the ability to convert raw memory images to crash dumps, extract command history and console input/output buffers, and an API for accessing cached registry keys and values from memory. Ten new plugins were added with a specific focus on malware analysis.
Released: August 2012
Release Highlights
- New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64)
- Majority of Existing Plugins Updated with x64 Support
- Merged Malware Plugins into Volatility Core with Preliminary x64 Support
- WindowsHiberFileSpace32 Overhaul (also includes x64 Support)
- Now supports all major x64 Windows Operating Systems
- Plugin Additions
  - Printing Process Environment Variables (envvars)
  - Inspecting the Shim Cache (shimcache)
  - Profiling Command History and Console Usage (cmdscan, consoles)
  - Converting x86 and x64 Raw Dumps to MS Crash Dump (raw2dmp)
- Plugin Enhancements
  - Verbose details for kdbgscan and kpcrscan
  - idt/gdt/timers plugins cycle automatically for each CPU
  - apihooks detects LSP/winsock procedure tables
- New Output Formatting Support (Table Rendering)
- New Mechanism for Profile Modifications
- New Registry API Support
- New Volshell Commands
- Updated Documentation and Command Reference
Operating System Support
- 32- and 64-bit Windows 7 (all service packs)
- 32- and 64-bit Windows Server 2008 (all service packs)
- 64-bit Windows Server 2008 R2 (all service packs)
- 32- and 64-bit Windows Vista (all service packs)
- 32- and 64-bit Windows Server 2003 (all service packs)
- 32- and 64-bit Windows XP (SP2 and SP3)
Memory Format Support
- Raw/Padded Physical Memory
- Firewire (IEEE 1394)
- Expert Witness (EWF)
- 32- and 64-bit Windows Crash Dump
- 32- and 64-bit Windows Hibernation