top of page

Volatility

What's the latest stable version of Volatility?

 

The most recent version of the original Volatility code base is Volatility 2.6. This is the most mature and tested version of Volatility after having been supported and maintained since 2007. With respect to active development, it is only receiving minor plugin updates and bug fixes. Based on the current roadmap, development and support will end once Volatility 3 reaches feature parity. You can download the latest version of the Volatility 2.X source here.

 

The most recent version of Volatility 3 can be found here. This version of Volatility is under active development and also the home to the most bleeding edge research in the field of memory forensics. All development efforts are currently focused on getting Volatility 3 to feature parity with the Volatility 2.X code base. 

What operating systems does Volatility 2.X support?

 

We support analyzing memory from the following systems:

  • 32- and 64-bit Windows 10 and Server 2016

  • 64-bit Windows Server 2012 and 2012 R2

  • 32- and 64-bit Windows 8, 8.1, and 8.1 Update 1

  • 32- and 64-bit Windows 7 (all service packs)

  • 32- and 64-bit Windows Server 2008 (all service packs)

  • 64-bit Windows Server 2008 R2 (all service packs)

  • 32- and 64-bit Windows Vista (all service packs)

  • 32- and 64-bit Windows Server 2003 (all service packs)

  • 32- and 64-bit Windows XP (SP2 and SP3)

  • 32- and 64-bit Linux kernels from 2.6.11 to 4.2.3+

  • 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)

  • 32- and 64-bit 10.6.x Snow Leopard

  • 32- and 64-bit 10.7.x Lion

  • 64-bit 10.8.x Mountain Lion (there is no 32-bit version)

  • 64-bit 10.9.x Mavericks (there is no 32-bit version)

  • 64-bit 10.10.x Yosemite (there is no 32-bit version)

  • 64-bit 10.11.x El Capitan (there is no 32-bit version)

  • 64-bit 10.12.x Sierra (there is no 32-bit version)

 

What about hibernation, crash dumps, and page files?

 

The memory formats supported by Volatility 2.X include:

 

  • Raw/Padded Physical Memory

  • Firewire (IEEE 1394)

  • Expert Witness (EWF)

  • 32- and 64-bit Windows Crash Dump

  • 32- and 64-bit Windows Hibernation

  • 32- and 64-bit MachO files

  • Virtualbox Core Dumps

  • VMware Saved State (.vmss) and Snapshot (.vmsn)

  • HPAK Format (FastDump)

  • LiME (Linux Memory Extractor)

  • QEMU VM memory dumps

The Foundation

What is the Volatility Foundation?

The Volatility Foundation is an independent 501(c) (3) non-profit organization. The foundation’s mission is to promote the use of Volatility and memory analysis within the forensics community, to defend the project’s intellectual property (trademarks, licenses, etc.) and longevity, and to help advance innovative memory analysis research.

 

Why was the Volatility Foundation formed?

Since 2007, the Volatility team has been committed to the principles of Open Source development and an advocate for Open Source developers. A critical component of any thriving Open Source community is the people who volunteer their time and effort to develop, maintain, and support these projects. Unfortunately, there is a growing trend of large corporations and unscrupulous individuals that have attempted to exploit the efforts of Open Source communities for their own selfish-interests. While feeling entitled to the software, they make no effort to contribute to the communities that support these projects. The Volatility Foundation was formed to help defend against these threats and protect the developers that sacrifice their time and resources to make the world’s most advanced memory forensics platform free and Open Source.

 

Under what terms can the Volatility trademark be used?

As an Open Source project, it is important to the Volatility Foundation that any uses of the Volatility trademark are in the spirit of Open Source. The Volatility trademark can be used in ways that further the project, encourage the use of Volatility, and benefit the overall good of the Volatility community. The Volatility trademark gives users the assurance and confidence that the project is built by or endorsed by a specific community, group, or person. Any non-nominative commercial use that does not contribute to the benefit of the Volatility community or is a veiled advertisement for a non-endorsed commercial service or product is not authorized. It is unfortunate that the Volatility Foundation and other Open Source projects have been forced to spend the time and resources to address these sorts of violations. Trademark law requires that trademark holders actively protect their trademark or they risk losing it.

 

If you have any questions or concerns about a particular usage of the Volatility trademark, the Volatility Foundation would be happy to help provide clarification. Please contact info@volatilityfoundation.org with any questions or concerns you may have. Special licenses have been granted to organization and individuals that have established a reputation through contributions and furthering the mission of the foundation.

 

Who owns the Volatility source code?

The Volatility source code is owned by the Volatility Foundation and its community. All Volatility contributors retain the rights to their contributions and have explicitly granted permission for their code to be distributed with Volatility under the GPL version 2.

 

Why does the Volatility Foundation need a CLA?

The Volatility Foundation desires to have a Contributor License Agreement (CLA) on file for the protection of the contributor, the foundation, and the Volatility users. The intent of the CLA is that the original copyright holder and the Volatility Foundation both retain (shared) copyright for the contributed code. As a result both parties can use the contribution independently. Except for the shared rights discussed in the document, the contributor retains all right, title, and interest in their contribution. Similar to the requirements of other Open Source foundations, the copyright assignment allows the Volatility Foundation to defend the project should there be a legal dispute regarding the software at some future time. . The contributor is explicitly granting their permission for their code to be included and distributed with Volatility. They are also representing that they are authorized to submit the code for inclusion in Volatility without violating another entities intellectual property rights.

 

What happens to the rights granted to the Volatility Foundation if the foundation is dissolved?

Under the Foundation’s Articles of Incorporation, all assets, including intellectual property, owned by the foundation can only be transferred to another charitable organization that will best accomplish the purposes of the Foundation.

 

What if I'm unable to submit code under the VCLA?

The CLA is only required for code that will be included in the Volatility source repository, maintained by the Volatility development team, and distributed with official releases.

 

How can I help the Volatility Foundation?

The best way to help support the Volatility Foundation is by getting involved and contributing to the project. We also encourage people to vocalize their support for the Open Source forensics community and help fight its exploitation.

bottom of page