Binary releases, including pre-built executables for Windows and Mac OS X, can be found on the Volatility Foundation website: http://www.volatilityfoundation.org. We've also now moved our source code repository to Github: https://github.com/volatilityfoundation. Note that there's a separate repository containing over 160 Linux profiles for 32- and 64-bit OpenSuSE, Redhat, Debian, Ubuntu, Fedora, and CentOS (thanks Kevin!); and all Mac OS X profiles from 10.5 to 10.9.4.
The detailed change log is below:
Windows Memory Forensics
- Truecrypt plugins (summary, cached passphrases, master keys)
- Apihooks support for 64-bit memory images
- Apihooks plugin detects JMP FAR hook instructions
- Hashdump, Cachedump, and Lsadump plugins updated for x64 and Win8/2012
- Callbacks and timers plugins work on 64-bit memory images
- Mftparser identifies NTFS alternate data streams
- Mftparser -D option extracts MFT-resident files to disk
- Ability to scan for multiple executive object types concurrently with a single pass through the memory dump
- Procmemdump and procexedump condensed into "procdump" (and --memory option available)
- Envars plugin has a --silent flag to ignore common/default environment variables
- Vadtree plugin in graphviz output mode (--output=dot) color codes nodes per heap, stack, mapped file, DLL, etc.
- Getsids plugin automatically resolves user and service SIDs
- Timeliner plugin supports --machine to identify the source in multi-source timelines
- Verinfo (PE version info) plugin updated and moved into core framework
- Strings translator prints "FREE MEMORY" for data found in deallocated regions (used to skip them)
- Vadinfo plugin allows --addr to specify one region rather than printing them all
- Yarascan plugin allows you to control --size (bytes in preview) and --reverse (show data *before* a hit)
- Volshell plugin has new APIs proc(), addrspace(), getprocs(), and getmods() for easy access
- All process based plugins accept --name (process name regular expression filter)
- Added the auditpol plugin to check audit policies
- Added the cmdline plugin to show process command line arguments
- Volshell plugin can recursively print structure members (similar to windbg's dt /r)
- New pooltracker plugin allows analysis of kernel pool tag statistics
- New bigpools plugin allows finding big page pool allocations
- Svcscan plugin prints service start type (manual, automatic, disabled, etc.)
- Added a plugin to find and print text on the Notepad application's heap
- PE dumping plugins (procdump, dlldump, moddump) support --fix to fix the image base value
- Joblinks plugin for getting information for job objects
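The apihooks entries above (64-bit support, JMP FAR detection) describe what an inline-hook scanner looks for at the start of an exported function: an instruction that transfers control somewhere the owning module does not cover. The following is an added, stand-alone Python example written for this page; it is not the apihooks plugin's code (the plugin uses a real disassembler and reads live process memory), and the sample prologues, module ranges and function addresses are constructed values. It classifies the common redirection prologues, including the far jump form (opcode EA, which is invalid in 64-bit mode), and flags a hook only when the target leaves the module.

```python
import struct

def classify_prologue(code, addr, x64=False):
    """Classify the first instruction of a function prologue.

    code -- the leading bytes of the function as read from memory
    addr -- the virtual address those bytes live at (needed for relative jumps)
    Returns (kind, target) for a control-flow redirection, or None when the
    bytes start with something else (a normal prologue, for example).
    """
    if len(code) < 5:
        return None
    op = code[0]
    if op == 0xE9:                                   # JMP rel32: target = next_ip + disp
        disp = struct.unpack_from("<i", code, 1)[0]
        return ("JMP rel32", addr + 5 + disp)
    if op == 0xEA and not x64 and len(code) >= 7:    # JMP FAR ptr16:32 (32-bit only; EA is invalid in 64-bit mode)
        offset, _selector = struct.unpack_from("<IH", code, 1)
        return ("JMP FAR", offset)
    if op == 0xFF and len(code) >= 6 and code[1] in (0x25, 0x2D):
        # FF /4 (modrm 25) = JMP [mem], FF /5 (modrm 2D) = JMP FAR [mem].
        # The operand is an absolute disp32 on x86 and RIP-relative on x64;
        # the value returned is the pointer slot, not the final destination.
        disp = struct.unpack_from("<i", code, 2)[0]
        slot = addr + 6 + disp if x64 else disp & 0xFFFFFFFF
        return ("JMP FAR [mem]" if code[1] == 0x2D else "JMP [mem]", slot)
    if op == 0x68 and len(code) >= 6 and code[5] == 0xC3:   # PUSH imm32; RET
        return ("PUSH/RET", struct.unpack_from("<I", code, 1)[0])
    return None


def check_inline_hook(addr, code, module_lo, module_hi, x64=False):
    """Report a hook when the prologue redirects outside [module_lo, module_hi).

    Redirections that stay inside the owning module (jump thunks, IAT slots in
    the module's own import table) are treated as benign; this is the same
    containment test that keeps an inline-hook scanner's false positives down.
    Simplification: indirect jumps are judged by the slot address alone, whereas
    a real scanner would also dereference the slot and test the final target.
    """
    result = classify_prologue(code, addr, x64)
    if result is None:
        return None
    kind, target = result
    if module_lo <= target < module_hi:
        return None
    return {"function": addr, "hook_type": kind, "target": target}


# Constructed samples (hypothetical addresses, not taken from any real image).
X86_FUNC, X86_MOD = 0x10001000, (0x10000000, 0x10010000)
X64_FUNC, X64_MOD = 0x7FF600001000, (0x7FF600000000, 0x7FF600100000)
SAMPLES = {
    # mov edi,edi ; push ebp ; mov ebp,esp -- a normal hot-patchable prologue
    "clean":     (X86_FUNC, b"\x8b\xff\x55\x8b\xec", X86_MOD, False),
    # jmp +0x100 -- stays inside the module, so it is a thunk, not a hook
    "thunk":     (X86_FUNC, b"\xe9" + struct.pack("<i", 0x100), X86_MOD, False),
    # jmp rel32 to 0x20000000, outside the module
    "jmp_rel32": (X86_FUNC, b"\xe9" + struct.pack("<i", 0x20000000 - (X86_FUNC + 5)), X86_MOD, False),
    # jmp far 0x1b:0x20000000
    "jmp_far":   (X86_FUNC, b"\xea" + struct.pack("<IH", 0x20000000, 0x1B), X86_MOD, False),
    # push 0x20000000 ; ret
    "push_ret":  (X86_FUNC, b"\x68" + struct.pack("<I", 0x20000000) + b"\xc3", X86_MOD, False),
    # x64 jmp [rip+0x100] -- slot lies inside the module (typical import thunk)
    "x64_iat":   (X64_FUNC, b"\xff\x25" + struct.pack("<i", 0x100), X64_MOD, True),
    # x64 jmp [rip-0x2000] -- slot lies below the module base
    "x64_hook":  (X64_FUNC, b"\xff\x25" + struct.pack("<i", -0x2000), X64_MOD, True),
}


def scan_samples():
    """Run the check over every constructed sample; returns name -> finding or None."""
    return {name: check_inline_hook(addr, code, lo, hi, x64)
            for name, (addr, code, (lo, hi), x64) in SAMPLES.items()}


if __name__ == "__main__":
    for name, finding in scan_samples().items():
        print(f"{name:10s} {'OK' if finding is None else finding}")
```

The useful part to carry over to real analysis is the containment rule: a redirecting first instruction is only evidence of tampering when its destination is not inside the module that owns the function, and for indirect forms you still have to follow the pointer before deciding.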
Address Spaces / File Formats
- Support for QEMU virtual machine memory images
- Support for "split" VMware files (memory in .vmem and metadata in .vmss/.vmsn)
- Support for Windows BitMap crash dumps (created by Windows 8 / 2012 on BSOD)
Mac Memory Forensics
- Support for Mavericks through 10.9.4
- Mac string translation added
- Recover sent and received Adium messages, including those protected by OTR
- Enumerate contacts from the Contact application's database
- Extract the HTML content of notes from the Notes application
- Ability to reveal clear-text PGP emails sent or received with the Mail application
- Locate Apple Keychain encryption keys in memory (for cracking with Chainbreaker)
- Find API hooks in both the kernel and process memory
- List IP and socket filters
- Extract loaded kernel extensions to disk
- Find suspicious process mappings (i.e., injected code)
- Find hidden kernel extensions
- Recover files cached in memory
Linux Memory Forensics
- Support for Linux kernels through 3.16
- Linux string translation added
- Detect API hooks in both userland processes and the kernel
- Detect GOT/PLT overwrites
- Find hollowed executables
- Find suspicious process mappings
- Library listing using the loader’s data structures
- Extract process ELF executables and libraries to disk
- List network interfaces in promiscuous mode
- List processes that are using raw sockets
- Find hidden kernel modules
- List Netfilter hooks
- Extract cached Truecrypt passphrases