volatility内存取证软件，可用于windows环境下

============================================================================ Volatility Framework - Volatile memory extraction utility framework ============================================================================ The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research. The Volatility distribution is available from: http://www.volatilityfoundation.org/#!releases/component_71401 Volatility should run on any platform that supports Python (http://www.python.org) Volatility supports investigations of the following memory images: Windows: * 32-bit Windows XP Service Pack 2 and 3 * 32-bit Windows 2003 Server Service Pack 0, 1, 2 * 32-bit Windows Vista Service Pack 0, 1, 2 * 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0) * 32-bit Windows 7 Service Pack 0, 1 * 32-bit Windows 8, 8.1, and 8.1 Update 1 * 32-bit Windows 10 (initial support) * 64-bit Windows XP Service Pack 1 and 2 (there is no SP0) * 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0) * 64-bit Windows Vista Service Pack 0, 1, 2 * 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0) * 64-bit Windows 2008 R2 Server Service Pack 0 and 1 * 64-bit Windows 7 Service Pack 0 and 1 * 64-bit Windows 8, 8.1, and 8.1 Update 1 * 64-bit Windows Server 2012 and 2012 R2 * 64-bit Windows 10 (including at least 10.0.14393) * 64-bit Windows Server 2016 (including at least 10.0.14393.0) Note: Please see the guidelines at the following link for notes on compatibility with recently patched Windows 7 (or later) memory samples: https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles Linux: * 32-bit Linux kernels 2.6.11 to 4.2.3 * 64-bit Linux kernels 2.6.11 to 4.2.3 * OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc Mac OSX: * 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported) * 32-bit 10.6.x Snow Leopard * 64-bit 10.6.x Snow Leopard * 32-bit 10.7.x Lion * 64-bit 10.7.x Lion * 64-bit 10.8.x Mountain Lion (there is no 32-bit version) * 64-bit 10.9.x Mavericks (there is no 32-bit version) * 64-bit 10.10.x Yosemite (there is no 32-bit version) * 64-bit 10.11.x El Capitan (there is no 32-bit version) * 64-bit 10.12.x Sierra (there is no 32-bit version) Volatility does not provide memory sample acquisition capabilities. For acquisition, there are both free and commercial solutions available. If you would like suggestions about suitable acquisition solutions, please contact us at: volatility (at) volatilityfoundation (dot) org Volatility supports a variety of sample file formats and the ability to convert between these formats: - Raw linear sample (dd) - Hibernation file (from Windows 7 and earlier) - Crash dump file - VirtualBox ELF64 core dump - VMware saved state and snapshot files - EWF format (E01) - LiME format - Mach-O file format - QEMU virtual machine dumps - Firewire - HPAK (FDPro) For a more detailed list of capabilities, see the following: https://github.com/volatilityfoundation/volatility/wiki Also see the community plugins repository: https://github.com/volatilityfoundation/community Example Data ============ If you want to give Volatility a try, you can download exemplar memory images from the following url: http://222.178.203.72:19005/whst/63/=fhsgtazbnl//volatilityfoundation/volatility/wiki/Memory-Samples Mailing Lists ============= Mailing lists to support the users and developers of Volatility can be found at the following address: http://lists.volatilesystems.com/mailman/listinfo Contact ======= For information or requests, contact: Volatility Foundation Web: http://www.volatilityfoundation.org http://volatility-labs.blogspot.com http://volatility.tumblr.com Email: volatility (at) volatilityfoundation (dot) org IRC: #volatility on freenode Twitter: @volatility Requirements ============ - Python 2.6 or later, but not 3.0. http://www.python.org Some plugins may have other requirements which can be found at: https://github.com/volatilityfoundation/volatility/wiki/Installation Quick Start =========== 1. Unpack the latest version of Volatility from volatilityfoundation.org 2. To see available options, run "python vol.py -h" or "python vol.py --info" Example: $ python vol.py --info Volatility Foundation Volatility Framework 2.6 Address Spaces -------------- AMD64PagedMemory - Standard AMD 64-bit address space. ArmAddressSpace - Address space for ARM processors FileAddressSpace - This is a direct file AS. HPAKAddressSpace - This AS supports the HPAK format IA32PagedMemory - Standard IA-32 paging address space. IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible LimeAddressSpace - Address space for Lime LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space. MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader OSXPmemELF - This AS supports VirtualBox ELF64 coredump format QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format Win10AMD64PagedMemory - Windows 10-specific AMD 64-bit address space. WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space. WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files. Profiles -------- VistaSP0x64 - A Profile for Windows Vista SP0 x64 VistaSP0x86 - A Profile for Windows Vista SP0 x86 VistaSP1x64 - A Profile for Windows Vista SP1 x64 VistaSP1x86 - A Profile for Windows Vista SP1 x86 VistaSP2x64 - A Profile for Windows Vista SP2 x64 VistaSP2x86 - A Profile for Windows Vista SP2 x86 Win10x64 - A Profile for Windows 10 x64 Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23) Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16) Win10x86 - A Profile for Windows 10 x86 Win10x86_10586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28) Win10x86_14393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16) Win2003SP0x86 - A Profile for Windows 2003 SP0 x86 Win2003SP1x64 - A Profile for Windows 2003 SP1 x64 Win2003SP1x86 - A Profile for Windows 2003 SP1 x86 Win2003SP2x64 - A Profile for Windows 2003 SP2 x64 Win2003SP2x86 - A Profile for Windows 2003 SP2 x86 Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64 Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64 Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09) Win2008SP1x64 - A Profile for Windows 2008 SP1 x64 Win2008SP1x86 - A Profile for Windows 2008 SP1 x86 Win2008SP2x64 - A Profile for Windows 2008 SP2 x64 Win2008SP2x86 -