[Dailydave] Volatility 2.3 Released!

Andrew Case atcuno at gmail.com
Fri Oct 25 12:38:21 EDT 2013


The Volatility Foundation is very excited to announce the official
release of Volatility 2.3! While the main goal of this release was Mac
OS X (x86, x64) and Android ARM support, we also included a number of
other exciting new capabilities! Highlights of this release include:

    Mac OS X
        New MachO address space for 32-bit and 64-bit Mac memory samples
        Over 30 plugins for Mac memory forensics
    Linux/Android
        New ARM address space to support memory dumps from Linux and Android devices on ARM hardware
        Plugins to scan Linux process and kernel memory with yara signatures, dump LKMs to disk, and check TTY devices for rootkit hooks
        Plugins to check the ARM system call and exception vector tables for hooks
    Windows
        New plugins:
            Parse IE history/index.dat URLs
            Recover shellbags data
            Dump cached files (exe/pdf/doc/etc)
            Extract the MBR and MFT records
            Explore recently unloaded kernel modules
            Dump SSL private and public keys/certs
            Display details on process privileges
            Detect poison ivy infections
            Find and decrypt configurations in memory for poison ivy, zeus v1, zeus v2 and citadelscan 1.3.4.5
        Plugin Enhancements:
            Apihooks detects duqu style instruction modifications
            Crashinfo displays uptime, systemtime, and dump type
            Psxview plugin adds two new sources of process listings from the GUI APIs
            Screenshots plugin shows text for window titles
            Svcscan automatically queries the cached registry for service dlls
            Dlllist shows load count to distinguish between static and dynamic loaded dlls
    New Address Spaces
        VirtualBox ELF64 core dumps
        VMware saved state (vmss)
        VMware snapshot (vmsn) files
        FDPro's non-standard HPAK format
        New plugins: vboxinfo, vmwareinfo, hpakinfo, hpakextract

We also wanted to take this opportunity to recognize those on the
development team whose continued dedication to open source forensics
and the Volatility community has made this release possible: Mike
Auty, Andrew Case, Michael Hale Ligh, Jamie Levy, and AAron Walters.
These people volunteer their time and skills to bring you the most
advanced and innovative memory forensics framework in the world!
Finally, shoutz to the Volatility Community for their continued
support and feedback! In particular, the following members of the
Volatility community made significant contributions to this release:

    Cem Gurkok for his work on the privileges plugin for Windows
    Nir Izraeli for his work on the VMware snapshot address space (see also the vmsnparser project)
    @osxmem of the volafox project (Mac OS X & BSD Memory Analysis Toolkit)
    @osxreverser of reverse.put.as for his help with OSX memory analysis
    Carl Pulley for numerous bug reports, example patches, and plugin testing
    Andreas Schuster for his work on poison ivy plugins for Windows
    Joe Sylve for his work on the ARM address space and significant contributions to linux and mac capabilities
    Philippe Teuwen for his work on the virtual box address space
    Santiago Vicente for his work on the citadel plugins for Windows
