[Dailydave] Volatility 2.4 is now available!

Andrew Case atcuno at gmail.com
Wed Aug 13 10:46:48 EDT 2014


The Volatility Team is happy to announce that Volatility 2.4 is now
available! It adds support for Windows 8, 8.1, 2012, and 2012 R2 memory
dumps, Mac OS X Mavericks (up to 10.9.4), and Linux kernels up to 3.16.
New plugins include the ability to extract cached Truecrypt passphrases
and master keys from Windows and Linux memory dumps, investigate Mac
user activity (such as pulling their contact database, calendar items,
PGP encrypted mails, OTR Adium chat messages, etc), and analyze advanced
Linux rootkits. See below for a detailed change log.

Binary releases, including pre-built executables for Windows and Mac OS
X can be found on the Volatility Foundation website:
http://www.volatilityfoundation.org. We've also now moved our source
code repository to Github: https://github.com/volatilityfoundation. Note
that there's a separate repository containing over 160 Linux profiles
for 32- and 64-bit OpenSuSE, Redhat, Debian, Ubuntu, Fedora, and CentOS
(thanks Kevin!); and all Mac OS X profiles from 10.5 to 10.9.4.

The detailed change log is below:

Windows Memory Forensics
------------------------

Truecrypt plugins (summary, cached passphrases, master keys)
Apihooks support for 64-bit memory images
Apihooks plugin detects JMP FAR hook instructions
Hashdump, Cachedump, and Lsadump plugins updated for x64 and Win8/2012
Callbacks and timers plugins work on 64-bit memory images
Mftparser identifies NTFS alternate data streams
Mftparser -D option extracts MFT-resident files to disk
Ability to scan for multiple executive object types concurrently with a
single pass through the memory dump
Procmemdump and procexedump condensed into "procdump" (and --memory
option available)
Envars plugin has a --silent flag to ignore common/default environment
variables
Vadtree plugin in graphviz output mode (--output=dot) color codes nodes
per heap, stack, mapped file, DLL, etc.
Getsids plugin automatically resolves user and service SIDs
Timeliner plugin supports --machine to identify the source in
multi-source timelines
Verinfo (PE version info) plugin updated and moved into core framework
Strings translator prints "FREE MEMORY" for data found in deallocated
regions (used to skip them)
Vadinfo plugin allows --addr to specify one region rather than printing
them all
Yarascan plugin allows you to control --size (bytes in preview) and
--reverse (show data *before* a hit)
Volshell plugin has new APIs proc(), addrspace(), getprocs(), and
getmods() for easy access
All process based plugins accept --name (process name regular expression
filter)
Added the auditpol plugin to check audit policies
Added the cmdline plugin to show process command line arguments
Volshell plugin can recursively print structure members (similar to
windbg's dt /r)
New pooltracker plugin allows analysis of kernel pool tag statistics
New bigpools plugin allows finding big page pool allocations
Svcscan plugin prints service start type (manual, automatic, disabled, etc)
Added a plugin to find and print text on the Notepad application's heap
PE dumping plugins (procdump, dlldump, moddump) support --fix to fix the
image base value
Joblinks plugin for getting information for job objects

Address Spaces / File Formats
-----------------------------

Support for QEMU virtual machine memory images
Support for "split" VMware files (memory in .vmem and metadata in
.vmss/.vmsn)
Support for Windows BitMap crash dumps (created by Windows 8 / 2012 on BSOD)


Mac Memory Forensics
---------------------

Support for Mavericks through 10.9.4
Mac string translation added
Recover sent and received Adium messages, including those protected by OTR
Enumerate contacts from the Contact application's database
Extract the HTML content of notes from the Notes application
Ability to reveal clear-text PGP emails sent or received with the Mail
application
Locate Apple Keychain encryption keys in memory (for cracking with
Chainbreaker)
Find API hooks in both the kernel and process memory
List IP and socket filters
Extract loaded kernel extensions to disk
Find suspicious process mappings (i.e. injected code)
Find hidden kernel extensions
Recover files cached in memory


Linux Memory Forensics
----------------------

Support for Linux kernels through 3.16
Linux string translation added
Detect API hooks in both userland processes and the kernel
Detect GOT/PLT overwrites
Find hollowed executables
Find suspicious process mappings
Library listing using the loader’s data structures
Extract process ELF executables and libraries to disk
List network interfaces in promiscuous mode
List processes that are using raw sockets
Find hidden kernel modules
List Netfilter hooks
Extract cached Truecrypt passphrases


If you have any questions or issues related to the release then feel
free to contact me or to leave an issue on the github tracker.

-- 
Thanks,
Andrew (@attrc)

