============================================================================
Volatility Framework - Volatile memory extraction utility framework
============================================================================

The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for the
extraction of digital artifacts from volatile memory (RAM) samples.
The extraction techniques are performed completely independently of the
system being investigated but offer visibility into the runtime state
of the system. The framework is intended to introduce people to the
techniques and complexities associated with extracting digital artifacts
from volatile memory samples and to provide a platform for further work in
this exciting area of research.

The Volatility distribution is available from: 
https://www.volatilesystems.com/default/volatility

Volatility should run on any platform that supports 
Python (http://www.python.org)

Volatility supports investigations of Microsoft Windows XP Service 
Pack 2 memory images. 

Volatility does not provide memory sample acquisition
capabilities. For acquisition, there are both free and commercial
solutions available. If you would like suggestions about suitable 
acquisition solutions, please contact us at:

volatility (at) volatilesystems (dot) com

Volatility currently provides the following extraction capabilities for 
memory samples:

  - Image date and time
  - Running processes
  - Open network sockets
  - Open network connections
  - DLLs loaded for each process
  - Open files for each process
  - Open registry keys for each process
  - OS kernel modules
  - Mapping physical offsets to virtual addresses
  - Virtual Address Descriptor information
  - Addressable memory for each process
  - Memory maps for each process
  - Extract executable samples
  - Scanning examples: processes, threads, 
       sockets, connections, modules

Volatility also supports a variety of sample file formats and the
ability to convert between these formats:

  - Raw linear sample (dd)
  - Hibernation file
  - Crash dump file

Example Data
============

If you want to give Volatility a try, you can download exemplar
data hosted by NIST at the following url:

http://www.cfreds.nist.gov/mem/memory-images.rar

In particular, you may want to check out the following sample: 

xp-laptop-2005-07-04-1430.img

Mailing Lists
=============

Mailing lists to support the users and developers of Volatility
can be found at the following address:

http://www.volatilesystems.com/mailman/listinfo


Contact
=======
For information or requests, contact:

Volatile Systems

Web: http://www.volatilesystems.com/
     http://volatility.tumblr.com/
     
Email: volatility (at) volatilesystems (dot) com

IRC: #volatility on freenode

Requirements
============
- Python 2.5 or later. http://www.python.org

Quick Start
===========
1. Unpack the latest version of Volatility from
   https://www.volatilesystems.com/default/volatility

2. To see available options, run "python volatility"

   Example:

  > python volatility
	Volatile Systems Volatility Framework v1.3
	Copyright (C) 2007,2008 Volatile Systems
	Copyright (C) 2007 Komoku, Inc.
	This is free software; see the source for copying conditions.
	There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

	usage: volatility cmd [cmd_opts]

	Run command cmd with options cmd_opts
	For help on a specific command, run 'volatility cmd --help'

	Supported Internel Commands:
		connections    	Print list of open connections
		connscan       	Scan for connection objects
		connscan2      	Scan for connection objects
		datetime       	Get date/time information for image
		dlllist        	Print list of loaded dlls for each process
		dmp2raw        	Convert a crash dump to a raw dump
		dmpchk         	Dump crash dump information
		files          	Print list of open files for each process 
		hibinfo        	Convert hibernation file to linear sample
		ident          	Identify image properties 
		memdmp         	Dump the addressable memory for a process
		memmap         	Print the memory map
		modscan        	Scan for modules
		modscan2       	Scan for module objects
		modules        	Print list of loaded modules
		procdump       	Dump a process to an executable sample
		pslist         	Print list of running processes
		psscan         	Scan for EPROCESS objects
		psscan2        	Scan for process objects
		raw2dmp        	Convert a raw dump to a crash dump
		regobjkeys     	Print list of open regkeys for each process
		sockets        	Print list of open sockets
		sockscan       	Scan for socket objects
		sockscan2      	Scan for socket objects
		strings        	Match physical offsets to virtual addresses
		thrdscan       	Scan for ETHREAD objects
		thrdscan2      	Scan for thread objects
		vaddump        	Dump the Vad sections to files
		vadinfo        	Dump the VAD info
		vadwalk        	Walk the vad tree

	Supported Plugin Commands:
		memmap_ex_2    	Example: Print the memory map
		pslist_ex_1    	Example: Print list running processes
		pslist_ex_3    	Example: Print list running processes
		usrdmp_ex_2    	Example: Dump the address space for a process

	Example: volatility pslist -f /path/to/my/file

3. To get more information on a sample and to make sure Volatility
   supports that sample type, run 'python volatility ident -f <imagename>'

   Example:
   
  > python volatility ident -f c:\images\image1.dump
              Image Name: c:\images\image1.dump
              Image Type: XP SP2
                 VM Type: nopae
                     DTB: 0x39000
                Datetime: Mon Feb 19 20:52:08 2007

4. Run some other tools. -f is a required option for all tools. Some
   also require/accept other options. Run "volatility <cmd> --help" for
   more information on a particular command.


Licensing and Copyright
=======================

Copyright (C) 2007,2008 Volatile Systems

Original Source:
Copyright (C) 2007 Komoku, Inc.
All Rights Reserved

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  
02111-1307, USA.


Bugs and Support
================
There is no support provided with Volatility. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. Bugs may be reported to volatility (at) volatilesystems (dot) com. 
However, Volatile Systems makes no guarantees of any corrective
action or reply, written or verbal.

Missing or Truncated Information
================================
Volatile Systems makes no claims about the validity or correctness of the
output of Volatility. Many factors may contribute to the
incorrectness of output from Volatility including, but not
limited to, malicious modifications to the operating system,
incomplete information due to swapping, and information corruption on
image acquisition. 


Command Descriptions
====================
The following is a short description of some commands supported by
Volatility.

connections
-----------
Lists all open connections that were active at the time of the memory
sample's acquisition. If -t and -b are not specified, Volatility
will attempt to infer reasonable values.

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)

connscan
--------
Scans the flat physical address space for connection objects. 

  Options:
     -f   <Image>   Image file to load
     -s   <start>   Hexadecimal physical offset to begin scan
     -e   <end>     Hexadecimal physical offset to end scan
     -l             Scan in slow mode (verifies all constraints)

datetime
--------
Print the system date and time recognized by the Windows kernel at the
time the image was acquired. If -t and -b are not specified, Volatility
will attempt to infer reasonable values.

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)

dlllist
-------
For each process running in the system, identify the base virtual
address, size, and filesystem path to all DLLs loaded in that
process. If -t and -b are not specified, Volatility
will attempt to infer reasonable values. 

NOTE: dlllist output may be very verbose. 

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)
     -o   <offset>  Hexadecimal physical offset of EPROCESS object
     -p   <pid>     Pid of process

dmp2raw
-------
Convert sample stored in Crash Dump format to a raw linear sample,
similar to that produced by dd.

  Options:
     -f   <Image>   Crash dump file to load
     -o   <outfile>  Raw output file

dmpchk
-------
Extract meta information stored in Crash Dump file.

  Options:
     -f   <Image>   Crash dump file to load

files
-----
For each process running in the system, identify all open file handles
and the absolute filesystem path to that file. If -t and -b are not
specified, Volatility will attempt to infer reasonable values.

NOTE: files output may be very verbose. 

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)
     -o   <offset>  Hexadecimal physical offset of EPROCESS object
     -p   <pid>     Pid of process

hibinfo
-------
Extract meta information stored in a hibernation file and convert
sample to a raw linear sample.

  Options:
     -f   <Image>    Hibernation file to load
     -d   <outfile>  Raw output file
     -q              Dump only header information

ident
-----
For the given image, attempt to identify the operating system type,
virtual address translation mechanism, and a starting directory table
base (DTB). The output of ident can be used to speed up other commands
by passing it to them through their -t and -b options. Options -t and
-b are ignored when running ident itself.

  Options:
     -f   <Image>   Image file to load
     -b   <base>    IGNORED
     -t   <type>    IGNORED

memdmp
------
For each process running in the system, attempt to dump its
addressable storage. If -t and -b are not specified, Volatility 
will attempt to infer reasonable values.

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)
     -o   <offset>  Hexadecimal physical offset of EPROCESS object
     -p   <pid>     Pid of process

memmap
------
For each process running in the system, attempt to dump its memory map. 
If -t and -b are not specified, Volatility will attempt to infer 
reasonable values.

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)
     -o   <offset>  Hexadecimal physical offset of EPROCESS object
     -p   <pid>     Pid of process

modscan
-------
Scans the flat physical address space for kernel modules. If -t and -b
are not specified, Volatility will attempt to infer reasonable values.

  Options:
     -f   <Image>   Image file to load
     -s   <start>   Hexadecimal physical offset to begin scan
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)
     -e   <end>     Hexadecimal physical offset to end scan
     -l             Scan in slow mode (verifies all constraints)

modules
-------
For the given image, list all kernel modules loaded at the time of
acquisition. If -t and -b are not specified, Volatility will
attempt to infer reasonable values. 

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)

procdump
--------
For each process in the given image, extract an executable sample. 
If -t and -b are not specified, Volatility will attempt to infer 
reasonable values. 

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)
     -o   <offset>  Hexadecimal physical offset of EPROCESS object
     -p   <pid>     Pid of process
     -m   <mode>    Strategy to use when extracting executable sample. Use
                    "disk" to save using disk-based section sizes or "mem"
                    for memory-based sections (default: "mem").

pslist
------
For the given image, list all processes that were running, along with
some corresponding metadata such as process creation time. If -t and
-b are not specified, Volatility will attempt to infer reasonable
values.  

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)

psscan
------
Scans the flat physical address space for EPROCESS objects. 

  Options:
     -f   <Image>   Image file to load
     -s   <start>   Hexadecimal physical offset to begin scan
     -e   <end>     Hexadecimal physical offset to end scan
     -l             Scan in slow mode (verifies all constraints)
     -d             Print output in dot format

raw2dmp
-------
Convert a raw linear sample into a format that can be analyzed using
the Microsoft Windows Debugger (windbg).

  Options:
     -f   <Image>    Raw linear sample to load
     -o   <outfile>  Crash dump output file

regobjkeys
----------
For each process running in the system, identify all open registry handles. 
If -t and -b are not specified, Volatility will attempt to infer 
reasonable values.

NOTE: regobjkeys output may be very verbose. 

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)
     -o   <offset>  Hexadecimal physical offset of EPROCESS object
     -p   <pid>     Pid of process

sockets
-------
For the given image, list all open sockets registered with the kernel
and the corresponding process for which the socket was opened and
associated socket creation time. If -t and -b are not specified,
Volatility will attempt to infer reasonable values. 

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)

sockscan
--------
Scans the flat physical address space for socket objects. 

  Options:
     -f   <Image>   Image file to load
     -s   <start>   Hexadecimal physical offset to begin scan
     -e   <end>     Hexadecimal physical offset to end scan
     -l             Scan in slow mode (verifies all constraints)

strings
-------
For a given image and a file with lines of the form <offset>:<string>,
output the corresponding process and virtual addresses where that
string can be found. Expected input for this tool is the output of
Microsoft Sysinternals' Strings utility, or another utility that
provides similarly formatted offset:string mappings. Note that the
input offsets are physical offsets from the start of the file/image. 
If -t and -b are not specified, Volatility will attempt to infer
reasonable values. 

NOTE: strings output may be very verbose.

  Options:
     -f   <Image>       Image file to load
     -s   <Stringfile>  File with lines of the form <offset>:<string>
     -b   <base>        Hexadecimal physical offset of valid Directory Table Base
     -t   <type>        Image type (pae, nopae, auto)
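The following Python is an added example, not code from the Volatility distribution: it implements the non-PAE page walk that the DTB and VM type reported by ident select, and the physical-to-virtual lookup that strings performs on offset:string input, over a constructed miniature raw sample. The sample image, its mappings, the 0x39000 DTB and the pid 4 are assumptions made for the example.

```python
import struct
PRESENT, LARGE = 0x1, 0x80   # x86 PDE/PTE flag bits: present, 4 MiB page

def build_sample_image():
    """Constructed 256 KiB 'raw linear sample' (not a real dump): a page directory at
    DTB 0x39000 and a page table at 0x3a000 map 0x00401000->0x5000, 0x00402000->0x6000."""
    img = bytearray(0x40000)
    dtb, pt = 0x39000, 0x3a000
    struct.pack_into("<I", img, dtb + (0x00401000 >> 22) * 4, pt | 0x3)
    for vaddr, paddr in ((0x00401000, 0x5000), (0x00402000, 0x6000)):
        struct.pack_into("<I", img, pt + ((vaddr >> 12) & 0x3FF) * 4, paddr | 0x3)
    img[0x5010:0x5010 + 11] = b"cmd.exe /c "   # a string living in physical page 0x5000
    return bytes(img), dtb

def read_u32(img, off):   # dwords outside the sample read as 0 (i.e. not present)
    return struct.unpack_from("<I", img, off)[0] if off + 4 <= len(img) else 0

def v2p(img, dtb, vaddr):
    """x86 32-bit non-PAE two-level page walk (the translation '-t nopae' selects)."""
    pde = read_u32(img, dtb + ((vaddr >> 22) & 0x3FF) * 4)
    if not pde & PRESENT:
        return None
    if pde & LARGE:                                   # 4 MiB page: no second level
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = read_u32(img, (pde & 0xFFFFF000) + ((vaddr >> 12) & 0x3FF) * 4)
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF) if pte & PRESENT else None

def phys_to_virt_map(img, dtb):
    """Invert one process's page tables: physical page -> virtual pages (4 KiB pages only)."""
    rev = {}
    for di in range(1024):
        pde = read_u32(img, dtb + di * 4)
        if pde & PRESENT and not pde & LARGE:
            for ti in range(1024):
                pte = read_u32(img, (pde & 0xFFFFF000) + ti * 4)
                if pte & PRESENT:
                    rev.setdefault(pte & 0xFFFFF000, []).append((di << 22) | (ti << 12))
    return rev

def parse_strings_file(text):
    """Parse '<offset>:<string>' lines (decimal offsets, as Sysinternals strings -o prints)."""
    parts = (line.partition(":") for line in text.splitlines())
    return [(int(off), s) for off, sep, s in parts if sep and off.strip().isdigit()]

def resolve_strings(img, procs, entries):
    """Map each (offset, string) to (offset, string, pid, vaddr) for every process in
    procs [(pid, dtb), ...] whose page tables map that physical page."""
    maps = {pid: phys_to_virt_map(img, dtb) for pid, dtb in procs}
    hits = []
    for off, s in entries:
        for pid, rev in maps.items():
            for vpage in rev.get(off & ~0xFFF, []):
                hits.append((off, s, pid, vpage | (off & 0xFFF)))
    return hits
```

A physical offset that no process's page tables map (paged-out or unmapped memory) produces no hit, which is the same silence strings shows on a real sample.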

thrdscan
--------
Scans the flat physical address space for ETHREAD objects. 

  Options:
     -f   <Image>   Image file to load
     -s   <start>   Hexadecimal physical offset to begin scan
     -e   <end>     Hexadecimal physical offset to end scan
     -l             Scan in slow mode (verifies all constraints)

vadwalk
-------

For the given image, print the Virtual Address Descriptors (VAD)
tree associated with a particular process. Depending on the command
line options the information will be printed in a number of different
formats. If -t and -b are not specified, Volatility will attempt
to infer reasonable values.

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)
     -o   <offset>  Hexadecimal physical offset of a valid EPROCESS object
     -e             Print VAD tree in tree format
     -l             Print VAD tree in table format
     -d             Print VAD tree in Dot file format
     -p   <pid>     Extract VAD information of process with this pid

vadinfo
-------

For the given image, print detailed information about each object
found in the Virtual Address Descriptors (VAD) tree associated with a
particular process.  If -t and -b are not specified, Volatility
will attempt to infer reasonable values.

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)
     -o   <offset>  Hexadecimal physical offset of a valid EPROCESS object
     -p   <pid>     Extract VAD information of process with this pid

vaddump
-------

For the given image, traverse the Virtual Address Descriptors (VAD)
tree and dump the ranges of memory to files for further analysis. If
-t and -b are not specified, Volatility will attempt to infer
reasonable values.

  Options:
     -f   <Image>   Image file to load
     -b   <base>    Hexadecimal physical offset of valid Directory Table Base
     -t   <type>    Image type (pae, nopae, auto)
     -o   <offset>  Hexadecimal physical offset of a valid EPROCESS object
     -p   <pid>     Extract VAD information of process with this pid