Volatility framework for extracting data from memory and disk images
Volatility is a framework for extracting digital artifacts from a memory image, that is, a copy of the contents of RAM saved to disk. The tool runs on any operating system that supports Python.
It can work with memory dumps from 32-bit and 64-bit Windows systems, as well as from macOS, Linux, and Android. Its modular design makes it easy to adapt to new versions of these systems.
Memory analysis can provide very valuable information, since it shows the state of the machine at the time of capture. The tool can extract information about existing network connections, running processes, open files, logged-on users, and other data that disappears when the system is restarted.
Among the main artifacts we can extract, the following stand out:
- Processes that were running when the image was captured
- Open network ports...
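As an added example (not code from the original page or from the Volatility project), the script below shows the kind of correlation an analyst does with two of the artifacts listed above: it parses the text tables printed by Volatility's process list and network scan plugins, joins connections to processes by PID, and flags sockets whose owning PID is absent from the active process list, which typically means the process has exited or is hidden. The sample tables are constructed and modelled on Volatility 2's pslist and netscan layout; the exact column layout is an assumption, and only TCP rows (which carry a State column) are handled.

```python
import re
from collections import defaultdict

# Constructed sample output, modelled on the tables printed by
# Volatility 2's pslist and netscan plugins (layout is an assumption).
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xfffffa8000c9f040 System                    4      0     84      490 ------      0 2021-03-01 10:00:01 UTC+0000
0xfffffa8001a2b060 svchost.exe             736    512     21      510      0      0 2021-03-01 10:00:12 UTC+0000
0xfffffa8001c4d900 explorer.exe           1604   1580     33      920      1      0 2021-03-01 10:01:05 UTC+0000
"""
NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d8e3b10         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        736      svchost.exe
0x7da11a20         TCPv4    192.168.1.20:49512             203.0.113.7:443      ESTABLISHED      1604     explorer.exe
0x7db07c40         TCPv4    192.168.1.20:49600             198.51.100.9:8443    ESTABLISHED      2288     svchost.exe
"""

# Data rows start with a hex offset, so header/separator lines never match.
PSLIST_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)")
NETSCAN_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_pslist(text):
    """Map PID -> process name for every data row of a pslist table."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            procs[int(m.group(3))] = m.group(2)
    return procs


def parse_netscan(text):
    """Return (proto, local, foreign, state, pid, owner) for each TCP row."""
    conns = []
    for line in text.splitlines():
        m = NETSCAN_RE.match(line)
        if m:
            conns.append((m.group(2), m.group(3), m.group(4),
                          m.group(5), int(m.group(6)), m.group(7)))
    return conns


def correlate(pslist_text, netscan_text):
    """Group connections by PID and report sockets owned by PIDs that do
    not appear in the active process list (exited or unlinked process)."""
    procs = parse_pslist(pslist_text)
    by_pid, orphans = defaultdict(list), []
    for conn in parse_netscan(netscan_text):
        by_pid[conn[4]].append(conn)
        if conn[4] not in procs:
            orphans.append(conn)
    return by_pid, orphans
```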