Volatility Framework
Definition
An open-source memory forensics framework written in Python. It parses memory images (raw dumps and common container formats such as crash dumps and LiME output) using symbol information for the exact kernel build that was imaged, reconstructs the kernel's data structures from the bytes, and extracts artefacts from them: process lists, network connections, loaded drivers and modules, registry hives, injected or unbacked code regions, and strings. Many plugins come in pairs, one that walks the kernel's own bookkeeping (for example the active-process list) and one that carves memory for structures by signature, so that objects an attacker has unlinked from the kernel's lists still surface. Version 3 replaces the hand-built profiles of Volatility 2 with symbol tables (ISF JSON files): for Windows these are generated from Microsoft's public PDB symbols and fetched on demand, while Linux and macOS kernels need an ISF file produced from the kernel's debug information.
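The following is an added example, not Volatility code, showing the two reconstruction techniques the definition describes on a constructed image. The structure layout, field offsets, "Proc" tag and the fixed list-head address are assumptions invented for the example (they are not the real Windows _EPROCESS layout or any real kernel symbol), and virtual addresses are taken to equal file offsets, which a real framework would resolve through the page tables. The symbol dictionary plays the role an ISF symbol table plays for Volatility 3: it tells the parser where each field lives, so walking the list (pslist-style) and carving for the tag (psscan-style) can be compared to expose a structure that was unlinked from the list.

```python
"""Toy memory-image parser: list walk versus signature carve (added example, not Volatility code)."""
import struct

# Constructed "symbol table" for this example; Volatility 3 reads offsets like these
# from ISF JSON files generated from the kernel's debug symbols.
PROC_SIZE = 48
PROC = {
    "Tag":    (0,  "4s"),   # signature at the start of the structure, standing in for a pool tag
    "Pid":    (4,  "<I"),
    "Links":  (8,  "<QQ"),  # embedded LIST_ENTRY: Flink, Blink (addresses of other LIST_ENTRYs)
    "Name":   (24, "16s"),  # NUL-padded ASCII
    "Exited": (40, "<I"),
}
LINKS_OFFSET = PROC["Links"][0]
PROC_TAG = b"Proc"
LIST_HEAD = 0x100   # assumed address of the bare LIST_ENTRY that heads the active list


def read_field(image, base, field):
    off, fmt = PROC[field]
    vals = struct.unpack_from(fmt, image, base + off)
    return vals if len(vals) > 1 else vals[0]


def read_proc(image, base):
    flink, blink = read_field(image, base, "Links")
    name = read_field(image, base, "Name").split(b"\0", 1)[0]
    return {"base": base, "pid": read_field(image, base, "Pid"),
            "name": name.decode("ascii", "replace"), "flink": flink, "blink": blink,
            "exited": bool(read_field(image, base, "Exited"))}


def walk_active_list(image, head=LIST_HEAD):
    """pslist-style: follow Flink from the list head until the list wraps back to it."""
    procs, seen = [], set()
    entry = struct.unpack_from("<Q", image, head)[0]
    while entry != head:
        # A smeared or deliberately corrupted list must not loop forever or read past the image.
        if entry in seen or entry < LINKS_OFFSET or entry - LINKS_OFFSET + PROC_SIZE > len(image):
            break
        seen.add(entry)
        p = read_proc(image, entry - LINKS_OFFSET)   # CONTAINING_RECORD: LIST_ENTRY -> structure base
        procs.append(p)
        entry = p["flink"]
    return procs


def scan_for_procs(image):
    """psscan-style: carve every structure that looks like a process, linked or not."""
    found = []
    for base in range(0, len(image) - PROC_SIZE + 1, 8):
        if image[base:base + 4] != PROC_TAG:
            continue
        p = read_proc(image, base)
        # Sanity checks reject data that merely happens to contain the tag bytes.
        if p["pid"] == 0 or not p["name"] or not (0 <= p["flink"] < len(image)):
            continue
        found.append(p)
    return found


def hidden_procs(image, head=LIST_HEAD):
    """Running structures found by carving but absent from the list: the classic DKOM indicator.
    Exited processes are legitimately unlinked, so they are reported separately by callers."""
    linked = {p["base"] for p in walk_active_list(image, head)}
    return [p for p in scan_for_procs(image) if p["base"] not in linked and not p["exited"]]


def write_proc(image, base, pid, name, flink, blink, exited=0):
    struct.pack_into("4s", image, base, PROC_TAG)
    struct.pack_into("<I", image, base + 4, pid)
    struct.pack_into("<QQ", image, base + 8, flink, blink)
    struct.pack_into("16s", image, base + 24, name)
    struct.pack_into("<I", image, base + 40, exited)


def build_sample_image():
    """Constructed 4 KiB image: three linked processes, one unlinked by DKOM, one exited, one decoy."""
    image = bytearray(4096)
    procs = [(0x200, 4, b"System"), (0x300, 612, b"lsass.exe"), (0x400, 1337, b"explorer.exe")]
    entries = [LIST_HEAD] + [base + LINKS_OFFSET for base, _, _ in procs]
    for i, (base, pid, name) in enumerate(procs):      # circular: head -> p0 -> p1 -> p2 -> head
        write_proc(image, base, pid, name, entries[(i + 2) % len(entries)], entries[i])
    struct.pack_into("<QQ", image, LIST_HEAD, entries[1], entries[-1])
    # DKOM-style hidden process: intact structure whose links now point at itself.
    write_proc(image, 0x500, 2048, b"rootkit.exe", 0x500 + LINKS_OFFSET, 0x500 + LINKS_OFFSET)
    # Terminated process whose structure has not yet been overwritten.
    write_proc(image, 0x600, 900, b"notepad.exe", 0x600 + LINKS_OFFSET, 0x600 + LINKS_OFFSET, exited=1)
    image[0x700:0x704] = PROC_TAG   # decoy: tag bytes inside an unrelated buffer, pid 0
    return image


if __name__ == "__main__":
    img = build_sample_image()
    print("linked:", [(p["pid"], p["name"]) for p in walk_active_list(img)])
    print("carved:", [(p["pid"], p["name"], p["exited"]) for p in scan_for_procs(img)])
    print("hidden:", [(p["pid"], p["name"]) for p in hidden_procs(img)])
```

The list walk returns only the three linked processes; the carve also finds the unlinked rootkit structure, the exited notepad structure and rejects the decoy. Real pslist/psscan comparisons need the same care the sanity checks hint at: carving produces false positives from freed or partially overwritten memory, so an unlinked hit is a lead to confirm against other artefacts (threads, handles, VADs), not proof on its own.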
Related terms
- LiME (Linux Memory Extractor): A loadable kernel module that acquires physical memory from Linux and Android systems. It maps the physical address space and either...
- Order of volatility: The sequence in which digital evidence should be collected, ranked from most to least transient. Defined in RFC 3227. CPU registers and...
- Physical memory image: A byte-for-byte copy of all installed RAM on a running system, acquired at the hardware or kernel level. Contains all data structures,...
- Process injection: A technique used by malware and attackers to execute code inside the address space of a legitimate running process. Common methods include...
- Reflective DLL loading: A technique that loads a Windows DLL directly from memory without registering it with the OS loader. The DLL resolves its own...
Explained in
- Memory Acquisition and Analysis in Incident Response