Open ghost opened 1 year ago
I assume this is a Commando-VM tool, @mandiant/commando-vm opinions?
Volatility is more of a forensics/IR tool for mem analysis. Not really something for offsec; would this be good for ripping binaries in memory for analysis or is there an entirely separate IR VM we should be adding this to?
Package Name
volatility
Tool Name
Volatility
Package type
ZIP_EXE
Tool's version number
2.6
Category
Forensic
Tool's authors
The Volatility Foundation
Tool's description
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
Download URL
https://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_win64_standalone.zip
Download SHA256 Hash
bb021f3b569bf8ee4a408b2e07b0662699894ff7eecd4473badf0ef0c58f2fce
Why is this tool a good addition?
Volatility is a very powerful tool for memory forensics as well as malware analysis. It is able to read a memory dump to list running processes, network connections, .dll files and file handles, and to scan for malware using YARA rules.
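The packaging check and triage run described above, as an added example that is not part of the issue or the Commando-VM project's own package scripts: it fetches the standalone build named in the request, refuses to unpack it unless it matches the SHA256 given above, then runs the Volatility 2.6 plugins that cover the capabilities listed. The memory image path and the Win7SP1x64 profile are placeholder assumptions; take the real profile from the imageinfo output.

```powershell
# Added example, not from the issue or Commando-VM. Assumes a memory dump at
# C:\cases\memory.raw and a Win7SP1x64 profile (both placeholders).
$Url        = 'https://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_win64_standalone.zip'
$Expected   = 'bb021f3b569bf8ee4a408b2e07b0662699894ff7eecd4473badf0ef0c58f2fce'
$Zip        = Join-Path $env:TEMP 'volatility_2.6_win64_standalone.zip'
$Dest       = 'C:\Tools\volatility'
$Image      = 'C:\cases\memory.raw'   # placeholder path to the memory dump
$VolProfile = 'Win7SP1x64'            # placeholder; use the profile imageinfo suggests

Invoke-WebRequest -Uri $Url -OutFile $Zip

# Supply-chain check: do not unpack a download that does not match the
# hash recorded in the package request (-ne is case-insensitive here).
$Actual = (Get-FileHash -Path $Zip -Algorithm SHA256).Hash
if ($Actual -ne $Expected) {
    throw "SHA256 mismatch for $Zip: expected $Expected, got $Actual"
}
Expand-Archive -Path $Zip -DestinationPath $Dest -Force
$Vol = Get-ChildItem -Path $Dest -Recurse -Filter 'volatility_2.6_win64_standalone.exe' |
       Select-Object -First 1 -ExpandProperty FullName

# Identify the OS profile first; every plugin below depends on it.
& $Vol -f $Image imageinfo

# Triage plugins matching the capabilities listed in the request.
& $Vol -f $Image --profile=$VolProfile pslist     # running processes
& $Vol -f $Image --profile=$VolProfile netscan    # network connections and sockets
& $Vol -f $Image --profile=$VolProfile dlllist    # DLLs loaded in each process
& $Vol -f $Image --profile=$VolProfile handles -t File   # open file handles only
& $Vol -f $Image --profile=$VolProfile yarascan -y 'C:\rules\malware.yar'  # placeholder YARA rule file
```

Run it from an elevated PowerShell session on the analysis VM; each plugin writes its table to stdout, so redirect the output to a case directory if you want to keep it with the image.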