This article covers useful information about an extraction tool called Volatility. It allows the configuration of environments as well as provides multiple plugins. Moreover, you will also understand why you should use this tool over others. The app is available on many platforms, including OnWorks. This website will allow you to use the tool online. Before we learn about how you can run this app on OnWorks, let us tell you more about the tool itself.
What is Volatility tool?
The Volatility tool is a framework that contains an open collection of tools. These tools are implemented with python, which runs under the GNU (General Public License 2). Volatility is for those analysts who extract digital artifacts from volatile memory (RAM) samples.
Volatility tool is an open-source framework that is free to use by anyone. As a result, you can download the framework and start to analyze and extract artifacts. Moreover, you do not have to pay anything to use this framework. It is crucial for the analyzers to understand what is going on underneath the hood. There is no obstacle that stands between you and the source code. Meaning you can explore and do anything with the code. As a result, you will learn more about your project and work more effectively.
Basic information regarding the Volatility tool is presented here in this article. Moreover, knowing the ups and downs of such a tool also helps you follow its installation process. This framework provides its users the ability to configure the environment and work with plugins. Volatility tools have several benefits when it comes to users utilizing internal components of the framework. This framework has active developers working behind it. As a result, it keeps evolving over time, and the capabilities, plugins, installations, and other things may change in the future.
Before you get into using the volatility tool, you need to know about its main features. The volatility tool was initially not designed for only extraction of artifacts from memory forensics applications. Here are a few reasons why you should use Volatility:
- A single framework
This framework supports volatile memory of 32-bit and 64-bit of Windows, Mac, and Linux. In addition, it covers 32-but android systems. The modular design of the Volatility tool makes the framework easy to support new operating systems.
- Open Source
Since this tool is open-source, you can read the full source code. As a result, you can learn from it and extend your knowledge. Ultimately, you will become a much more effective analyst.
- Written in Python
Python is a common language used in the world of programming. On top of that, the forensic and reverse engineering industry also uses this language. As a result, users can take advantage of the libraries that python provides.
Volatility tool is available in all those operating systems that understand python language. The tool is far superior to other analyst tools that only run on windows.
How to run the Volatility tool on OnWOrks
This tool is freely available on the OnWorks platform. You can access the app directly from this website using any browser. Here is a step-by-step guide to using this tool online:
- Visit the official website of OnWorks.
- Search for “Volatility Tool” from the search bar.
- When you enter the tool page, you will have multiple options to run the app. Select your preferred OS and click on it.
- Now click on “Start” and wait for 20 seconds.
- After that, the “Enter” button will appear on the screen; simply click on it.
- Now, wait for a few more seconds, and the tool will open up on the server.
Volatility supports investigations of the following memory images:
- 32-bit Windows XP (Service Pack 2 and 3)
- 32-bit Windows 2003 Server (Service Pack 0, 1, 2)
- 32-bit Windows Vista (Service Pack 0, 1, 2)
- 32-bit Windows 2008 Server (Service Pack 1, 2)
- 32-bit Windows 7 (Service Pack 0, 1)
- 32-bit Windows 8, 8.1, and 8.1 Update 1
- 32-bit Windows 10 (initial support)
- 64-bit Windows XP (Service Pack 1 and 2)
- 64-bit Windows 2003 Server (Service Pack 1 and 2)
- 64-bit Windows Vista (Service Pack 0, 1, 2)
- 64-bit Windows 2008 Server (Service Pack 1 and 2)
- 64-bit Windows 2008 R2 Server (Service Pack 0 and 1)
- 64-bit Windows 7 (Service Pack 0 and 1)
- 64-bit Windows 8, 8.1, and 8.1 Update 1
- 64-bit Windows Server 2012 and 2012 R2
- 64-bit Windows 10 (including at least 10.0.14393)
- 64-bit Windows Server 2016 (including at least 10.0.14393.0)
- 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn’t supported)
- 32-bit 10.6.x Snow Leopard
- 32-bit 10.7.x Lion
- 64-bit 10.6.x Snow Leopard
- 64-bit 10.7.x Lion
- 64-bit 10.8.x Mountain Lion
- 64-bit 10.9.x Mavericks
- 64-bit 10.10.x Yosemite
- 64-bit 10.11.x El Capitan
- 64-bit 10.12.x Sierra
- 64-bit 10.13.x High Sierra
- 64-bit 10.14.x Mojave
- 64-bit 10.15.x Catalina
- 32-bit Linux kernels 2.6.11 to 5.5
- 64-bit Linux kernels 2.6.11 to 5.5
- OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc.
Memory format support
Volatility supports a variety of sample file formats and the ability to convert between these formats:
- Raw/Padded Physical Memory
- Firewire (IEEE 1394)
- Expert Witness (EWF)
- 32- and 64-bit Windows Crash Dump
- 32- and 64-bit Windows Hibernation (from Windows 7 or earlier)
- 32- and 64-bit Mach-O files
- Virtualbox Core Dumps
- VMware Saved State (.vmss) and Snapshot (.vmsn)
- HPAK Format (FastDump)
- QEMU memory dumps
- LiME format
The supported address spaces (RAM types) are:
- AMD64PagedMemory – Standard AMD 64-bit address space
- ArmAddressSpace – Address space for ARM processors
- FileAddressSpace – This is a direct file AS
- HPAKAddressSpace – This AS supports the HPAK format
- IA32PagedMemoryPae – This class implements the IA-32 PAE paging address space.
- It is responsible
- IA32PagedMemory – Standard IA-32 paging address space
- LimeAddressSpace – Address space for Lime
- MachOAddressSpace – Address space for mach-o files to support atc-ny memory reader
- · OSXPmemELF – This AS supports VirtualBox ELF64 coredump format
- · QemuCoreDumpElf – This AS supports Qemu ELF32 and ELF64 coredump format
- · VirtualBoxCoreDumpElf64 – This AS supports VirtualBox ELF64 coredump format
- · VMWareAddressSpace – This AS supports VMware snapshot (VMSS) and saved state
- (VMSS) files
- VMWareMetaAddressSpace – This AS supports the VMEM format with VMSN/VMSS metadata
- WindowsCrashDumpSpace32 – This AS supports windows Crash Dump format
- WindowsCrashDumpSpace64BitMap – This AS supports Windows BitMap Crash Dump
- WindowsCrashDumpSpace64 – This AS supports ts windows Crash Dump format
- WindowsHiberFileSpace32 – This is a hibernate address space for windows hibernation files
There are exemplar memory images for tests at
Use this tool whenever you want directly from OnWorks. You do not have to download the app separately due to its availability on the cloud server. As a result, you need a working device and an internet connection to run this tool. Beginners can start using the volatility tool since it uses python language. It is a popular yet very common computing language.