volatility3

Volatility 3.0 development

https://github.com/volatilityfoundation/volatility3

Science Score: 54.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
    8 of 91 committers (8.8%) from academic institutions
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (14.6%) to scientific vocabulary

Keywords

digital-investigation forensics incident-response malware memory python ram volatility volatility-framework
Last synced: 6 months ago

Repository

Volatility 3.0 development

Basic Info
Statistics
  • Stars: 3,411
  • Watchers: 63
  • Forks: 561
  • Open Issues: 124
  • Releases: 13
Created about 12 years ago · Last pushed 7 months ago
Metadata Files
Readme License Citation

README.md

Volatility 3: The volatile memory extraction framework

Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

In 2019, the Volatility Foundation released a complete rewrite of the framework, Volatility 3. The project was intended to address many of the technical and performance challenges associated with the original code base that became apparent over the previous 10 years. Another benefit of the rewrite is that Volatility 3 could be released under a custom license that was more aligned with the goals of the Volatility community, the Volatility Software License (VSL). See the LICENSE file for more details.

Quick Start

  1. Install the required dependencies:

    pip install --user -e ".[full]"

  2. See available options:

    vol -h

  3. To get more information on a Windows memory sample and to make sure Volatility supports that sample type, run vol -f <imagepath> windows.info:

    vol -f /home/user/samples/stuxnet.vmem windows.info

  4. Run some other plugins. The -f or --single-location is not strictly required, but most plugins expect a single sample. Some also require/accept other options. Run vol <plugin> -h for more information on a particular command.

Installing

Volatility 3 requires Python 3.8.0 or later and is published on the PyPI registry.

    pip install volatility3

If you want to use the latest development version of Volatility 3 we recommend you manually clone this repository and install an editable version of the project. We recommend you use a virtual environment to keep installed dependencies separate from system packages.

The latest stable version of Volatility will always be the stable branch of the GitHub repository. The default branch is develop.

    git clone https://github.com/volatilityfoundation/volatility3.git
    cd volatility3/
    python3 -m venv venv && . venv/bin/activate
    pip install -e ".[dev]"

Symbol Tables

Symbol table packs for the various operating systems are available for download at:

https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip
https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip
https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip

The hashes to verify whether any of the symbol pack files have downloaded successfully or have changed can be found at:

https://downloads.volatilityfoundation.org/volatility3/symbols/SHA256SUMS
https://downloads.volatilityfoundation.org/volatility3/symbols/SHA1SUMS
https://downloads.volatilityfoundation.org/volatility3/symbols/MD5SUMS

Symbol tables zip files must be placed, as named, into the volatility3/symbols directory (or just the symbols directory next to the executable file).
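A pack can be checked against the published SHA256SUMS before it is placed in the symbols directory. The following is an added example, not code from the Volatility project; it assumes the manifest uses the usual sha256sum line format (`<hex digest>  <file name>`), and the files and manifest in `demo()` are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_sums(text):
    """Parse sha256sum-style lines ('<hex digest>  <name>') into {name: digest}."""
    sums = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' is sha256sum's binary-mode marker
        if len(digest) != 64 or not set(digest.lower()) <= set("0123456789abcdef"):
            raise ValueError(f"malformed manifest line: {line!r}")
        sums[Path(name).name] = digest.lower()  # key on the base name only
    return sums

def sha256_file(path, chunk=1 << 20):
    # Hash in chunks so a large pack is never read into memory whole.
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_packs(symbols_dir, manifest_text,
                 packs=("windows.zip", "mac.zip", "linux.zip")):
    """Return {pack: status}; status is ok, mismatch, missing or unlisted."""
    expected = parse_sums(manifest_text)
    report = {}
    for pack in packs:
        path = Path(symbols_dir) / pack
        if pack not in expected:
            report[pack] = "unlisted"   # manifest has no digest for this pack
        elif not path.is_file():
            report[pack] = "missing"    # pack was never downloaded
        elif sha256_file(path) == expected[pack]:
            report[pack] = "ok"
        else:
            report[pack] = "mismatch"   # truncated download or changed file
    return report

def demo():
    """Constructed sample: one intact pack, one altered after the manifest was made."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "windows.zip").write_bytes(b"constructed windows pack")
        (Path(d) / "mac.zip").write_bytes(b"constructed mac pack, altered")
        manifest = (f"{hashlib.sha256(b'constructed windows pack').hexdigest()}  windows.zip\n"
                    f"{hashlib.sha256(b'constructed mac pack').hexdigest()} *mac.zip\n")
        return verify_packs(d, manifest)
```

Any status other than `ok` means the pack should be downloaded again rather than placed in the symbols directory.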

Windows symbols that cannot be found will be queried, downloaded, generated and cached. Mac and Linux symbol tables must be manually produced by a tool such as dwarf2json.

Important: The first run of Volatility with new symbol files will require the cache to be updated. The symbol packs contain a large number of symbol files, so the update may take some time! However, this process only needs to be run once for each new symbol file, so as long as the pack stays in the same location it will not need to be done again. Please also note that the update can be interrupted, and the next run will restart it.

Please note: These symbol packs are representative and are complete up to the point of creation for Windows and Mac. Due to the ease of compiling Linux kernels and the inability to uniquely distinguish them, an exhaustive set of Linux symbol tables cannot easily be supplied.

Documentation

The framework is documented through doc strings and can be built using sphinx.

The latest generated copy of the documentation can be found at: https://volatility3.readthedocs.io/en/latest/

Licensing and Copyright

Copyright (C) 2007-2025 Volatility Foundation

All Rights Reserved

https://www.volatilityfoundation.org/license/vsl-v1.0

Bugs and Support

If you think you've found a bug, please report it at:

https://github.com/volatilityfoundation/volatility3/issues

In order to help us solve your issues as quickly as possible, please include the following information when filing a bug:

  • The version of Volatility you're using
  • The operating system used to run Volatility
  • The version of Python used to run Volatility
  • The suspected operating system of the memory sample
  • The complete command line you used to run Volatility

For community support, please join us on Slack:

https://www.volatilityfoundation.org/slack

Contact

For information or requests, contact:

Volatility Foundation

Web: https://www.volatilityfoundation.org

Blog: https://volatility-labs.blogspot.com

Email: volatility (at) volatilityfoundation (dot) org

Twitter: @volatility

Owner

  • Name: Volatility Foundation
  • Login: volatilityfoundation
  • Kind: organization

Citation (CITATION.cff)

# This CITATION.cff file was generated with cffinit.
# Visit https://bit.ly/cffinit to generate yours today!

cff-version: 1.2.0
title: Volatility 3
message: >-
  If you reference this software, please feel free to cite
  it using the information below.
type: software
authors:
  - name: Volatility Foundation
    country: US
    website: 'https://www.volatilityfoundation.org/'
identifiers:
  - type: url
    value: 'https://github.com/volatilityfoundation/volatility3'
    description: Volatility 3 source code repository
repository-code: 'https://github.com/volatilityfoundation/volatility3'
url: 'https://github.com/volatilityfoundation/volatility3'
abstract: >-
  Volatility is the world's most widely used framework for
  extracting digital artifacts from volatile memory (RAM)
  samples. The extraction techniques are performed
  completely independent of the system being investigated
  but offer visibility into the runtime state of the system.
  The framework is intended to introduce people to the
  techniques and complexities associated with extracting
  digital artifacts from volatile memory samples and provide
  a platform for further work into this exciting area of
  research.
keywords:
  - malware
  - forensics
  - memory
  - python
  - ram
  - volatility

Committers

Last synced: 9 months ago

All Time
  • Total Commits: 5,199
  • Total Committers: 91
  • Avg Commits per committer: 57.132
  • Development Distribution Score (DDS): 0.468
Past Year
  • Commits: 1,444
  • Committers: 31
  • Avg Commits per committer: 46.581
  • Development Distribution Score (DDS): 0.797
Top Committers
Name Email Commits
Mike Auty m****y@g****m 2,765
Gustavo Moreira g****a@g****m 432
Andrew Case a****w@d****g 354
Abyss Watcher a****r@p****e 227
David McDonald d****a@u****u 216
Donghyun Kim d****9@g****m 161
Eve e****e@t****o 119
Michael Ligh m****h@v****m 102
Dave Lassalle d****e@v****m 88
j-t-1 1****1 81
superponible d****e@s****m 48
Paul Kermann p****n@t****m 44
atcuno a****o@g****m 42
Tejas 4****2 32
Matt Tressler m****0@g****m 31
Jan j****7@g****t 30
k1nd0ne k****e@m****m 27
Analyst a****t@A****n 25
Arthur Deierlein i****o@c****v 25
RuBublik r****r@g****m 21
memoryforensics1 6****1 18
Nick L. Petroni, Jr n****i@v****m 18
hsarkey h****y@v****m 16
KevTheHermit k****t@g****m 16
Elad Levi 9****i@g****m 16
AsafEitani a****e@s****o 15
cpuu c****u@i****m 15
Mike Auty m****e@i****g 14
xabiugarte x****e 12
Jack Wenger j****r@g****m 11
and 61 more...

Issues and Pull Requests

Last synced: 6 months ago

All Time
  • Total issues: 446
  • Total pull requests: 1,134
  • Average time to close issues: 8 months
  • Average time to close pull requests: about 1 month
  • Total issue authors: 240
  • Total pull request authors: 67
  • Average comments per issue: 4.01
  • Average comments per pull request: 2.01
  • Merged pull requests: 854
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 194
  • Pull requests: 793
  • Average time to close issues: 19 days
  • Average time to close pull requests: 6 days
  • Issue authors: 63
  • Pull request authors: 31
  • Average comments per issue: 1.48
  • Average comments per pull request: 1.62
  • Merged pull requests: 617
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
  • atcuno (88)
  • ikelos (22)
  • eve-mem (12)
  • superponible (8)
  • gcmoreira (8)
  • Abyss-W4tcher (7)
  • j-t-1 (5)
  • SolitudePy (5)
  • dgmcdona (5)
  • yassine955 (4)
  • vobst (4)
  • garanews (4)
  • the-rectifier (4)
  • lic-8 (3)
  • cmuws8n (3)
Pull Request Authors
  • atcuno (209)
  • ikelos (193)
  • gcmoreira (132)
  • dgmcdona (116)
  • j-t-1 (81)
  • Abyss-W4tcher (80)
  • eve-mem (74)
  • SolitudePy (51)
  • superponible (30)
  • paulkermann (14)
  • joren485 (8)
  • the-rectifier (8)
  • forensicxlab (7)
  • TheMythologist (7)
  • c0rydoras (6)
Top Labels
Issue Labels
parity-release (79) stale (71) needs-more-info (40) question (25) enhancement (20) plugin-request (14) awaiting-user-verification (5) linux/mac (5) windows-pdb (3) low-priority (2) file-format/layers (2) windows (2) bug (2) Windows-10 (1) tracker (1) next-release (1)
Pull Request Labels
parity-release (255) linux_parity_push (34) awaiting-author-fixes (22) awaiting-author-response (11) low-priority (7) needs-more-info (4) Minor API bump (3) next-release (3) awaiting-user-verification (1)

Packages

  • Total packages: 6
  • Total downloads:
    • pypi 37,587 last-month
    • homebrew 219 last-month
  • Total docker downloads: 764,732
  • Total dependent packages: 0
    (may contain duplicates)
  • Total dependent repositories: 11
    (may contain duplicates)
  • Total versions: 58
  • Total maintainers: 4
pypi.org: volatility3

Memory forensics framework

  • Versions: 14
  • Dependent Packages: 0
  • Dependent Repositories: 10
  • Downloads: 37,587 Last month
  • Docker Downloads: 764,732
Rankings
Docker downloads count: 0.8%
Stargazers count: 1.6%
Forks count: 2.9%
Average: 3.9%
Dependent repos count: 4.7%
Downloads: 6.0%
Dependent packages count: 7.4%
Maintainers (3)
Last synced: 6 months ago
proxy.golang.org: github.com/volatilityfoundation/volatility3
  • Versions: 13
  • Dependent Packages: 0
  • Dependent Repositories: 0
Rankings
Stargazers count: 1.5%
Forks count: 1.6%
Average: 5.9%
Dependent packages count: 9.6%
Dependent repos count: 10.8%
Last synced: 6 months ago
alpine-edge: volatility3-pyc

Precompiled Python bytecode for volatility3

  • Versions: 8
  • Dependent Packages: 0
  • Dependent Repositories: 0
Rankings
Dependent repos count: 0.0%
Forks count: 6.7%
Average: 7.2%
Stargazers count: 8.4%
Dependent packages count: 13.9%
Maintainers (1)
Last synced: 6 months ago
alpine-edge: volatility3

Volatile memory forensics toolkit

  • Versions: 9
  • Dependent Packages: 0
  • Dependent Repositories: 0
Rankings
Dependent repos count: 0.0%
Forks count: 6.7%
Average: 7.4%
Stargazers count: 8.3%
Dependent packages count: 14.6%
Maintainers (1)
Last synced: 6 months ago
alpine-edge: volatility3-doc

Volatile memory forensics toolkit (documentation)

  • Versions: 8
  • Dependent Packages: 0
  • Dependent Repositories: 0
Rankings
Dependent repos count: 0.0%
Forks count: 6.7%
Average: 7.4%
Stargazers count: 8.3%
Dependent packages count: 14.6%
Maintainers (1)
Last synced: 6 months ago
formulae.brew.sh: volatility

Advanced memory forensics framework

  • Versions: 6
  • Dependent Packages: 0
  • Dependent Repositories: 1
  • Downloads: 219 Last month
Rankings
Forks count: 8.2%
Stargazers count: 11.9%
Average: 18.6%
Dependent packages count: 19.4%
Downloads: 24.1%
Dependent repos count: 29.5%
Last synced: 6 months ago

Dependencies

.github/workflows/black.yml actions
  • actions/checkout v2 composite
  • psf/black stable composite
.github/workflows/build-pypi.yml actions
  • actions/checkout v3 composite
  • actions/setup-python v4 composite
  • actions/upload-artifact v2 composite
.github/workflows/codeql.yml actions
  • actions/checkout v3 composite
  • github/codeql-action/analyze v2 composite
  • github/codeql-action/autobuild v2 composite
  • github/codeql-action/init v2 composite
.github/workflows/test.yaml actions
  • actions/checkout v3 composite
  • actions/setup-python v4 composite
doc/requirements.txt pypi
  • sphinx >=4.0.0
  • sphinx-rtd-theme >=0.4.3
  • sphinx_autodoc_typehints >=1.4.0
requirements-dev.txt pypi
  • capstone >=3.0.5 development
  • jsonschema >=2.3.0 development
  • leechcorepyc >=2.4.0 development
  • pefile >=2017.8.1 development
  • pycryptodome * development
  • python-snappy ==0.6.0 development
  • yara-python >=3.8.0 development
requirements-minimal.txt pypi
  • pefile >=2017.8.1
requirements.txt pypi
  • capstone >=3.0.5
  • leechcorepyc >=2.4.0
  • pefile >=2017.8.1
  • pycryptodome *
  • python-snappy ==0.6.0
  • yara-python >=3.8.0
test/requirements-testing.txt pypi
  • pefile >=2017.8.1 test
  • pytest >=7.0.0 test
  • yara-python >=3.8.0 test
.github/workflows/install.yml actions
  • actions/checkout v3 composite
  • actions/setup-python v4 composite
.github/workflows/stale.yml actions
  • actions/stale v5 composite
setup.py pypi