[Forensics-changes] [volatility] 01/01: debian directory - first commit.
Eriberto Mota
eriberto-guest at alioth.debian.org
Sat Nov 2 03:30:50 UTC 2013
This is an automated email from the git hooks/post-receive script.
eriberto-guest pushed a commit to branch debian
in repository volatility.
commit b190f35f6c20383df152e4c90fa08cd8cee23e83
Author: Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
Date: Sat Nov 2 01:30:30 2013 -0200
debian directory - first commit.
---
debian/changelog | 5 +
debian/compat | 1 +
debian/control | 48 +++++
debian/copyright | 79 +++++++
debian/docs | 1 +
debian/gbp.conf | 3 +
debian/links | 1 +
debian/man/notes | 12 ++
debian/man/volatility.1 | 465 ++++++++++++++++++++++++++++++++++++++++
debian/man/volatility.1.header | 1 +
debian/man/volatility.txt | 336 +++++++++++++++++++++++++++++
debian/manpages | 1 +
debian/rules | 13 ++
debian/source/format | 1 +
debian/source/options | 2 +
debian/watch | 2 +
16 files changed, 971 insertions(+)
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..1f3baa7
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+volatility (2.3.1-1) unstable; urgency=low
+
+ * Initial release (Closes: #728251)
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Sat, 02 Nov 2013 01:10:33 -0200
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..2e4c6a8
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,48 @@
+Source: volatility
+Section: utils
+Priority: optional
+Maintainer: Debian Forensics <forensics-devel at lists.alioth.debian.org>
+Uploaders: Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>, Michael Prokop <mika at debian.org>
+Build-Depends: debhelper (>= 9), python
+X-Python-Version: >= 2.6
+Standards-Version: 3.9.4
+Homepage: https://code.google.com/p/volatility
+Vcs-Git: git://anonscm.debian.org/collab-maint/volatility.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=forensics/volatility.git;a=summary
+
+Package: volatility
+Architecture: all
+Suggests: lime-forensics-dmks, libraw1394-11
+Depends: ${misc:Depends}, ${python:Depends}, python-crypto, python-imaging, python-openpyxl
+Description: advanced memory forensics framework
+ The Volatility Framework is a completely open collection of tools for the
+ extraction of digital artifacts from volatile memory (RAM) samples. It is
+ useful in forensics analysis. The extraction techniques are performed
+ completely independent of the system being investigated but offer
+ unprecedented visibilty into the runtime state of the system.
+ .
+ Volatility supports memory dumps from all major 32- and 64-bit Windows
+ versions and service packs including XP, 2003 Server, Vista, Server 2008,
+ Server 2008 R2, and Seven. Whether your memory dump is in raw format, a
+ Microsoft crash dump, hibernation file, or virtual machine snapshot,
+ Volatility is able to work with it.
+ .
+ Linux memory dumps in raw or LiME format is supported too. There are several
+ plugins for analyzing 32- and 64-bit Linux kernels and distributions such as
+ Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake.
+ .
+ Volatility support several versions of Mac OSX memory dumps from 10.5 to
+ 10.8.3 Mountain Lion, both 32- and 64-bit. Android phones with ARM processors
+ are also supported.
+ .
+ These are some of the data that can be extracted:
+ .
+ - Image information (date, time, CPU count).
+ - Running processes.
+ - Open network sockets and connections.
+ - OS kernel modules loaded.
+ - Memory maps for each process.
+ - Executables samples.
+ - Command histories.
+ - Passwords, as LM/NTLM hashes and LSA secrets.
+ - Others.
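Review bot: Vcs-Git and Vcs-Browser in the source stanza name different repositories (collab-maint/volatility.git versus forensics/volatility.git). Both fields should point at the same repository, and with Maintainer set to Debian Forensics the forensics path is presumably the intended one. In the binary stanza, "Suggests: lime-forensics-dmks" looks like a transposition of "dkms"; please check it against the actual package name. The long description also needs a proofread: "visibilty", "Linux memory dumps in raw or LiME format is supported" and "Volatility support several versions".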
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..f6317a1
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,79 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: volatility
+Source: https://code.google.com/p/volatility
+
+Files: *
+Copyright: 2004 Commonwealth of Australia
+ <{scudette,daveco}@users.sourceforge.net>
+ 2004-2007 4tphi Research <{npetroni,awalters}@4tphi.net>
+ Nick L. Petroni <npetroni at 4tphi.net>
+ 2004-2013 AAron Walters <awalters at 4tphi.net>
+ 2007-2013 Volatility Foundation <volatility at volatilityfoundation.org>
+ Andrew Case <atcuno at gmail.com>
+ Brendan Dolan-Gavitt <bdolangavitt at wesleyan.edu>
+ Michael Cohen <scudette at gmail.com>
+ Michael Hale Ligh <michael.ligh at mnin.org> or
+ <michael.hale at gmail.com>
+ Mike Auty <mike.auty at gmail.com>
+ Timothy D. Morgan
+ 2010 Bradley Schatz <bradley at schatzforensic.com.au>
+ 2011-2013 Jamie Levy (Gleeda) <jamie.levy at gmail.com>
+ 2012 Nir Izraeli <nirizr at gmail.com>
+ 2012-2013 Cem Gurkok <cemgurkok at gmail.com>
+ ? Andreas Schuster <a.schuster at forensikblog.de>
+ attc <atcuno at gmail.com>
+ Joe Sylve - joe.sylve at gmail.com
+ Matthieu (Matt) Suiche
+ Philippe Teuwen <phil at teuwen.org>
+ Santiago Vicente
+License: GPL-2.0
+
+
+Files: contrib/plugins/psdispscan.py
+Copyright: 2007,2008 Brendan Dolan-Gavitt <bdolangavitt at wesleyan.edu>
+License: GPL-2.0+
+
+
+Files: tools/linux/pmem/pmem.c
+Copyright: 2011 Michael Cohen <scudette at gmail.com>
+License: GPL-2.0+ or Apache-2.0
+
+
+Files: debian/*
+Copyright: 2013 Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
+License: GPL-2.0
+
+
+License: GPL-2.0 or GPL-2.0+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
+
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian systems, the complete text of the Apache License version 2.0
+ can be found in "/usr/share/common-licenses/Apache-2.0".
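Review bot: The stand-alone paragraph "License: GPL-2.0 or GPL-2.0+" matches none of the short names used in the Files stanzas ("GPL-2.0", "GPL-2.0+", "GPL-2.0+ or Apache-2.0"), so a copyright-format 1.0 reader cannot associate either name with this text. Split it into one stand-alone paragraph per short name, and consider the format's own names, GPL-2 and GPL-2+. The body is the "either version 2 of the License, or (at your option) any later version" grant, which fits the GPL-2.0+ files but is broader than what "Files: *" and "Files: debian/*" declare, both being version 2 only, so the version-2-only paragraph needs its own wording. The "?" in the year column of the first stanza should be resolved, or the years dropped for those holders, before upload.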
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..71dfd5b
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1 @@
+README.txt
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..23e88fe
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian
+pristine-tar = True
diff --git a/debian/links b/debian/links
new file mode 100644
index 0000000..6f80d3a
--- /dev/null
+++ b/debian/links
@@ -0,0 +1 @@
+/usr/share/volatility/vol.py /usr/bin/volatility
diff --git a/debian/man/notes b/debian/man/notes
new file mode 100644
index 0000000..eb0108b
--- /dev/null
+++ b/debian/man/notes
@@ -0,0 +1,12 @@
+The manpage was generated from several fonts.
+
+OPTIONS:
+ - volatility -h
+ - http://code.google.com/p/volatility/wiki/Release23#Operating_Systems
+ - http://code.google.com/p/volatility/wiki/Release23#Address_Spaces
+
+PLUGINS:
+ - http://code.google.com/p/volatility/wiki/Release23#Plugins
+
+PROFILES:
+ - http://code.google.com/p/volatility/wiki/VolatilityUsage23#Selecting_a_Profile
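Review bot: "The manpage was generated from several fonts." on the first line reads as a mistranslation; "sources" seems to be the intended word, since the lists that follow are the inputs used for each manpage section. It would also help to note here that debian/man/volatility.1 is produced by txt2man from volatility.txt and volatility.1.header, so that later edits are made to the text file and not to the generated page.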
diff --git a/debian/man/volatility.1 b/debian/man/volatility.1
new file mode 100644
index 0000000..676c2f6
--- /dev/null
+++ b/debian/man/volatility.1
@@ -0,0 +1,465 @@
+.\"Text automatically generated by txt2man
+.TH VOLATILITY "1" "Oct 2013" "VOLATILITY 2.3" "advanced memory forensics framework"
+.SH NAME
+volatility - advanced memory forensics framework
+.SH SYNOPSIS
+.nf
+.fam C
+\fBvolatility\fP [\fIoption\fP]
+\fBvolatility\fP [\fIplugin\fP] \fB-f\fP [\fIimage\fP] \fB--profile\fP=[profile]
+.fam T
+.fi
+.fam T
+.fi
+.SH DESCRIPTION
+The Volatility Framework is a completely open collection of tools for the
+extraction of digital artifacts from volatile memory (RAM) samples. It is
+useful in forensics analysis. The extraction techniques are performed
+completely independent of the system being investigated but offer
+unprecedented visibilty into the runtime state of the system.
+.PP
+Currently, \fBvolatility\fP supports several versions of the MS Windows, Linux
+and MAC OS:
+.PP
+.nf
+.fam C
+ Windows
+ 32-bit Windows XP Service Pack 2 and 3
+ 32-bit Windows 2003 Server Service Pack 0, 1, 2
+ 32-bit Windows Vista Service Pack 0, 1, 2
+ 32-bit Windows 2008 Server Service Pack 1, 2
+ 32-bit Windows 7 Service Pack 0, 1
+ 64-bit Windows XP Service Pack 1 and 2
+ 64-bit Windows 2003 Server Service Pack 1 and 2
+ 64-bit Windows Vista Service Pack 0, 1, 2
+ 64-bit Windows 2008 Server Service Pack 1 and 2
+ 64-bit Windows 2008 R2 Server Service Pack 0 and 1
+ 64-bit Windows 7 Service Pack 0 and 1
+ Linux
+ 32-bit Linux kernels 2.6.11 to 3.5
+ 64-bit Linux kernels 2.6.11 to 3.5
+ OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
+ Mac OSX
+ 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
+ 32-bit 10.6.x Snow Leopard
+ 64-bit 10.6.x Snow Leopard
+ 32-bit 10.7.x Lion
+ 64-bit 10.7.x Lion
+ 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
+
+.fam T
+.fi
+The supported address spaces (RAM types) are:
+.PP
+.nf
+.fam C
+ FileAddressSpace - This is a direct file AS
+ Standard Intel x86 address spaces
+ IA32PagedMemoryPae
+ IA32PagedMemory
+ AMD64PagedMemory - This AS supports AMD 64-bit address spaces
+ WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format (x86)
+ WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format (x64)
+ WindowsHiberFileSpace32 - This AS supports windows hibernation files (x86 and x64)
+ EWFAddressSpace - This AS supports expert witness (EWF) files
+ FirewireAddressSpace - This AS supports direct memory access over firewire
+ LimeAddressSpace - This AS supports LiME (Linux Memory Extractor)
+ MachOAddressSpace - This AS supports 32- and 64-bit Mac OSX memory dumps
+ ArmAddressSpace - This AS supports memory dumps from 32-bit ARM (there is no 64-bit ARM yet)
+ VirtualBoxCoreDumpElf64 - This AS supports memory dumps from VirtualBox virtual machines
+ VMware Snapshot - This AS supports VMware saved state (.vmss) and VMware snapshot (.vmsn) files. Note: these are not raw memory dumps like the typical .vmem files.
+ HPAKAddressSpace - This AS supports ".hpak" files produced by H.B. Gary's FDPro tool.
+
+.fam T
+.fi
+You can get RAM images for tests at https://code.google.com/p/\fBvolatility\fP/wiki/SampleMemoryImages.
+.SH OPTIONS
+.TP
+.B
+\fB-h\fP, \fB--help\fP
+list all available options and their default values.
+Default values may be set in the configuration file (/etc/volatilityrc)
+.PP
+\fB--conf-file=/root/.volatilityrc\fP
+User based configuration file
+.TP
+.B
+\fB-d\fP, \fB--debug\fP
+Debug \fBvolatility\fP
+.TP
+.B
+\fB--plugins\fP=PLUGINS
+Additional \fIplugin\fP directories to use (colon separated)
+.TP
+.B
+\fB--info\fP
+Print information about all registered objects
+\fB--cache-directory\fP=/root/.cache/\fBvolatility\fP
+Directory where cache files are stored
+.TP
+.B
+\fB--cache\fP
+Use caching
+.TP
+.B
+\fB--tz\fP=TZ
+Sets the timezone for displaying timestamps
+\fB-f\fP FILENAME, \fB--filename\fP=FILENAME
+Filename to use when opening an \fIimage\fP
+\fB--profile\fP=WinXPSP2x86
+Name of the profile to load
+\fB-l\fP LOCATION, \fB--location\fP=LOCATION
+A URN location from which to load an address space
+.TP
+.B
+\fB-w\fP, \fB--write\fP
+Enable write support
+.TP
+.B
+\fB--dtb\fP=DTB
+DTB Address
+.TP
+.B
+\fB--cache-dtb\fP
+Cache virtual to physical mappings
+.TP
+.B
+\fB--output\fP=text
+Output in this format (format support is module
+specific)
+\fB--output-file\fP=OUTPUT_FILE
+write output in this file
+.TP
+.B
+\fB-v\fP, \fB--verbose\fP
+Verbose information
+.TP
+.B
+\fB--shift\fP=SHIFT
+Mac KASLR shift address
+.TP
+.B
+\fB-g\fP KDBG, \fB--kdbg\fP=KDBG
+Specify a specific KDBG virtual address
+.TP
+.B
+\fB-k\fP KPCR, \fB--kpcr\fP=KPCR
+Specify a specific KPCR address
+.SH PLUGINS
+The supported plugins are:
+.PP
+.nf
+.fam C
+ Windows
+ Image Identification
+ imageinfo - Identify information for the image
+ kdbgscan - Search for and dump potential KDBG values
+ kpcrscan - Search for and dump potential _KPCR values
+ Process and DLLs
+ pslist - Print active processes by following the _EPROCESS list
+ pstree - Print process list as a tree
+ psscan - Scan Physical memory for _EPROCESS pool allocations
+ psdispscan - Scan Physical memory for _EPROCESS objects based on Dispatch Headers (Windows XP x86 only)
+ dlllist - Print list of loaded DLLs for each process
+ dlldump - Dump DLLs from a process address space
+ handles - Print list of open handles for each process
+ getsids - Print the SIDs owning each process
+ verinfo - Print a PE file's version information
+ enumfunc - Enumerate a PE file's imports and exports
+ envars - Display process environment variables
+ cmdscan - Extract command history by scanning for _COMMAND_HISTORY
+ consoles - Extract command history by scanning for _CONSOLE_INFORMATION
+ privs - Identify the present and/or enabled windows privileges for each process
+ Process Memory
+ memmap - Print the memory map
+ memdump - Dump the addressable memory for a process
+ procexedump - Dump a process to an executable file
+ procmemdump - Dump a process to an executable memory sample
+ vadwalk - Walk the VAD tree
+ vadtree - Walk the VAD tree and display in tree format
+ vadinfo - Dump the VAD info
+ vaddump - Dumps out the vad sections to a file
+ evtlogs - Parse XP and 2003 event logs from memory
+ iehistory - Extract and parse Internet Explorer history and URL cache
+ Kernel Memory and Objects
+ modules - Print list of loaded modules
+ modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
+ moddump - Extract a kernel driver to disk
+ ssdt - Print the Native and GDI System Service Descriptor Tables
+ driverscan - Scan physical memory for _DRIVER_OBJECT objects
+ filescan - Scan physical memory for _FILE_OBJECT objects
+ mutantscan - Scan physical memory for _KMUTANT objects
+ symlinkscan - Scans for symbolic link objects
+ thrdscan - Scan physical memory for _ETHREAD objects
+ dumpfiles - Reconstruct files from the windows cache manager and shared section objects
+ unloadedmodules - Show recently unloaded kernel modules (which indirectly tells you which ones recently loaded)
+ Win32k / GUI Memory
+ sessions - List details on _MM_SESSION_SPACE (user logon sessions)
+ wndscan - Pool scanner for tagWINDOWSTATION (window stations)
+ deskscan - Poolscaner for tagDESKTOP (desktops)
+ atomscan - Pool scanner for _RTL_ATOM_TABLE
+ atoms - Print session and window station atom tables
+ clipboard - Extract the contents of the windows clipboard
+ eventhooks - Print details on windows event hooks
+ gathi - Dump the USER handle type information
+ messagehooks - List desktop and thread window message hooks
+ screenshot - Save a pseudo-screenshot based on GDI windows
+ userhandles - Dump the USER handle tables
+ windows - Print Desktop Windows (verbose details)
+ wintree - Print Z-Order Desktop Windows Tree
+ gditimers - Analyze GDI timer objects and their callbacks
+ Networking
+ connections - Print open connections (XP and 2003 only)
+ connscan - Scan Physical memory for _TCPT_OBJECT objects (XP and 2003 only)
+ sockets - Print open sockets (XP and 2003 only)
+ sockscan - Scan Physical memory for _ADDRESS_OBJECT (XP and 2003 only)
+ netscan - Scan physical memory for network objects (Vista, 2008, and 7)
+ Registry
+ hivescan - Scan Physical memory for _CMHIVE objects
+ hivelist - Print list of registry hives
+ printkey - Print a registry key, and its subkeys and values
+ hivedump - Recursively prints all keys and timestamps in a given hive
+ hashdump - Dumps passwords hashes (LM/NTLM) from memory (x86 only)
+ lsadump - Dump (decrypted) LSA secrets from the registry (XP and 2003 x86 only)
+ userassist - Parses and output User Assist keys from the registry
+ shimcache - Parses the Application Compatibility Shim Cache registry key
+ getservicesids - Calculate SIDs for windows services in the registry
+ shellbags - This plugin parses and prints Shellbag information obtained from the registry
+ File Formats
+ crashinfo - Dump crash-dump information
+ hibinfo - Dump hibernation file information
+ imagecopy - Copies a physical address space out as a raw DD image
+ raw2dmp - Converts a physical memory sample to a windbg crash dump
+ vboxinfo - Display header and memory runs information from VirtualBox core dumps
+ vmwareinfo - Display header and memory runs information from VMware vmss or vmsn files
+ hpakinfo - Display header and memory runs information from .hpak files
+ hpakextract - Extract (and decompress if necessary) the raw physical memory dump from an .hpak file
+ Malware
+ malfind - Find hidden and injected code
+ svcscan - Scan for Windows services
+ ldrmodules - Detect unlinked DLLs
+ impscan - Scan for calls to imported functions
+ apihooks - Detect API hooks in process and kernel memory (x86 only)
+ idt - Dumps the Interrupt Descriptor Table (x86 only)
+ gdt - Dumps the Global Descriptor Table (x86 only)
+ threads - Investigate _ETHREAD and _KTHREADs
+ callbacks - Print system-wide notification routines (x86 only)
+ driverirp - Driver IRP hook detection
+ devicetree - Show device tree
+ psxview - Find hidden processes with various process listings
+ timers - Print kernel timers and associated module DPCs (x86 only)
+ File System
+ mbrparser - Scans for and parses potential Master Boot Records (MBRs)
+ mftparser - Scans for and parses potential MFT entries
+ Miscellaneous
+ strings - Match physical offsets to virtual addresses
+ volshell - Shell to interactively explore a memory image
+ bioskbd - Reads the keyboard buffer from Real Mode memory
+ patcher - Patches memory based on page scans
+ timeliner - Produce timelines in body file format, excel 2007 spreadsheets, or text
+ dumpcerts - Extract SSL private and public keys/certs
+ Linux/Android
+ Processes
+ linux_pslist - Gather active tasks by walking the task_struct->task list
+ linux_psaux - Gathers processes along with full command line and start time
+ linux_pstree - Shows the parent/child relationship between processes
+ linux_pslist_cache - Gather tasks from the kmem_cache
+ linux_pidhashtable - Enumerates processes through the PID hash table
+ linux_psxview - Find hidden processes with various process listings
+ linux_lsof - Lists open files
+ Process Memory
+ linux_memmap - Dumps the memory map for linux tasks
+ linux_proc_maps - Gathers process maps for linux
+ linux_dump_map - Writes selected process memory mappings to disk
+ linux_bash - Recover bash history from bash process memory
+ Kernel Memory and Objects
+ linux_lsmod - Gather loaded kernel modules
+ linux_tmpfs - Recovers tmpfs filesystems from memory
+ linux_moddump - Extract an LKM from memory to disk (.text segment only)
+ Networking
+ linux_arp - Print the ARP table
+ linux_ifconfig - Gathers active interfaces
+ linux_netstat - Lists open sockets
+ linux_route_cache - Recovers the routing cache from memory
+ linux_pkt_queues - Writes per-process packet queues out to disk
+ linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
+ Malware/Rootkits
+ linux_check_afinfo - Verifies the operation function pointers of network protocols
+ linux_check_creds - Checks if any processes are sharing credential structures
+ linux_check_fop - Check file operation structures for rootkit modifications
+ linux_check_idt - Checks if the IDT has been altered
+ linux_check_modules - Compares module list to sysfs info, if available
+ linux_check_syscall - Checks if the system call table has been altered
+ linux_check_syscall_arm - Checks if the system call table has been altered (ARM)
+ linux_check_tty - Check TTY devices for rootkit hooks
+ linux_check_evt_arm - Check ARM exception vector table for hooks
+ System Information
+ linux_cpuinfo - Prints info about each active processor
+ linux_dmesg - Gather dmesg buffer
+ linux_iomem - Provides output similar to /proc/iomem
+ linux_mount - Gather mounted fs/devices
+ linux_mount_cache - Gather mounted fs/devices from kmem_cache
+ linux_slabinfo - Mimics /proc/slabinfo on a running machine
+ linux_dentry_cache - Gather files from the dentry cache
+ linux_find_file - Extract cached file contents from memory via inodes
+ linux_vma_cache - Gather VMAs from the vm_area_struct cache
+ linux_keyboard_notifier - Parses the keyboard notifier call chain
+ Miscellaneous
+ linux_volshell - Shell to interactively explore Linux/Android memory captures
+ linux_yarascan - Scan process and kernel memory with yara signatures
+ Mac OSX
+ Processes
+ mac_pslist - List running processes
+ mac_tasks - List active tasks
+ mac_pstree - Show parent/child relationship of processes
+ mac_lsof - Lists per-process open files
+ mac_pgrp_hash_table - Walks the process group hash table
+ mac_pid_hash_table - Walks the pid hash table
+ mac_dead_procs - List dead/terminated processes
+ mac_psaux - Prints processes with their command-line arguments (argv)
+ Process Memory
+ mac_proc_maps - Print information on allocated process memory ranges
+ mac_dump_maps - Dumps memory ranges of processes
+ Kernel Memory and Objects
+ mac_list_sessions - Enumerates sessions
+ mac_list_zones - Enumerates zones (allocated/freed object counts)
+ mac_lsmod - Lists loaded kernel modules
+ mac_mount - Prints mounted device information
+ Networking
+ mac_arp - Prints the arp table
+ mac_ifconfig - Lists network interface information for all devices
+ mac_netstat - Lists active per-process network connections
+ mac_route - Prints the routing table
+ Malware/Rootkits
+ mac_check_sysctl - Check for unknown sysctl handlers
+ mac_check_syscalls - Check for hooked syscall table entries
+ mac_check_trap_table - Checks to see if mach trap table entries are hooked
+ mac_ip_filters - Reports any hooked IP filters
+ mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
+ mac_trustedbsd - List malicious trustedbsd policies
+ System Information
+ mac_dmesg - Prints the kernel debug buffers
+ mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
+ mac_machine_info - Prints machine information about the sample
+ mac_version - Prints the Mac version
+ mac_print_boot_cmdline - Prints the mac boot command line
+ Miscellaneous
+ mac_volshell - Shell to interactively explore mac memory captures
+ machoinfo - Display header and memory runs for Mach-O memory dumps
+ mac_yarascan - Scan for Yara signatures in process or kernel memory
+.fam T
+.fi
+.SH PROFILES
+Profiles are maps used by \fBvolatility\fP to understand the operational systems. The profiles provided by the \fBvolatility\fP are:
+.TP
+.B
+VistaSP0x64
+- A Profile for Windows Vista SP0 x64
+.TP
+.B
+VistaSP0x86
+- A Profile for Windows Vista SP0 x86
+.TP
+.B
+VistaSP1x64
+- A Profile for Windows Vista SP1 x64
+.TP
+.B
+VistaSP1x86
+- A Profile for Windows Vista SP1 x86
+.TP
+.B
+VistaSP2x64
+- A Profile for Windows Vista SP2 x64
+.TP
+.B
+VistaSP2x86
+- A Profile for Windows Vista SP2 x86
+.TP
+.B
+Win2003SP0x86
+- A Profile for Windows 2003 SP0 x86
+.TP
+.B
+Win2003SP1x64
+- A Profile for Windows 2003 SP1 x64
+.TP
+.B
+Win2003SP1x86
+- A Profile for Windows 2003 SP1 x86
+.TP
+.B
+Win2003SP2x64
+- A Profile for Windows 2003 SP2 x64
+.TP
+.B
+Win2003SP2x86
+- A Profile for Windows 2003 SP2 x86
+Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
+Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
+.TP
+.B
+Win2008SP1x64
+- A Profile for Windows 2008 SP1 x64
+.TP
+.B
+Win2008SP1x86
+- A Profile for Windows 2008 SP1 x86
+.TP
+.B
+Win2008SP2x64
+- A Profile for Windows 2008 SP2 x64
+.TP
+.B
+Win2008SP2x86
+- A Profile for Windows 2008 SP2 x86
+.TP
+.B
+Win7SP0x64
+- A Profile for Windows 7 SP0 x64
+.TP
+.B
+Win7SP0x86
+- A Profile for Windows 7 SP0 x86
+.TP
+.B
+Win7SP1x64
+- A Profile for Windows 7 SP1 x64
+.TP
+.B
+Win7SP1x86
+- A Profile for Windows 7 SP1 x86
+.TP
+.B
+WinXPSP1x64
+- A Profile for Windows XP SP1 x64
+.TP
+.B
+WinXPSP2x64
+- A Profile for Windows XP SP2 x64
+.TP
+.B
+WinXPSP2x86
+- A Profile for Windows XP SP2 x86
+.TP
+.B
+WinXPSP3x86
+- A Profile for Windows XP SP3 x86
+.PP
+To determine the OS type, you can use:
+.PP
+# \fBvolatility\fP \fB-f\fP <\fIimage\fP> imageinfo
+.PP
+You must create your own profiles for Linux and MAC. For this, please, see:
+.PP
+Linux: https://code.google.com/p/\fBvolatility\fP/wiki/LinuxMemoryForensics#Creating_a_profile
+MAC: https://code.google.com/p/\fBvolatility\fP/wiki/MacMemoryForensics#Building_a_Profile
+.SH NOTES
+This manpage was based in several official documents about \fBvolatility\fP.
+For other information and tutorials, see:
+.PP
+https://code.google.com/p/\fBvolatility\fP/wiki/VolatilityUsage23
+.SH AUTHOR
+\fBvolatility\fP was written by several contributors. For contact, use the mail <\fBvolatility\fP at volatilityfoundation.org>.
+.PP
+This manual page was written by Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> for the Debian project (but may be used by others).
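Review bot: In OPTIONS, "--conf-file=/root/.volatilityrc" and "--cache-directory=/root/.cache/volatility" appear to be defaults captured from a "volatility -h" run as root, not paths every user will see. Describe them as per-user paths (~/.volatilityrc, ~/.cache/volatility) instead. Several entries have no ".TP"/".B" pair before them and will run into the preceding description when rendered: --conf-file (introduced with ".PP"), --cache-directory, "-f FILENAME", --profile, "-l LOCATION", --output-file, and the two Win2008R2 lines under PROFILES. The SYNOPSIS block closes with ".fam T" / ".fi" twice, and the URLs contain "\fBvolatility\fP", which puts font escapes inside the links. Since the first line says the text is generated by txt2man, these are best fixed in debian/man/volatility.txt and the page regenerated. For a forensics tool, "-w, --write / Enable write support" would benefit from a sentence saying what gets written, so nobody enables it against an evidence image by accident. Wording: "operational systems" should be "operating systems", "based in" should be "based on", and "visibilty" is misspelled.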
diff --git a/debian/man/volatility.1.header b/debian/man/volatility.1.header
new file mode 100644
index 0000000..ddb7269
--- /dev/null
+++ b/debian/man/volatility.1.header
@@ -0,0 +1 @@
+.TH VOLATILITY "1" "Oct 2013" "VOLATILITY 2.3" "advanced memory forensics framework"
diff --git a/debian/man/volatility.txt b/debian/man/volatility.txt
new file mode 100644
index 0000000..4488dd1
--- /dev/null
+++ b/debian/man/volatility.txt
@@ -0,0 +1,336 @@
+ volatility - advanced memory forensics framework
+SYNOPSIS
+ volatility [option]
+ volatility [plugin] -f [image] --profile=[profile]
+DESCRIPTION
+ The Volatility Framework is a completely open collection of tools for the
+ extraction of digital artifacts from volatile memory (RAM) samples. It is
+ useful in forensics analysis. The extraction techniques are performed
+ completely independent of the system being investigated but offer
+ unprecedented visibilty into the runtime state of the system.
+
+ Currently, volatility supports several versions of the MS Windows, Linux
+ and MAC OS:
+
+ Windows
+ 32-bit Windows XP Service Pack 2 and 3
+ 32-bit Windows 2003 Server Service Pack 0, 1, 2
+ 32-bit Windows Vista Service Pack 0, 1, 2
+ 32-bit Windows 2008 Server Service Pack 1, 2
+ 32-bit Windows 7 Service Pack 0, 1
+ 64-bit Windows XP Service Pack 1 and 2
+ 64-bit Windows 2003 Server Service Pack 1 and 2
+ 64-bit Windows Vista Service Pack 0, 1, 2
+ 64-bit Windows 2008 Server Service Pack 1 and 2
+ 64-bit Windows 2008 R2 Server Service Pack 0 and 1
+ 64-bit Windows 7 Service Pack 0 and 1
+ Linux
+ 32-bit Linux kernels 2.6.11 to 3.5
+ 64-bit Linux kernels 2.6.11 to 3.5
+ OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
+ Mac OSX
+ 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
+ 32-bit 10.6.x Snow Leopard
+ 64-bit 10.6.x Snow Leopard
+ 32-bit 10.7.x Lion
+ 64-bit 10.7.x Lion
+ 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
+
+ The supported address spaces (RAM types) are:
+
+ FileAddressSpace - This is a direct file AS
+ Standard Intel x86 address spaces
+ IA32PagedMemoryPae
+ IA32PagedMemory
+ AMD64PagedMemory - This AS supports AMD 64-bit address spaces
+ WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format (x86)
+ WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format (x64)
+ WindowsHiberFileSpace32 - This AS supports windows hibernation files (x86 and x64)
+ EWFAddressSpace - This AS supports expert witness (EWF) files
+ FirewireAddressSpace - This AS supports direct memory access over firewire
+ LimeAddressSpace - This AS supports LiME (Linux Memory Extractor)
+ MachOAddressSpace - This AS supports 32- and 64-bit Mac OSX memory dumps
+ ArmAddressSpace - This AS supports memory dumps from 32-bit ARM (there is no 64-bit ARM yet)
+ VirtualBoxCoreDumpElf64 - This AS supports memory dumps from VirtualBox virtual machines
+ VMware Snapshot - This AS supports VMware saved state (.vmss) and VMware snapshot (.vmsn) files. Note: these are not raw memory dumps like the typical .vmem files.
+ HPAKAddressSpace - This AS supports ".hpak" files produced by H.B. Gary's FDPro tool.
+
+ You can get RAM images for tests at https://code.google.com/p/volatility/wiki/SampleMemoryImages.
+OPTIONS
+ -h, --help list all available options and their default values.
+ Default values may be set in the configuration file (/etc/volatilityrc)
+
+ --conf-file=/root/.volatilityrc
+ User based configuration file
+ -d, --debug Debug volatility
+ --plugins=PLUGINS Additional plugin directories to use (colon separated)
+ --info Print information about all registered objects
+ --cache-directory=/root/.cache/volatility
+ Directory where cache files are stored
+ --cache Use caching
+ --tz=TZ Sets the timezone for displaying timestamps
+ -f FILENAME, --filename=FILENAME
+ Filename to use when opening an image
+ --profile=WinXPSP2x86
+ Name of the profile to load
+ -l LOCATION, --location=LOCATION
+ A URN location from which to load an address space
+ -w, --write Enable write support
+ --dtb=DTB DTB Address
+ --cache-dtb Cache virtual to physical mappings
+ --output=text Output in this format (format support is module
+ specific)
+ --output-file=OUTPUT_FILE
+ write output in this file
+ -v, --verbose Verbose information
+ --shift=SHIFT Mac KASLR shift address
+ -g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address
+ -k KPCR, --kpcr=KPCR Specify a specific KPCR address
+PLUGINS
+ The supported plugins are:
+
+ Windows
+ Image Identification
+ imageinfo - Identify information for the image
+ kdbgscan - Search for and dump potential KDBG values
+ kpcrscan - Search for and dump potential _KPCR values
+ Process and DLLs
+ pslist - Print active processes by following the _EPROCESS list
+ pstree - Print process list as a tree
+ psscan - Scan Physical memory for _EPROCESS pool allocations
+ psdispscan - Scan Physical memory for _EPROCESS objects based on Dispatch Headers (Windows XP x86 only)
+ dlllist - Print list of loaded DLLs for each process
+ dlldump - Dump DLLs from a process address space
+ handles - Print list of open handles for each process
+ getsids - Print the SIDs owning each process
+ verinfo - Print a PE file's version information
+ enumfunc - Enumerate a PE file's imports and exports
+ envars - Display process environment variables
+ cmdscan - Extract command history by scanning for _COMMAND_HISTORY
+ consoles - Extract command history by scanning for _CONSOLE_INFORMATION
+ privs - Identify the present and/or enabled windows privileges for each process
+ Process Memory
+ memmap - Print the memory map
+ memdump - Dump the addressable memory for a process
+ procexedump - Dump a process to an executable file
+ procmemdump - Dump a process to an executable memory sample
+ vadwalk - Walk the VAD tree
+ vadtree - Walk the VAD tree and display in tree format
+ vadinfo - Dump the VAD info
+ vaddump - Dumps out the vad sections to a file
+ evtlogs - Parse XP and 2003 event logs from memory
+ iehistory - Extract and parse Internet Explorer history and URL cache
+ Kernel Memory and Objects
+ modules - Print list of loaded modules
+ modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
+ moddump - Extract a kernel driver to disk
+ ssdt - Print the Native and GDI System Service Descriptor Tables
+ driverscan - Scan physical memory for _DRIVER_OBJECT objects
+ filescan - Scan physical memory for _FILE_OBJECT objects
+ mutantscan - Scan physical memory for _KMUTANT objects
+ symlinkscan - Scans for symbolic link objects
+ thrdscan - Scan physical memory for _ETHREAD objects
+ dumpfiles - Reconstruct files from the windows cache manager and shared section objects
+ unloadedmodules - Show recently unloaded kernel modules (which indirectly tells you which ones recently loaded)
+ Win32k / GUI Memory
+ sessions - List details on _MM_SESSION_SPACE (user logon sessions)
+ wndscan - Pool scanner for tagWINDOWSTATION (window stations)
+ deskscan - Poolscaner for tagDESKTOP (desktops)
+ atomscan - Pool scanner for _RTL_ATOM_TABLE
+ atoms - Print session and window station atom tables
+ clipboard - Extract the contents of the windows clipboard
+ eventhooks - Print details on windows event hooks
+ gathi - Dump the USER handle type information
+ messagehooks - List desktop and thread window message hooks
+ screenshot - Save a pseudo-screenshot based on GDI windows
+ userhandles - Dump the USER handle tables
+ windows - Print Desktop Windows (verbose details)
+ wintree - Print Z-Order Desktop Windows Tree
+ gditimers - Analyze GDI timer objects and their callbacks
+ Networking
+ connections - Print open connections (XP and 2003 only)
+ connscan - Scan Physical memory for _TCPT_OBJECT objects (XP and 2003 only)
+ sockets - Print open sockets (XP and 2003 only)
+ sockscan - Scan Physical memory for _ADDRESS_OBJECT (XP and 2003 only)
+ netscan - Scan physical memory for network objects (Vista, 2008, and 7)
+ Registry
+ hivescan - Scan Physical memory for _CMHIVE objects
+ hivelist - Print list of registry hives
+ printkey - Print a registry key, and its subkeys and values
+ hivedump - Recursively prints all keys and timestamps in a given hive
+ hashdump - Dumps passwords hashes (LM/NTLM) from memory (x86 only)
+ lsadump - Dump (decrypted) LSA secrets from the registry (XP and 2003 x86 only)
+ userassist - Parses and output User Assist keys from the registry
+ shimcache - Parses the Application Compatibility Shim Cache registry key
+ getservicesids - Calculate SIDs for windows services in the registry
+ shellbags - This plugin parses and prints Shellbag information obtained from the registry
+ File Formats
+ crashinfo - Dump crash-dump information
+ hibinfo - Dump hibernation file information
+ imagecopy - Copies a physical address space out as a raw DD image
+ raw2dmp - Converts a physical memory sample to a windbg crash dump
+ vboxinfo - Display header and memory runs information from VirtualBox core dumps
+ vmwareinfo - Display header and memory runs information from VMware vmss or vmsn files
+ hpakinfo - Display header and memory runs information from .hpak files
+ hpakextract - Extract (and decompress if necessary) the raw physical memory dump from an .hpak file
+ Malware
+ malfind - Find hidden and injected code
+ svcscan - Scan for Windows services
+ ldrmodules - Detect unlinked DLLs
+ impscan - Scan for calls to imported functions
+ apihooks - Detect API hooks in process and kernel memory (x86 only)
+ idt - Dumps the Interrupt Descriptor Table (x86 only)
+ gdt - Dumps the Global Descriptor Table (x86 only)
+ threads - Investigate _ETHREAD and _KTHREADs
+ callbacks - Print system-wide notification routines (x86 only)
+ driverirp - Driver IRP hook detection
+ devicetree - Show device tree
+ psxview - Find hidden processes with various process listings
+ timers - Print kernel timers and associated module DPCs (x86 only)
+ File System
+ mbrparser - Scans for and parses potential Master Boot Records (MBRs)
+ mftparser - Scans for and parses potential MFT entries
+ Miscellaneous
+ strings - Match physical offsets to virtual addresses
+ volshell - Shell to interactively explore a memory image
+ bioskbd - Reads the keyboard buffer from Real Mode memory
+ patcher - Patches memory based on page scans
+ timeliner - Produce timelines in body file format, excel 2007 spreadsheets, or text
+ dumpcerts - Extract SSL private and public keys/certs
+ Linux/Android
+ Processes
+ linux_pslist - Gather active tasks by walking the task_struct->task list
+ linux_psaux - Gathers processes along with full command line and start time
+ linux_pstree - Shows the parent/child relationship between processes
+ linux_pslist_cache - Gather tasks from the kmem_cache
+ linux_pidhashtable - Enumerates processes through the PID hash table
+ linux_psxview - Find hidden processes with various process listings
+ linux_lsof - Lists open files
+ Process Memory
+ linux_memmap - Dumps the memory map for linux tasks
+ linux_proc_maps - Gathers process maps for linux
+ linux_dump_map - Writes selected process memory mappings to disk
+ linux_bash - Recover bash history from bash process memory
+ Kernel Memory and Objects
+ linux_lsmod - Gather loaded kernel modules
+ linux_tmpfs - Recovers tmpfs filesystems from memory
+ linux_moddump - Extract an LKM from memory to disk (.text segment only)
+ Networking
+ linux_arp - Print the ARP table
+ linux_ifconfig - Gathers active interfaces
+ linux_netstat - Lists open sockets
+ linux_route_cache - Recovers the routing cache from memory
+ linux_pkt_queues - Writes per-process packet queues out to disk
+ linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
+ Malware/Rootkits
+ linux_check_afinfo - Verifies the operation function pointers of network protocols
+ linux_check_creds - Checks if any processes are sharing credential structures
+ linux_check_fop - Check file operation structures for rootkit modifications
+ linux_check_idt - Checks if the IDT has been altered
+ linux_check_modules - Compares module list to sysfs info, if available
+ linux_check_syscall - Checks if the system call table has been altered
+ linux_check_syscall_arm - Checks if the system call table has been altered (ARM)
+ linux_check_tty - Check TTY devices for rootkit hooks
+ linux_check_evt_arm - Check ARM exception vector table for hooks
+ System Information
+ linux_cpuinfo - Prints info about each active processor
+ linux_dmesg - Gather dmesg buffer
+ linux_iomem - Provides output similar to /proc/iomem
+ linux_mount - Gather mounted fs/devices
+ linux_mount_cache - Gather mounted fs/devices from kmem_cache
+ linux_slabinfo - Mimics /proc/slabinfo on a running machine
+ linux_dentry_cache - Gather files from the dentry cache
+ linux_find_file - Extract cached file contents from memory via inodes
+ linux_vma_cache - Gather VMAs from the vm_area_struct cache
+ linux_keyboard_notifier - Parses the keyboard notifier call chain
+ Miscellaneous
+ linux_volshell - Shell to interactively explore Linux/Android memory captures
+ linux_yarascan - Scan process and kernel memory with yara signatures
+ Mac OSX
+ Processes
+ mac_pslist - List running processes
+ mac_tasks - List active tasks
+ mac_pstree - Show parent/child relationship of processes
+ mac_lsof - Lists per-process open files
+ mac_pgrp_hash_table - Walks the process group hash table
+ mac_pid_hash_table - Walks the pid hash table
+ mac_dead_procs - List dead/terminated processes
+ mac_psaux - Prints processes with their command-line arguments (argv)
+ Process Memory
+ mac_proc_maps - Print information on allocated process memory ranges
+ mac_dump_maps - Dumps memory ranges of processes
+ Kernel Memory and Objects
+ mac_list_sessions - Enumerates sessions
+ mac_list_zones - Enumerates zones (allocated/freed object counts)
+ mac_lsmod - Lists loaded kernel modules
+ mac_mount - Prints mounted device information
+ Networking
+ mac_arp - Prints the arp table
+ mac_ifconfig - Lists network interface information for all devices
+ mac_netstat - Lists active per-process network connections
+ mac_route - Prints the routing table
+ Malware/Rootkits
+ mac_check_sysctl - Check for unknown sysctl handlers
+ mac_check_syscalls - Check for hooked syscall table entries
+ mac_check_trap_table - Checks to see if mach trap table entries are hooked
+ mac_ip_filters - Reports any hooked IP filters
+ mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
+ mac_trustedbsd - List malicious trustedbsd policies
+ System Information
+ mac_dmesg - Prints the kernel debug buffers
+ mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
+ mac_machine_info - Prints machine information about the sample
+ mac_version - Prints the Mac version
+ mac_print_boot_cmdline - Prints the mac boot command line
+ Miscellaneous
+ mac_volshell - Shell to interactively explore mac memory captures
+ machoinfo - Display header and memory runs for Mach-O memory dumps
+ mac_yarascan - Scan for Yara signatures in process or kernel memory
+PROFILES
+ Profiles are maps used by volatility to understand the operational systems. The profiles provided by the volatility are:
+
+ VistaSP0x64 - A Profile for Windows Vista SP0 x64
+ VistaSP0x86 - A Profile for Windows Vista SP0 x86
+ VistaSP1x64 - A Profile for Windows Vista SP1 x64
+ VistaSP1x86 - A Profile for Windows Vista SP1 x86
+ VistaSP2x64 - A Profile for Windows Vista SP2 x64
+ VistaSP2x86 - A Profile for Windows Vista SP2 x86
+ Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
+ Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
+ Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
+ Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
+ Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
+ Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
+ Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
+ Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
+ Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
+ Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
+ Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
+ Win7SP0x64 - A Profile for Windows 7 SP0 x64
+ Win7SP0x86 - A Profile for Windows 7 SP0 x86
+ Win7SP1x64 - A Profile for Windows 7 SP1 x64
+ Win7SP1x86 - A Profile for Windows 7 SP1 x86
+ WinXPSP1x64 - A Profile for Windows XP SP1 x64
+ WinXPSP2x64 - A Profile for Windows XP SP2 x64
+ WinXPSP2x86 - A Profile for Windows XP SP2 x86
+ WinXPSP3x86 - A Profile for Windows XP SP3 x86
+
+ To determine the OS type, you can use:
+
+ # volatility -f <image> imageinfo
+
+ You must create your own profiles for Linux and MAC. For this, please, see:
+
+ Linux: https://code.google.com/p/volatility/wiki/LinuxMemoryForensics#Creating_a_profile
+ MAC: https://code.google.com/p/volatility/wiki/MacMemoryForensics#Building_a_Profile
+
+NOTES
+ This manpage was based in several official documents about volatility.
+ For other information and tutorials, see:
+
+ https://code.google.com/p/volatility/wiki/VolatilityUsage23
+
+AUTHOR
+ volatility was written by several contributors. For contact, use the mail <volatility at volatilityfoundation.org>.
+
+ This manual page was written by Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> for the Debian project (but may be used by others).
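Review bot: in PROFILES, the example "# volatility -f <image> imageinfo" is shown with a root prompt, but reading an image file does not need root, and a memory image under analysis is untrusted input; show it with "$" instead. Wording nits in the same text: "Poolscaner" on the deskscan line should read "Pool scanner" like wndscan and atomscan, "operational systems" should be "operating systems", "based in" should be "based on", and "MAC" should be "Mac" to match the "Mac OSX" plugin heading.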
diff --git a/debian/manpages b/debian/manpages
new file mode 100644
index 0000000..f68ef9e
--- /dev/null
+++ b/debian/manpages
@@ -0,0 +1 @@
+debian/man/volatility.1
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..d17c334
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,13 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE=1
+
+DESTDIR=$(CURDIR)/debian/volatility
+
+%:
+ dh $@ --parallel --with python2
+
+override_dh_auto_install:
+ python setup.py install --root=debian/volatility --install-layout=deb --install-scripts=/usr/share/volatility --install-data=/usr/share/volatility
+
+# Recommended line:
+override_dh_auto_build:
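Review bot: DESTDIR is defined at the top of debian/rules but never used; override_dh_auto_install hardcodes "--root=debian/volatility" instead. Either pass "--root=$(DESTDIR)" or drop the variable. The trailing empty "override_dh_auto_build:" target disables the build step, and the comment "Recommended line:" does not say why; state the reason there.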
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/options b/debian/source/options
new file mode 100644
index 0000000..78a5b20
--- /dev/null
+++ b/debian/source/options
@@ -0,0 +1,2 @@
+# Don't store changes on volatility.egg-info/SOURCES.txt
+extend-diff-ignore = "/SOURCES\.txt$"
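Review bot: the extend-diff-ignore pattern "/SOURCES\.txt$" matches a SOURCES.txt in any subdirectory of the tree, while the comment above it only means volatility.egg-info/SOURCES.txt. Anchor it to that path, for example "volatility\.egg-info/SOURCES\.txt$", so that changes to another file of the same name are not silently left out of the source diff.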
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..9756c60
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,2 @@
+version=3
+https://code.google.com/p/volatility/downloads/list .*name=volatility-(\d.*)\.tar\.gz.*
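Review bot: the version group "(\d.*)" in the watch pattern is loose: it accepts any characters after the first digit and, being greedy, can run on to a later ".tar.gz" on the same line of the downloads page. Tighten it to something like "(\d[\d.]*)". The line also sets no opts, so uscan fetches the tarball with no signature check; if upstream publishes detached signatures, add pgpsigurlmangle.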
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/volatility.git