[Forensics-changes] [volatility] 01/01: Imported Debian patch 2.5-2
Joao Eriberto Mota Filho
eriberto at moszumanska.debian.org
Mon Aug 8 22:13:09 UTC 2016
This is an automated email from the git hooks/post-receive script.
eriberto pushed a commit to branch debian
in repository volatility.
commit fe4316d2ca726fd260d1509a362f56432b5380ab
Author: Joao Eriberto Mota Filho <eriberto at debian.org>
Date: Sun Aug 7 18:54:34 2016 -0300
Imported Debian patch 2.5-2
---
debian/changelog | 12 ++
debian/control | 8 +-
debian/copyright | 2 +-
debian/manpage/volatility.1 | 288 +++++++++++++------------------
debian/manpage/volatility.txt | 392 +++++++++++++++++++-----------------------
debian/watch | 2 +-
6 files changed, 314 insertions(+), 390 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 125c5d8..f7f3c1e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+volatility (2.5-2) unstable; urgency=medium
+
+ * debian/control:
+ - Bumped Standards-Version to 3.9.8.
+ - Fixed the name "openSUSE" in long description.
+ - Updated the Vcs-* fields to use https instead of http and git.
+ * debian/copyright: updated the packaging copyright years.
+ * debian/manpage/: updated the manpage. (Closes: #824438)
+ * debian/watch: bumped to version 4.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sun, 07 Aug 2016 18:54:34 -0300
+
volatility (2.5-1) unstable; urgency=medium
* New upstream release.
diff --git a/debian/control b/debian/control
index 8a30d28..c54ad2d 100644
--- a/debian/control
+++ b/debian/control
@@ -6,10 +6,10 @@ Uploaders: Joao Eriberto Mota Filho <eriberto at debian.org>,
Michael Prokop <mika at debian.org>
Build-Depends: debhelper (>= 9), python, dh-python
X-Python-Version: 2.7
-Standards-Version: 3.9.6
+Standards-Version: 3.9.8
Homepage: http://www.volatilityfoundation.org
-Vcs-Git: git://anonscm.debian.org/forensics/volatility.git
-Vcs-Browser: http://anonscm.debian.org/cgit/forensics/volatility.git
+Vcs-Git: https://anonscm.debian.org/git/forensics/volatility.git
+Vcs-Browser: https://anonscm.debian.org/git/forensics/volatility.git
Package: volatility
Architecture: all
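Review bot: the Vcs-Git and Vcs-Browser fields are moved to https, but the `Homepage: http://www.volatilityfoundation.org` context line two lines above is left on plain http; while touching this stanza it is worth checking whether the upstream site serves https and updating it in the same change for consistency.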
@@ -37,7 +37,7 @@ Description: advanced memory forensics framework
.
Linux memory dumps in raw or LiME format are supported too. There are
several plugins for analyzing memory dumps from 32- and 64-bit Linux
- kernels and relevant distributions such as Debian, Ubuntu, OpenSuSE,
+ kernels and relevant distributions such as Debian, Ubuntu, openSUSE,
RedHat, Fedora, CentOS, Mandriva, etc.
.
Volatility also support several versions of Mac OSX memory dumps, both
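Review bot: the "OpenSuSE" to "openSUSE" fix is correct; the trailing context line "Volatility also support several versions" has a subject-verb agreement error ("supports") that could be fixed in the same long-description edit, since a lintian-clean description is the point of this hunk.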
diff --git a/debian/copyright b/debian/copyright
index fc2ac83..6e20b60 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -86,7 +86,7 @@ License: GPL-2
Files: debian/*
Copyright: 2013 Michael Prokop <mika at debian.org>
- 2013-2015 Joao Eriberto Mota Filho <eriberto at debian.org>
+ 2013-2016 Joao Eriberto Mota Filho <eriberto at debian.org>
License: GPL-2+
License: GPL-2 or GPL-2+
diff --git a/debian/manpage/volatility.1 b/debian/manpage/volatility.1
index 86e6ebc..bab49cf 100644
--- a/debian/manpage/volatility.1
+++ b/debian/manpage/volatility.1
@@ -6,8 +6,8 @@
.SH SYNOPSIS
.nf
.fam C
- \fBvolatility\fP [\fIoption\fP]
- \fBvolatility\fP \fB-f\fP [\fIimage\fP] \fB--profile\fP=[profile] [\fIplugin\fP]
+\fBvolatility\fP [\fIoption\fP]
+\fBvolatility\fP \fB-f\fP [\fIimage\fP] \fB--profile\fP=[profile] [\fIplugin\fP]
.fam T
.fi
@@ -20,142 +20,103 @@ useful in forensics analysis. The extraction techniques are performed
completely independent of the system being investigated but offer
unprecedented visibility into the runtime state of the system.
.PP
-Volatility supports several versions of the MS Windows, Linux and MAC OSX:
-.PP
-MS Windows:
+Currently, Volatility (version 2.4) supports several versions of the
+MS Windows, Linux and MAC OSX:
.RS
.IP \(bu 3
-32-bit Windows XP Service Pack 2 and 3
-.IP \(bu 3
-32-bit Windows 2003 Server Service Pack 0, 1, 2
-.IP \(bu 3
-32-bit Windows Vista Service Pack 0, 1, 2
-.IP \(bu 3
-32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
-.IP \(bu 3
-32-bit Windows 7 Service Pack 0, 1
-.IP \(bu 3
-32-bit Windows 8, 8.1, and 8.1 Update 1
-.IP \(bu 3
-32-bit Windows 10 (initial support)
-.IP \(bu 3
-64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
-.IP \(bu 3
-64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
-.IP \(bu 3
-64-bit Windows Vista Service Pack 0, 1, 2
+64-bit Windows Server 2012 and 2012 R2
.IP \(bu 3
-64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
+32- and 64-bit Windows 8 and 8.1
.IP \(bu 3
-64-bit Windows 2008 R2 Server Service Pack 0 and 1
+32- and 64-bit Windows 7 (all service packs)
.IP \(bu 3
-64-bit Windows 7 Service Pack 0 and 1
+32- and 64-bit Windows Server 2008 (all service packs)
.IP \(bu 3
-64-bit Windows 8, 8.1, and 8.1 Update 1
+64-bit Windows Server 2008 R2 (all service packs)
.IP \(bu 3
-64-bit Windows Server 2012 and 2012 R2
+32- and 64-bit Windows Vista (all service packs)
.IP \(bu 3
-64-bit Windows 10 (initial support)
-.RE
-.PP
-Linux:
-.RS
+32- and 64-bit Windows Server 2003 (all service packs)
.IP \(bu 3
-32-bit Linux kernels 2.6.11 to 4.2.3
+32- and 64-bit Windows XP (SP2 and SP3)
.IP \(bu 3
-64-bit Linux kernels 2.6.11 to 4.2.3
-.IP \(bu 3
-OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
-.RE
-.PP
-Mac OSX:
-.RS
+32- and 64-bit Linux kernels from 2.6.11 to 3.16
.IP \(bu 3
32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
.IP \(bu 3
-32-bit 10.6.x Snow Leopard
+32- and 64-bit 10.6.x Snow Leopard
.IP \(bu 3
-64-bit 10.6.x Snow Leopard
-.IP \(bu 3
-32-bit 10.7.x Lion
-.IP \(bu 3
-64-bit 10.7.x Lion
+32- and 64-bit 10.7.x Lion
.IP \(bu 3
64-bit 10.8.x Mountain Lion (there is no 32-bit version)
.IP \(bu 3
64-bit 10.9.x Mavericks (there is no 32-bit version)
-.IP \(bu 3
-64-bit 10.10.x Yosemite (there is no 32-bit version)
-.IP \(bu 3
-64-bit 10.11.x El Capitan (there is no 32-bit version)
.RE
.PP
The memory formats supported are:
.RS
.IP \(bu 3
-Raw linear sample (dd)
-.IP \(bu 3
-Hibernation file
+Raw/Padded Physical Memory
.IP \(bu 3
-Crash dump file
+Firewire (IEEE 1394)
.IP \(bu 3
-VirtualBox ELF64 core dump
+Expert Witness (EWF)
.IP \(bu 3
-VMware saved state and snapshot files
+32- and 64-bit Windows Crash Dump
.IP \(bu 3
-EWF format (E01)
+32- and 64-bit Windows Hibernation
.IP \(bu 3
-LiME (Linux Memory Extractor) format
+32- and 64-bit MachO files
.IP \(bu 3
-Mach-o file format
+Virtualbox Core Dumps
.IP \(bu 3
-QEMU virtual machine dumps
+VMware Saved State (.vmss) and Snapshot (.vmsn)
.IP \(bu 3
-Firewire
+HPAK Format (FastDump)
.IP \(bu 3
-HPAK (FDPro)
+QEMU memory dumps
.RE
.PP
The supported address spaces (RAM types) are:
.RS
.IP \(bu 3
-AMD64PagedMemory - Standard AMD 64-bit address space
+AMD64PagedMemory - Standard AMD 64-bit address space.
.IP \(bu 3
-ArmAddressSpace - Address space for ARM processors
+ArmAddressSpace - No docs.
.IP \(bu 3
-FileAddressSpace - This is a direct file AS
+FileAddressSpace - This is a direct file AS.
.IP \(bu 3
-HPAKAddressSpace - This AS supports the HPAK format
+HPAKAddressSpace - This AS supports the HPAK format.
.IP \(bu 3
-IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible
+IA32PagedMemory - Standard IA-32 paging address space.
.IP \(bu 3
-IA32PagedMemory - Standard IA-32 paging address space
+IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible.
.IP \(bu 3
-LimeAddressSpace - Address space for Lime
+LimeAddressSpace - Address space for Lime.
.IP \(bu 3
-MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
+MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader.
.IP \(bu 3
-OSXPmemELF - This AS supports VirtualBox ELF64 coredump format
+OSXPmemELF - This AS supports VirtualBox ELF64 coredump format.
.IP \(bu 3
-QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format
+QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format.
.IP \(bu 3
-VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format
+VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files.
.IP \(bu 3
-VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files
+VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata.
.IP \(bu 3
-VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata
+VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format.
.IP \(bu 3
-WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
+WindowsCrashDumpSpace32 - This AS supports Windows Crash Dump format.
.IP \(bu 3
-WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format
+WindowsCrashDumpSpace64 - This AS supports Windows Crash Dump format.
.IP \(bu 3
-WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
+WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format.
.IP \(bu 3
-WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files
+WindowsHiberFileSpace32 - This is a hibernate address space for Windows hibernation files.
.RE
.PP
-There are exemplar memory images for tests at
-https://github.com/volatilityfoundation/\fBvolatility\fP/wiki/Memory-Samples.
+There are RAM images for tests at https://code.google.com/p/\fBvolatility\fP/wiki/SampleMemoryImages
+or at https://github.com/volatilityfoundation/\fBvolatility\fP/wiki/Memory-Samples.
.SH OPTIONS
.TP
.B
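Review bot: several of the `+` lines in this hunk are regressions rather than updates, which supports the suspicion that the patch base is stale: `+ArmAddressSpace - No docs.` replaces a real description; `+IA32PagedMemoryPae - ... It is responsible.` is a truncated sentence carried over from upstream's docstring and should be cut at "address space."; the `+32- and 64-bit Linux kernels from 2.6.11 to 3.16` and "version 2.4" lines drop support that the `-` side already documented for 2.5. The reintroduced `https://code.google.com/p/volatility/wiki/SampleMemoryImages` link also points at Google Code project hosting, which closed in early 2016, so only the GitHub wiki URL should be kept. Both sides also read "VMware snapshot (VMSS) and saved state (VMSS)"; the snapshot extension is .vmsn, as the memory-formats list in the same hunk says, so fix that while here.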
@@ -189,8 +150,7 @@ Use caching.
.TP
.B
\fB--tz\fP=TZ
-Set the timezone for displaying timestamps using pytz (if installed)
-or tzset
+Sets the timezone for displaying timestamps.
.TP
.B
\fB-f\fP FILENAME, \fB--filename\fP=FILENAME
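Review bot: the new `--tz` text "Sets the timezone for displaying timestamps." breaks the imperative style every other option uses ("Specify", "Enable", "Write"), and the dropped "using pytz (if installed) or tzset" was the only hint in OPTIONS that the result depends on whether python-pytz is installed; suggest "Set the timezone for displaying timestamps (uses pytz if installed, otherwise tzset)." and, if it is not already, a Suggests/Recommends on python-pytz in debian/control.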
@@ -198,12 +158,11 @@ Filename to use when opening an \fIimage\fP.
.TP
.B
\fB--profile\fP=WinXPSP2x86
-Name of the profile to load (use \fB--info\fP to see a list of supported
-profiles).
+Name of the profile to load.
.TP
.B
\fB-l\fP LOCATION, \fB--location\fP=LOCATION
-A URN location from which to load an address space.
+An URN location from which to load an address space.
.TP
.B
\fB-w\fP, \fB--write\fP
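Review bot: "A URN location" is the correct article (URN is read "you-are-en", a consonant sound), so the change to "An URN location" introduces an error and should be dropped. Likewise the `--profile` line loses the "(use --info to see a list of supported profiles)" hint, which is the one piece of discoverability a new user needs at that option; keep it.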
@@ -219,7 +178,7 @@ Mac KASLR shift address.
.TP
.B
\fB--output\fP=text
-Output in this format.
+Output in this format (format support is module specific).
.TP
.B
\fB--output-file\fP=OUTPUT_FILE
@@ -231,24 +190,15 @@ Verbose information.
.TP
.B
\fB-g\fP KDBG, \fB--kdbg\fP=KDBG
-Specify a specific KDBG virtual address. For 64-bit Windows 8 and
-above this is the address of KdCopyDataBlock.
-.TP
-.B
-\fB--force\fP
-Force utilization of suspect profile.
+Specify a specific KDBG virtual address.
.TP
.B
\fB-k\fP KPCR, \fB--kpcr\fP=KPCR
Specify a specific KPCR address.
-.TP
-.B
-\fB--cookie\fP=COOKIE
-Specify the address of nt!ObHeaderCookie (valid for Windows 10 only).
.SH PLUGINS AND PROFILES
The supported \fIplugin\fP commands and profiles can be viewed if using the command '$ \fBvolatility\fP \fB--info\fP'.
-Note that Linux and MAC OSX allowed plugins will have the 'linux_' and 'mac_' prefixes. Plugins
-without these prefixes were designed for MS Windows.
+Note that Linux and MAC OSX allowed plugins will have the 'linux_' and 'mac_' prefixes. Plugins without
+these prefixes were designed for MS Windows.
.PP
Profiles are maps used by Volatility to understand the operational systems. The allowed MS Windows
profiles are provided by the Volatility.
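Review bot: this hunk deletes the `--force` and `--cookie` entries and the note that for 64-bit Windows 8 and later `--kdbg` takes the address of KdCopyDataBlock. Since the package is 2.5-2 and those lines describe 2.5 behaviour, removing them looks like a regression from a stale base; please check `volatility --help` from the built package and keep the entries for every option it still lists. In the context lines, "understand the operational systems" should read "operating systems".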
@@ -272,11 +222,9 @@ On MS Windows, to determine the OS type, you can use:
On a GNU/Linux or OS X system, these variables can be set:
.RS
.IP \(bu 3
-VOLATILITY_PROFILE - Specifies a profile to be used as default, making unnecessary a '\fB--profile\fP'
-\fIoption\fP.
+VOLATILITY_PROFILE - Specifies a profile to be used as default, making unnecessary a '\fB--profile\fP' \fIoption\fP.
.IP \(bu 3
-VOLATILITY_LOCATION - Specifies the path of an \fIimage\fP. So, the Volatility command will not need
-a file name via '\fB-f\fP' \fIoption\fP.
+VOLATILITY_LOCATION - Specifies the path of an \fIimage\fP. So, the Volatility command will not need a file name via '\fB-f\fP' \fIoption\fP.
.IP \(bu 3
VOLATILITY_KDBG - Specifies a KDBG address. See EXTRA PROCEDURES to more details.
.RE
@@ -323,17 +271,16 @@ Setting a timezone
.PP
.nf
.fam C
- Timestamps extracted from memory can either be in system-local time, or in Universal Time
- Coordinates (UTC). If they're in UTC, Volatility can be instructed to display them in a time
- zone of the analyst's choosing. To choose a timezone, use one of the standard timezone
- names (such as America/Sao_Paulo, Europe/London, US/Eastern or most Olson timezones) with
- the \-\-tz=TIMEZONE flag.
+ Timestamps extracted from memory can either be in system-local time, or in Universal Time
+ Coordinates (UTC). If they're in UTC, Volatility can be instructed to display them in a time zone
+ of the analyst's choosing. To choose a timezone, use one of the standard timezone names
+ (such as America/Sao_Paulo, Europe/London, US/Eastern or most Olson timezones) with the \-\-tz=TIMEZONE flag.
- Volatility attempts to use pytz if installed, otherwise it uses tzset.
+ Volatility attempts to use pytz if installed, otherwise it uses tzset.
- Please note that specifying a timezone will not affect how system-local times are displayed. If
- you identify a time that you know is UTC-based, please file it as an issue in the issue tracker.
- By default the _EPROCESS CreateTime and ExitTime timestamps are in UTC.
+ Please note that specifying a timezone will not affect how system-local times are displayed. If you identify
+ a time that you know is UTC-based, please file it as an issue in the issue tracker. By default the _EPROCESS
+ CreateTime and ExitTime timestamps are in UTC.
.fam T
.fi
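Review bot: this text sits inside `.nf`/`.fam C`, where groff does not refill, so the re-wrapped `+` lines of up to about 120 characters will wrap raggedly or be cut in an 80-column terminal; the original wrap at roughly 100 columns was already wide, and going wider makes the rendered page worse, not better. The same applies to every re-wrapped `.nf` block below. If the intent is to let groff fill the paragraph, drop `.nf`/`.fi` instead of hand-wrapping. While touching it, "Universal Time Coordinates (UTC)" should be "Coordinated Universal Time (UTC)", on both sides of the diff.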
@@ -341,9 +288,9 @@ Setting the DTB
.PP
.nf
.fam C
- The DTB (Directory Table Base) is what Volatility uses to translate virtual addresses to physical
- addresses. By default, a kernel DTB is used (from the Idle/System process). If you want to use a
- different process's DTB when accessing data, supply the address to \-\-dtb=ADDRESS.
+ The DTB (Directory Table Base) is what Volatility uses to translate virtual addresses to physical addresses.
+ By default, a kernel DTB is used (from the Idle/System process). If you want to use a different process's DTB
+ when accessing data, supply the address to \-\-dtb=ADDRESS.
.fam T
.fi
@@ -351,14 +298,13 @@ Setting the KDBG address (this is a Windows-only \fIoption\fP)
.PP
.nf
.fam C
- Volatility scans for the '_KDDEBUGGER_DATA64' structure using hard-coded signatures "KDBG" and
- a series of sanity checks. These signatures are not critical for the operating system to function
- properly, thus malware can overwrite them in attempt to throw off tools that do rely on the
- signature. Additionally, in some cases there may be more than one '_KDDEBUGGER_DATA64' (for
- example if you apply a major OS update and don't reboot), which can cause confusion and lead to
- incorrect process and module listings, among other problems. If you know the address
- add '_KDDEBUGGER_DATA64', you can specify it with \-\-kdbg=ADDRESS and this override the automated
- scans. For more information, see the kdbgscan plugin.
+ Volatility scans for the '_KDDEBUGGER_DATA64' structure using hard-coded signatures "KDBG" and a series of sanity
+ checks. These signatures are not critical for the operating system to function properly, thus malware can overwrite
+ them in attempt to throw off tools that do rely on the signature. Additionally, in some cases there may be more
+ than one '_KDDEBUGGER_DATA64' (for example if you apply a major OS update and don't reboot), which can cause confusion
+ and lead to incorrect process and module listings, among other problems. If you know the address
+ add '_KDDEBUGGER_DATA64', you can specify it with \-\-kdbg=ADDRESS and this override the automated scans. For more
+ information, see the kdbgscan plugin.
.fam T
.fi
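Review bot: since the whole paragraph is being rewritten anyway, fix the errors that survive on the `+` side: "If you know the address add '_KDDEBUGGER_DATA64'" should be "the address of", "this override the automated scans" should be "this overrides", and "in attempt to throw off" should be "in an attempt to". The security-relevant point of the paragraph (malware can overwrite the KDBG signature, so a supplied `--kdbg` is how the analyst bypasses a poisoned scan) is worth keeping intact and readable.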
@@ -366,11 +312,11 @@ Setting the KPCR address (this is a Windows-only \fIoption\fP)
.PP
.nf
.fam C
- There is one KPCR (Kernel Processor Control Region) for each CPU on a system. Some Volatility
- plugins display per-processor information. Thus if you want to display data for a specific CPU, for
- example CPU 3 instead of CPU 1, you can pass the address of that CPU's KPCR with \-\-kpcr=ADDRESS.
- To locate the KPCRs for all CPUs, see the kpcrscan plugin. Also note that starting in Volatility 2.2,
- many of the plugins such as idt and gdt automatically iterate through the list of KPCRs.
+ There is one KPCR (Kernel Processor Control Region) for each CPU on a system. Some Volatility plugins display
+ per-processor information. Thus if you want to display data for a specific CPU, for example CPU 3 instead of
+ CPU 1, you can pass the address of that CPU's KPCR with \-\-kpcr=ADDRESS. To locate the KPCRs for all CPUs, see
+ the kpcrscan plugin. Also note that starting in Volatility 2.2, many of the plugins such as idt and gdt
+ automatically iterate through the list of KPCRs.
.fam T
.fi
@@ -378,13 +324,12 @@ Enabling write support
.PP
.nf
.fam C
- Write support in Volatility should be used with caution. Therefore, to actually enable it, you must
- not only type \-\-write on command-line but you must type a 'password' in response to a question that
- you'll be prompted with. In most cases you will not want to use write support since it can lead to
- corruption or modification of data in your memory dump. However, special cases exist that make this
- feature really interesting. For example, you could cleanse a live system of certain malware by
- writing to RAM over firewire, or you could break into a locked workstation by patching bytes in the
- winlogon DLLs.
+ Write support in Volatility should be used with caution. Therefore, to actually enable it, you must not only type
+ \-\-write on command-line but you must type a 'password' in response to a question that you'll be prompted with.
+ In most cases you will not want to use write support since it can lead to corruption or modification of data in
+ your memory dump. However, special cases exist that make this feature really interesting. For example, you could
+ cleanse a live system of certain malware by writing to RAM over firewire, or you could break into a locked workstation
+ by patching bytes in the winlogon DLLs.
.fam T
.fi
@@ -392,26 +337,29 @@ Specifying additional \fIplugin\fP directories
.PP
.nf
.fam C
- Volatility's plugin architecture can load plugin files from multiple directories at once. In the
- Volatility source code, most plugins are located in volatility/plugins. However, there is another
- directory (volatility/contrib) which is reserved for contributions from third party developers, or
- weakly supported plugins that simply are not enabled by default. To access these plugins you just
- type \-\-plugins=contrib/plugins on command-line. It also enables you to create a separate directory
- of your own plugins that you can manage without having to add/remove/modify files in the core
- Volatility directories.
-
- Notes:
+ Volatility's plugin architecture can load plugin files from multiple directories at once. In the Volatility source
+ code, most plugins are located in volatility/plugins. However, there is another directory (volatility/contrib)
+ which is reserved for contributions from third party developers, or weakly supported plugins that simply aren't
+ enabled by default. To access these plugins you just type \-\-plugins=contrib/plugins on command-line. It also enables
+ you to create a separate directory of your own plugins that you can manage without having to add/remove/modify files
+ in the core Volatility directories.
- * On Debian systems, the contrib/plugins directory is at /usr/share/volatility/contrib/plugins.
+.fam T
+.fi
+Notes:
+.PP
+.nf
+.fam C
+ On Debian systems, the contrib/plugins directory is at /usr/share/volatility/contrib/plugins.
- * Subdirectories will also be traversed as long as there is an __init__.py file (which can be empty)
- within them.
+ Subdirectories will also be traversed as long as there is an __init__.py file (which can be empty) within them.
- * The parameter to \-\-plugins can also be a zip file containing the plugins such
- as \-\-plugins=myplugins.zip. Due to the way plugins are loaded, the external plugins directory
- or zip file must be specified before any plugin-specific arguments (including the name of the
- plugin). Example:
+ The parameter to \-\-plugins can also be a zip file containing the plugins such as \-\-plugins=myplugins.zip.
+ Due to the way plugins are loaded, the external plugins directory or zip file must be specified before any
+ plugin-specific arguments (including the name of the plugin). Example:
+.nf
+.fam C
$ volatility \-\-plugins=contrib/plugins \-f XPSP3x86.vmem example
.fam T
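Review bot: the added `+.nf` and `+.fam C` immediately before the `$ volatility --plugins=...` example are redundant and leave a nested no-fill block: the Notes block opened with `.nf`/`.fam C` a few lines above is never closed with `.fam T`/`.fi` before the example starts. Either remove the two added lines or close the Notes block first. Moving "Notes:" out of the block is fine, but the three notes lose their `*` bullets and now read as one run of indented prose; a `.IP \(bu 3` list, as used earlier in the page, would keep the structure.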
@@ -420,12 +368,11 @@ Choosing an output format
.PP
.nf
.fam C
- By default, plugins use text renderers to standard output. If you want to redirect to a file, you
- can of course use the console's redirection (i.e. > out.txt) or you could use \-\-output-file=out.txt.
- The reason you can also choose \-\-output=FORMAT is for allowing plugins to also render output as HTML,
- JSON, SQL, or whatever you choose. However, there are no plugins with those alternate output formats
- pre-configured for use, so you'll need to add a function named render_html, render_json, render_sql,
- respectively to each plugin before using \-\-output=HTML.
+ By default, plugins use text renderers to standard output. If you want to redirect to a file, you can of course
+ use the console's redirection (i.e. > out.txt) or you could use \-\-output-file=out.txt. The reason you can also
+ choose \-\-output=FORMAT is for allowing plugins to also render output as HTML, JSON, SQL, or whatever you choose.
+ However, there are no plugins with those alternate output formats pre-configured for use, so you'll need to add
+ a function named render_html, render_json, render_sql, respectively to each plugin before using \-\-output=HTML.
.fam T
.fi
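Review bot: "(i.e. > out.txt)" should be "(e.g. > out.txt)" on the `+` side, since it is an example rather than a restatement; the same applies to the trailing `--output=HTML`, which the option description above gives as a lowercase format name (`--output=text`), so "--output=html" would match the render_html function name mentioned in the same sentence.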
@@ -433,8 +380,8 @@ Plugin specific options
.PP
.nf
.fam C
- Many plugins accept arguments of their own, which are independent of the global options. To see the
- list of available options, type both the plugin name and \-h/--help on command-line.
+ Many plugins accept arguments of their own, which are independent of the global options. To see the list of
+ available options, type both the plugin name and \-h/--help on command-line.
.nf
.fam C
@@ -446,9 +393,9 @@ Debug mode
.PP
.nf
.fam C
- If something isn't happening in Volatility the expected way, try to run the command with \-d/\-\-debug.
- This will enable the printing of debug messages to standard error. To more debug levels, as in using
- pdb debugger), add \-d \-d \-d to command.
+ If something isn't happening in Volatility the expected way, try to run the command with \-d/\-\-debug.
+ This will enable the printing of debug messages to standard error. To more debug levels, as in using
+ pdb debugger), add \-d \-d \-d to command.
.fam T
.fi
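Review bot: the three `-` and `+` lines here appear identical apart from whitespace, so this is a no-op change that only adds noise to the patch; if the block is touched at all, fix the unbalanced parenthesis and grammar in "To more debug levels, as in using pdb debugger), add -d -d -d to command" to something like "For more debug levels (for example to drop into the pdb debugger), add -d -d -d to the command."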
@@ -456,8 +403,8 @@ Using Volatility as a library
.PP
.nf
.fam C
- Although its possible to use Volatility as a library, (there are plans to support it better in the
- future). Currently, to import Volatility from a python script, the following example code can be used:
+ Although its possible to use Volatility as a library, (there are plans to support it better in the future).
+ Currently, to import Volatility from a python script, the following example code can be used:
.nf
.fam C
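Review bot: "Although its possible to use Volatility as a library, (there are plans ...)." is a sentence fragment with a misspelt "it's"; suggest "It is possible to use Volatility as a library (there are plans to support this better in the future). Currently, ..." on the `+` side.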
@@ -517,14 +464,13 @@ To show the kernel bnuffer from a Linux 3.2.63 \fIimage\fP:
.SH NOTES
This manpage was based in some tests and several official documents about Volatility.
For other information and tutorials, see:
-.RS
.IP \(bu 3
http://www.volatilityfoundation.org
.IP \(bu 3
+https://code.google.com/p/\fBvolatility\fP/wiki
+.IP \(bu 3
https://github.com/volatilityfoundation/\fBvolatility\fP/wiki
.SH AUTHOR
-Volatility was written by Volatility Foundation and several contributors. For contact,
-use the email <info at volatilityfoundation.org>.
+Volatility was written by Volatility Foundation and several contributors. For contact, use the email <info at volatilityfoundation.org>.
.PP
-This manual page was written by Joao Eriberto Mota Filho <eriberto at debian.org> for the
-Debian project (but may be used by others).
+This manual page was written by Joao Eriberto Mota Filho <eriberto at debian.org> for the Debian project (but may be used by others).
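Review bot: the `-.RS` removal has no matching `-.RE` in the hunk; if the `.RE` that closed this list still exists below the context shown, it must go too, otherwise groff emits a warning. The added `https://code.google.com/p/volatility/wiki` link has the same problem as the sample-images link earlier: Google Code hosting is gone, so the GitHub wiki line already in context is the only one that should remain. The hunk header's context line "To show the kernel bnuffer" shows a typo ("buffer") elsewhere in the EXAMPLES section that could be fixed in the same update.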
diff --git a/debian/manpage/volatility.txt b/debian/manpage/volatility.txt
index 8d3be1a..7aed609 100644
--- a/debian/manpage/volatility.txt
+++ b/debian/manpage/volatility.txt
@@ -1,129 +1,105 @@
NAME
- volatility - advanced memory forensics framework
+ volatility - advanced memory forensics framework
SYNOPSIS
- volatility [option]
- volatility -f [image] --profile=[profile] [plugin]
+ volatility [option]
+ volatility -f [image] --profile=[profile] [plugin]
DESCRIPTION
- The Volatility Framework is a completely open collection of tools for the
- extraction of digital artifacts from volatile memory (RAM) samples. It is
- useful in forensics analysis. The extraction techniques are performed
- completely independent of the system being investigated but offer
- unprecedented visibility into the runtime state of the system.
-
- Volatility supports several versions of the MS Windows, Linux and MAC OSX:
-
- MS Windows:
- * 32-bit Windows XP Service Pack 2 and 3
- * 32-bit Windows 2003 Server Service Pack 0, 1, 2
- * 32-bit Windows Vista Service Pack 0, 1, 2
- * 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
- * 32-bit Windows 7 Service Pack 0, 1
- * 32-bit Windows 8, 8.1, and 8.1 Update 1
- * 32-bit Windows 10 (initial support)
- * 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
- * 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
- * 64-bit Windows Vista Service Pack 0, 1, 2
- * 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
- * 64-bit Windows 2008 R2 Server Service Pack 0 and 1
- * 64-bit Windows 7 Service Pack 0 and 1
- * 64-bit Windows 8, 8.1, and 8.1 Update 1
- * 64-bit Windows Server 2012 and 2012 R2
- * 64-bit Windows 10 (initial support)
-
- Linux:
- * 32-bit Linux kernels 2.6.11 to 4.2.3
- * 64-bit Linux kernels 2.6.11 to 4.2.3
- * OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
-
- Mac OSX:
- * 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
- * 32-bit 10.6.x Snow Leopard
- * 64-bit 10.6.x Snow Leopard
- * 32-bit 10.7.x Lion
- * 64-bit 10.7.x Lion
- * 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
- * 64-bit 10.9.x Mavericks (there is no 32-bit version)
- * 64-bit 10.10.x Yosemite (there is no 32-bit version)
- * 64-bit 10.11.x El Capitan (there is no 32-bit version)
-
- The memory formats supported are:
-
- * Raw linear sample (dd)
- * Hibernation file
- * Crash dump file
- * VirtualBox ELF64 core dump
- * VMware saved state and snapshot files
- * EWF format (E01)
- * LiME (Linux Memory Extractor) format
- * Mach-o file format
- * QEMU virtual machine dumps
- * Firewire
- * HPAK (FDPro)
-
- The supported address spaces (RAM types) are:
-
- * AMD64PagedMemory - Standard AMD 64-bit address space
- * ArmAddressSpace - Address space for ARM processors
- * FileAddressSpace - This is a direct file AS
- * HPAKAddressSpace - This AS supports the HPAK format
- * IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible
- * IA32PagedMemory - Standard IA-32 paging address space
- * LimeAddressSpace - Address space for Lime
- * MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
- * OSXPmemELF - This AS supports VirtualBox ELF64 coredump format
- * QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format
- * VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format
- * VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files
- * VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata
- * WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
- * WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format
- * WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
- * WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files
-
- There are exemplar memory images for tests at
- https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples.
+ The Volatility Framework is a completely open collection of tools for the
+ extraction of digital artifacts from volatile memory (RAM) samples. It is
+ useful in forensics analysis. The extraction techniques are performed
+ completely independent of the system being investigated but offer
+ unprecedented visibility into the runtime state of the system.
+
+ Currently, Volatility (version 2.4) supports several versions of the
+ MS Windows, Linux and MAC OSX:
+
+ * 64-bit Windows Server 2012 and 2012 R2
+ * 32- and 64-bit Windows 8 and 8.1
+ * 32- and 64-bit Windows 7 (all service packs)
+ * 32- and 64-bit Windows Server 2008 (all service packs)
+ * 64-bit Windows Server 2008 R2 (all service packs)
+ * 32- and 64-bit Windows Vista (all service packs)
+ * 32- and 64-bit Windows Server 2003 (all service packs)
+ * 32- and 64-bit Windows XP (SP2 and SP3)
+ * 32- and 64-bit Linux kernels from 2.6.11 to 3.16
+ * 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
+ * 32- and 64-bit 10.6.x Snow Leopard
+ * 32- and 64-bit 10.7.x Lion
+ * 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
+ * 64-bit 10.9.x Mavericks (there is no 32-bit version)
+
+ The memory formats supported are:
+
+ * Raw/Padded Physical Memory
+ * Firewire (IEEE 1394)
+ * Expert Witness (EWF)
+ * 32- and 64-bit Windows Crash Dump
+ * 32- and 64-bit Windows Hibernation
+ * 32- and 64-bit MachO files
+ * Virtualbox Core Dumps
+ * VMware Saved State (.vmss) and Snapshot (.vmsn)
+ * HPAK Format (FastDump)
+ * QEMU memory dumps
+
+ The supported address spaces (RAM types) are:
+
+ * AMD64PagedMemory - Standard AMD 64-bit address space.
+ * ArmAddressSpace - No docs.
+ * FileAddressSpace - This is a direct file AS.
+ * HPAKAddressSpace - This AS supports the HPAK format.
+ * IA32PagedMemory - Standard IA-32 paging address space.
+ * IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible.
+ * LimeAddressSpace - Address space for Lime.
+ * MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader.
+ * OSXPmemELF - This AS supports VirtualBox ELF64 coredump format.
+ * QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format.
+ * VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files.
+ * VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata.
+ * VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format.
+ * WindowsCrashDumpSpace32 - This AS supports Windows Crash Dump format.
+ * WindowsCrashDumpSpace64 - This AS supports Windows Crash Dump format.
+ * WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format.
+ * WindowsHiberFileSpace32 - This is a hibernate address space for Windows hibernation files.
+
+ There are RAM images for tests at https://code.google.com/p/volatility/wiki/SampleMemoryImages
+ or at https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples.
OPTIONS
- -h, --help List all available options and their default values.
- Default values may be set in the configuration file (/etc/volatilityrc).
- --conf-file=/root/.volatilityrc User based configuration file.
- -d, --debug Debug Volatility.
- --plugins=PLUGINS Additional plugin directories to use (colon separated).
- --info Print information about all registered objects.
- --cache-directory=/root/.cache/volatility Directory where cache files are stored.
- --cache Use caching.
- --tz=TZ Set the timezone for displaying timestamps using pytz (if installed)
- or tzset
- -f FILENAME, --filename=FILENAME Filename to use when opening an image.
- --profile=WinXPSP2x86 Name of the profile to load (use --info to see a list of supported
- profiles).
- -l LOCATION, --location=LOCATION A URN location from which to load an address space.
- -w, --write Enable write support.
- --dtb=DTB DTB Address.
- --shift=SHIFT Mac KASLR shift address.
- --output=text Output in this format.
- --output-file=OUTPUT_FILE Write output in this file.
- -v, --verbose Verbose information.
- -g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address. For 64-bit Windows 8 and
- above this is the address of KdCopyDataBlock.
- --force Force utilization of suspect profile.
- -k KPCR, --kpcr=KPCR Specify a specific KPCR address.
- --cookie=COOKIE Specify the address of nt!ObHeaderCookie (valid for Windows 10 only).
+ -h, --help List all available options and their default values.
+ Default values may be set in the configuration file (/etc/volatilityrc).
+ --conf-file=/root/.volatilityrc User based configuration file.
+ -d, --debug Debug Volatility.
+ --plugins=PLUGINS Additional plugin directories to use (colon separated).
+ --info Print information about all registered objects.
+ --cache-directory=/root/.cache/volatility Directory where cache files are stored.
+ --cache Use caching.
+ --tz=TZ Sets the timezone for displaying timestamps.
+ -f FILENAME, --filename=FILENAME Filename to use when opening an image.
+ --profile=WinXPSP2x86 Name of the profile to load.
+ -l LOCATION, --location=LOCATION An URN location from which to load an address space.
+ -w, --write Enable write support.
+ --dtb=DTB DTB Address.
+ --shift=SHIFT Mac KASLR shift address.
+ --output=text Output in this format (format support is module specific).
+ --output-file=OUTPUT_FILE Write output in this file.
+ -v, --verbose Verbose information.
+ -g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address.
+ -k KPCR, --kpcr=KPCR Specify a specific KPCR address.
PLUGINS AND PROFILES
- The supported plugin commands and profiles can be viewed if using the command '$ volatility --info'.
- Note that Linux and MAC OSX allowed plugins will have the 'linux_' and 'mac_' prefixes. Plugins
- without these prefixes were designed for MS Windows.
+ The supported plugin commands and profiles can be viewed if using the command '$ volatility --info'.
+ Note that Linux and MAC OSX allowed plugins will have the 'linux_' and 'mac_' prefixes. Plugins without
+ these prefixes were designed for MS Windows.
- Profiles are maps used by Volatility to understand the operational systems. The allowed MS Windows
- profiles are provided by the Volatility.
+ Profiles are maps used by Volatility to understand the operational systems. The allowed MS Windows
+ profiles are provided by the Volatility.
- You must create your own profiles for Linux and MAC OSX. For this, on Debian systems,
- read the README.Debian file provided by volatility-tools package.
+ You must create your own profiles for Linux and MAC OSX. For this, on Debian systems,
+ read the README.Debian file provided by volatility-tools package.
- On MS Windows, to determine the OS type, you can use:
+ On MS Windows, to determine the OS type, you can use:
$ volatility \-f <image> imageinfo
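Review bot: the new VMWareAddressSpace line reads "snapshot (VMSS) and saved state (VMSS)"; the format list above gives Saved State as .vmss and Snapshot as .vmsn, so the first should be VMSN. Two other address-space descriptions look lifted from docstrings without review: IA32PagedMemoryPae ends in the dangling sentence "It is responsible.", and OSXPmemELF carries the same text as VirtualBoxCoreDumpElf64 ("This AS supports VirtualBox ELF64 coredump format") instead of describing the OS X pmem ELF format. In OPTIONS, the rewrite drops --force, --cookie=COOKIE and the note that for 64-bit Windows 8 and above the KDBG address is that of KdCopyDataBlock; if 2.5 still exposes those options (the removed lines documented them), they should stay. The defaults shown for --conf-file=/root/.volatilityrc and --cache-directory=/root/.cache/volatility are the root user's paths captured when the help text was generated, so ~/.volatilityrc and ~/.cache/volatility would be the honest defaults. In PLUGINS AND PROFILES, "operational systems" should be "operating systems", "provided by the Volatility" should be "provided by Volatility", and "MAC OSX" should be "Mac OS X".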
@@ -132,144 +108,135 @@ PLUGINS AND PROFILES
$ volatility \-f <image> kdbgscan
ENVIRONMENT VARIABLES
- On a GNU/Linux or OS X system, these variables can be set:
+ On a GNU/Linux or OS X system, these variables can be set:
- * VOLATILITY_PROFILE - Specifies a profile to be used as default, making unnecessary a '--profile'
- option.
- * VOLATILITY_LOCATION - Specifies the path of an image. So, the Volatility command will not need
- a file name via '-f' option.
- * VOLATILITY_KDBG - Specifies a KDBG address. See EXTRA PROCEDURES to more details.
+ * VOLATILITY_PROFILE - Specifies a profile to be used as default, making unnecessary a '--profile' option.
+ * VOLATILITY_LOCATION - Specifies the path of an image. So, the Volatility command will not need a file name via '-f' option.
+ * VOLATILITY_KDBG - Specifies a KDBG address. See EXTRA PROCEDURES to more details.
- Other plugin flags may be utilized in this way, for example KPCR, DTB or PLUGINS. When exporting
- variables, simply prefix VOLATILITY_ before the flag name (e.g. VOLATILITY_KPCR). Otherwise, the
- flag name remains the same when adding it to the configuration file.
+ Other plugin flags may be utilized in this way, for example KPCR, DTB or PLUGINS. When exporting
+ variables, simply prefix VOLATILITY_ before the flag name (e.g. VOLATILITY_KPCR). Otherwise, the
+ flag name remains the same when adding it to the configuration file.
- If you have a path with a space or more in the name, spaces should be replaced with %20 instead
- (e.g. LOCATION=file:///tmp/my%20image.img).
+ If you have a path with a space or more in the name, spaces should be replaced with %20 instead
+ (e.g. LOCATION=file:///tmp/my%20image.img).
- Example:
+ Example:
$ export VOLATILITY_PROFILE=Win7SP0x86
$ export VOLATILITY_LOCATION=file:///tmp/myimage.img
$ export VOLATILITY_KDBG=0x82944c28
CONFIGURATION FILES
- Configuration files are typically 'volatilityrc' in the current directory or '~/.volatilityrc' in
- user's home directory, or at user specified path, using the --conf-file option. An example of the
- file contents is shown below:
+ Configuration files are typically 'volatilityrc' in the current directory or '~/.volatilityrc' in
+ user's home directory, or at user specified path, using the --conf-file option. An example of the
+ file contents is shown below:
[DEFAULT]
PROFILE=Win7SP0x86
LOCATION=file:///tmp/myimage.img
KDBG=0x82944c28
- Other plugin flags may be utilized in this way, for example KPCR, DTB or PLUGINS. When exporting
- variables, simply prefix VOLATILITY_ before the flag name (e.g. VOLATILITY_KPCR). Otherwise, the
- flag name remains the same when adding it to the configuration file.
+ Other plugin flags may be utilized in this way, for example KPCR, DTB or PLUGINS. When exporting
+ variables, simply prefix VOLATILITY_ before the flag name (e.g. VOLATILITY_KPCR). Otherwise, the
+ flag name remains the same when adding it to the configuration file.
- If you have a path with a space or more in the name, spaces should be replaced with %20 instead
- (e.g. LOCATION=file:///tmp/my%20image.img).
+ If you have a path with a space or more in the name, spaces should be replaced with %20 instead
+ (e.g. LOCATION=file:///tmp/my%20image.img).
EXTRA PROCEDURES
- Setting a timezone
+ Setting a timezone
- Timestamps extracted from memory can either be in system-local time, or in Universal Time
- Coordinates (UTC). If they're in UTC, Volatility can be instructed to display them in a time
- zone of the analyst's choosing. To choose a timezone, use one of the standard timezone
- names (such as America/Sao_Paulo, Europe/London, US/Eastern or most Olson timezones) with
- the \-\-tz=TIMEZONE flag.
+ Timestamps extracted from memory can either be in system-local time, or in Universal Time
+ Coordinates (UTC). If they're in UTC, Volatility can be instructed to display them in a time zone
+ of the analyst's choosing. To choose a timezone, use one of the standard timezone names
+ (such as America/Sao_Paulo, Europe/London, US/Eastern or most Olson timezones) with the \-\-tz=TIMEZONE flag.
- Volatility attempts to use pytz if installed, otherwise it uses tzset.
+ Volatility attempts to use pytz if installed, otherwise it uses tzset.
- Please note that specifying a timezone will not affect how system-local times are displayed. If
- you identify a time that you know is UTC-based, please file it as an issue in the issue tracker.
- By default the _EPROCESS CreateTime and ExitTime timestamps are in UTC.
+ Please note that specifying a timezone will not affect how system-local times are displayed. If you identify
+ a time that you know is UTC-based, please file it as an issue in the issue tracker. By default the _EPROCESS
+ CreateTime and ExitTime timestamps are in UTC.
- Setting the DTB
+ Setting the DTB
- The DTB (Directory Table Base) is what Volatility uses to translate virtual addresses to physical
- addresses. By default, a kernel DTB is used (from the Idle/System process). If you want to use a
- different process's DTB when accessing data, supply the address to \-\-dtb=ADDRESS.
+ The DTB (Directory Table Base) is what Volatility uses to translate virtual addresses to physical addresses.
+ By default, a kernel DTB is used (from the Idle/System process). If you want to use a different process's DTB
+ when accessing data, supply the address to \-\-dtb=ADDRESS.
- Setting the KDBG address (this is a Windows-only option)
+ Setting the KDBG address (this is a Windows-only option)
- Volatility scans for the '_KDDEBUGGER_DATA64' structure using hard-coded signatures "KDBG" and
- a series of sanity checks. These signatures are not critical for the operating system to function
- properly, thus malware can overwrite them in attempt to throw off tools that do rely on the
- signature. Additionally, in some cases there may be more than one '_KDDEBUGGER_DATA64' (for
- example if you apply a major OS update and don't reboot), which can cause confusion and lead to
- incorrect process and module listings, among other problems. If you know the address
- add '_KDDEBUGGER_DATA64', you can specify it with \-\-kdbg=ADDRESS and this override the automated
- scans. For more information, see the kdbgscan plugin.
+ Volatility scans for the '_KDDEBUGGER_DATA64' structure using hard-coded signatures "KDBG" and a series of sanity
+ checks. These signatures are not critical for the operating system to function properly, thus malware can overwrite
+ them in attempt to throw off tools that do rely on the signature. Additionally, in some cases there may be more
+ than one '_KDDEBUGGER_DATA64' (for example if you apply a major OS update and don't reboot), which can cause confusion
+ and lead to incorrect process and module listings, among other problems. If you know the address
+ add '_KDDEBUGGER_DATA64', you can specify it with \-\-kdbg=ADDRESS and this override the automated scans. For more
+ information, see the kdbgscan plugin.
- Setting the KPCR address (this is a Windows-only option)
+ Setting the KPCR address (this is a Windows-only option)
- There is one KPCR (Kernel Processor Control Region) for each CPU on a system. Some Volatility
- plugins display per-processor information. Thus if you want to display data for a specific CPU, for
- example CPU 3 instead of CPU 1, you can pass the address of that CPU's KPCR with \-\-kpcr=ADDRESS.
- To locate the KPCRs for all CPUs, see the kpcrscan plugin. Also note that starting in Volatility 2.2,
- many of the plugins such as idt and gdt automatically iterate through the list of KPCRs.
+ There is one KPCR (Kernel Processor Control Region) for each CPU on a system. Some Volatility plugins display
+ per-processor information. Thus if you want to display data for a specific CPU, for example CPU 3 instead of
+ CPU 1, you can pass the address of that CPU's KPCR with \-\-kpcr=ADDRESS. To locate the KPCRs for all CPUs, see
+ the kpcrscan plugin. Also note that starting in Volatility 2.2, many of the plugins such as idt and gdt
+ automatically iterate through the list of KPCRs.
- Enabling write support
+ Enabling write support
- Write support in Volatility should be used with caution. Therefore, to actually enable it, you must
- not only type \-\-write on command-line but you must type a 'password' in response to a question that
- you'll be prompted with. In most cases you will not want to use write support since it can lead to
- corruption or modification of data in your memory dump. However, special cases exist that make this
- feature really interesting. For example, you could cleanse a live system of certain malware by
- writing to RAM over firewire, or you could break into a locked workstation by patching bytes in the
- winlogon DLLs.
+ Write support in Volatility should be used with caution. Therefore, to actually enable it, you must not only type
+ \-\-write on command-line but you must type a 'password' in response to a question that you'll be prompted with.
+ In most cases you will not want to use write support since it can lead to corruption or modification of data in
+ your memory dump. However, special cases exist that make this feature really interesting. For example, you could
+ cleanse a live system of certain malware by writing to RAM over firewire, or you could break into a locked workstation
+ by patching bytes in the winlogon DLLs.
- Specifying additional plugin directories
+ Specifying additional plugin directories
- Volatility's plugin architecture can load plugin files from multiple directories at once. In the
- Volatility source code, most plugins are located in volatility/plugins. However, there is another
- directory (volatility/contrib) which is reserved for contributions from third party developers, or
- weakly supported plugins that simply are not enabled by default. To access these plugins you just
- type \-\-plugins=contrib/plugins on command-line. It also enables you to create a separate directory
- of your own plugins that you can manage without having to add/remove/modify files in the core
- Volatility directories.
+ Volatility's plugin architecture can load plugin files from multiple directories at once. In the Volatility source
+ code, most plugins are located in volatility/plugins. However, there is another directory (volatility/contrib)
+ which is reserved for contributions from third party developers, or weakly supported plugins that simply aren't
+ enabled by default. To access these plugins you just type \-\-plugins=contrib/plugins on command-line. It also enables
+ you to create a separate directory of your own plugins that you can manage without having to add/remove/modify files
+ in the core Volatility directories.
Notes:
- * On Debian systems, the contrib/plugins directory is at /usr/share/volatility/contrib/plugins.
+ On Debian systems, the contrib/plugins directory is at /usr/share/volatility/contrib/plugins.
- * Subdirectories will also be traversed as long as there is an __init__.py file (which can be empty)
- within them.
+ Subdirectories will also be traversed as long as there is an __init__.py file (which can be empty) within them.
- * The parameter to \-\-plugins can also be a zip file containing the plugins such
- as \-\-plugins=myplugins.zip. Due to the way plugins are loaded, the external plugins directory
- or zip file must be specified before any plugin-specific arguments (including the name of the
- plugin). Example:
+ The parameter to \-\-plugins can also be a zip file containing the plugins such as \-\-plugins=myplugins.zip.
+ Due to the way plugins are loaded, the external plugins directory or zip file must be specified before any
+ plugin-specific arguments (including the name of the plugin). Example:
$ volatility \-\-plugins=contrib/plugins \-f XPSP3x86.vmem example
- Choosing an output format
+ Choosing an output format
- By default, plugins use text renderers to standard output. If you want to redirect to a file, you
- can of course use the console's redirection (i.e. > out.txt) or you could use \-\-output-file=out.txt.
- The reason you can also choose \-\-output=FORMAT is for allowing plugins to also render output as HTML,
- JSON, SQL, or whatever you choose. However, there are no plugins with those alternate output formats
- pre-configured for use, so you'll need to add a function named render_html, render_json, render_sql,
- respectively to each plugin before using \-\-output=HTML.
+ By default, plugins use text renderers to standard output. If you want to redirect to a file, you can of course
+ use the console's redirection (i.e. > out.txt) or you could use \-\-output-file=out.txt. The reason you can also
+ choose \-\-output=FORMAT is for allowing plugins to also render output as HTML, JSON, SQL, or whatever you choose.
+ However, there are no plugins with those alternate output formats pre-configured for use, so you'll need to add
+ a function named render_html, render_json, render_sql, respectively to each plugin before using \-\-output=HTML.
- Plugin specific options
+ Plugin specific options
- Many plugins accept arguments of their own, which are independent of the global options. To see the
- list of available options, type both the plugin name and \-h/--help on command-line.
+ Many plugins accept arguments of their own, which are independent of the global options. To see the list of
+ available options, type both the plugin name and \-h/--help on command-line.
$ volatility dlllist \-h
- Debug mode
+ Debug mode
- If something isn't happening in Volatility the expected way, try to run the command with \-d/\-\-debug.
- This will enable the printing of debug messages to standard error. To more debug levels, as in using
- pdb debugger), add \-d \-d \-d to command.
+ If something isn't happening in Volatility the expected way, try to run the command with \-d/\-\-debug.
+ This will enable the printing of debug messages to standard error. To more debug levels, as in using
+ pdb debugger), add \-d \-d \-d to command.
- Using Volatility as a library
+ Using Volatility as a library
- Although its possible to use Volatility as a library, (there are plans to support it better in the
- future). Currently, to import Volatility from a python script, the following example code can be used:
+ Although its possible to use Volatility as a library, (there are plans to support it better in the future).
+ Currently, to import Volatility from a python script, the following example code can be used:
$ python
>>> import volatility.conf as conf
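Review bot: several wording errors from the old text are carried into the reflowed paragraphs rather than fixed. Under "Setting the KDBG address", "If you know the address add '_KDDEBUGGER_DATA64'" should read "the address of"; under "Debug mode", "To more debug levels, as in using pdb debugger), add \-d \-d \-d to command." has an unmatched closing parenthesis and should read along the lines of "For more debug levels (for example to use the pdb debugger), add \-d \-d \-d to the command."; under "Using Volatility as a library", "Although its possible to use Volatility as a library, (there are plans ...)." is a fragment ("it's", and the sentence lacks a main clause); and "Universal Time Coordinates (UTC)" should be "Coordinated Universal Time (UTC)". The "Other plugin flags may be utilized ..." and "If you have a path with a space ..." paragraphs now appear verbatim under both ENVIRONMENT VARIABLES and CONFIGURATION FILES; keeping them once and cross-referencing avoids the two copies drifting apart. Finally, the three items under "Notes:" lose their "*" bullets while the ENVIRONMENT VARIABLES list keeps them, so the bullets should be restored for consistency.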
@@ -290,32 +257,31 @@ EXTRA PROCEDURES
... print process
EXAMPLES
- To see all available plugins, profiles, scanner checks and address spaces:
+ To see all available plugins, profiles, scanner checks and address spaces:
$ volatility \-\-info
- To list all active processes found in a MS Windows 8 SP0 image:
+ To list all active processes found in a MS Windows 8 SP0 image:
$ volatility \-f win8.raw \-\-profile=Win8SP0x86 pslist
- To list all active processes found in a MS Windows 8 SP0 image, using a timezone:
+ To list all active processes found in a MS Windows 8 SP0 image, using a timezone:
$ volatility \-f win8.raw \-\-profile=Win8SP0x86 pslist \-\-tz=America/Sao_Paulo
- To show the kernel bnuffer from a Linux 3.2.63 image:
+ To show the kernel bnuffer from a Linux 3.2.63 image:
$ volatility \-f mem.dd \-\-profile=Linux_3_2_63_x64 linux_dmesg
NOTES
- This manpage was based in some tests and several official documents about Volatility.
- For other information and tutorials, see:
+ This manpage was based in some tests and several official documents about Volatility.
+ For other information and tutorials, see:
* http://www.volatilityfoundation.org
+ * https://code.google.com/p/volatility/wiki
* https://github.com/volatilityfoundation/volatility/wiki
AUTHOR
- Volatility was written by Volatility Foundation and several contributors. For contact,
- use the email <info at volatilityfoundation.org>.
+ Volatility was written by Volatility Foundation and several contributors. For contact, use the email <info at volatilityfoundation.org>.
- This manual page was written by Joao Eriberto Mota Filho <eriberto at debian.org> for the
- Debian project (but may be used by others).
+ This manual page was written by Joao Eriberto Mota Filho <eriberto at debian.org> for the Debian project (but may be used by others).
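Review bot: "kernel bnuffer" in the linux_dmesg example is a typo for "kernel buffer" that the rewrite preserves, and "was based in some tests" under NOTES should be "based on". The added https://code.google.com/p/volatility/wiki link duplicates the GitHub wiki listed on the following line (the same pair appears in the address-space section earlier in this file); since the packaging tracks GitHub (see the watch file), a single canonical wiki URL would avoid sending readers to the older host.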
diff --git a/debian/watch b/debian/watch
index 1e8a745..98533e2 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,2 +1,2 @@
-version=3
+version=4
https://github.com/volatilityfoundation/volatility/releases .*/archive/v?(\d\S+)\.tar\.(?:bz2|gz|xz)
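Review bot: bumping to version=4 is a format declaration only; the match line is unchanged, so uscan matches exactly what it did before. If the intent is to use format-4 features, the tail `v?(\d\S+)\.tar\.(?:bz2|gz|xz)` can be expressed with the `@ANY_VERSION@@ARCHIVE_EXT@` substitutions that format 4 provides; otherwise the change is fine as is.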