[Forensics-changes] [volatility] 02/02: Imported Debian patch 2.6-1
Joao Eriberto Mota Filho
eriberto at moszumanska.debian.org
Sun Jan 8 19:57:39 UTC 2017
This is an automated email from the git hooks/post-receive script.
eriberto pushed a commit to branch debian
in repository volatility.
commit 46c80f3518e2697ddbdea8bdfb728f2ddb8a4ba1
Merge: 727f8fa 20b72c2
Author: Joao Eriberto Mota Filho <eriberto at debian.org>
Date: Sun Jan 1 18:52:44 2017 -0200
Imported Debian patch 2.6-1
AUTHORS.txt | 11 +++++
CREDITS.txt | 14 +++++++
debian/changelog | 9 +++++
debian/control | 78 +++++++++++++++++++++---------------
debian/copyright | 5 +--
debian/manpage/create-man.sh | 4 +-
debian/manpage/volatility.1 | 93 ++++++++++++++++++++++++++++---------------
debian/manpage/volatility.txt | 76 ++++++++++++++++++++---------------
8 files changed, 189 insertions(+), 101 deletions(-)
diff --cc debian/changelog
index 772fcfb,0000000..313a379
mode 100644,000000..100644
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,258 -1,0 +1,267 @@@
++volatility (2.6-1) unstable; urgency=medium
++
++ * New upstream release.
++ * debian/control: updated the description.
++ * debian/copyright: updated the copyright packaging years.
++ * debian/manpage/: updated all files to generate an updated 2.6 manpage.
++
++ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sun, 01 Jan 2017 18:52:44 -0200
++
+volatility (2.5+git20161224.736bc3a-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/rules: added a rm command in override_dh_auto_install target to
+ remove the doxygen directory.
+ * debian/source/lintian-overrides: removed. The upstream no longer uses the
+ d3.js file directly.
+ * debian/watch: updated.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sun, 25 Dec 2016 22:35:44 -0200
+
+volatility (2.5+git20161121.ecd8a54-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/watch: updated.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sat, 10 Dec 2016 00:02:28 -0200
+
+volatility (2.5+git20161026.75fb034-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/patches/10_python-macos-interpreter.patch: removed. The upstream
+ fixed the source code. Thanks.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sun, 30 Oct 2016 11:58:56 -0200
+
+volatility (2.5+git20161021.19d1211-1) unstable; urgency=medium
+
+ * New upstream release. This release fixes partially an issue with Kernel
+ Linux 4.7. (see #839754)
+ * Bumped DH level to 10.
+ * Using GitHub project page as official upstream homepage.
+ * debian/control: updated the long description for volatility.
+ * debian/copyright: updated some upstream copyright dates.
+ * debian/manpages:
+ - Changed from genallman.sh to create-man.sh.
+ - Updated manpage as '2.6-pre' version.
+ * debian/patches/10_python-macos-interpreter.patch: added to provides an
+ interpreter for python in MacOs.
+ * debian/rules:
+ - Removed the --parallel option from dh.
+ - Removed the override_dh_auto_build target.
+ * debian/source/lintian-overrides: added to override a lintian mistake.
+ * debian/volatility-tools.README.Debian: updated.
+ * debian/watch: added a dversionmangle to ignore the current Git version.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sat, 22 Oct 2016 13:02:46 -0200
+
+volatility (2.5-2) unstable; urgency=medium
+
+ * debian/control:
+ - Bumped Standards-Version to 3.9.8.
+ - Fixed the name "openSUSE" in long description.
+ - Updated the Vcs-* fields to use https instead of http and git.
+ * debian/copyright: updated the packaging copyright years.
+ * debian/manpage/: updated the manpage. (Closes: #824438)
+ * debian/watch: bumped to version 4.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sun, 07 Aug 2016 18:54:34 -0300
+
+volatility (2.5-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/clean: not needed. Removed.
+ * debian/control: updated the long description.
+ * debian/copyright:
+ - The upstream's README.txt says GPL-2+. So, updated the
+ license in debian/copyright.
+ - Relicensed the packaging to be compliant with upstream.
+ - Updated all information.
+ * debian/gbp.conf: not used by me... Removed.
+ * debian/manpage/:
+ - Updated the manpage.
+ - Updated the genallman.sh to v0.3.
+ * debian/source/options: not needed. Removed.
+ * debian/volatility.docs: added AUTHORS.txt and CREDITS.txt.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sat, 21 Nov 2015 12:01:43 -0200
+
+volatility (2.4.1-2) unstable; urgency=medium
+
+ * Upload to unstable. Welcome Jessie Stable.
+ * debian/control: fixed the extra spaces between lines. Thanks to
+ Davide Prina <davide.prina at gmail.com> (Closes: #768775)
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Wed, 29 Apr 2015 12:57:04 -0300
+
+volatility (2.4.1-1) experimental; urgency=medium
+
+ * New upstream release.
+ * debian/copyright:
+ - Removed the block 'Files: tools/linux/pmem/pmem.c'. The pmem no longer
+ exists in Volatility.
+ - Removed not used 'Apache-2.0' licence text.
+ - Updated the packaging copyright years.
+ * debian/man/:
+ - Little adjustments in manpage.
+ - Renamed to debian/manpage/.
+ * debian/rules: added the override_auto_clean target to remove some files
+ forgotten by upstream.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Mon, 23 Feb 2015 14:02:52 -0300
+
+volatility (2.4-4) unstable; urgency=medium
+
+ * Upload to unstable.
+ * debian/control: removed the Recommends field because volatility-profiles
+ no longer exists in unstable/testing (see #766895).
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Thu, 27 Nov 2014 23:17:36 -0200
+
+volatility (2.4-3) experimental; urgency=medium
+
+ * debian/copyright: added a new upstream site. See below.
+ * debian/watch: The Volatility Project replied me a recent email
+ message and the development site (GitHub) now uses tags.
+ Thanks a lot to Jamie Levy (gleeda).
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Thu, 20 Nov 2014 19:09:46 -0200
+
+volatility (2.4-2) experimental; urgency=medium
+
+ * debian/watch: added a fake site to explain about the current
+ status of the original upstream homepage.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Tue, 18 Nov 2014 08:45:16 -0200
+
+volatility (2.4-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/clean: added to remove some files generated by upstream when
+ building.
+ * debian/control:
+ - Added dh-python as build dependency.
+ - Added python-distorm3 and python-tz as install dependencies
+ to volatility binary.
+ - Fixed the name 'lime-forensics-dkms' in Suggests field.
+ - Following the upstream README, changed X-Python-Version from
+ >= 2.7 to 2.7.
+ - Improved the long description.
+ - Removed the volatility-profiles, a recommended package, from
+ volatility binary. This package is dead and will be removed
+ from Debian.
+ - Updated the Standards-Version from 3.9.5 to 3.9.6.
+ * debian/copyright:
+ - Updated the Source field.
+ - Updated the upstream names and copyright years.
+ * debian/man/:
+ - Changed the generator script from genman.sh to genallman.sh.
+ - Removed (now) useless file 'notes'.
+ - Updated the manpage.
+ * debian/volatility-tools.README.Debian: improved.
+ * debian/watch: deactivated because the new upstream site is using
+ resources that can't be monitored.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sat, 25 Oct 2014 17:15:53 -0300
+
+volatility (2.3.1-10) unstable; urgency=medium
+
+ * New maintainer email address.
+ * debian/control: updated the Vcs-Browser field.
+ * debian/man/:
+ - Added genman.sh to automate the manpage creation.
+ - Renamed volatility.1.header to header.txt.
+ * debian/volatility-tools.dirs: removed because the
+ volatility-tools.install file already creates the
+ directory.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Fri, 08 Aug 2014 13:45:27 -0300
+
+volatility (2.3.1-9) unstable; urgency=medium
+
+ * debian/volatility-tools.README.Debian: updated the information about
+ the new profile folder.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Mon, 31 Mar 2014 20:30:41 -0300
+
+volatility (2.3.1-8) unstable; urgency=medium
+
+ * debian/control: fixed the Vcs-Git field. Thanks to
+ Mario Lang <mlang at debian.org> for report.
+ * debian/watch: improved.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Fri, 21 Feb 2014 08:29:47 -0300
+
+volatility (2.3.1-7) unstable; urgency=medium
+
+ * debian/control: moved python from Depends to Suggests field in
+ volatility-tools binary, to avoid unnecessary installs when
+ making a Linux profile only. It is a special case.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Fri, 31 Jan 2014 07:40:07 -0200
+
+volatility (2.3.1-6) unstable; urgency=medium
+
+ * debian/control: removed minimum python version from volatility-tools,
+ to allow the profile creation on old versions of the distributions.
+ * debian/volatility.lintian-overrides: useless; removed.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Thu, 30 Jan 2014 22:34:47 -0200
+
+volatility (2.3.1-5) unstable; urgency=medium
+
+ * debian/control:
+ - Added python as dependency in volatility-tools binary.
+ - Changed the minimum python version from 2.6 to 2.7 in
+ X-Python-Version field.
+ * debian/*.install: added to create the volatility and volatility-tools
+ packages.
+ * debian/rules:
+ - Changed in python setup line from --root=debian/volatility to
+ --root=debian/tmp.
+ - Removed the lines used to create the volatility-tool package.
+ This is made by debian/*.install files now.
+ - Removed the DESTDIR* lines.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Thu, 30 Jan 2014 14:12:34 -0200
+
+volatility (2.3.1-4) unstable; urgency=high
+
+ * debian/control: changed yara to python-yara as volatility dependency.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Sun, 26 Jan 2014 16:42:27 -0200
+
+volatility (2.3.1-3) unstable; urgency=medium
+
+ * Updated to unstable.
+ * debian/control: updated the long description.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Fri, 17 Jan 2014 08:11:48 -0200
+
+volatility (2.3.1-2) experimental; urgency=medium
+
+ * New binary:
+ - Created volatility-tools to provide, separately, the code used to
+ generate profiles to Volatility.
+ - Added the volatility-tools.dirs file to provides
+ /usr/src/volatility-tools.
+ - Added a README.Debian to talk about the profiles creation process.
+ - Renamed debian/docs to debian/volatility.docs; debian/links to
+ volatility.links; manpages to volatility.manpages.
+ - Updated the debian/rules file.
+ * debian/control:
+ - Added volatility-tools and yara as volatility dependency.
+ - Added volatility-profiles as volatility recommendation.
+ - Bumped Standards-Version from 3.9.4 to 3.9.5.
+ * debian/copyright:
+ - Added Michael Prokop to maintainers.
+ - Updated the packaging years.
+ * debian/watch: improved.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Tue, 07 Jan 2014 15:36:52 -0200
+
+volatility (2.3.1-1) unstable; urgency=low
+
+ * Initial release (Closes: #728251)
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Sat, 02 Nov 2013 01:10:33 -0200
diff --cc debian/control
index 16cee8a,0000000..1963a89
mode 100644,000000..100644
--- a/debian/control
+++ b/debian/control
@@@ -1,103 -1,0 +1,115 @@@
+Source: volatility
+Section: utils
+Priority: optional
+Maintainer: Debian Forensics <forensics-devel at lists.alioth.debian.org>
+Uploaders: Joao Eriberto Mota Filho <eriberto at debian.org>,
+ Michael Prokop <mika at debian.org>
- Build-Depends: debhelper (>= 10), python, dh-python
++Build-Depends: debhelper (>= 10), dh-python, python
+X-Python-Version: 2.7
+Standards-Version: 3.9.8
+Homepage: https://github.com/volatilityfoundation/volatility
+Vcs-Git: https://anonscm.debian.org/git/forensics/volatility.git
+Vcs-Browser: https://anonscm.debian.org/git/forensics/volatility.git
+
+Package: volatility
+Architecture: all
- Suggests: lime-forensics-dkms, libraw1394-11
- Depends: ${misc:Depends},
- ${python:Depends},
- python-crypto,
++Suggests: libraw1394-11, lime-forensics-dkms
++Depends: python-crypto,
+ python-distorm3,
+ python-imaging,
+ python-openpyxl,
+ python-tz,
+ python-yara,
- volatility-tools (>= 2.4.1-1)
++ volatility-tools (>= 2.4.1-1),
++ ${misc:Depends},
++ ${python:Depends}
+Description: advanced memory forensics framework
+ The Volatility Framework is a completely open collection of tools for
+ the extraction of digital artifacts from volatile memory (RAM) samples.
+ It is useful in forensics analysis. The extraction techniques are
+ performed completely independent of the system being investigated but
+ offer unprecedented visibility into the runtime state of the system.
+ .
+ Volatility supports memory dumps from all major 32- and 64-bit Windows
+ versions and service packs. Whether your memory dump is in raw format,
+ a Microsoft crash dump, hibernation file, or virtual machine snapshot,
+ Volatility is able to work with it.
+ .
+ Linux memory dumps in raw or LiME format are supported too. There are
+ several plugins for analyzing memory dumps from 32- and 64-bit Linux
+ kernels and relevant distributions such as Debian, Ubuntu, openSUSE,
+ RedHat, Fedora, CentOS, Mandriva, etc.
+ .
+ Volatility also support several versions of Mac OSX memory dumps, both
+ 32- and 64-bit. Android phones with ARM processors are also supported.
+ .
+ These are some of the data that can be extracted from a memory image:
+ - Image information (date, time, CPU count);
+ - Running processes;
+ - Open network sockets and connections;
+ - OS kernel modules loaded;
+ - Memory maps for each process;
+ - Executables samples;
+ - Command history;
+ - Suspicious process mappings (i.e. injected code);
+ - Passwords, as LM/NTLM hashes and LSA secrets;
+ - Cached Truecrypt passphrases;
+ - Others.
+ .
- Current version (2.5) supports investigations of the memory images from
- these operational systems:
- - 32- and 64-bit Windows Server 2012
- - 64-bit Windows 2012 R2
- - 32- and 64-bit Windows 10
- - 32- and 64-bit Windows 8, 8.1, and 8.1 Update 1
- - 32- and 64-bit Windows 7 (all service packs)
- - 32- and 64-bit Windows Server 2008 (all service packs)
- - 64-bit Windows Server 2008 R2 (all service packs)
- - 32- and 64-bit Windows Vista (all service packs)
- - 32- and 64-bit Windows Server 2003 (all service packs)
- - 32- and 64-bit Windows XP (SP2 and SP3)
- - 32- and 64-bit Linux kernels from 2.6.11 to 4.2.3
- - 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which
- isn't supported)
- - 32- and 64-bit 10.6.x Snow Leopard
- - 32- and 64-bit 10.7.x Lion
++ Current version (2.6) supports investigations of the memory images from
++ the following operational systems:
++ - 32-bit Windows XP Service Pack 2 and 3
++ - 32-bit Windows 2003 Server Service Pack 0, 1, 2
++ - 32-bit Windows Vista Service Pack 0, 1, 2
++ - 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
++ - 32-bit Windows 7 Service Pack 0, 1
++ - 32-bit Windows 8, 8.1, and 8.1 Update 1
++ - 32-bit Windows 10 (initial support)
++ - 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
++ - 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
++ - 64-bit Windows Vista Service Pack 0, 1, 2
++ - 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
++ - 64-bit Windows 2008 R2 Server Service Pack 0 and 1
++ - 64-bit Windows 7 Service Pack 0 and 1
++ - 64-bit Windows 8, 8.1, and 8.1 Update 1
++ - 64-bit Windows Server 2012 and 2012 R2
++ - 64-bit Windows 10 (including at least 10.0.14393)
++ - 64-bit Windows Server 2016 (including at least 10.0.14393.0)
++ - 32-bit Linux kernels 2.6.11 to 4.2.3
++ - 64-bit Linux kernels 2.6.11 to 4.2.3
++ - 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't
++ supported)
++ - 32-bit 10.6.x Snow Leopard
++ - 64-bit 10.6.x Snow Leopard
++ - 32-bit 10.7.x Lion
++ - 64-bit 10.7.x Lion
+ - 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
+ - 64-bit 10.9.x Mavericks (there is no 32-bit version)
+ - 64-bit 10.10.x Yosemite (there is no 32-bit version)
+ - 64-bit 10.11.x El Capitan (there is no 32-bit version)
++ - 64-bit 10.12.x Sierra (there is no 32-bit version)
+ .
+ Volatility supports a variety of sample file formats:
- - Raw/Padded Physical Memory;
- - Firewire (IEEE 1394);
- - Expert Witness (EWF);
- - 32- and 64-bit Windows Crash Dump;
- - 32- and 64-bit Windows Hibernation;
- - 32- and 64-bit MachO files;
- - Virtualbox Core Dumps;
- - VMware Saved State (.vmss) and Snapshot (.vmsn);
- - HPAK Format (FastDump);
- - QEMU memory dumps.
++ - Raw linear sample (dd)
++ - Hibernation file (from Windows 7 and earlier)
++ - Crash dump file
++ - VirtualBox ELF64 core dump
++ - VMware saved state and snapshot files
++ - EWF format (E01)
++ - LiME format
++ - Mach-O file format
++ - QEMU virtual machine dumps
++ - Firewire
++ - HPAK (FDPro)
+
+Package: volatility-tools
+Architecture: all
+Depends: ${misc:Depends}, dwarfdump
+Suggests: gcc, linux-headers, make, python, zip
+Description: generate profiles to Volatility Framework
+ The Volatility Framework is a completely open collection of tools for the
+ extraction of digital artifacts from volatile memory (RAM) samples. It is
+ useful in forensics analysis.
+ .
+ This package provides the code used to generate Linux and MAC profiles to
+ Volatility.
diff --cc debian/copyright
index 50f8216,0000000..03b0ab7
mode 100644,000000..100644
--- a/debian/copyright
+++ b/debian/copyright
@@@ -1,106 -1,0 +1,105 @@@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: volatility
+Upstream-Contact: Volatility Foundation <info at volatilityfoundation.org>
+Source: https://github.com/volatilityfoundation/volatility
+
+Files: *
- Copyright:
- ? Joe Sylve - joe.sylve at gmail.com
++Copyright: ? Joe Sylve - joe.sylve at gmail.com
+ ? Matthieu (Matt) Suiche
+ ? Philippe Teuwen <phil at teuwen.org>
+ ? Santiago Vicente
+ 2004 Commonwealth of Australia <{scudette,daveco}@users.sf.net>
+ 2004-2007 4tphi Research <{npetroni,awalters}@4tphi.net>
+ 2004-2007 Nick L. Petroni <npetroni at 4tphi.net>
+ 2004-2013 AAron Walters <awalters at 4tphi.net>
+ 2007-2014 Brendan Dolan-Gavitt <bdolangavitt at wesleyan.edu>
+ 2007-2014 Michael Cohen <scudette at gmail.com>
+ 2007-2014 Mike Auty <mike.auty at gmail.com>
+ 2007-2014 Timothy D. Morgan
+ 2007-2016 Andrew Case <atcuno at gmail.com>
+ 2007-2016 Volatility Foundation <info at volatilityfoundation.org>
+ 2009 Andreas Schuster <a.schuster at forensikblog.de>
+ 2010 Bradley Schatz <bradley at schatzforensic.com.au>
+ 2010-2012 Michael Hale Ligh <michael.ligh at mnin.org, michael.hale at gmail.com>
+ 2011-2013 Jamie Levy (Gleeda) <jamie.levy at gmail.com>
+ 2012 Nir Izraeli <nirizr at gmail.com>
+ 2012-2013 Cem Gurkok <cemgurkok at gmail.com>
+ 2014 CrowdStrike, Inc
+License: GPL-2+
+
+Files: volatility/plugins/addrspaces/crashbmp.py
+ volatility/plugins/drivermodule.py
+ volatility/plugins/dumpfiles.py
+ volatility/plugins/linux/bash_hash.py
+ volatility/plugins/linux/check_fops.py
+ volatility/plugins/linux/check_inline_kernel.py
+ volatility/plugins/linux/check_modules.py
+ volatility/plugins/linux/check_syscall.py
+ volatility/plugins/linux/find_file.py
+ volatility/plugins/linux/hidden_modules.py
+ volatility/plugins/linux/iomem.py
+ volatility/plugins/linux/kernel_opened_files.py
+ volatility/plugins/linux/keyboard_notifiers.py
+ volatility/plugins/linux/ld_env.py
+ volatility/plugins/linux/ldrmodules.py
+ volatility/plugins/linux/libc_env.py
+ volatility/plugins/linux/librarydump.py
+ volatility/plugins/linux/lime.py
+ volatility/plugins/linux/list_raw.py
+ volatility/plugins/linux/lsmod.py
+ volatility/plugins/linux/malfind.py
+ volatility/plugins/linux/netfilter.py
+ volatility/plugins/linux/procdump.py
+ volatility/plugins/linux/process_hollow.py
+ volatility/plugins/linux/proc_maps_rb.py
+ volatility/plugins/linux/psenv.py
+ volatility/plugins/linux/psxview.py
+ volatility/plugins/linux/recover_filesystem.py
+ volatility/plugins/linux/route_cache.py
+ volatility/plugins/mac/bash_env.py
+ volatility/plugins/mac/bash_hash.py
+ volatility/plugins/mac/compressed_swap.py
+ volatility/plugins/mac/dump_map.py
+ volatility/plugins/mac/ldrmodules.py
+ volatility/plugins/mac/list_raw.py
+ volatility/plugins/mac/malfind.py
+ volatility/plugins/mac/recover_filesystem.py
+ volatility/plugins/mac/threads.py
+ volatility/plugins/overlays/linux/linux.py
+ volatility/plugins/overlays/windows/crash_vtypes.py
+ volatility/plugins/overlays/windows/hibernate_vtypes.py
+ volatility/plugins/overlays/windows/pe_vtypes.py
+ volatility/plugins/overlays/windows/ssdt_vtypes.py
+ volatility/plugins/overlays/windows/vad_vtypes.py
+ volatility/plugins/overlays/windows/win10.py
+ volatility/plugins/overlays/windows/win8_kdbg.py
+ volatility/plugins/overlays/windows/win8.py
+ volatility/plugins/tcaudit.py
+ volatility/poolscan.py
+Copyright: 2007-2015 Volatility Foundation <info at volatilityfoundation.org>
+ 2010 Brendan Dolan-Gavitt <bdolangavitt at wesleyan.edu>
+ 2010-2014 Michael Ligh <michael.ligh at mnin.org>
+ 2011 Michael Cohen <scudette at gmail.com>
+License: GPL-2
+
+Files: debian/*
+Copyright: 2013 Michael Prokop <mika at debian.org>
- 2013-2016 Joao Eriberto Mota Filho <eriberto at debian.org>
++ 2013-2017 Joao Eriberto Mota Filho <eriberto at debian.org>
+License: GPL-2+
+
+License: GPL-2 or GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
diff --cc debian/manpage/create-man.sh
index d5a078c,0000000..7da13ea
mode 100755,000000..100755
--- a/debian/manpage/create-man.sh
+++ b/debian/manpage/create-man.sh
@@@ -1,13 -1,0 +1,13 @@@
+#!/bin/bash
+
+# by Eriberto
+# Create the manpage using txt2man command.
+
- T2M_DATE="23 Oct 2016"
++T2M_DATE="01 Jan 2017"
+T2M_NAME=volatility
- T2M_VERSION=2.6-pre
++T2M_VERSION=2.6
+T2M_LEVEL=1
+T2M_DESC="advanced memory forensics framework"
+
+# Don't change the following line
+txt2man -d "$T2M_DATE" -t $T2M_NAME -r $T2M_NAME-$T2M_VERSION -s $T2M_LEVEL -v "$T2M_DESC" $T2M_NAME.txt > $T2M_NAME.$T2M_LEVEL
diff --cc debian/manpage/volatility.1
index f047dbf,0000000..6cf6fdd
mode 100644,000000..100644
--- a/debian/manpage/volatility.1
+++ b/debian/manpage/volatility.1
@@@ -1,491 -1,0 +1,520 @@@
+.\" Text automatically generated by txt2man
- .TH volatility 1 "23 Oct 2016" "volatility-2.6-pre" "advanced memory forensics framework"
++.TH volatility 1 "01 Jan 2017" "volatility-2.6" "advanced memory forensics framework"
+.SH NAME
+\fBvolatility \fP- advanced memory forensics framework
+\fB
+.SH SYNOPSIS
+.nf
+.fam C
+\fBvolatility\fP [\fIoption\fP]
+\fBvolatility\fP \fB-f\fP [\fIimage\fP] \fB--profile\fP=[profile] [\fIplugin\fP]
+
+.fam T
+.fi
+.fam T
+.fi
+.SH DESCRIPTION
+The Volatility Framework is a completely open collection of tools for the
+extraction of digital artifacts from volatile memory (RAM) samples. It is
+useful in forensics analysis. The extraction techniques are performed
+completely independent of the system being investigated but offer
+unprecedented visibility into the runtime state of the system.
+.PP
- Currently, Volatility (version 2.6-pre) supports several versions of the
++Currently, Volatility (version 2.6) supports several versions of the
+MS Windows, Linux and MAC OSX:
+.RS
+.IP \(bu 3
- 32- and 64-bit Windows 10
++32-bit Windows XP Service Pack 2 and 3
+.IP \(bu 3
- 64-bit Windows Server 2012 and 2012 R2
++32-bit Windows 2003 Server Service Pack 0, 1, 2
++.IP \(bu 3
++32-bit Windows Vista Service Pack 0, 1, 2
++.IP \(bu 3
++32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
++.IP \(bu 3
++32-bit Windows 7 Service Pack 0, 1
++.IP \(bu 3
++32-bit Windows 8, 8.1, and 8.1 Update 1
+.IP \(bu 3
- 32- and 64-bit Windows 8 and 8.1
++32-bit Windows 10 (initial support)
+.IP \(bu 3
- 32- and 64-bit Windows 7 (all service packs)
++64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
+.IP \(bu 3
- 32- and 64-bit Windows Server 2008 (all service packs)
++64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
+.IP \(bu 3
- 64-bit Windows Server 2008 R2 (all service packs)
++64-bit Windows Vista Service Pack 0, 1, 2
+.IP \(bu 3
- 32- and 64-bit Windows Server 2008 (all service packs)
++64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
+.IP \(bu 3
- 32- and 64-bit Windows Vista (all service packs)
++64-bit Windows 2008 R2 Server Service Pack 0 and 1
++.IP \(bu 3
++64-bit Windows 7 Service Pack 0 and 1
++.IP \(bu 3
++64-bit Windows 8, 8.1, and 8.1 Update 1
++.IP \(bu 3
++64-bit Windows Server 2012 and 2012 R2
+.IP \(bu 3
- 32- and 64-bit Windows Server 2003 (all service packs)
++64-bit Windows 10 (including at least 10.0.14393)
+.IP \(bu 3
- 32- and 64-bit Windows XP (SP2 and SP3)
++64-bit Windows Server 2016 (including at least 10.0.14393.0)
+.IP \(bu 3
- 32- and 64-bit Linux kernels from 2.6.11 to 3.16
++32-bit Linux kernels 2.6.11 to 4.2.3
++.IP \(bu 3
++64-bit Linux kernels 2.6.11 to 4.2.3
+.IP \(bu 3
+32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
+.IP \(bu 3
- 32- and 64-bit 10.6.x Snow Leopard
++32-bit 10.6.x Snow Leopard
++.IP \(bu 3
++64-bit 10.6.x Snow Leopard
+.IP \(bu 3
- 32- and 64-bit 10.7.x Lion
++32-bit 10.7.x Lion
++.IP \(bu 3
++64-bit 10.7.x Lion
+.IP \(bu 3
+64-bit 10.8.x Mountain Lion (there is no 32-bit version)
+.IP \(bu 3
+64-bit 10.9.x Mavericks (there is no 32-bit version)
++.IP \(bu 3
++64-bit 10.10.x Yosemite (there is no 32-bit version)
++.IP \(bu 3
++64-bit 10.11.x El Capitan (there is no 32-bit version)
++.IP \(bu 3
++64-bit 10.12.x Sierra (there is no 32-bit version)
+.RE
+.PP
+The memory formats supported are:
+.RS
+.IP \(bu 3
- Raw/Padded Physical Memory
++Raw linear sample (dd)
+.IP \(bu 3
- Firewire (IEEE 1394)
++Hibernation file (from Windows 7 and earlier)
+.IP \(bu 3
- Expert Witness (EWF)
++Crash dump file
+.IP \(bu 3
- 32- and 64-bit Windows Crash Dump
++VirtualBox ELF64 core dump
+.IP \(bu 3
- 32- and 64-bit Windows Hibernation
++VMware saved state and snapshot files
+.IP \(bu 3
- 32- and 64-bit MachO files
++EWF format (E01)
+.IP \(bu 3
- Virtualbox Core Dumps
++LiME format
+.IP \(bu 3
- VMware Saved State (.vmss) and Snapshot (.vmsn)
++Mach-O file format
+.IP \(bu 3
- HPAK Format (FastDump)
++QEMU virtual machine dumps
+.IP \(bu 3
- QEMU memory dumps
++Firewire
++.IP \(bu 3
++HPAK (FDPro)
+.RE
+.PP
+The supported address spaces (RAM types) are:
+.RS
+.IP \(bu 3
+AMD64PagedMemory - Standard AMD 64-bit address space.
+.IP \(bu 3
- ArmAddressSpace - No docs.
++ArmAddressSpace - Address space for ARM processors.
+.IP \(bu 3
+FileAddressSpace - This is a direct file AS.
+.IP \(bu 3
+HPAKAddressSpace - This AS supports the HPAK format.
+.IP \(bu 3
+IA32PagedMemory - Standard IA-32 paging address space.
+.IP \(bu 3
+IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible.
+.IP \(bu 3
+LimeAddressSpace - Address space for Lime.
+.IP \(bu 3
++LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space.
++.IP \(bu 3
+MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader.
+.IP \(bu 3
+OSXPmemELF - This AS supports VirtualBox ELF64 coredump format.
+.IP \(bu 3
+QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format.
+.IP \(bu 3
+VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files.
+.IP \(bu 3
+VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata.
+.IP \(bu 3
+VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format.
+.IP \(bu 3
+Win10AMD64PagedMemory - Windows 10-specific AMD 64-bit address space.
+.IP \(bu 3
+WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space.
+.IP \(bu 3
- WindowsCrashDumpSpace32 - This AS supports Windows Crash Dump format.
++WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format.
+.IP \(bu 3
- WindowsCrashDumpSpace64 - This AS supports Windows Crash Dump format.
++WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format.
+.IP \(bu 3
+WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format.
+.IP \(bu 3
- WindowsHiberFileSpace32 - This is a hibernate address space for Windows hibernation files.
++WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
+.RE
+.PP
- There are RAM images for tests at https://code.google.com/p/\fBvolatility\fP/wiki/SampleMemoryImages
- or at https://github.com/volatilityfoundation/\fBvolatility\fP/wiki/Memory-Samples.
++There are RAM images for tests at https://github.com/volatilityfoundation/\fBvolatility\fP/wiki/Memory-Samples.
+.SH OPTIONS
+.TP
+.B
+\fB-h\fP, \fB--help\fP
+List all available options and their default values.
+Default values may be set in the configuration file (/etc/volatilityrc).
+.TP
+.B
+\fB--conf-file\fP=/root/.volatilityrc
+User based configuration file.
+.TP
+.B
+\fB-d\fP, \fB--debug\fP
+Debug Volatility.
+.TP
+.B
+\fB--plugins\fP=PLUGINS
+Additional \fIplugin\fP directories to use (colon separated).
+.TP
+.B
+\fB--info\fP
+Print information about all registered objects.
+.TP
+.B
+\fB--cache-directory\fP=/root/.cache/\fBvolatility\fP
+Directory where cache files are stored.
+.TP
+.B
+\fB--cache\fP
+Use caching.
+.TP
+.B
+\fB--tz\fP=TZ
+Sets the timezone for displaying timestamps.
+.TP
+.B
+\fB-f\fP FILENAME, \fB--filename\fP=FILENAME
+Filename to use when opening an \fIimage\fP.
+.TP
+.B
+\fB--profile\fP=WinXPSP2x86
+Name of the profile to load.
+.TP
+.B
+\fB-l\fP LOCATION, \fB--location\fP=LOCATION
+An URN location from which to load an address space.
+.TP
+.B
+\fB-w\fP, \fB--write\fP
+Enable write support.
+.TP
+.B
+\fB--dtb\fP=DTB
+DTB Address.
+.TP
+.B
+\fB--shift\fP=SHIFT
+Mac KASLR shift address.
+.TP
+.B
+\fB--output\fP=text
+Output in this format (format support is module specific).
+.TP
+.B
+\fB--output-file\fP=OUTPUT_FILE
+Write output in this file.
+.TP
+.B
+\fB-v\fP, \fB--verbose\fP
+Verbose information.
+.TP
+.B
+\fB-g\fP KDBG, \fB--kdbg\fP=KDBG
+Specify a specific KDBG virtual address.
+.TP
+.B
+\fB-k\fP KPCR, \fB--kpcr\fP=KPCR
+Specify a specific KPCR address.
+.TP
+.B
+\fB--force\fP
+Force utilization of suspect profile.
+.TP
+.B
+\fB--cookie\fP=COOKIE
+Specify the address of nt!ObHeaderCookie (valid for
+Windows 10 only).
+.SH PLUGINS AND PROFILES
+The supported \fIplugin\fP commands and profiles can be viewed if using the command '$ \fBvolatility\fP \fB--info\fP'.
+Note that Linux and MAC OSX allowed plugins will have the 'linux_' and 'mac_' prefixes. Plugins without
+these prefixes were designed for MS Windows.
+.PP
+Profiles are maps used by Volatility to understand the operational systems. The allowed MS Windows
+profiles are provided by the Volatility.
+.PP
+You must create your own profiles for Linux and MAC OSX. For this, on Debian systems,
+read the README.Debian file provided by \fBvolatility\fP-tools package.
+.PP
+On MS Windows, to determine the OS type, you can use:
+.PP
+.nf
+.fam C
+ $ volatility \-f <image> imageinfo
+
+ or
+
+ $ volatility \-f <image> kdbgscan
+
+.fam T
+.fi
+.SH ENVIRONMENT VARIABLES
+On a GNU/Linux or OS X system, these variables can be set:
+.RS
+.IP \(bu 3
+VOLATILITY_PROFILE - Specifies a profile to be used as default, making unnecessary a '\fB--profile\fP' \fIoption\fP.
+.IP \(bu 3
+VOLATILITY_LOCATION - Specifies the path of an \fIimage\fP. So, the Volatility command will not need a file name via '\fB-f\fP' \fIoption\fP.
+.IP \(bu 3
+VOLATILITY_KDBG - Specifies a KDBG address. See EXTRA PROCEDURES to more details.
+.RE
+.PP
+Other \fIplugin\fP flags may be utilized in this way, for example KPCR, DTB or PLUGINS. When exporting
+variables, simply prefix VOLATILITY_ before the flag name (e.g. VOLATILITY_KPCR). Otherwise, the
+flag name remains the same when adding it to the configuration file.
+.PP
+If you have a path with a space or more in the name, spaces should be replaced with %20 instead
+(e.g. LOCATION=file:///tmp/my%20image.img).
+.PP
+Example:
+.PP
+.nf
+.fam C
+ $ export VOLATILITY_PROFILE=Win7SP0x86
+ $ export VOLATILITY_LOCATION=file:///tmp/myimage.img
+ $ export VOLATILITY_KDBG=0x82944c28
+
+.fam T
+.fi
+.SH CONFIGURATION FILES
+Configuration files are typically 'volatilityrc' in the current directory or '~/.volatilityrc' in
+user's home directory, or at user specified path, using the \fB--conf-file\fP \fIoption\fP. An example of the
+file contents is shown below:
+.PP
+.nf
+.fam C
+ [DEFAULT]
+ PROFILE=Win7SP0x86
+ LOCATION=file:///tmp/myimage.img
+ KDBG=0x82944c28
+
+.fam T
+.fi
+Other \fIplugin\fP flags may be utilized in this way, for example KPCR, DTB or PLUGINS. When exporting
+variables, simply prefix VOLATILITY_ before the flag name (e.g. VOLATILITY_KPCR). Otherwise, the
+flag name remains the same when adding it to the configuration file.
+.PP
+If you have a path with a space or more in the name, spaces should be replaced with %20 instead
+(e.g. LOCATION=file:///tmp/my%20image.img).
+.SH EXTRA PROCEDURES
+Setting a timezone
+.PP
+.nf
+.fam C
+ Timestamps extracted from memory can either be in system-local time, or in Universal Time
+ Coordinates (UTC). If they're in UTC, Volatility can be instructed to display them in a time zone
+ of the analyst's choosing. To choose a timezone, use one of the standard timezone names
+ (such as America/Sao_Paulo, Europe/London, US/Eastern or most Olson timezones) with the \-\-tz=TIMEZONE flag.
+
+ Volatility attempts to use pytz if installed, otherwise it uses tzset.
+
+ Please note that specifying a timezone will not affect how system-local times are displayed. If you identify
+ a time that you know is UTC-based, please file it as an issue in the issue tracker. By default the _EPROCESS
+ CreateTime and ExitTime timestamps are in UTC.
+
+.fam T
+.fi
+Setting the DTB
+.PP
+.nf
+.fam C
+ The DTB (Directory Table Base) is what Volatility uses to translate virtual addresses to physical addresses.
+ By default, a kernel DTB is used (from the Idle/System process). If you want to use a different process's DTB
+ when accessing data, supply the address to \-\-dtb=ADDRESS.
+
+.fam T
+.fi
+Setting the KDBG address (this is a Windows-only \fIoption\fP)
+.PP
+.nf
+.fam C
+ Volatility scans for the '_KDDEBUGGER_DATA64' structure using hard-coded signatures "KDBG" and a series of sanity
+ checks. These signatures are not critical for the operating system to function properly, thus malware can overwrite
+ them in attempt to throw off tools that do rely on the signature. Additionally, in some cases there may be more
+ than one '_KDDEBUGGER_DATA64' (for example if you apply a major OS update and don't reboot), which can cause confusion
+ and lead to incorrect process and module listings, among other problems. If you know the address
+ add '_KDDEBUGGER_DATA64', you can specify it with \-\-kdbg=ADDRESS and this override the automated scans. For more
+ information, see the kdbgscan plugin.
+
+.fam T
+.fi
+Setting the KPCR address (this is a Windows-only \fIoption\fP)
+.PP
+.nf
+.fam C
+ There is one KPCR (Kernel Processor Control Region) for each CPU on a system. Some Volatility plugins display
+ per-processor information. Thus if you want to display data for a specific CPU, for example CPU 3 instead of
+ CPU 1, you can pass the address of that CPU's KPCR with \-\-kpcr=ADDRESS. To locate the KPCRs for all CPUs, see
+ the kpcrscan plugin. Also note that starting in Volatility 2.2, many of the plugins such as idt and gdt
+ automatically iterate through the list of KPCRs.
+
+.fam T
+.fi
+Enabling write support
+.PP
+.nf
+.fam C
+ Write support in Volatility should be used with caution. Therefore, to actually enable it, you must not only type
+ \-\-write on command-line but you must type a 'password' in response to a question that you'll be prompted with.
+ In most cases you will not want to use write support since it can lead to corruption or modification of data in
+ your memory dump. However, special cases exist that make this feature really interesting. For example, you could
+ cleanse a live system of certain malware by writing to RAM over firewire, or you could break into a locked workstation
+ by patching bytes in the winlogon DLLs.
+
+.fam T
+.fi
+Specifying additional \fIplugin\fP directories
+.PP
+.nf
+.fam C
+ Volatility's plugin architecture can load plugin files from multiple directories at once. In the Volatility source
+ code, most plugins are located in volatility/plugins. However, there is another directory (volatility/contrib)
+ which is reserved for contributions from third party developers, or weakly supported plugins that simply aren't
+ enabled by default. To access these plugins you just type \-\-plugins=contrib/plugins on command-line. It also enables
+ you to create a separate directory of your own plugins that you can manage without having to add/remove/modify files
+ in the core Volatility directories.
+
+.fam T
+.fi
+Notes:
+.PP
+.nf
+.fam C
+ On Debian systems, the contrib/plugins directory is at /usr/share/volatility/contrib/plugins.
+
+ Subdirectories will also be traversed as long as there is an __init__.py file (which can be empty) within them.
+
+ The parameter to \-\-plugins can also be a zip file containing the plugins such as \-\-plugins=myplugins.zip.
+ Due to the way plugins are loaded, the external plugins directory or zip file must be specified before any
+ plugin-specific arguments (including the name of the plugin). Example:
+
+.nf
+.fam C
+ $ volatility \-\-plugins=contrib/plugins \-f XPSP3x86.vmem example
+
+.fam T
+.fi
+Choosing an output format
+.PP
+.nf
+.fam C
+ By default, plugins use text renderers to standard output. If you want to redirect to a file, you can of course
+ use the console's redirection (i.e. > out.txt) or you could use \-\-output-file=out.txt. The reason you can also
+ choose \-\-output=FORMAT is for allowing plugins to also render output as HTML, JSON, SQL, or whatever you choose.
+ However, there are no plugins with those alternate output formats pre-configured for use, so you'll need to add
+ a function named render_html, render_json, render_sql, respectively to each plugin before using \-\-output=HTML.
+
+.fam T
+.fi
+Plugin specific options
+.PP
+.nf
+.fam C
+ Many plugins accept arguments of their own, which are independent of the global options. To see the list of
+ available options, type both the plugin name and \-h/--help on command-line.
+
+.nf
+.fam C
+ $ volatility dlllist \-h
+
+.fam T
+.fi
+Debug mode
+.PP
+.nf
+.fam C
+ If something isn't happening in Volatility the expected way, try to run the command with \-d/\-\-debug.
+ This will enable the printing of debug messages to standard error. To more debug levels, as in using
+ pdb debugger), add \-d \-d \-d to command.
+
+.fam T
+.fi
+Using Volatility as a library
+.PP
+.nf
+.fam C
+ Although its possible to use Volatility as a library, (there are plans to support it better in the future).
+ Currently, to import Volatility from a python script, the following example code can be used:
+
+.nf
+.fam C
+ $ python
+ >>> import volatility.conf as conf
+ >>> import volatility.registry as registry
+ >>> registry.PluginImporter()
+ <volatility.registry.PluginImporter object at 0x7f9608f3ac10>
+ >>> config = conf.ConfObject()
+ >>> import volatility.commands as commands
+ >>> import volatility.addrspace as addrspace
+ >>> registry.register_global_options(config, commands.Command)
+ >>> registry.register_global_options(config, addrspace.BaseAddressSpace)
+ >>> config.parse_options()
+ >>> config.PROFILE="WinXPSP2x86"
+ >>> config.LOCATION = "file:///media/memory/private/image.dmp"
+ >>> import volatility.plugins.taskmods as taskmods
+ >>> p = taskmods.PSList(config)
+ >>> for process in p.calculate():
+ \.\.\. print process
+
+.fam T
+.fi
+.SH EXAMPLES
+To see all available plugins, profiles, scanner checks and address spaces:
+.PP
+.nf
+.fam C
+ $ volatility \-\-info
+
+.fam T
+.fi
+To list all active processes found in a MS Windows 8 SP0 \fIimage\fP:
+.PP
+.nf
+.fam C
+ $ volatility \-f win8.raw \-\-profile=Win8SP0x86 pslist
+
+.fam T
+.fi
+To list all active processes found in a MS Windows 8 SP0 \fIimage\fP, using a timezone:
+.PP
+.nf
+.fam C
+ $ volatility \-f win8.raw \-\-profile=Win8SP0x86 pslist \-\-tz=America/Sao_Paulo
+
+.fam T
+.fi
- To show the kernel bnuffer from a Linux 3.2.63 \fIimage\fP:
++To show the kernel buffer from a Linux 3.2.63 \fIimage\fP:
+.PP
+.nf
+.fam C
+ $ volatility \-f mem.dd \-\-profile=Linux_3_2_63_x64 linux_dmesg
+
+.fam T
+.fi
+.SH NOTES
+This manpage was based in some tests and several official documents about Volatility.
+For other information and tutorials, see:
+.IP \(bu 3
+http://www.volatilityfoundation.org
+.IP \(bu 3
+https://github.com/volatilityfoundation/\fBvolatility\fP/wiki
+.SH AUTHOR
+Volatility was written by Volatility Foundation and several contributors. For contact, use the email <info at volatilityfoundation.org>.
+.PP
+This manual page was written by Joao Eriberto Mota Filho <eriberto at debian.org> for the Debian project (but may be used by others).
diff --cc debian/manpage/volatility.txt
index 9405f02,0000000..5441fd2
mode 100644,000000..100644
--- a/debian/manpage/volatility.txt
+++ b/debian/manpage/volatility.txt
@@@ -1,293 -1,0 +1,307 @@@
+NAME
+ volatility - advanced memory forensics framework
+
+SYNOPSIS
+ volatility [option]
+ volatility -f [image] --profile=[profile] [plugin]
+
+DESCRIPTION
+ The Volatility Framework is a completely open collection of tools for the
+ extraction of digital artifacts from volatile memory (RAM) samples. It is
+ useful in forensics analysis. The extraction techniques are performed
+ completely independent of the system being investigated but offer
+ unprecedented visibility into the runtime state of the system.
+
- Currently, Volatility (version 2.6-pre) supports several versions of the
++ Currently, Volatility (version 2.6) supports several versions of the
+ MS Windows, Linux and MAC OSX:
+
- * 32- and 64-bit Windows 10
- * 64-bit Windows Server 2012 and 2012 R2
- * 32- and 64-bit Windows 8 and 8.1
- * 32- and 64-bit Windows 7 (all service packs)
- * 32- and 64-bit Windows Server 2008 (all service packs)
- * 64-bit Windows Server 2008 R2 (all service packs)
- * 32- and 64-bit Windows Server 2008 (all service packs)
- * 32- and 64-bit Windows Vista (all service packs)
- * 32- and 64-bit Windows Server 2003 (all service packs)
- * 32- and 64-bit Windows XP (SP2 and SP3)
- * 32- and 64-bit Linux kernels from 2.6.11 to 3.16
++ * 32-bit Windows XP Service Pack 2 and 3
++ * 32-bit Windows 2003 Server Service Pack 0, 1, 2
++ * 32-bit Windows Vista Service Pack 0, 1, 2
++ * 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
++ * 32-bit Windows 7 Service Pack 0, 1
++ * 32-bit Windows 8, 8.1, and 8.1 Update 1
++ * 32-bit Windows 10 (initial support)
++ * 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
++ * 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
++ * 64-bit Windows Vista Service Pack 0, 1, 2
++ * 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
++ * 64-bit Windows 2008 R2 Server Service Pack 0 and 1
++ * 64-bit Windows 7 Service Pack 0 and 1
++ * 64-bit Windows 8, 8.1, and 8.1 Update 1
++ * 64-bit Windows Server 2012 and 2012 R2
++ * 64-bit Windows 10 (including at least 10.0.14393)
++ * 64-bit Windows Server 2016 (including at least 10.0.14393.0)
++ * 32-bit Linux kernels 2.6.11 to 4.2.3
++ * 64-bit Linux kernels 2.6.11 to 4.2.3
+ * 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
- * 32- and 64-bit 10.6.x Snow Leopard
- * 32- and 64-bit 10.7.x Lion
++ * 32-bit 10.6.x Snow Leopard
++ * 64-bit 10.6.x Snow Leopard
++ * 32-bit 10.7.x Lion
++ * 64-bit 10.7.x Lion
+ * 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
+ * 64-bit 10.9.x Mavericks (there is no 32-bit version)
++ * 64-bit 10.10.x Yosemite (there is no 32-bit version)
++ * 64-bit 10.11.x El Capitan (there is no 32-bit version)
++ * 64-bit 10.12.x Sierra (there is no 32-bit version)
+
+ The memory formats supported are:
+
- * Raw/Padded Physical Memory
- * Firewire (IEEE 1394)
- * Expert Witness (EWF)
- * 32- and 64-bit Windows Crash Dump
- * 32- and 64-bit Windows Hibernation
- * 32- and 64-bit MachO files
- * Virtualbox Core Dumps
- * VMware Saved State (.vmss) and Snapshot (.vmsn)
- * HPAK Format (FastDump)
- * QEMU memory dumps
++ * Raw linear sample (dd)
++ * Hibernation file (from Windows 7 and earlier)
++ * Crash dump file
++ * VirtualBox ELF64 core dump
++ * VMware saved state and snapshot files
++ * EWF format (E01)
++ * LiME format
++ * Mach-O file format
++ * QEMU virtual machine dumps
++ * Firewire
++ * HPAK (FDPro)
+
+ The supported address spaces (RAM types) are:
+
+ * AMD64PagedMemory - Standard AMD 64-bit address space.
- * ArmAddressSpace - No docs.
++ * ArmAddressSpace - Address space for ARM processors.
+ * FileAddressSpace - This is a direct file AS.
+ * HPAKAddressSpace - This AS supports the HPAK format.
+ * IA32PagedMemory - Standard IA-32 paging address space.
+ * IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible.
+ * LimeAddressSpace - Address space for Lime.
++ * LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space.
+ * MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader.
+ * OSXPmemELF - This AS supports VirtualBox ELF64 coredump format.
+ * QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format.
+ * VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files.
+ * VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata.
+ * VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format.
+ * Win10AMD64PagedMemory - Windows 10-specific AMD 64-bit address space.
+ * WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space.
- * WindowsCrashDumpSpace32 - This AS supports Windows Crash Dump format.
- * WindowsCrashDumpSpace64 - This AS supports Windows Crash Dump format.
++ * WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format.
++ * WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format.
+ * WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format.
- * WindowsHiberFileSpace32 - This is a hibernate address space for Windows hibernation files.
++ * WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
+
- There are RAM images for tests at https://code.google.com/p/volatility/wiki/SampleMemoryImages
- or at https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples.
++ There are RAM images for tests at https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples.
+
+OPTIONS
+ -h, --help List all available options and their default values.
+ Default values may be set in the configuration file (/etc/volatilityrc).
+ --conf-file=/root/.volatilityrc User based configuration file.
+ -d, --debug Debug Volatility.
+ --plugins=PLUGINS Additional plugin directories to use (colon separated).
+ --info Print information about all registered objects.
+ --cache-directory=/root/.cache/volatility Directory where cache files are stored.
+ --cache Use caching.
+ --tz=TZ Sets the timezone for displaying timestamps.
+ -f FILENAME, --filename=FILENAME Filename to use when opening an image.
+ --profile=WinXPSP2x86 Name of the profile to load.
+ -l LOCATION, --location=LOCATION An URN location from which to load an address space.
+ -w, --write Enable write support.
+ --dtb=DTB DTB Address.
+ --shift=SHIFT Mac KASLR shift address.
+ --output=text Output in this format (format support is module specific).
+ --output-file=OUTPUT_FILE Write output in this file.
+ -v, --verbose Verbose information.
+ -g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address.
+ -k KPCR, --kpcr=KPCR Specify a specific KPCR address.
+ --force Force utilization of suspect profile.
+ --cookie=COOKIE Specify the address of nt!ObHeaderCookie (valid for
+ Windows 10 only).
+
+PLUGINS AND PROFILES
+ The supported plugin commands and profiles can be viewed if using the command '$ volatility --info'.
+ Note that Linux and MAC OSX allowed plugins will have the 'linux_' and 'mac_' prefixes. Plugins without
+ these prefixes were designed for MS Windows.
+
+ Profiles are maps used by Volatility to understand the operational systems. The allowed MS Windows
+ profiles are provided by the Volatility.
+
+ You must create your own profiles for Linux and MAC OSX. For this, on Debian systems,
+ read the README.Debian file provided by volatility-tools package.
+
+ On MS Windows, to determine the OS type, you can use:
+
+ $ volatility \-f <image> imageinfo
+
+ or
+
+ $ volatility \-f <image> kdbgscan
+
+ENVIRONMENT VARIABLES
+ On a GNU/Linux or OS X system, these variables can be set:
+
+ * VOLATILITY_PROFILE - Specifies a profile to be used as default, making unnecessary a '--profile' option.
+ * VOLATILITY_LOCATION - Specifies the path of an image. So, the Volatility command will not need a file name via '-f' option.
+ * VOLATILITY_KDBG - Specifies a KDBG address. See EXTRA PROCEDURES to more details.
+
+ Other plugin flags may be utilized in this way, for example KPCR, DTB or PLUGINS. When exporting
+ variables, simply prefix VOLATILITY_ before the flag name (e.g. VOLATILITY_KPCR). Otherwise, the
+ flag name remains the same when adding it to the configuration file.
+
+ If you have a path with a space or more in the name, spaces should be replaced with %20 instead
+ (e.g. LOCATION=file:///tmp/my%20image.img).
+
+ Example:
+
+ $ export VOLATILITY_PROFILE=Win7SP0x86
+ $ export VOLATILITY_LOCATION=file:///tmp/myimage.img
+ $ export VOLATILITY_KDBG=0x82944c28
+
+CONFIGURATION FILES
+ Configuration files are typically 'volatilityrc' in the current directory or '~/.volatilityrc' in
+ user's home directory, or at user specified path, using the --conf-file option. An example of the
+ file contents is shown below:
+
+ [DEFAULT]
+ PROFILE=Win7SP0x86
+ LOCATION=file:///tmp/myimage.img
+ KDBG=0x82944c28
+
+ Other plugin flags may be utilized in this way, for example KPCR, DTB or PLUGINS. When exporting
+ variables, simply prefix VOLATILITY_ before the flag name (e.g. VOLATILITY_KPCR). Otherwise, the
+ flag name remains the same when adding it to the configuration file.
+
+ If you have a path with a space or more in the name, spaces should be replaced with %20 instead
+ (e.g. LOCATION=file:///tmp/my%20image.img).
+
+EXTRA PROCEDURES
+ Setting a timezone
+
+ Timestamps extracted from memory can either be in system-local time, or in Universal Time
+ Coordinates (UTC). If they're in UTC, Volatility can be instructed to display them in a time zone
+ of the analyst's choosing. To choose a timezone, use one of the standard timezone names
+ (such as America/Sao_Paulo, Europe/London, US/Eastern or most Olson timezones) with the \-\-tz=TIMEZONE flag.
+
+ Volatility attempts to use pytz if installed, otherwise it uses tzset.
+
+ Please note that specifying a timezone will not affect how system-local times are displayed. If you identify
+ a time that you know is UTC-based, please file it as an issue in the issue tracker. By default the _EPROCESS
+ CreateTime and ExitTime timestamps are in UTC.
+
+ Setting the DTB
+
+ The DTB (Directory Table Base) is what Volatility uses to translate virtual addresses to physical addresses.
+ By default, a kernel DTB is used (from the Idle/System process). If you want to use a different process's DTB
+ when accessing data, supply the address to \-\-dtb=ADDRESS.
+
+ Setting the KDBG address (this is a Windows-only option)
+
+ Volatility scans for the '_KDDEBUGGER_DATA64' structure using hard-coded signatures "KDBG" and a series of sanity
+ checks. These signatures are not critical for the operating system to function properly, thus malware can overwrite
+ them in attempt to throw off tools that do rely on the signature. Additionally, in some cases there may be more
+ than one '_KDDEBUGGER_DATA64' (for example if you apply a major OS update and don't reboot), which can cause confusion
+ and lead to incorrect process and module listings, among other problems. If you know the address
+ add '_KDDEBUGGER_DATA64', you can specify it with \-\-kdbg=ADDRESS and this override the automated scans. For more
+ information, see the kdbgscan plugin.
+
+ Setting the KPCR address (this is a Windows-only option)
+
+ There is one KPCR (Kernel Processor Control Region) for each CPU on a system. Some Volatility plugins display
+ per-processor information. Thus if you want to display data for a specific CPU, for example CPU 3 instead of
+ CPU 1, you can pass the address of that CPU's KPCR with \-\-kpcr=ADDRESS. To locate the KPCRs for all CPUs, see
+ the kpcrscan plugin. Also note that starting in Volatility 2.2, many of the plugins such as idt and gdt
+ automatically iterate through the list of KPCRs.
+
+ Enabling write support
+
+ Write support in Volatility should be used with caution. Therefore, to actually enable it, you must not only type
+ \-\-write on command-line but you must type a 'password' in response to a question that you'll be prompted with.
+ In most cases you will not want to use write support since it can lead to corruption or modification of data in
+ your memory dump. However, special cases exist that make this feature really interesting. For example, you could
+ cleanse a live system of certain malware by writing to RAM over firewire, or you could break into a locked workstation
+ by patching bytes in the winlogon DLLs.
+
+ Specifying additional plugin directories
+
+ Volatility's plugin architecture can load plugin files from multiple directories at once. In the Volatility source
+ code, most plugins are located in volatility/plugins. However, there is another directory (volatility/contrib)
+ which is reserved for contributions from third party developers, or weakly supported plugins that simply aren't
+ enabled by default. To access these plugins you just type \-\-plugins=contrib/plugins on command-line. It also enables
+ you to create a separate directory of your own plugins that you can manage without having to add/remove/modify files
+ in the core Volatility directories.
+
+ Notes:
+
+ On Debian systems, the contrib/plugins directory is at /usr/share/volatility/contrib/plugins.
+
+ Subdirectories will also be traversed as long as there is an __init__.py file (which can be empty) within them.
+
+ The parameter to \-\-plugins can also be a zip file containing the plugins such as \-\-plugins=myplugins.zip.
+ Due to the way plugins are loaded, the external plugins directory or zip file must be specified before any
+ plugin-specific arguments (including the name of the plugin). Example:
+
+ $ volatility \-\-plugins=contrib/plugins \-f XPSP3x86.vmem example
+
+ Choosing an output format
+
+ By default, plugins use text renderers to standard output. If you want to redirect to a file, you can of course
+ use the console's redirection (i.e. > out.txt) or you could use \-\-output-file=out.txt. The reason you can also
+ choose \-\-output=FORMAT is for allowing plugins to also render output as HTML, JSON, SQL, or whatever you choose.
+ However, there are no plugins with those alternate output formats pre-configured for use, so you'll need to add
+ a function named render_html, render_json, render_sql, respectively to each plugin before using \-\-output=HTML.
+
+ Plugin specific options
+
+ Many plugins accept arguments of their own, which are independent of the global options. To see the list of
+ available options, type both the plugin name and \-h/--help on command-line.
+
+ $ volatility dlllist \-h
+
+ Debug mode
+
+ If something isn't happening in Volatility the expected way, try to run the command with \-d/\-\-debug.
+ This will enable the printing of debug messages to standard error. To more debug levels, as in using
+ pdb debugger), add \-d \-d \-d to command.
+
+ Using Volatility as a library
+
+ Although its possible to use Volatility as a library, (there are plans to support it better in the future).
+ Currently, to import Volatility from a python script, the following example code can be used:
+
+ $ python
+ >>> import volatility.conf as conf
+ >>> import volatility.registry as registry
+ >>> registry.PluginImporter()
+ <volatility.registry.PluginImporter object at 0x7f9608f3ac10>
+ >>> config = conf.ConfObject()
+ >>> import volatility.commands as commands
+ >>> import volatility.addrspace as addrspace
+ >>> registry.register_global_options(config, commands.Command)
+ >>> registry.register_global_options(config, addrspace.BaseAddressSpace)
+ >>> config.parse_options()
+ >>> config.PROFILE="WinXPSP2x86"
+ >>> config.LOCATION = "file:///media/memory/private/image.dmp"
+ >>> import volatility.plugins.taskmods as taskmods
+ >>> p = taskmods.PSList(config)
+ >>> for process in p.calculate():
+ ... print process
+
+EXAMPLES
+ To see all available plugins, profiles, scanner checks and address spaces:
+
+ $ volatility \-\-info
+
+ To list all active processes found in a MS Windows 8 SP0 image:
+
+ $ volatility \-f win8.raw \-\-profile=Win8SP0x86 pslist
+
+ To list all active processes found in a MS Windows 8 SP0 image, using a timezone:
+
+ $ volatility \-f win8.raw \-\-profile=Win8SP0x86 pslist \-\-tz=America/Sao_Paulo
+
- To show the kernel bnuffer from a Linux 3.2.63 image:
++ To show the kernel buffer from a Linux 3.2.63 image:
+
+ $ volatility \-f mem.dd \-\-profile=Linux_3_2_63_x64 linux_dmesg
+
+NOTES
+ This manpage was based in some tests and several official documents about Volatility.
+ For other information and tutorials, see:
+
+ * http://www.volatilityfoundation.org
+ * https://github.com/volatilityfoundation/volatility/wiki
+
+AUTHOR
+ Volatility was written by Volatility Foundation and several contributors. For contact, use the email <info at volatilityfoundation.org>.
+
+ This manual page was written by Joao Eriberto Mota Filho <eriberto at debian.org> for the Debian project (but may be used by others).
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/volatility.git
More information about the forensics-changes
mailing list