Geekiest Techno News

Volatility 2.3 released

The Volatility Foundation is thrilled to announce the official release of Volatility 2.3! While the main goal of this release was Mac OS X (x86, x64) and Android ARM support, they have also included a number of other exciting new capabilities. Highlights of this release include:

Mac OS X:
* New MachO address space for 32-bit and 64-bit Mac memory samples
* Over 30 plugins for Mac memory forensics

Linux and Android:
* New ARM address space to support memory dumps from Linux and Android devices on ARM hardware
* Plugins to scan Linux process and kernel memory with YARA signatures, dump LKMs to disk, and check TTY devices for rootkit hooks
* Plugins to check the ARM system call and exception vector tables for hooks

Windows:
* New plugins:
– Parse IE history/index.dat URLs
– Recover shellbags data
– Dump cached files (exe/pdf/doc/etc.)
– Extract the MBR and MFT records
– Explore recently unloaded kernel modules
– Dump SSL private and public keys/certs
– Display details on process privileges
– Detect Poison Ivy infections
– Find and decrypt configurations in memory for Poison Ivy, Zeus v1, Zeus v2 and Citadel

* Plugin enhancements:
– Apihooks detects Duqu-style instruction modifications
– Crashinfo displays uptime, system time, and dump type
– Psxview adds two new sources of process listings from the GUI APIs
– Screenshots shows text for window titles
– Svcscan automatically queries the cached registry for service DLLs
– Dlllist shows the load count to distinguish between statically and dynamically loaded DLLs

New Address Spaces:
* VirtualBox ELF64 core dumps
* VMware saved state (vmss)
* VMware snapshot (vmsn) files
* FDPro’s non-standard HPAK format
* New plugins: vboxinfo, vmwareinfo, hpakinfo, hpakextract