Difference between pages "Windows Registry" and "Volatility Framework"

From Forensics Wiki
m (Commercial)
Line 1: Line 1:
==Bibliography==
+
{{Infobox_Software |
* Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]]
+
  name = Volatility |
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf
+
  maintainer = [[AAron Walters]] |
 +
  os = {{Cross-platform}} |
 +
  genre = {{Memory analysis}}, {{Memory imaging}} |
 +
  license = {{GPL}} |
 +
  website = [https://www.volatilesystems.com/default/volatility https://www.volatilesystems.com/] |
 +
}}
  
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008  [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
+
The '''Volatility Framework''' is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.  
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Forensic Analysis of the Windows Registry], Peter Davies, Computer Forensics: Coursework 2 (student paper)
+
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], Derrick Farmer, Burlington, VT.
+
  
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
+
The project was originally developed by and is now headed up by [[AAron Walters]] of [[Volatile Systems]].
  
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
+
== Plugins ==
 +
See: [[List of Volatility Plugins]]
  
==Tools==
+
== Memory acquisition drivers ==
===Open Source===
+
* [http://sourceforge.net/projects/regviewer/ regviewer] -- a tool for looking at the registry.
+
* [http://www.regripper.net/ RegRipper] --- "the fastest, easiest, and best tool for registry analysis in forensics examinations."
+
===Commercial===
+
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner]
+
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
+
* [http://lastbit.com/arv/ Alien Registry Viewer]
+
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
+
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
+
* [http://paullee.ru/regundel Registry Undelete (russian)]
+
  
==See Also==
+
In 2012 [[Michael Cohen]] contributed both a Linux and a Windows Open Source memory (acquisition) driver to the Volatility project as part of the Technology Preview (TP) version, aka scudette branch.
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
+
Since the scudette branch of Volatility has moved on as a separate project, the drivers can now be found as part of the [[rekall]] project.
* [http://www.answers.com/topic/win-registry Windows Registry Information]
+
 
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia Article on Windows Registry]
+
== See Also ==
[[Category:Bibliographies]]
+
* [[List of Volatility Plugins]]
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] - Articles on Registry
+
 
 +
== External Links ==
 +
* [https://www.volatilesystems.com/default/volatility Official web site]
 +
* [http://code.google.com/p/volatility/ Code repository], direct link to [http://code.google.com/p/volatility/source/browse/ source]
 +
* [http://code.google.com/p/volatility/w/list Volatility Documentation]
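Review bot: the ===Commercial=== list on the Windows Registry side (the left column of this diff) mixes analysis tools with tools that write to the registry, and that distinction matters on a forensics wiki: [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner], Auslogics Registry Defrag, NT Registry Optimizer and iExpert Software-Free Registry Defrag rewrite or compact hive files, so running them against evidence alters the very artifacts an examiner is trying to recover. Those entries should be moved out of the tools list or explicitly marked as not for use on evidence, and "Regisry" is misspelled; the only entries that belong under analysis tools are the viewers and Registry Undelete. Two smaller points on the same side: the ==Bibliography== carries the pkdavies.co.uk paper twice, once as an unterminated bare link ([http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf) and once with its title and author, so the first should be dropped, and the heading ===Commercial=== is followed by several entries that call themselves "Free", so the Open Source / Commercial split does not describe the list.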

Revision as of 13:51, 12 January 2014

Volatility
Maintainer: AAron Walters
OS: Cross-platform
Genre: Memory Analysis, Memory Imaging
License: GPL
Website: https://www.volatilesystems.com/

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques run entirely independently of the system being investigated (they parse a captured memory image rather than relying on the examined operating system to report on itself), yet they give deep visibility into the runtime state of that system. The framework is intended to introduce people to the techniques and complexities of extracting digital artifacts from volatile memory samples and to provide a platform for further work in this area of research.
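The "independent of the system being investigated" point is what makes memory forensics catch what live tools miss: because the framework parses the raw image itself, it can both walk the kernel's own process list (Volatility's pslist) and carve process allocations out of kernel pool memory by their pool tag (psscan), and the difference between the two results exposes processes that were unlinked from the list (DKOM rootkits) or that had already exited but whose allocation has not been reused. The following is an added example written for this page, not code from Volatility: the process-block layout, the sample image and the helper names are constructed for the demo, and only the 8-byte x86 _POOL_HEADER layout (BlockSize in 8-byte units, 4-byte tag in the last field) mirrors a real structure. Real _EPROCESS offsets come from a profile and differ per Windows build.

```python
"""
Toy illustration of the two ways Volatility recovers process objects from a
raw memory image: walking the kernel's linked list (pslist-style) versus
carving pool allocations by tag (psscan-style).

Added example, not Volatility code. The process body layout is constructed
for the demo; only the x86 _POOL_HEADER layout (8 bytes, BlockSize in 8-byte
units, 4-byte PoolTag) mirrors the real structure.
"""
import struct

POOL_TAG = b"Proc"          # tag Windows uses for process object allocations
HDR_FMT = "<HH4s"           # PreviousSize:9/PoolIndex:7, BlockSize:9/PoolType:7, PoolTag
HDR_SIZE = 8
# Constructed "process" body: pid u32, flink u32, blink u32, name 16 bytes, 4 pad
PROC_FMT = "<III16s4x"
PROC_SIZE = struct.calcsize(PROC_FMT)          # 32 bytes
BLOCK_UNITS = (HDR_SIZE + PROC_SIZE) // 8      # 5 units of 8 bytes


def pool_header(block_units, tag, pool_type=1):
    """Pack an x86-style _POOL_HEADER. BlockSize lives in the low 9 bits of the
    second uint16, PoolType in the high 7 bits (0 means the block is free)."""
    return struct.pack(HDR_FMT, 0, block_units | (pool_type << 9), tag)


def build_image(size=0x2000):
    """Constructed sample image: three processes linked in a circular doubly
    linked list, one process whose list entry has been unlinked (DKOM-style
    hiding), and one freed allocation whose contents are still in memory."""
    img = bytearray(size)
    procs = [(0x100, 4, b"System"), (0x300, 612, b"csrss.exe"),
             (0x600, 1337, b"explorer.exe")]          # (body address, pid, name)
    addrs = [a for a, _, _ in procs]
    for i, (addr, pid, name) in enumerate(procs):
        flink = addrs[(i + 1) % len(addrs)]
        blink = addrs[(i - 1) % len(addrs)]
        img[addr - HDR_SIZE:addr] = pool_header(BLOCK_UNITS, POOL_TAG)
        img[addr:addr + PROC_SIZE] = struct.pack(PROC_FMT, pid, flink, blink, name)
    # Hidden process: a valid allocation that nothing links to, own links zeroed.
    img[0x900 - HDR_SIZE:0x900] = pool_header(BLOCK_UNITS, POOL_TAG)
    img[0x900:0x900 + PROC_SIZE] = struct.pack(PROC_FMT, 4242, 0, 0, b"rootkit.exe")
    # Exited process: header marked free (PoolType 0) but body not yet reused.
    # Real psscan keeps free blocks too, which is how terminated processes show up.
    img[0xC00 - HDR_SIZE:0xC00] = pool_header(BLOCK_UNITS, POOL_TAG, pool_type=0)
    img[0xC00:0xC00 + PROC_SIZE] = struct.pack(PROC_FMT, 9999, 0, 0, b"stale.exe")
    return bytes(img), addrs[0]                     # image and list head address


def read_proc(img, addr):
    pid, flink, blink, name = struct.unpack_from(PROC_FMT, img, addr)
    return {"addr": addr, "pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode()}


def walk_list(img, head, limit=1000):
    """pslist-style: follow flink from a known head until the list wraps.
    Sees only what the kernel's own bookkeeping still links in."""
    out, addr = [], head
    for _ in range(limit):
        p = read_proc(img, addr)
        out.append(p)
        addr = p["flink"]
        if addr == head or addr == 0:
            break
    return out


def scan_pool(img, tag=POOL_TAG, align=8):
    """psscan-style: carve every pool block carrying `tag` from the raw image,
    whether or not the kernel still links it anywhere. The header is sanity
    checked (alignment, plausible BlockSize) so stray occurrences of the tag
    bytes in unrelated data are rejected."""
    out, off = [], img.find(tag)
    while off != -1:
        hdr = off - 4                    # tag is the last 4 bytes of the header
        if hdr >= 0 and hdr % align == 0:
            _prev, size_type = struct.unpack_from("<HH", img, hdr)
            block_units, pool_type = size_type & 0x1FF, size_type >> 9
            if block_units == BLOCK_UNITS and hdr + block_units * 8 <= len(img):
                p = read_proc(img, hdr + HDR_SIZE)
                p["free"] = pool_type == 0
                out.append(p)
        off = img.find(tag, off + 1)
    return out


def unlinked(img, head):
    """Processes present in pool memory but absent from the list: hidden or exited."""
    seen = {p["pid"] for p in walk_list(img, head)}
    return [p for p in scan_pool(img) if p["pid"] not in seen]


if __name__ == "__main__":
    image, head = build_image()
    for p in unlinked(image, head):
        print(f"{p['pid']:>6} {p['name']:<16} {'exited' if p['free'] else 'hidden'}")
```

On the constructed image the list walk returns System, csrss.exe and explorer.exe, while the pool scan additionally returns rootkit.exe (allocated but unlinked) and stale.exe (freed); comparing the two is exactly the pslist-versus-psscan check an analyst runs to spot DKOM hiding, and it works only because the parser reads the image directly instead of asking the examined system.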

The project was originally developed by and is now headed up by AAron Walters of Volatile Systems.


Plugins

See: List of Volatility Plugins

Memory acquisition drivers

In 2012 Michael Cohen contributed both a Linux and a Windows open-source memory acquisition driver to the Volatility project as part of the Technology Preview (TP) version, also known as the scudette branch. Because the scudette branch has since moved on as a separate project, the drivers are now maintained as part of the rekall project.

See Also

List of Volatility Plugins

External Links

Official web site: https://www.volatilesystems.com/default/volatility
Code repository: http://code.google.com/p/volatility/ (direct link to source: http://code.google.com/p/volatility/source/browse/)
Volatility Documentation: http://code.google.com/p/volatility/w/list