Volatility Memory Forensic Tool.
Volatility helps identify malicious processes, network activity, open connections, etc. on a compromised system. With the program you can take a dump of the RAM and analyze it.
The Volatility Foundation is an independent 501(c)(3) non-profit organization that maintains and promotes open source memory forensics with The Volatility Framework.
Volatility is written in Python, can analyze both 32-bit and 64-bit RAM, and supports analysis of Windows, Linux, Mac and Android systems. It is used to analyze crash dumps, raw dumps, and VMware and VirtualBox dumps.
Latest version: Volatility3 - 2.4.1, released April 2023.
Features / Support for:
- Raw / padded physical memory.
- Firewire (IEEE 1394).
- Expert Witness (EWF).
- 32 and 64-bit Windows crash dump.
- 32 and 64-bit Windows hibernation file.
- 32 and 64-bit Mach-O files.
- VirtualBox core dumps.
- VMware Saved State (.vmss) and Snapshot (.vmsn).
- HPAK Format (FastDump).
- QEMU memory dump.
No longer in the Debian 11/12 repositories.
You need to download it and compile from source.