Volatility 3 2.8.0

• New plugins:

  • vmscan
  • linux.netfilter
  • windows.hollowprocesses
  • windows.kpcrs
  • windows.pedump
  • windows.processghosting
  • windows.psxview
  • windows.registry.getcellroutine
  • windows.shimcachemem
  • windows.suspicious_threads
  • windows.svcdiff
  • windows.svclist
  • windows.threads
  • windows.timers
  • windows.unloadedmodules

• Improvements to:

  • userassist with timeliner support
  • bugfixes and additions to windows.modules and windows.modscan
  • windows.callbacks plugin to support more callbacks
  • Smear protection on windows
  • Clearing the cache
  • Intel layer
  • Clang no longer using long unsigned int for pointers
  • argcomplete support

  Volatility 3 now uses features that require a minimum version of python >= 3.7.3.

Volatility 3 2.7.0

• New plugins:
  • windows.iat
  • windows.truecrypt
  • linux.library_list
  • mac.dmesg
• Support for configuration files for common CLI options
• windows.driverirp: Report IRP entries that point inside a hidden module
• windows.thrdscan: Improvements
• linux.kmsg: Supports older kernels
• mac.maps: Add process dump support
• Support for Python 3.12

Volatility 3 v2.5.2

• New Layers:
  • Amazon S3 support
  • Google Cloud Storage support
• New plugins:
  • linux.vmayarascan
  • windows.mftscan.ads
• New features:
  • Dumping of Elf files added to the elfs plugin
• Improvements to ELF support
• Bugfixes to registry support
• Documentation improvements
• Better support for remote ISF directories

Volatility 3 2.5.0

• New plugins:
  • Linux capabilities plugin
• Linux process dumping
• Add support for Xen ELF file format
• Improved Linux subsystem support
• Added tutorials to the documentation
• Improved core API

Volatility 3 2.4.1

• New plugins:
  • linux.sockstat
  • linux.iomem
  • linux.psscan
  • linux.envars
  • windows.drivermodule
  • windows.vadwalk
• Pid filtering for Windows pstree plugin
• Minor fixes for Windows callbacks plugin
• Minimum Python version was increased to 3.7
• Python-snappy dependency was replaced with ctypes to ease installation
• Whole codebase was reformatted with black
• Faster release cycle (targetting every 4 months)

Volatility 3 2.4.0

For the 2.4.0 release, the major version has jumped a few numbers for compatibility, but this is the next release including the following:

• New plugins
  • linux.mountinfo
  • linux.psaux
  • windows.devicetree
  • windows.joblinks
  • windows.ldrmodules
  • windows.mbrscan
  • windows.mftscan
  • windows.sessions
• Introduced the concept of modules and module requirements
• Unified symbol handling and ISF file caching between OS versions
• Better QEVM support (fixed the QEMU PCI hole)
• Exposed an API for automatic PDB symbol table use
• Improved contributed documentation
• Various bug fixes and changes across the codebase

Volatility 3 2.0.1

A maintenance release to resolve a few issues affecting Windows detection and PDB support.

Volatility 3 2.0.0

Highlights for this release:

• New plugins such as:
  • Windows networking plugins
  • Windows crashinfo and skeleton_key_check
  • Linux kmsg plugin
• New layers: AVML and LeechCore
• QEMU layer performance optimization
• Improved access to Windows library symbols
• Better offline and remote support
• Improved documentation
• Improved working with python requirements
• Drop support for python 3.5

Volatility 3 1.0.1

Hotfix release to fix an issue with pypi and setup.py

v1.0.0

Volatility 3 1.0.0 official release

Highlights of this version are:

• Much faster operation over volatility 2 (this is largely down to caching of objects)
• Symbol support (symbols can be downloaded and converted for windows directly)
• Documentation (the documentation is generated from the code)
• Better APIs for developers

Windows binary versions will be added once a solution has been found to all pyinstaller packages being identified as malware.