Introduction

Volatility is an open source program for analysing RAM (Random Access Memory) in 32 bit/64 bit systems. It uses a command line interface.

It supports analysis for Linux, Windows, Mac, and Android systems. It is based on Python. It can analyze raw dumps, crash dumps, VMware dumps (.vmem), virtualbox dumps, and many others.

In this tutorial, you will be provided with the program, and a memory dump file. Using Volatility you will be guided through how to analyse the memory dump to discover something interesting...

File Download

Here is a zip file which contains the memory dump file:
memdump.zip

Here is a zip file which contains the Volatility program as a standalone executable which can be run through the Windows Command prompt:
volatility.zip

Alternatively, you may choose to download and install the program separately or you may already have it installed yourself.
A link is provided to the Volatility Foundation at the bottom of the page in the Further Learning section.

Installation Instructions

1) Download and unzip both files.

2) If possible, put both files in the root directory of your C: Drive as this will make it easier for typing in commands on the command line during the memory dump analysis.

Installation Instructions

1) Follow the instructions on the video.

2) Answer the questions below.

Questions

Demonstration Video