volatility-wnf: Browse and dump Windows Notification Facilities
This Volatility plugin is based on work of Alex Ionescu and Gabrielle Viala. https://blog.quarkslab.com/playing-with-the-win…
Extracting Activity History from PowerShell Process Dumps
Lee Holmes has posted about how to extract activity history from PowerShell process dumps. Such dumps may be gold mines, esp…
Comae Stardust – New Features
Matt Suiche has recorded a presentation on the new features of Comae Stardust, such as process memory dump support, YARA sca…
Extract forensic timeline from memory dumps with AutoTimeliner
Andrea Fortuna created the AutoTimeliner, a tool that “automagically extract forensic timeline from volatile memory du…
Results from the 2018 Volatility Contests
Results from the 2018 Volatility Contests have been published. We congratulate Aliz Hammond and Team Decepticon with the fir…
Acquire Volatile Memory from FreeBSD with FreeBmAM
Free-B-sd m-emory A-cquisition M-odule Tool/Kernel Module allows acquisition of volatile memory from FreeBSD. You can learn …
Memtriage v0.2-alpha Released
0.2-alpha version of memtriage has been released. This tool allows you to quickly query a Windows machine for RAM artifacts.…
winmem_decompress: Extract Сompressed Memory Pages from Page-Aligned Data
Maxim Suhanov presented winmem_decompress – a program that tries to extract compressed memory pages from page-aligned …
Memory forensics and the Windows Subsystem for Linux
The Windows Subsystem for Linux (WSL) was first included in the Anniversary Update of Microsoft’s Windows 10 operating…
Taking Memory Forensics To The Next Level
Here is a talk on memory forensics by Jamie Levy from Lockdown 2018: …
