In Issue 5 of Digital Forensics Magazine, Ron Tasker discussed the subject of Volatile RAM Analysis and the use of Volatility. This prompted a letter from Marc Remmert published in Issue 6 raising concerns about the limitations of Volatility and Windows XP.
Whilst Ron responded to these concerns (his comments can be found in 360 of Issue 6), DFM approached AAron Walters, founder of Volatile Systems, LLC and lead developer of the Volatility Project, for his comments on the article, on Marc’s letter and on Ron’s response. Unfortunately they were not received in time to be included in Issue 6. In the interests of balance we agreed to publish his comments here in the blog.
“Let me begin by thanking Ron for the excellent article. I think he did a very good job explaining the importance of memory analysis and the associated challenges and base that modern digital investigators face.
It is imperative for digital investigators to realize that we are facing an adaptive human adversary and thus we can’t afford to simply rely on the rules we once learned. Not doing the right thing because it is complicated or new is never a justification for complacency. It seems hard to defend the antiquated statement that “powering off the system is good” when, comparatively, it destroys more artifacts within the perspective of the entire digital crime scene (RAM, disk, etc.) than running a tool that samples the state of physical memory.
In Ron’s response to the comment about his article he also raises some interesting points about Open Source forensics tools. The comment’s author states that Volatility 1.3 only supports Windows XP 32-bit memory samples and contends that this is a big obstacle. While the comment’s author is correct with respect to 1.3, it seems interesting that they contend their only option is to buy expensive tools or hope Volatility is updated. As the leader of the Volatility Project, I always find these statements disheartening. I’m not sure why people feel the need to complain from the sidelines as opposed to actually getting involved and contributing to the community. It is only then that they would come to appreciate the unique flexibility and modularity of The Volatility Framework, which has allowed it to support a variety of operating systems and hardware architectures (Windows, Linux, etc.).
As Ron mentioned in his reference to Dr. Schatz’s work, there are many groups out there using Volatility to support other operating systems, including Windows 7. I’m even aware of groups using Volatility to analyze cell phones. Thus, the “tool-users” can sit back and wait till 1.4 (http://code.google.com/p/volatility/) is released, or they can take the initiative to contribute. Regardless of whether that contribution is writing an article (i.e. Ron Tasker) or helping test a new operating system (i.e. Dr. Schatz), all contributions help to move the community forward.”
AAron Walters
Founder, Volatile Systems, LLC
Lead Developer, The Volatility Project
You too can have your say by adding your comments here or writing directly to DFM via 360.