Volatility Workbench is a free, open source utility designed for use with PassMark OSForensics™
Volatility Workbench is a graphical user interface (GUI) for the Volatility tool. Volatility is a command line memory analysis and forensics tool for extracting artifacts from memory dumps. Volatility Workbench is free, open source and runs on Windows. It provides a number of advantages over the command line version, including:
- No need to remember command line parameters
- Storage of the operating system profile, KDBG address and process list alongside the memory dump, in a .CFG file. When a memory image is re-loaded this saves a lot of time and avoids the frustration of not knowing which profile to select.
- Simpler copy & paste
- Simpler printing of paper copies (via right click)
- Simpler saving of the dumped information to a file on disk
- A drop down list of available commands and a short description of what the command does
- Time stamping of the commands executed
- Auto-loading the first dump file found in the current folder
The current version of Volatility Workbench is v1.0.
Volatility Workbench (Zip file)
Download the Zip file above. Unzip it, then double click on the Volatility Workbench executable file (VolatilityWorkbench.exe). For convenience, a copy of the Volatility command line tool is also included.
If you need a tool to collect a memory dump from a live machine, consider using OSForensics V5, as it writes a configuration file (.CFG) along with the dump file, which speeds up the analysis in Volatility.
Source code is included with the download above.
System requirements: Windows 10 or Windows 7.
The command line version of Volatility is slow and single threaded, while memory dumps are large, so a fast CPU and an SSD help.
Volatility Workbench is released under the same license as Volatility itself, which is GPL version 2.
Config file specification
Volatility Workbench reads and writes a configuration file (.CFG) which contains metadata about the memory dump file.
Specifications for the Volatility dump configuration file can be found here.
v1.0, 5 June 2017