
Getting ready
The Volatility Framework is an open source, cross-platform toolkit, so you can run it from any operating system family you want: Windows, Linux, or macOS. You can build the tools from source, but so-called standalone executables are also provided for all the operating systems mentioned. As this cookbook is about forensic examination of the Windows OS, the memory dump we are going to analyze was collected from Windows 10, and we are going to use the Windows Standalone Executable.
At the time of writing, the most recent version of Volatility is 2.6. This version improved support for Windows 10 (including build 14393.447) and added support for Windows Server 2016, macOS Sierra 10.12, and Linux with KASLR kernels.
To download the collection of tools, go to the Volatility Framework website and use the Releases tab to choose the most recent version, in our case 2.6. Now all you need to do is unzip the volatility_2.6_win64_standalone.zip file you've just downloaded, and you are ready to go.
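The download-and-unzip steps above, scripted for PowerShell as an added example (this is not code from the cookbook or from the Volatility project). It adds the check a forensic examiner should make before running a freshly downloaded tool: comparing the archive's SHA256 with the value published on the Releases page. The download URL and the expected hash are placeholders to be filled in from that page, and the script assumes the archive unpacks into a folder named volatility_2.6_win64_standalone containing volatility_2.6_win64_standalone.exe.

```powershell
# Added example (not from the cookbook): fetch, verify and unpack the
# Volatility 2.6 Windows standalone release, then confirm the build runs.
# $Url and $Expected are placeholders; take both from the Volatility
# Framework Releases page rather than from this script.
$Url      = 'https://<volatility-releases-page>/volatility_2.6_win64_standalone.zip'  # placeholder
$Expected = '<SHA256 published on the Releases page>'                                   # placeholder
$Zip      = "$env:USERPROFILE\Downloads\volatility_2.6_win64_standalone.zip"
$Dest     = "$env:USERPROFILE\Tools\volatility"

Invoke-WebRequest -Uri $Url -OutFile $Zip

# Compare the published hash with the file actually received before executing anything from it.
$Actual = (Get-FileHash -Path $Zip -Algorithm SHA256).Hash
if ($Actual -ne $Expected.ToUpper()) {
    throw "Hash mismatch for $Zip`n expected: $Expected`n actual:   $Actual"
}

Expand-Archive -Path $Zip -DestinationPath $Dest -Force

# Assumed layout: the archive unpacks into a folder of the same name holding the executable.
$Vol = Join-Path $Dest 'volatility_2.6_win64_standalone\volatility_2.6_win64_standalone.exe'

# --info lists the profiles this build knows; the Win10 entries confirm the 2.6 standalone is in use.
& $Vol --info | Select-String -Pattern '^Win10'
```

Keep the verified archive (and its hash) with your case notes: when the tool's output later becomes evidence, you can show exactly which build produced it.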