Volatility Workbench is a graphical user interface (GUI) for the Volatility tool. Volatility is a command line
memory analysis and forensics tool for extracting artifacts from memory dumps. Volatility
Workbench is free, open source and runs on Windows. It provides a number of advantages over the
command line version, including:
- No need to install a Python interpreter.
- No need to remember command line parameters.
- Storage of the platform and process list alongside the memory dump, in a .CFG file. When a memory image is re-loaded, this saves a lot of time and eliminates the need to rebuild the process list each time.
- Automatic platform detection with .CFG files.
- Simpler copy & paste.
- Simpler printing of paper copies (via right click).
- Simpler saving of the dumped information to a file on disk.
- A drop down list of available commands with a short description of what each command does.
- Time stamping of the commands executed.
- Auto-loading of the first dump file found in the current folder.
- Support for analysing Mac and Linux memory dumps.
- Up to 20% increase in speed compared to the interpreted version.
The current version of Volatility Workbench is v3.0.1009.
This build is based on Volatility 3 Framework v2.8.0. The source code for Volatility 3 Framework
was downloaded from GitHub on October 28, 2024 and compiled using PyInstaller.
Click to download the Volatility
Workbench V3.0.1009 (17.3 MB)
Older Versions
Sample Memory Dumps
Download the Zip file above. Unzip it, then double click on the Volatility Workbench executable
file (VolatilityWorkbench.exe). For convenience, a copy of the Volatility command line tool is also
included.
If you need a tool to collect a memory dump from a live machine, consider using OSForensics, as it writes a
configuration file (CFG) along with the dump file, speeding up the analysis process in
Volatility.
Source code is included with the zip download above.
Volatility Workbench v3.0
Symbol table zip files must be placed, as named, into the symbols folder. Windows symbols that cannot
be found will be queried, downloaded, generated and cached. Sample Mac and Linux symbol tables are linked below.
If the symbols are not compatible with your memory dump, they must be produced manually with a tool such as dwarf2json.
Symbol table packs for v3.0
Symbol table packs for various operating systems can be downloaded from Volatility Foundation Website
Volatility Workbench v2.1
For instructions on how to analyse Mac/Linux dumps that are not present in the Volatility Workbench
GUI dropdown menu, view the "profile-list.txt" file in the profiles folder.
Collection of Additional Profiles for v2.1
A set of supported Mac and Linux platform versions to
choose from:
Profiles (143MB)
Note: Select and add only the profiles you need into the "profiles" folder (included in the
Volatility Workbench download). Loading too many profiles can slow down the analysis process.
Windows 11, Windows 10, or Windows 7
The command line version of Volatility is slow and single threaded, while memory dumps are large.
Hence, a fast CPU and SSD can help.
Volatility Workbench reads and writes a configuration file (.CFG) which contains meta data about
the memory dump file.
Specifications for the Volatility dump configuration file can be found here.
Volatility Workbench is released under the same license as Volatility itself.
For information regarding the known issues in the current version of Volatility, please see
this page.
v3.0.1009, 28 October 2024
- Updated the tool to work with Volatility 3 Framework 2.8.0
- Added support for new Volatility commands, including:
- linux.netfilter
- windows.hollowprocesses
- windows.kpcrs
- windows.pedump
- windows.processghosting
- windows.psxview
- windows.registry.getcellroutine
- windows.shimcachemem
- windows.suspicious_threads
- windows.svcdiff
- windows.svclist
- windows.threads
- windows.timers
- windows.unloadedmodules
- Fixed an issue where the file name was cleared when browsing for a memory dump was cancelled
v3.0.1008, 3 July 2024
- Fixed an issue where the vol.exe process list output from a Mac memory dump was not properly parsed. Note: Mac memory dumps require downloading additional symbols (linked above)
- Fixed possible memory leaks in Volatility Workbench
v3.0.1007, 6 June 2024
- Updated the tool to work with Volatility 3 Framework 2.7.0
- Added support for new Volatility commands, including:
- windows.iat
- windows.mftscan.ads
- windows.truecrypt
- linux.library_list
- mac.dmesg
v3.0.1006, 14 November 2023
- Updated the tool to work with Volatility 3 Framework 2.5.0
- Added support for new Volatility commands, including:
- linux.capabilities
v3.0.1005, 31 August 2023
- Updated the tool to work with Volatility 3 Framework 2.4.1
- Added support for new Volatility commands, including:
- linux.sockstat
- linux.iomem
- linux.psscan
- linux.envars
- windows.drivermodule
- windows.vadwalk
v3.0.1004, 10 March 2023
- Updated the tool to work with Volatility 3 Framework 2.4.0
- Added support for new Volatility commands, including:
- linux.mountinfo
- linux.psaux
- windows.devicetree
- windows.joblinks
- windows.ldrmodules
- windows.mbrscan
- windows.mftscan
- windows.sessions
v3.0.1003, 18 July 2022
- Updated the tool to work with Volatility 3 2.0.1
- Added support for Windows 11
- Added support for new Volatility commands, including:
- windows.getservicesids
- windows.getsids
- windows.privileges
- windows.skeleton_key_check
- linux.check_creds
- linux.check_modules
- linux.tty_check
v3.0.1002, 1 October 2020
- Added a scripting feature that allows a series of commands to be executed in sequence.
Script files are text files that you can create with a text editor (e.g. Notepad).
The script file name must end with the extension '.vws'.
Volatility Workbench searches for .vws files in the working directory and lists them
in the command drop down list under User Scripts.
Each script command must appear on its own line in the .vws file, and the entire
command must fit on a single line (i.e. a single command cannot be split across
multiple lines).
Volatility Workbench replaces %IMG and %PID in the script file with the image
file name and the process ID selected in the user interface.
Here is an example of a User Script:
-f %IMG windows.verinfo.VerInfo
-f %IMG windows.dlllist.DllList --pid %PID
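As an added example, not code from Volatility Workbench itself, here is a small Python runner for the .vws format described above. It tokenizes each line first and substitutes %IMG and %PID per token, so an image path containing spaces stays a single argument; the vol.exe location and the comment-line handling are assumptions, not documented features.

```python
# Hypothetical re-implementation of the .vws user-script expansion (not the
# Volatility Workbench source). Blank lines are skipped; '#' comment lines
# are an assumption added here for convenience.
import subprocess
from pathlib import Path
from typing import List, Optional


def expand_script(text: str, image: str, pid: Optional[str]) -> List[List[str]]:
    """Turn .vws script text into one argv list per command line.

    Each command must fit on a single line (no continuation). %IMG becomes the
    memory image path and %PID the selected process ID. Substitution happens
    after whitespace tokenization, so paths with spaces remain one argument and
    no shell quoting is involved. Using %PID with no process selected is an error.
    """
    commands: List[List[str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "%PID" in line and pid is None:
            raise ValueError(f"line {lineno}: %PID used but no process selected")
        argv = []
        for tok in line.split():
            tok = tok.replace("%IMG", image)
            if pid is not None:
                tok = tok.replace("%PID", pid)
            argv.append(tok)
        commands.append(argv)
    return commands


def run_script(vws_path: str, image: str, pid: Optional[str] = None,
               vol_exe: str = "vol.exe") -> List[tuple]:
    """Run each expanded command with vol.exe (assumed on PATH); return
    (argv, return code, stdout) per command. Not exercised by the test."""
    text = Path(vws_path).read_text(encoding="utf-8")
    results = []
    for argv in expand_script(text, image, pid):
        proc = subprocess.run([vol_exe, *argv], capture_output=True, text=True)
        results.append((argv, proc.returncode, proc.stdout))
    return results


# Constructed sample script, same shape as the page's example.
SAMPLE_VWS = """\
-f %IMG windows.verinfo.VerInfo
-f %IMG windows.dlllist.DllList --pid %PID
"""

if __name__ == "__main__":
    for argv in expand_script(SAMPLE_VWS, r"C:\dumps\mem.raw", "4"):
        print(argv)
```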
v3.0.1001-beta.1, 7 August 2020
- Updated the tool to work with Volatility 3.1.0-beta1. Major changes in
Volatility Workbench 3 are listed below:
- Fixed a crash caused by a buffer overflow when the symbol download URL was too long.
- Fixed a bug where the threads for the standard output and error streams were writing
simultaneously into one buffer.
- Fixed the application logo.
- Some minor changes to the user interface.
v3.0-beta.1, 10 February 2020
- Updated the tool to work with Volatility 3.0. Major changes in Volatility 3 are
listed below:
- The entire framework was completely rewritten and redesigned in Python 3.
- Automatic detection of the profile.
- Proper evaluation of 32-bit code on 64-bit systems.
- Automated evaluation of in-memory code to avoid as much manual reverse engineering
on the part of the analyst as possible.
v2.1, 16 July 2019
- Updated the Volatility binary executable to 2.6.1 to support new profiles for Windows 10 builds
17763 and 17134
v2.0, 21 June 2018
- Support for analysing Mac and Linux memory dumps.
- Capability for the end user to include additional profiles.