Volatility Workbench

Overview

 

Volatility Workbench is a graphical user interface (GUI) for the Volatility tool. Volatility is a command line memory analysis and forensics tool for extracting artifacts from memory dumps. Volatility Workbench is free, open source and runs in Windows. It provides a number of advantages over the command line version including,

 

  • No need to install Python script interpreter.
  • No need of remembering command line parameters.
  • Storage of the platform and process list with the memory dump, in a .CFG file. When a memory image is re-loaded, this saves a lot of time and eliminates the need to get process list each time.
  • Automatic platform detection with .CFG files
  • Simpler copy & paste.
  • Simpler printing of paper copies (via right click).
  • Simpler saving of the dumped information to a file on disk.
  • A drop down list of available commands and a short description of what the command does.
  • Time stamping of the commands executed.
  • Auto-loading the first dump file found in the current folder.
  • Support for analysing Mac and Linux memory dumps.
  • Up to 20% increase in speed compared to interpreted version.

Download

 

The current version of Volatility Workbench is v3.0.1008

 

This build is based on Volatility 3 Framework v2.7.0. The source code for Volatility 3 Framework was downloaded from github on June 6, 2024 and compiled using Pyinstaller

 

Click to download the Volatility Workbench (14 MB)

 

Older Versions

 

Volatility Workbench V2.1 (28 MB)

 

Collection of Additional Profiles for v2.1

 

A set of supported Mac and Linux platform versions to choose from: Profiles (143MB)

 

Note: Select and add only the profiles you need into the “profiles” folder (Included in the Volatility Workbench download). An overload of profiles could slow down the analysis process.

 

Sample Memory Dumps

 

Windows (Windows 11 64bit) Windows-11-Dump (1.22GB)

 

Windows (Windows 10 64bit) Windows-10-Dump (1.6GB)
 

Installation Instructions

 

Download the Zip file above. Unzip it, then double click on the Volatility Workbench executable file (VolatilityWorkbench.exe). For convience a copy of the Volatility command line tool is also included.

 

For instuctions on how to analyse Mac/Linux dumps that are not present in the Volatilty Workbench GUI dropdown menu, view the “profile-list.txt” file in the profiles folder.

 

If you need a tool to collect a memory dump from a live machine, consider using OSForensics, as it writes a configuration file (CFG) along with the dump file, speeding up the analysis process in Volatility.

 

Source code is included with the zip download above.

 

Requirements

 

Windows 11, Windows 10, or Windows 7

 

The command line version of Volatility is slow and single threaded, while memory dumps are large. Hence, a fast CPU and SSD can help.

 

Config file specification

 

Volatility Workbench reads and writes a configuration file (.CFG) which contains meta data about the memory dump file.

 

Specifications for the Volatility dump configuration file can be found here.

 

Licensing

 

Volatility Workbench is released under the same license as Volatility itself.

 

Known Issues

 

For information regarding the known issues in the current version of Volatility, please see this page.