In this release we've moved a number of the existing plugins that were specifically for malware under a malware category, so if the old plugin was linux.check_afinfo which would now be linux.malware.check_afinfo, or windows.hollowprocesses would now be windows.malware.hollowprocesses. The old plugin names are now deprecated, due to be removed in around a year's time, but will continue to work until they are fully removed. They will issue a reminder that they have been deprecated when run with the old names.

• New plugin:
  • windows.etwpatch
• volshell now supports breakpoints (also known as watchpoints) that can be applied to a specific layer and offset that will break into python at the point the layer read occurs on that offset.
• Various fixes across multiple plugins
• Improved documentation in many areas

New Contributors

• @JakePeralta7 made their first contribution in #1787
• @SolitudePy made their first contribution in #1800
• @geekscrapy made their first contribution in #1813
• @ddogfoodd made their first contribution in #1815

Full Changelog: v2.26.0...v2.26.2

This release aims to achieve functional parity with the archived and no-longer-supported Volatility 2. As such, there are a number of changes, only some of which are listed below:

New plugins

• linux.graphics.fbdev
• linux.ip
• linux.kallsyms
• linux.module_extract
• linux.modxview
• linux.pscallstack
• linux.tracing.ftrace
• linux.tracing.perf_events
• linux.tracing.tracepoints
• linux.vmaregexscan
• linux.vmcoreinfo
• mac.regexscan
• windows.deskscan
• windows.desktops
• windows.direct_system_calls
• windows.indirect_system_calls
• windows.suspended_threads
• windows.vadregexscan
• windows.windows
• windows.windowstations

Framework Changes

• Modernize to pyproject.toml python packaging
• New testing framework to ensure version/component requirements are fulfilled

New Contributors

• @c0rydoras made their first contribution in #1362
• @lesander made their first contribution in #1342
• @TheMythologist made their first contribution in #1402
• @cgoodwine made their first contribution in #1549
• @the-rectifier made their first contribution in #1381
• @Danking555 made their first contribution in #1566
• @DT9 made their first contribution in #1698

Full Changelog: v2.11.0...v2.26.0

• New Plugins:

  • linux.boottime
  • linux.ebpf
  • linux.hidden_modules
  • linux.kthreads
  • linux.pagecache
  • linux.pidhashtable
  • linux.ptrace
  • windows.amcache
  • windows.cmdscan
  • windows.consoles
  • windows.debugregisters
  • windows.orphan_kernel_threads
  • windows.pe_symbols
  • windows.scheduled_tasks
  • windows.unhoooked_system_calls

• Improvements to:

  • Output formatting and filtering in the CLI
  • Additional architecture data files for vmscan

• Note: Python 3.8 is now the minimum supported version of python

• New plugins:

  • vmscan
  • linux.netfilter
  • windows.hollowprocesses
  • windows.kpcrs
  • windows.pedump
  • windows.processghosting
  • windows.psxview
  • windows.registry.getcellroutine
  • windows.shimcachemem
  • windows.suspicious_threads
  • windows.svcdiff
  • windows.svclist
  • windows.threads
  • windows.timers
  • windows.unloadedmodules

• Improvements to:

  • userassist with timeliner support
  • bugfixes and additions to windows.modules and windows.modscan
  • windows.callbacks plugin to support more callbacks
  • Smear protection on windows
  • Clearing the cache
  • Intel layer
  • Clang no longer using long unsigned int for pointers
  • argcomplete support

  Volatility 3 now uses features that require a minimum version of python >= 3.7.3.

• New plugins:
  • windows.iat
  • windows.truecrypt
  • linux.library_list
  • mac.dmesg
• Support for configuration files for common CLI options
• windows.driverirp: Report IRP entries that point inside a hidden module
• windows.thrdscan: Improvements
• linux.kmsg: Supports older kernels
• mac.maps: Add process dump support
• Support for Python 3.12

• New Layers:
  • Amazon S3 support
  • Google Cloud Storage support
• New plugins:
  • linux.vmayarascan
  • windows.mftscan.ads
• New features:
  • Dumping of Elf files added to the elfs plugin
• Improvements to ELF support
• Bugfixes to registry support
• Documentation improvements
• Better support for remote ISF directories

• New plugins:
  • Linux capabilities plugin
• Linux process dumping
• Add support for Xen ELF file format
• Improved Linux subsystem support
• Added tutorials to the documentation
• Improved core API

• New plugins:
  • linux.sockstat
  • linux.iomem
  • linux.psscan
  • linux.envars
  • windows.drivermodule
  • windows.vadwalk
• Pid filtering for Windows pstree plugin
• Minor fixes for Windows callbacks plugin
• Minimum Python version was increased to 3.7
• Python-snappy dependency was replaced with ctypes to ease installation
• Whole codebase was reformatted with black
• Faster release cycle (targetting every 4 months)

For the 2.4.0 release, the major version has jumped a few numbers for compatibility, but this is the next release including the following:

• New plugins
  • linux.mountinfo
  • linux.psaux
  • windows.devicetree
  • windows.joblinks
  • windows.ldrmodules
  • windows.mbrscan
  • windows.mftscan
  • windows.sessions
• Introduced the concept of modules and module requirements
• Unified symbol handling and ISF file caching between OS versions
• Better QEVM support (fixed the QEMU PCI hole)
• Exposed an API for automatic PDB symbol table use
• Improved contributed documentation
• Various bug fixes and changes across the codebase

A maintenance release to resolve a few issues affecting Windows detection and PDB support.