The Volatility Framework is an open source, cross-platform, incident response framework that comes with many useful plugins that provide the investigator with a wealth of information from a snapshot of memory, also known as a memory dump. The concept of Volatility has been around for a decade, and apart from analyzing running and hidden processes, is also a very popular choice for malware analysis.

To create a memory dump, several tools such as FTK imager, CAINE, Helix, and LiME (an acronym for Linux Memory Extractor) can be used to acquire the memory image, or memory dump, and then be investigated and analyzed by the tools within the Volatility Framework.

The Volatility Framework can be run on any  operating system (32- and 64-bit) that supports Python, including:

• Windows XP, 7, 8,8.1, and Windows 10
• Windows Server 2003, 2008, 2012/R2, and 2016
• Linux 2.6.11 - 4.2.3 (including Kali, Debian, Ubuntu, CentOS, and more)
• macOS Leopard (10.5.x) and Snow Leopard (10.12.x)

Volatility supports several memory dump formats (both 32- and 64-bit), including:

• Windows crash and hibernation dumps (Windows 7 and earlier)
• VirtualBox
• VMWare .vmem dump
• VMware saved state and suspended dumps—.vmss/.vmsn
• Raw physical memory—.dd
• Direct physical memory dump over IEEE 1394 FireWire
• Expert Witness Format (EWF)—.E01
• QEMU (Quick Emulator)

Volatility even allows for conversion between these formats and boasts of being able to accomplish everything similar tools can.