
Emit Volatility and Rekall profiles #4

Open
@K2

Description


@volatilityfoundation Volatility requires code to be developed / written and requires the user to know the kernel version of the memory dumps being analyzed; see:

volatilityfoundation/volatility#493
volatilityfoundation/volatility#490
volatilityfoundation/volatility#489
volatilityfoundation/volatility#473
volatilityfoundation/volatility#451
volatilityfoundation/volatility#383

@google Rekall is better; however, there are problems due to the lack of support for PDB client tools on Linux or other platforms. And it still requires users to extract disk files or have them on hand or pre-generated.

google/rekall#305
google/rekall#228

The use of hard-coded profiles and names, or even extracting these profiles from disk binaries, places an excessive burden on users and inhibits automation (i.e. they require knowledge about the memory dump's version). The user of forensic analysis tools does not often perform the memory dumping and may have been provided a dump without that information; automating this process will streamline the work and reduce errors in these cases as well.

As this information is technically not required, and considering that the release cycle of Windows is now quite frequent, supporting these tools seems like it would help a lot of people and robots get their jobs done without failure.

This will have the added side effect of expanding the existing capability of these tools considerably, due to the expansive information included in the symbol information. Future versions may expand support for additional modules beyond what's required (essentially only NT! is needed for the purposes of Vola/Rekall).
