Anatomy of Volatility

Sam Duy edited this page May 31, 2018 · 4 revisions

Architecture

Address Spaces

Volatility uses a stacked address space (AS) model. Each layer exposes the same read interface to the layer above it, which gives a much needed abstraction between the underlying file formats and the higher level plugins. For example, when you write a plugin you do not need to worry about the differences (how data is stored, compressed, and so on) between raw dumps, crash dumps, or hibernation files; all of that is handled inside the address spaces.

Most often a FileAddressSpace is the lowest AS in the stack (unless you are working with something like FireWire), since it interfaces directly with the memory dump file. If you are working with an x86 crash dump, a WindowsCrashDumpSpace32 AS sits on top of the file AS and parses the crash dump headers, mapping physical addresses to offsets within the file. Because a crash dump is a paged address space, yet another AS sits on top of the crash dump space (for example IA32PagedMemoryPae) which reads the page tables and translates virtual addresses to physical offsets. A plugin only ever talks to the top of the stack.
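To make the stacking concrete, here is an added example in plain Python (not Volatility's own code) of a three-layer stack shaped like the one described above: a raw-bytes layer standing in for FileAddressSpace, a header-parsing layer standing in for WindowsCrashDumpSpace32, and a page-table layer standing in for IA32PagedMemoryPae. The dump format, the header layout, the single-level 32-bit page table and the sample bytes are all constructed for this example and do not match any real crash dump or CPU paging structure; the point is that the top layer answers virtual-address reads without knowing anything about the file format beneath it, and that reads crossing a page boundary or hitting a non-present page are handled explicitly.

```python
import struct

PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT


class AddressSpace:
    """Every layer wraps a base layer and exposes read(addr, length) -> bytes or None."""

    def __init__(self, base=None):
        self.base = base

    def read(self, addr, length):
        raise NotImplementedError


class BytesAddressSpace(AddressSpace):
    """Lowest layer, stands in for FileAddressSpace: raw bytes of the dump file."""

    def __init__(self, data):
        super().__init__(None)
        self.data = data

    def read(self, addr, length):
        if addr < 0 or addr + length > len(self.data):
            return None  # out-of-range read is a failure, not an exception
        return self.data[addr:addr + length]


class HeaderedDumpSpace(AddressSpace):
    """Stands in for a crash-dump parser. Hypothetical format: b'DUMP', then a
    32-bit LE offset at which physical memory begins, then 8 reserved bytes."""

    MAGIC = b"DUMP"

    def __init__(self, base):
        super().__init__(base)
        hdr = base.read(0, 8)
        if hdr is None or hdr[:4] != self.MAGIC:
            raise ValueError("not a toy dump")
        self.phys_offset = struct.unpack("<I", hdr[4:8])[0]

    def read(self, paddr, length):
        # physical address -> file offset is the only thing this layer knows
        return self.base.read(self.phys_offset + paddr, length)


class PagedSpace(AddressSpace):
    """Stands in for a paged AS. Hypothetical single-level table of 32-bit LE
    entries: bits 31..12 physical page base, bit 0 present."""

    def __init__(self, base, table_paddr):
        super().__init__(base)
        self.table_paddr = table_paddr

    def vtop(self, vaddr):
        idx = vaddr >> PAGE_SHIFT
        raw = self.base.read(self.table_paddr + idx * 4, 4)
        if raw is None:
            return None
        pte = struct.unpack("<I", raw)[0]
        if not pte & 1:
            return None  # page not present
        return (pte & ~(PAGE_SIZE - 1)) | (vaddr & (PAGE_SIZE - 1))

    def read(self, vaddr, length):
        out = bytearray()
        while length:
            paddr = self.vtop(vaddr)
            if paddr is None:
                return None
            chunk = min(length, PAGE_SIZE - (vaddr & (PAGE_SIZE - 1)))
            data = self.base.read(paddr, chunk)
            if data is None:
                return None
            out += data
            vaddr += chunk
            length -= chunk
        return bytes(out)


def build_toy_dump():
    """Constructed sample: 16-byte header, then four 4 KiB physical pages."""
    phys = bytearray(4 * PAGE_SIZE)
    # page table at physical 0: vpage0 -> ppage2, vpage1 -> ppage3, vpage2 absent
    struct.pack_into("<I", phys, 0, (2 << PAGE_SHIFT) | 1)
    struct.pack_into("<I", phys, 4, (3 << PAGE_SHIFT) | 1)
    struct.pack_into("<I", phys, 8, 0)
    # data straddling the vpage0/vpage1 boundary lives in two physical pages
    phys[2 * PAGE_SIZE + PAGE_SIZE - 8:3 * PAGE_SIZE] = b"stacked "
    phys[3 * PAGE_SIZE:3 * PAGE_SIZE + 8] = b"spaces!!"
    header = b"DUMP" + struct.pack("<I", 16) + b"\x00" * 8
    return header + bytes(phys)


def build_stack(dump_bytes, table_paddr=0):
    """Assemble file -> dump-format -> paged layers, as Volatility's AS loader would."""
    return PagedSpace(HeaderedDumpSpace(BytesAddressSpace(dump_bytes)), table_paddr)


if __name__ == "__main__":
    top = build_stack(build_toy_dump())
    print(top.read(0xFF8, 16))      # read crossing a page boundary
    print(hex(top.vtop(0x1234)))    # virtual -> physical
    print(top.read(0x2000, 4))      # non-present page -> None
```

A plugin written against `top.read()` would behave identically if `HeaderedDumpSpace` were swapped for a layer that understood a different container, which is exactly the separation the stacked model buys.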

Profiles

A Linux profile is essentially a zip file with information on the kernel's data structures and debug symbols. This is what Volatility uses to locate critical information in memory and to parse it once found. If a pre-built profile does not exist for your kernel, you will need to build your own.
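As an added illustration (not Volatility's profile loader), the following Python builds an in-memory profile zip holding a `System.map`-style symbol table, reads it back, and resolves a kernel symbol to its address. The symbol lines are constructed for this example and are not from a real kernel; the file name prefix `System.map-` and the three-column `address type name` format follow the standard kernel `System.map` layout, while the data-structure description that a real profile also carries is left out here.

```python
import io
import zipfile

# Constructed System.map excerpt: "<hex address> <symbol type> <name>" per line.
SYSTEM_MAP = """\
ffffffff81001000 T _stext
ffffffff81c00000 D init_task
ffffffff81e1a0a0 D linux_banner
"""


def make_profile_zip(system_map, kernel_version):
    """Write a minimal profile zip in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("System.map-" + kernel_version, system_map)
    return buf.getvalue()


def load_symbols(profile_bytes):
    """Return {name: (address, type)} from the System.map inside the profile zip."""
    with zipfile.ZipFile(io.BytesIO(profile_bytes)) as zf:
        maps = [n for n in zf.namelist() if n.startswith("System.map")]
        if not maps:
            raise ValueError("profile zip contains no System.map")
        text = zf.read(maps[0]).decode()
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        addr, kind, name = parts
        symbols[name] = (int(addr, 16), kind)
    return symbols


def resolve(symbols, name):
    """Address of a kernel symbol, or None if the profile does not know it."""
    entry = symbols.get(name)
    return entry[0] if entry else None


if __name__ == "__main__":
    syms = load_symbols(make_profile_zip(SYSTEM_MAP, "4.15.0-example"))
    print(hex(resolve(syms, "init_task")))
    print(resolve(syms, "no_such_symbol"))
```

With an address for `init_task` in hand, a plugin would hand that virtual address to the top of the address-space stack and walk the task list from there; without a matching profile there is no way to know where to start or how the bytes are laid out, which is why the profile must match the dumped kernel exactly.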

How it works
