VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images.

VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis.

VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution, and hunt for malicious patterns.

Please refer to the VolDiff home wiki for details. VolDiff has also been included in the REMnux Linux malware analysis toolkit.

See this wiki page for a sample VolDiff analysis of a system infected with the DarkComet RAT, or this blog post for example VolDiff use againt a malware Trojan.

This work was initially inspired by Andrew Case (@attrc) talk on analyzing the sophisticated Careto malware sample with memory forensics. Kudos to @attrc and all the Volatility development team for creating and maintaining the greatest memory forensic framework out there!