Published on April 1st, 2016
VolUtility — Volatility Framework Web Interface
After Evolve, a web interface for the Volatility forensics framework, many developers started working on web interfaces for one of the most popular forensic frameworks, The Volatility Framework. If you are not familiar with Volatility, check our previous post, which briefly introduces its basic features and links to all Volatility resources. The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
VolUtility is a web interface for the Volatility memory analysis framework. It runs plugins and stores their output in a MongoDB database, extracts files from plugins that support dump-dir and stores them in the database, lets you search across all plugin output and file content with string search and YARA rules, and allows you to work on multiple images in one database.
Installation
Tested on Ubuntu 14.04 LTS
Volatility
You need to install volatility. Minimum version is 2.5. 2.5 is needed as this is when unified output was introduced.
git clone https://github.com/volatilityfoundation/volatility
cd volatility
sudo python setup.py install
VolUtility will list what version you have installed under the Help page (At least it will soon)
Mongo & PyMongo
Install mongodb version 3 or higher first: https://docs.mongodb.org/v3.0/tutorial/install-mongodb-on-ubuntu/
Then install pymongo
sudo pip install pymongo
Django
sudo pip install django
Other
sudo pip install virustotal-api
Get the code
git clone https://github.com/kevthehermit/VolUtility
VirusTotal
If you would like to add a VirusTotal key, create a file in the web directory named vt_key.py. In the file add a single line:
API_KEY = 'YourKeyHere'
Run The Code
cd VolUtility
./manage.py runserver 0.0.0.0:8000
Open your browser and point to https://your.ip:8000
File paths are on the box that's running the interface. This does not upload memory dumps; it just points to them.
Using VolUtility
Basic usage
Create a new session then click the run button next to each plugin name. Plugins run in the background and you will be notified when a plugin completes. Click the view button next to each plugin to view the output, that can be searched and filtered.
Plugins
You can add extra plugin directories for example the Volatility Community plugin pack. This must be done before creating a new session. Any sessions created after this will include the extra plugins.
Vol Command Line
In the session page, on the toolbar there is an option to run vol commands. This takes a full vol.py command string without the vol.py, e.g.
--plugin-dir=/path/to/dir --profile=Win7SP1x86 -f /path/to/image.vmem procdump --dump-dir=/path/to/dump
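Because this feature hands a user-typed argument string to a local vol.py, and the image and dump paths it names live on the box running the interface, a front-end has to turn that string into an argument vector without going through a shell and check where the paths point. The following is an added example of one way to do that; it is not VolUtility's own code. The ALLOWED_ROOTS directories, the function names and the sample command strings are assumptions constructed for the example.

```python
import shlex
from pathlib import Path

# Added example, not VolUtility's code: turn a "vol.py command string
# without the vol.py" into an argv list suitable for subprocess.run()
# WITHOUT shell=True, and check the filesystem paths it names.

# Constructed allow-list (assumed values, not from the page): directories
# this host is willing to read images from and write dump output to.
ALLOWED_ROOTS = [Path("/srv/images"), Path("/srv/dumps")]


def split_vol_command(command: str) -> list:
    """Split a vol.py-style argument string into an argv list.

    shlex honours quoting, so a path containing spaces survives as one
    argument, while shell metacharacters such as ';' or '$(...)' remain
    ordinary characters inside an argument instead of being interpreted.
    """
    argv = shlex.split(command)
    # The interface expects the string *without* a leading 'vol.py'.
    if argv and argv[0] in ("vol.py", "volatility"):
        argv = argv[1:]
    return argv


def extract_paths(argv: list) -> dict:
    """Collect the options that name filesystem locations.

    Handles both '-f /path' and '--dump-dir=/path' spellings.
    """
    paths = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        for opt in ("-f", "--plugin-dir", "--dump-dir"):
            if arg == opt and i + 1 < len(argv):
                paths[opt] = argv[i + 1]
                i += 1  # skip the value we just consumed
            elif arg.startswith(opt + "="):
                paths[opt] = arg.split("=", 1)[1]
        i += 1
    return paths


def path_is_allowed(candidate: str, roots=ALLOWED_ROOTS) -> bool:
    """True if candidate resolves inside one of the allowed roots.

    resolve() collapses '..' components, so a value such as
    '/srv/images/../../etc/passwd' resolves to /etc/passwd and is rejected.
    """
    resolved = Path(candidate).resolve(strict=False)
    for root in roots:
        try:
            resolved.relative_to(root.resolve(strict=False))
            return True
        except ValueError:
            continue
    return False


def build_argv(command: str) -> list:
    """Validate the command string and return the argv to execute.

    Raises ValueError if any path option points outside ALLOWED_ROOTS.
    In the page's example, '-f' names the image and '--dump-dir' is where
    a plugin such as procdump writes the files it extracts.
    """
    argv = split_vol_command(command)
    for opt, value in extract_paths(argv).items():
        if not path_is_allowed(value):
            raise ValueError(f"{opt} points outside allowed roots: {value}")
    return ["vol.py"] + argv


if __name__ == "__main__":
    # Constructed sample command in the page's format (paths are assumed).
    sample = ("--profile=Win7SP1x86 -f /srv/images/win7.vmem "
              "procdump --dump-dir=/srv/dumps/case1")
    print(build_argv(sample))
```

The returned list is meant to be passed as the args list of subprocess.run(), so the only way for a token to reach Volatility is as a distinct argument; the allow-list check is what keeps '-f' and '--dump-dir' from being pointed at arbitrary locations on the analysis box.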
Clean the DB
The following commands will erase all data in the VolUtility database:
mongo
use voldb
db.dropDatabase()
use voldbfs
db.dropDatabase()
exit
Source && Download
https://github.com/kevthehermit/VolUtility