Pentest Tools

Published on April 1st, 2016 📆 | 6949 Views ⚑

0

VolUtility — Volatility Framework Web Interface


iSpeech.org
After Evolve, web interface for the volatility forensics framework,  many developers started to work on web interface for one of the most popular forensic framework, The Volatility Framework. For those of you who are not familiar with Volatility you can check our previous post where you can briefly familiarize with basic features and from where you can follow links to all Volatility resources. The Volatility Framework. is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.

Web Interface for Volatility Memory Analysis framework, VolUtility runs plugins and stores the output in a mongo database. This Volatility Framework Web Interface extracts files from plugins (that support dump-dir) and stores them in the database Search across all plugins and file content with string search and yara rules. Allows you to work on multiple images in one database.

 

https://youtu.be/ruEj94Zhn6I

 

Installation

Tested on Ubuntu 14.04 LTS

 

Volatility

You need to install volatility. Minimum version is 2.5. 2.5 is needed as this is when unified output was introduced.

git clone https://github.com/volatilityfoundation/volatility
cd volatility
sudo python setup.py install

VolUtility will list what version you have installed under the Help page (At least it will soon)

 

Mongo & PyMongo

Install mongodb version 3 or higher first.https://docs.mongodb.org/v3.0/tutorial/install-mongodb-on-ubuntu/

Then install pymongo

sudo pip install pymongo

 

Django

sudo pip install django

 

Other

sudo pip install virustotal-api

 

Get the code

git clone https://github.com/kevthehermit/VolUtility

 

VirusTotal

If you would like to add a virus total key

create a file in the web directory named vt_key.py In the file add a single line API_KEY = 'YourKeyHere'

 [adsense size='1']

 

Run The Code

cd VolUtility ./manage.py runserver 0.0.0.0:8000

Open your browser and point to https://your.ip:8000

File paths are on the box thats running the interface. This does not Upload mem dumps. Just points to them

 

Using VolUtility

Basic usage

Create a new session then click the run button next to each plugin name. Plugins run in the background and you will be notified when a plugin completes. Click the view button next to each plugin to view the output, that can be searched and filtered.

Plugins

You can add extra plugin directories for example the Volatility Community plugin pack. This must be done before creating a new session. Any sessions created after this will include the extra plugins.

 

 

Vol Command Line.

In the session page, on the toolbar there is an option to run vol commands. This takes a full vol.py command string without thevol.py. e.g.

--plugin-dir=/path/to/dir --profile=Win7SP1x86 -f /path/to/image.vmem procdump --dump-dir=/path/to/dump

 

Clean the DB

The following commands will erase all data in the Volutility Database

mongo
use voldb
db.dropDatabase()
use voldbfs
db.dropDatabase()
exit

 

Source && Download

https://github.com/kevthehermit/VolUtility



Leave a Reply

Your email address will not be published.