Published on April 1st, 2016
VolUtility — Volatility Framework Web Interface
After Evolve, a web interface for the Volatility forensics framework, appeared, several developers started working on web interfaces for one of the most popular forensic frameworks, The Volatility Framework. If you are not familiar with Volatility, see our previous post, which briefly covers its basic features and links to all Volatility resources. The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
VolUtility is a web interface for the Volatility memory analysis framework. It runs plugins and stores their output in a MongoDB database, extracts files from plugins that support dump-dir and stores them in the database as well, lets you search across all plugin output and file content with string searches and YARA rules, and allows you to work on multiple images in one database.
Tested on Ubuntu 14.04 LTS
You need to install Volatility. The minimum version is 2.5, because that is the release that introduced unified output.
git clone https://github.com/volatilityfoundation/volatility
cd volatility
sudo python setup.py install
VolUtility will list what version you have installed under the Help page (at least it will soon).
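As an added example (not code from VolUtility or the Volatility project), the block below shows the unified output format that makes 2.5 the minimum version and the store-and-search workflow described above: it converts a plugin's JSON output (columns plus rows) into one document per row, tagged with plugin and session, and runs a cross-field string search over those documents. The pslist sample is constructed, the `session-1` id and `plugin_output` collection name are assumptions, and the MongoDB step is kept separate so the parsing and search run offline.

```python
import json
import re

# Constructed sample of Volatility 2.5 unified output (--output=json) for the
# pslist plugin. Offsets, PIDs and timestamps are made up for illustration.
SAMPLE_PSLIST_JSON = json.dumps({
    "columns": ["Offset(V)", "Name", "PID", "PPID", "Thds", "Hnds",
                "Sess", "Wow64", "Start", "Exit"],
    "rows": [
        [2185005440, "System", 4, 0, 88, 548, -1, 0,
         "2016-03-01 10:00:01 UTC+0000", ""],
        [2185370024, "explorer.exe", 1456, 1400, 23, 612, 1, 0,
         "2016-03-01 10:01:17 UTC+0000", ""],
        # Lookalike name: a typical thing a triage string search is meant to surface.
        [2185490768, "svch0st.exe", 2048, 1456, 2, 45, 1, 0,
         "2016-03-01 10:05:42 UTC+0000", ""],
    ],
})


def unified_to_documents(plugin, session_id, raw_json):
    """Turn unified JSON (columns + rows) into one dict per row. Each row is
    tagged with the plugin name and a session id so several memory images can
    live in one collection and still be told apart."""
    data = json.loads(raw_json)
    cols = data["columns"]
    return [dict(zip(cols, row), plugin=plugin, session_id=session_id)
            for row in data["rows"]]


def search_documents(docs, pattern):
    """Case-insensitive regex search across every field of every row document,
    the kind of cross-plugin string search the interface offers."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [d for d in docs if any(rx.search(str(v)) for v in d.values())]


def store_documents(docs, mongo_uri="mongodb://localhost:27017", db_name="voldb"):
    """Persist row documents with pymongo (requires a running MongoDB).
    Collection name 'plugin_output' is an assumption, not VolUtility's schema."""
    from pymongo import MongoClient
    client = MongoClient(mongo_uri)
    return client[db_name]["plugin_output"].insert_many(docs).inserted_ids


if __name__ == "__main__":
    docs = unified_to_documents("pslist", "session-1", SAMPLE_PSLIST_JSON)
    for hit in search_documents(docs, r"svch0st"):
        print(hit["plugin"], hit["Name"], "PID", hit["PID"], "PPID", hit["PPID"])
```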
Mongo & PyMongo
Install MongoDB version 3 or higher first: https://docs.mongodb.org/v3.0/tutorial/install-mongodb-on-ubuntu/
Then install pymongo, Django and the VirusTotal API client:
sudo pip install pymongo
sudo pip install django
sudo pip install virustotal-api
Get the code
git clone https://github.com/kevthehermit/VolUtility
If you would like to add a VirusTotal key, create a file in the web directory named vt_key.py and add a single line to it:
API_KEY = 'YourKeyHere'
Run The Code
./manage.py runserver 0.0.0.0:8000
Open your browser and point to https://your.ip:8000
File paths are on the box that's running the interface. This does not upload memory dumps; it just points to them.
Create a new session, then click the run button next to each plugin name. Plugins run in the background and you will be notified when a plugin completes. Click the view button next to each plugin to view the output, which can be searched and filtered.
You can add extra plugin directories for example the Volatility Community plugin pack. This must be done before creating a new session. Any sessions created after this will include the extra plugins.
Vol Command Line
In the session page, on the toolbar there is an option to run vol commands. This takes a full vol.py command string without the
--plugin-dir=/path/to/dir --profile=Win7SP1x86 -f /path/to/image.vmem procdump --dump-dir=/path/to/dump
Clean the DB
The following commands will erase all data in the VolUtility database:
mongo
use voldb
db.dropDatabase()
use voldbfs
db.dropDatabase()
exit