
Extensions

kevthehermit edited this page Nov 20, 2016 · 5 revisions

Extension


VolUtility comes with an Extensions framework that allows you to add features and functionality to the data returned by Volatility plugins. There are two types of extension:

  1. PostProcess
  2. FileExtensions

Post Process

Post process extensions take the rows and columns returned by a Volatility plugin and can modify the data or inject new data. An example is the iplookup extension.

For each row it reads the RemoteIP column, performs a GeoIP country lookup and injects the result into a new column for that row.

IPLookup

Performs a GeoIP country lookup for each remote IP. Any RFC-reserved (non-routable) IP addresses are listed in the same manner. The lookups are performed using GeoLite2 data created by MaxMind, available from http://www.maxmind.com.
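As an added illustration of what a post-process extension does (this is example code, not VolUtility's own extension API, and FAKE_GEOIP is a constructed stand-in for the GeoLite2 database), the following models plugin output as a list of column names plus rows, reads the RemoteIP column, labels reserved addresses instead of looking them up, and appends a Country column to every row:

```python
"""Added example: a post-process step in the style of the IPLookup extension.

Illustrative code, not VolUtility's own extension API. Plugin output is
modelled as a list of column names plus rows (lists aligned with the columns).
The step reads the RemoteIP column, labels reserved addresses, looks up the
rest and appends a Country column to every row. FAKE_GEOIP is a constructed
stand-in for the MaxMind GeoLite2 database.
"""
import ipaddress

# Constructed lookup table: network prefix -> country code.
FAKE_GEOIP = {
    ipaddress.ip_network("8.8.8.0/24"): "US",
    ipaddress.ip_network("1.1.1.0/24"): "AU",
}


def reserved_label(ip):
    """Label addresses that should never be sent to a GeoIP lookup; None if routable."""
    if ip.is_unspecified:
        return "Unspecified"
    if ip.is_loopback:
        return "Loopback"
    if ip.is_link_local:
        return "Link-local"
    if ip.is_multicast:
        return "Multicast"
    if ip.is_private:
        return "Private"
    if not ip.is_global:
        return "Reserved"
    return None


def lookup_country(ip):
    """Prefix lookup against the constructed table."""
    for net, country in FAKE_GEOIP.items():
        if ip in net:
            return country
    return "Unknown"


def post_process(columns, rows, ip_column="RemoteIP", new_column="Country"):
    """Return (columns, rows) with a country label appended to each row.

    Output without the expected column is passed through untouched, and a
    value that does not parse as an address (e.g. '*') is labelled rather
    than allowed to abort the whole table.
    """
    if ip_column not in columns:
        return columns, rows
    idx = columns.index(ip_column)
    new_rows = []
    for row in rows:
        raw = str(row[idx]).strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            label = "Invalid"
        else:
            label = reserved_label(ip) or lookup_country(ip)
        new_rows.append(list(row) + [label])
    return columns + [new_column], new_rows


# Constructed sample rows shaped like connection-list plugin output.
SAMPLE_COLUMNS = ["Offset", "Proto", "LocalAddr", "RemoteIP", "State"]
SAMPLE_ROWS = [
    ["0x1a2b3c", "TCPv4", "192.168.1.10:49152", "8.8.8.8", "ESTABLISHED"],
    ["0x1a2b40", "TCPv4", "192.168.1.10:49153", "10.0.0.5", "ESTABLISHED"],
    ["0x1a2b44", "TCPv4", "127.0.0.1:8080", "127.0.0.1", "LISTENING"],
    ["0x1a2b48", "TCPv4", "192.168.1.10:49154", "8.8.4.4", "CLOSE_WAIT"],
    ["0x1a2b4c", "UDPv4", "0.0.0.0:137", "*", ""],
]


def demo():
    """Run the post-process step over the constructed sample."""
    return post_process(SAMPLE_COLUMNS, SAMPLE_ROWS)


if __name__ == "__main__":
    cols, rows = demo()
    print("\t".join(cols))
    for row in rows:
        print("\t".join(str(v) for v in row))
```

Checking the reserved classes before the lookup matters in a real deployment as well: private, loopback and link-local addresses are meaningless to a GeoIP database, and a lookup that calls out to a web service would otherwise leak internal address information from the memory image.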

File Extensions

These are the more complicated of the two types. VolUtility allows you to store a wide range of files extracted from memory through plugins like filescan, procdump, dumpfiles, etc. These extensions allow you to add further analysis tools to those files. Examples include extracting strings, viewing SQLite files, etc.

ExtractStrings

This will extract all ASCII and Unicode strings longer than 4 characters. If FLOSS is installed it will also run advanced string decoding against PE binaries.

To extract strings, follow these steps:

  • Click 'FileDetails' in the DumpFiles output
  • Select the ExtractStrings extension
  • Click the button once to parse all the strings
  • Click the button a second time to download the strings file.

Once the strings have been extracted, they are stored in the database.
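To show what the ASCII and Unicode passes of such an extension actually do, here is an added example (not VolUtility's ExtractStrings code, and without the FLOSS step). It pulls printable ASCII runs and UTF-16LE runs out of a byte buffer; the minimum length is a parameter defaulting to 4, and SAMPLE is a constructed buffer:

```python
"""Added example: the core of an ExtractStrings-style step.

Illustrative code, not VolUtility's own extension. It pulls printable ASCII
runs and UTF-16LE ("Unicode", as Windows binaries store them) runs of at
least min_len characters out of a byte buffer. SAMPLE is a constructed buffer.
"""
import re


def extract_strings(data, min_len=4):
    """Return (ascii_strings, unicode_strings) found in data, in file order.

    ASCII: runs of printable 7-bit bytes (0x20-0x7e).
    Unicode: runs of those same characters each followed by a NUL byte, i.e.
    UTF-16LE text restricted to the ASCII range. This is a heuristic: it can
    start a wide match one byte off the true alignment and it misses non-ASCII
    code points, the same trade-off the classic strings tools make.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    unicode_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strings = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    unicode_strings = [m.group().decode("utf-16-le") for m in unicode_re.finditer(data)]
    return ascii_strings, unicode_strings


# Constructed buffer mixing a DOS-stub-like message, wide strings, noise
# that is too short to report, and a trailing ASCII URL.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 8
    + "kernel32.dll".encode("utf-16-le")
    + b"\x00\x00"
    + b"ab\x01cd"
    + "C:\\Users\\victim\\run.exe".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + b"http://example.invalid/update"
)


def demo():
    """Run both passes over the constructed sample."""
    return extract_strings(SAMPLE)


if __name__ == "__main__":
    ascii_found, unicode_found = demo()
    for s in ascii_found:
        print("ascii  ", s)
    for s in unicode_found:
        print("unicode", s)
```

Because a NUL byte separates every character of a UTF-16LE string, the ASCII pass only ever sees one-character runs inside wide text, so the two passes do not double-report the same string; that is why a viewer can present the two lists separately.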

HexViewer

Displays the raw hex of the stored file.

PSTViewer

If you have a stored Outlook PST file, you can parse all the emails and their headers from the PST and view them in the browser. Email attachments are not yet parsed; you can still download the PST and parse it manually.

To view hives, follow these steps:

  • Run the dumpregistry plugin to store all the hive files in the database.
  • Click the File Details link in the row of the hive you want to view.
  • Click the Registry button in the new window that opens. This should load the registry viewer.
  • Click on Nodes to expand them and view any keys.
  • Nodes and keys are loaded over AJAX, so it may take a moment for keys to load.

SQLiteViewer

If you have an SQLite database file, you can view all of its tables and their rows in the browser.

To view SQLite files, follow these steps:

  • Run the FileScan plugin.
  • From the filescan output, use the right-click context menu to save your SQLite files.
  • Once saved, from the DumpFiles output click 'File Details' on the row of the file.
  • Select the SQLiteViewer Tab
  • Click Scan Tables
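
The "Scan Tables" step above boils down to enumerating sqlite_master and reading each table. The following added example (illustrative code, not VolUtility's SQLiteViewer) does that with the checks a file carved from memory deserves: it verifies the SQLite header before handing the file to the library, opens the database read-only so the stored evidence is never modified, quotes table names (which come from the untrusted file) as identifiers, and treats a rejected file as a normal error. build_sample_db creates a constructed database for the demo.

```python
"""Added example: the core of an SQLiteViewer-style "Scan Tables" step.

Illustrative code, not VolUtility's own extension. Files saved from filescan
output are carved from memory, so before handing one to SQLite the header is
checked, the database is opened read-only so the stored evidence is never
modified, and table names (which come from the file and are untrusted) are
quoted as identifiers. build_sample_db creates a constructed database.
"""
import os
import sqlite3
import tempfile
from urllib.request import pathname2url

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_sqlite_file(path):
    """Cheap header check before SQLite ever touches the file."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def quote_ident(name):
    """Quote an SQL identifier; names come from sqlite_master, not from us."""
    return '"' + name.replace('"', '""') + '"'


def scan_tables(path, max_rows=100):
    """Return {"quick_check": str, "tables": {name: {"columns": [...], "rows": [...]}}}.

    Raises ValueError for a file that is not an SQLite 3 database or that SQLite
    rejects (e.g. a carved file that is truncated or partly overwritten).
    """
    if not is_sqlite_file(path):
        raise ValueError("%s: not an SQLite 3 database (bad header)" % path)
    # mode=ro: never write to the stored evidence, not even journal files.
    uri = "file:" + pathname2url(os.path.abspath(path)) + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        result = {"quick_check": conn.execute("PRAGMA quick_check").fetchone()[0],
                  "tables": {}}
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        for name in names:
            q = quote_ident(name)
            columns = [r[1] for r in conn.execute("PRAGMA table_info(%s)" % q)]
            rows = conn.execute("SELECT * FROM %s LIMIT ?" % q, (max_rows,)).fetchall()
            result["tables"][name] = {"columns": columns, "rows": rows}
        return result
    except sqlite3.DatabaseError as exc:
        raise ValueError("%s: SQLite rejected the file (%s)" % (path, exc))
    finally:
        conn.close()


def build_sample_db(path):
    """Create a small constructed browser-history-like database."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url TEXT, ts INTEGER)")
        conn.executemany("INSERT INTO visits (url, ts) VALUES (?, ?)",
                         [("http://example.invalid/", 1700000000),
                          ("http://example.invalid/login", 1700000060)])
    conn.close()


def demo():
    """Build one real database and one non-database file and scan both."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "History")
    build_sample_db(good)
    bad = os.path.join(workdir, "carved.bin")
    with open(bad, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 30)  # constructed: not an SQLite file
    scanned = scan_tables(good)
    try:
        scan_tables(bad)
        rejected = False
    except ValueError:
        rejected = True
    return scanned, rejected


if __name__ == "__main__":
    scanned, rejected = demo()
    print("non-database rejected:", rejected, "| quick_check:", scanned["quick_check"])
    for name, table in scanned["tables"].items():
        print(name, table["columns"], len(table["rows"]), "rows")
```

The row cap (max_rows) is there because a viewer renders into a browser page; a large carved history or cache database can hold far more rows than a single page should try to display.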

VirusTotalSearch

Search VirusTotal for the file's hash, or alternatively upload the file, and then view the resulting analysis.

YaraScanner

Scan stored files against any YARA rules you have in the yararules folder.
