-
Notifications
You must be signed in to change notification settings - Fork 81
Extensions
Extension
Table of Contents
VolUtility comes with an Extensions framework that allow you to add features and functionality to the data that is returned from Volatility plugins. There are two types of plugins
- PostProcess
- FileExtensions
Post process extensions take the rows and columns that are returned by the volatility plugin and can modify / inject the data. An example is the iplookup extension.
For each row it reads the RemoteIP Column, performs a GeoIP Country lookup and then injects the results in to a new column per row.
Performs a GeoIP Country lookup for each remote IP. Any RFC IP's will be listed in this same manner. The lookups are performed using GeoLite2 data created by MaxMind, available from http://www.maxmind.com.
These are the more complicated of the two types. VolUtility allows you to store a wide range of files extracted from memory through plugins like filescan, procdump, dumpfiles etc. Theses extensions allow you to add additional analysis tools to these files. Examples include Extracting Strings, Viewing SQLite files etc.
This will extract all ASCII and Unicode strings greater than 4 chars. If Floss is installed it will also run advanced string decoding against PE Binaries.
To Extract strings follow these steps:
- Click 'FileDetails' in the DumpFiles output
- Select the ExtractStrings extension
- Click the button once to parse all the strings
- Click the button a second time to download the strings file.
After the strings have been extracted once they are stored in the database.
Displays the raw hex of the stored file.
If you have a stored Outlook PST File then you can parse all the emails and their headers from the PST and view them in the browser. Email Attachments are not yet parsed, You can still download the PST and parse manually.
In order to use this library you need to have libpff installed. The best way to do this is following the instructions on thir wiki https://github.com/libyal/libpff/wiki/Building making sure you enable python.
sudo apt install autoconf automake autopoint libtool pkg-config
git clone https://github.com/libyal/libpff.git
cd libpff/
./synclibs.sh
./autogen.sh
./configure --enable-python
make
sudo make install
sudo ldconfig
To view Hives follow these steps:
- Run the dumpregistry plugin to store all the hive files in the DataBase.
- Click the File Details link in the row of the hive you want to view.
- Click the Registry button in the new window that opens. This should load the registry viewer.
- Click on Nodes to expand them and view any keys.
- Nodes and keys are loaded over ajax so may take a moment for keys to be loaded.
If you have an SQLite Database file then you can view all the tables and their rows in the browser.
To View SQlite Files follow these steps.
- Run the FileScan plugin.
- From the filescan output use the right click context menu to save your sqlite files.
- Once saved, from the DumpFiles output click 'File Details' on the row of the file
- Select the SQLiteViewer Tab
- Click Scan Tables
Search VirusTotal for the hash, or alternatively upload the file and then view the resulting analysis
Scan stored files against any yara rules you have in the yararules folder.
Hive Viewer allows you to view registry keys and values in a similar fashion to regedit. Once you have dumped the hives you can navigate them by clicking on nodes and expanding them, if there are any keys present their keys and data values will be presented on the right hand side.
The JavaScript that opens and collapses nodes is still a little buggy I’m working on it. My JavaScript foo is not very strong.
To view Hives follow these steps:
- Run the dumpregistry plugin to store all the hive files in the DataBase.
- Click the File Details link in the row of the hive you want to view.
- Click the Registry button in the new window that opens. This should load the registry viewer.
- Click on Nodes to expand them and view any keys.
- Nodes and keys are loaded over ajax so may take a moment for keys to be loaded.
Parses EXIF metadata from a wide range of file types. Will also display images in the tab.
This requires sudo apt-get install libimage-exiftool-perl
This allows you to submit files to a cuckoo instance. Configured via the volutility.conf file it is disabled by default. In the future I hope to support other sandboxes for now Cuckoo is the only one i have access to.