Usage
Basic Configuration and Usage
VolUtility operates on the principle of sessions. Each memory image has its own session, which is used to track all the plugin results and associated data. These sessions are persisted in a database and so can be resumed at a later stage. The memory image MUST be on the same host that is running VolUtility; there is no capability to upload via the web panel. There is no limit to the number of sessions that can be stored other than your own storage capacity.
To create a session, navigate to the home page and click the New + button.
Enter the following details:
- Title
- Path to Image file
- Select the profile if known else leave on AutoDetect
- Enter a Description (Optional)
Click Submit. Once the image has been validated, the loading screen closes and the page refreshes automatically.
There is no GUI method to modify a session yet; this can be done directly in the database.
The plugin results page has a right-click context menu that provides advanced options depending on the plugin currently displayed:
- All - Bookmark / Highlight Row
- All - Search Cell Value
- pslist - Store Process Memory
- filescan - Store File Object
- dumpregistry - Navigate Registry Keys
VolUtility includes the Python-Registry library to provide a native hive viewer.
To view hives, follow these steps:
- Run the dumpregistry plugin to store all the hive files in the DataBase.
- Click the File Details link in the row of the hive you want to view.
- Click the Registry button in the new window that opens. This should load the registry viewer.
- Click on Nodes to expand them and view any keys.
- Nodes and keys are loaded over AJAX, so it may take a moment for keys to load.
There are occasions when the WebUI cannot achieve the same results as the command line. For these situations the WebUI provides a convenient way to run such commands and see their output.
From the Session page toolbar, select 'Vol Command Line' as the search type, then enter your full command line (without the leading vol.py) in the search field.
This can include things like | grep > file.txt etc.
To simplify matters, you can also tell the command line to use the profile and path from the currently loaded session.
Examples:
%profile% %path% malfind -p 3208 --dump-dir=/tmp/malfind
%profile% %path% pslist | grep explorer.exe >
WARNING
This option can be used to run any command on the host system with the privileges of the user account that started runserver, so avoid any unauthenticated access to the web interface.
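The warning above is worth making concrete for anyone fronting this feature with their own wrapper or reviewing its logs. The following is an added example, not VolUtility's own code: it expands the %profile% and %path% placeholders into Volatility 2's `--profile=<name> -f <image>` form (the exact substitution VolUtility performs is an assumption here), then classifies the resulting command line. Commands that contain no shell operator are executed as a plain argument vector with no shell involved at all; only commands that genuinely need a pipe or redirect are handed to /bin/sh, and those are the ones a deployment should log and review. The `vol.py` location and the `dry_run` flag are hypothetical parameters introduced for the example.

```python
"""Placeholder expansion and shell-use classification for a Volatility
command-line passthrough.  Added example, not part of VolUtility."""
import shlex
import subprocess

# Characters that form shell operators: pipes, redirects, chaining, subshells.
SHELL_PUNCTUATION = "();<>|&"


def expand_placeholders(cmdline: str, profile: str, image_path: str) -> str:
    """Replace the session placeholders with the session's real values.
    Assumption: %profile% -> --profile=<name>, %path% -> -f <image>.
    shlex.quote keeps a path containing spaces or metacharacters intact."""
    return (cmdline
            .replace("%profile%", "--profile=" + shlex.quote(profile))
            .replace("%path%", "-f " + shlex.quote(image_path)))


def shell_tokens(cmdline: str) -> list:
    """Tokenise the way a POSIX shell would, splitting 'a|b' into three
    tokens and grouping runs such as '>>' or '&&' (needs Python 3.8+ for
    punctuation_chars together with whitespace_split)."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def needs_shell(cmdline: str) -> bool:
    """True when the command line contains an operator that only a shell
    interprets; such commands cannot be run as a bare argv."""
    return any(tok and all(c in SHELL_PUNCTUATION for c in tok)
               for tok in shell_tokens(cmdline))


def build_argv(cmdline: str, profile: str, image_path: str,
               vol_py: str = "vol.py") -> list:
    """Return the argv that would be executed.  A shell is used only when
    the operator asked for pipes/redirects; everything else runs shell-free."""
    full = vol_py + " " + expand_placeholders(cmdline, profile, image_path)
    if needs_shell(full):
        # Unavoidable shell invocation: worth recording in an audit log.
        return ["/bin/sh", "-c", full]
    return shlex.split(full)


def run_vol(cmdline: str, profile: str, image_path: str,
            vol_py: str = "vol.py", dry_run: bool = True):
    """Execute the command (or, with dry_run, just return the argv)."""
    argv = build_argv(cmdline, profile, image_path, vol_py)
    if dry_run:
        return argv
    # No shell=True here: the shell, when needed, is an explicit argv entry.
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed sample inputs mirroring the page's examples.
    for line in ("%profile% %path% malfind -p 3208 --dump-dir=/tmp/malfind",
                 "%profile% %path% pslist | grep explorer.exe"):
        print(needs_shell(line), build_argv(line, "Win7SP1x64", "/images/mem.raw"))
```

Bind the Django development server to localhost (or put authentication in front of it) regardless; this helper only limits how much of each request reaches a shell and makes the shell-using requests easy to spot in logs.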
Warning: this will remove all data from your database without confirmation. Make sure this is what you want to do.
From a terminal window, run the following commands.
$ mongo
> use voldb
> db.dropDatabase()
{ "dropped" : "voldb", "ok" : 1 }
> use voldbfs
> db.dropDatabase()
{ "dropped" : "voldbfs", "ok" : 1 }
exit
Reloading the VolUtility web page should show that all sessions have been removed.