Usage
Basic Configuration and Usage
Third party plugins can be included in one of two ways:
1. Add the plugins to the VolUtility/plugins folder.
2. From the main page click 'Add Plugins' and enter the full path to the folder containing your plugins.
If you add new plugins after the session has been created, you will have to update the available plugins by clicking the refresh button on the Plugin Results toolbar.
Profiles are required in order for Volatility to correctly map memory. By default all Windows profiles are included. Profiles for Linux and Mac are not provided but can be sourced or created.
- Link to vol profiles
- Link to create profiles page
Once you have a profile zip package, it can be added in a similar manner to plugins:
1. Copy the zip into VolUtility/plugins/overlays.
2. From the main page click 'Add Plugins' and enter the full path to the folder containing your profiles (the profiles must be in a subfolder labeled overlays).
Yara rules can be added to the VolUtility/yararules folder. If you want your rule to be included in the 'all rules' scan, you will need to add it to the index.yar file.
You will need to refresh the session page in order to see any newly added rules.
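The two staging steps above (a profile zip that must sit in an `overlays` subfolder, and a Yara rule that is only picked up by the 'all rules' scan once `index.yar` includes it) are easy to get subtly wrong by hand. The following POSIX shell helpers are an added example, not part of VolUtility; the function names, the `include "<file>"` line written into `index.yar` (standard Yara include syntax, resolved relative to `index.yar`), and the sample rule and zip file names are all constructed for the demo.

```shell
#!/bin/sh
# Added example helpers (not VolUtility code): stage a profile zip into a
# directory with the required "overlays" subfolder, and register a Yara rule
# so that the 'all rules' scan picks it up through index.yar.

# stage_profile <staging_dir> <profile.zip>
# Creates <staging_dir>/overlays and copies the zip into it. <staging_dir> is
# the path you would then enter in the 'Add Plugins' dialog. Returns 1 if the
# file is not a .zip package.
stage_profile() {
    staging="$1"
    zipfile="$2"
    case "$zipfile" in
        *.zip) ;;
        *) echo "not a zip package: $zipfile" >&2; return 1 ;;
    esac
    mkdir -p "$staging/overlays"
    cp "$zipfile" "$staging/overlays/"
}

# add_yara_rule <yararules_dir> <rule.yar>
# Copies the rule into the yararules folder and appends an include line to
# index.yar only when it is not already present, so re-running it never
# produces duplicate includes (Yara rejects a rule defined twice).
add_yara_rule() {
    rulesdir="$1"
    rulefile="$2"
    name=$(basename "$rulefile")
    mkdir -p "$rulesdir"
    cp "$rulefile" "$rulesdir/$name"
    touch "$rulesdir/index.yar"
    if ! grep -qxF "include \"$name\"" "$rulesdir/index.yar"; then
        printf 'include "%s"\n' "$name" >> "$rulesdir/index.yar"
    fi
}

# Constructed demo in a temporary directory: a minimal rule and a placeholder
# "profile" zip (the zip content is not a real Volatility profile).
demo_root=$(mktemp -d)
printf 'rule example_rule { strings: $a = "constructed" condition: $a }\n' \
    > "$demo_root/example_rule.yar"
printf 'placeholder' > "$demo_root/ExampleProfile_placeholder.zip"

stage_profile "$demo_root/myprofiles" "$demo_root/ExampleProfile_placeholder.zip"
add_yara_rule "$demo_root/yararules" "$demo_root/example_rule.yar"
add_yara_rule "$demo_root/yararules" "$demo_root/example_rule.yar"  # second call is a no-op
cat "$demo_root/yararules/index.yar"
```

After running this, `"$demo_root/myprofiles"` is the path to give the 'Add Plugins' dialog for the profile, and `index.yar` contains exactly one `include "example_rule.yar"` line; remember to refresh the session page afterwards so the new rule appears.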
VolUtility operates on a principle of sessions. Each memory image has its own session that is used to track all the plugin results and associated data. These sessions are persisted in a database and so can be resumed at a later stage. The memory image MUST be on the same host that is running VolUtility; there is no capability to upload via the web panel. There is no limit to the number of sessions that can be stored other than your own storage capacity.
To create a session, navigate to the home page and click the New + button.
Enter the following details:
- Title
- Path to Image file
- Select the profile if known else leave on AutoDetect
- Enter a Description (Optional)
Click submit. Once the image is validated the loading screen will close and the page will refresh automatically.
There is no GUI method to modify a session yet. This can be done directly in the database.