Usage
Basic Configuration and Usage
VolUtility operates on the principle of sessions. Each memory image has its own session, which is used to track all the plugin results and associated data. Sessions are persisted in a database and so can be resumed at a later stage. The memory image MUST be on the same host that is running VolUtility; there is no capability to upload via the web panel. There is no limit to the number of sessions that can be stored, other than your own storage capacity.
To create a session, navigate to the home page, click the New + button and enter the following details:
- Title
- Path to Image file
- Select the profile if known, otherwise leave it on AutoDetect
- Enter a Description (Optional)
Click Submit. Once the image is validated, the loading screen will close and the page will refresh automatically.
There is no GUI method to modify a session yet; this can be done directly in the DB.
VolUtility includes the Python-Registry library to provide a native hive viewer.
To view hives, follow these steps:
- Run the dumpregistry plugin to store all the hive files in the database.
- Click the File Details link in the row of the hive you want to view.
- Click the Registry button in the new window that opens. This should load the registry viewer.
- Click on Nodes to expand them and view any keys.
- Nodes and keys are loaded over AJAX, so keys may take a moment to appear.
Warning: this will remove all data from your database without confirmation. Make sure this is what you want to achieve.
From a terminal window, run the following commands.
$ mongo
> use voldb
> db.dropDatabase()
{ "dropped" : "voldb", "ok" : 1 }
> use voldbfs
> db.dropDatabase()
{ "dropped" : "voldbfs", "ok" : 1 }
exit
Reloading the VolUtility web page should show that all the sessions have been removed.
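The same reset as an added Python example (not part of VolUtility or this wiki), assuming pymongo is installed and MongoDB listens on localhost:27017; unlike the shell session above it does a dry run first, so you can see which collections will be removed before voldb and voldbfs are dropped:

```python
"""Reset VolUtility's MongoDB state (the voldb and voldbfs databases) from Python,
with a dry run before anything is dropped.
Assumes pymongo is installed and MongoDB is reachable on localhost:27017."""

# The two databases VolUtility uses, as named in the mongo shell session above.
VOLUTILITY_DBS = ("voldb", "voldbfs")


def select_databases_to_drop(existing_names, allowed=VOLUTILITY_DBS):
    """Return the VolUtility databases that are present, in a fixed order.

    Only names in `allowed` are ever returned, so a typo or an unexpected entry
    in `existing_names` can never widen the reset to an unrelated database.
    """
    present = set(existing_names)
    return [name for name in allowed if name in present]


def reset_volutility(uri="mongodb://localhost:27017/", dry_run=True):
    """Drop VolUtility's databases; with dry_run=True only report what would go.

    Returns a dict mapping each target database to its collection names, so the
    caller can review (or log) exactly what the reset removes.
    """
    # Imported here so select_databases_to_drop stays usable without pymongo.
    from pymongo import MongoClient

    client = MongoClient(uri, serverSelectionTimeoutMS=5000)
    targets = select_databases_to_drop(client.list_database_names())
    report = {name: client[name].list_collection_names() for name in targets}
    if not dry_run:
        for name in targets:
            client.drop_database(name)
    client.close()
    return report


if __name__ == "__main__":
    import sys

    # Run with --force to actually drop the databases; anything else is a dry run.
    for db, colls in reset_volutility(dry_run="--force" not in sys.argv).items():
        print(f"{db}: {', '.join(colls) or '(empty)'}")
```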