Skip to content
kevthehermit edited this page Apr 17, 2016 · 11 revisions

Basic Configuration and Usage

Table of Contents

Configuration

Plugins

Third party plugins can be included in one of two ways.

  • Add plugins to the VolUtility/plugins folder
  • From the main page click 'Add Plugins' and enter the full path to the folder containing your plugins.

If you add new plugins after the session has been created you will have to update the available plugins by clicking the refresh button on the Plugin Results ToolBar

Profiles

Profiles are required in order for volatility to correctly map memory. By default all windows profiels are included. Profiles for linux and mac are not provided but can be sourced or created.

  • Link to vol profiles
  • Link to create profiles page

Once you have a profile zip package they can be added in a similar manner to plugins. 1 Copy the zip in to VolUtility/plugins/overlays 2 From the main page click 'Add Plugins' and enter the full path to teh folder containing your profiles. (must be in a subfolder labeled overlays)

Yara Rules

Yara rules can be added to the VolUtility/yararules folder. If you want your rule to be included in the 'all rules' scan. you will need to add it the index.yar file.

You will need to refresh the session page in order to see any new rules added.

Sessions

VolUtiltiy operates on a principal of sessions. Each memory image has its own session that is used to track all the plugin results and associated data. These sessions are persisted in a database and so can be resumed at a later stage. The memory image MUST be on the same host that is running VolUtility. There is no capability to upload via the web panel. There is no limit to the number of sessions that can be stored. This is limited by your own storage requirements.

Creation

To create a session navigate to the home page and click the New + Button

Enter the following details.

  • Title
  • Path to Image file
  • Select the profile if known else leave on AutoDetect
  • Enter a Description (Optional)

Click submit. Once the image is validated the loading screen will close and the page will refresh automatically.

There is no GUI method to modify the Session yet. This can be achieved directly in the DB.

Clone this wiki locally