Usage
Basic Configuration and Usage
VolUtility operates on the principle of sessions. Each memory image has its own session that is used to track all the plugin results and associated data. These sessions are persisted in a database and so can be resumed at a later stage. The memory image MUST be on the same host that is running VolUtility; there is no capability to upload via the web panel. There is no fixed limit to the number of sessions that can be stored; it is limited only by your own storage.
To create a session navigate to the home page and click the New + Button
Enter the following details.
- Title
- Path to Image file
- Select the profile if known else leave on AutoDetect
- Enter a Description (Optional)
Click submit. Once the image is validated the loading screen will close and the page will refresh automatically.
There is no GUI method to modify a session yet. This can be done directly in the database.
There are many community-developed plugins that can be added to enhance Volatility. Adding these plugins to VolUtility is just as easy. There are two methods of adding new plugins.
To add global plugins:
- Copy the plugin files into the Plugin folder in VolUtility's directory.
- It is best to add separate plugins in sub folders to make management easier and to prevent conflicts.
- Any new session created will automatically register the new plugins.
To add plugins from other directories:
- From the main VolUtility page you can click the add plugins button on the top right menu bar and add any number of directories that hold additional plugins.
- As before, these will be automatically registered to any new session that is created.
To add new plugins to existing sessions click the spinning green arrows located on the plugin bar. When the arrow turns green again the plugins have been loaded and should be visible in the plugin list.
Windows profiles are included with Volatility by default. Linux and Mac profiles need to be imported separately due to the large number of varieties.
To add new profiles follow the same steps as for community plugins, but ensure that profiles are added to the 'overlays' subfolder.
The plugin results page when loaded has a right click context menu that can provide advanced options depending on the plugin that is currently displayed:
- All - Bookmark / Highlight Row
- All - Search Cell Value
- pslist - Store Process Memory
- filescan - Store File Object
- dumpregistry - Navigate Registry Keys
VolUtility includes the Python-Registry Library to provide a native Hive Viewer.
To view Hives follow these steps:
- Run the dumpregistry plugin to store all the hive files in the database.
- Click the File Details link in the row of the hive you want to view.
- Click the Registry button in the new window that opens. This should load the registry viewer.
- Click on nodes to expand them and view any keys.
- Nodes and keys are loaded over AJAX, so keys may take a moment to load.
There are occasions when the WebUI cannot achieve the same results as the command line. For these situations the WebUI provides a convenient method to run such commands and to see their output.
From the Session page tool bar select 'Vol Command Line' as the search type, then in the search field enter your full command line without the leading vol.py.
This can include shell operators such as | grep or > file.txt.
To simplify matters you can also tell the command line to use the profile and path from the currently loaded session by writing %profile% and %path% in their place.
Examples:
%profile% %path% malfind -p 3208 --dump-dir=/tmp/malfind
%profile% %path% pslist | grep explorer.exe >
WARNING
This option can be used to run any command on the host system with the privileges of the user who started runserver, so avoid any unauthenticated access to the web interface.
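As an added example, not VolUtility's own code, the following Python shows how the %profile% and %path% substitution described above can be expanded into a full vol.py command line, and how a deployment could record each expanded command, with a flag for pipes and redirects, before it reaches the shell. The substitution format (--profile= and -f, Volatility 2's syntax), the shape of the session dictionary and the audit_record function are assumptions, not taken from the page.

```python
"""Expand VolUtility-style %profile% / %path% placeholders into a vol.py
command line and flag shell operators for audit logging.

Added example, not VolUtility's own code. Assumptions: a session is a dict
with 'title', 'profile' and 'image_path' keys, and the placeholders expand to
`--profile=<profile>` and `-f <path>` (Volatility 2 syntax)."""
import re
import shlex

# Shell operators that make the command more than a plain plugin invocation.
# The page allows pipes and redirects; a deployment may still want to record
# when they are used, since the command runs with the web server's privileges.
SHELL_OPERATORS = re.compile(r"(\|\|?|&&|;|>>?|<|`|\$\()")


def expand_placeholders(command: str, session: dict) -> str:
    """Replace %profile% and %path% with the session's values.

    Values are shell-quoted so a path containing spaces or quotes is passed
    to vol.py as a single argument instead of being re-parsed by the shell."""
    profile = shlex.quote(session["profile"])
    path = shlex.quote(session["image_path"])
    expanded = command.replace("%profile%", f"--profile={profile}")
    expanded = expanded.replace("%path%", f"-f {path}")
    return expanded


def build_vol_command(command: str, session: dict, vol_py: str = "vol.py") -> str:
    """Return the full command line that would be handed to the shell."""
    return f"{vol_py} {expand_placeholders(command, session)}"


def uses_shell_operators(command: str) -> bool:
    """True if the command relies on pipes, redirects or command substitution."""
    return SHELL_OPERATORS.search(command) is not None


def audit_record(command: str, session: dict, user: str) -> dict:
    """Build the log entry a deployment could write before executing (hypothetical)."""
    full = build_vol_command(command, session)
    return {
        "user": user,
        "session": session["title"],
        "command": full,
        "shell_operators": uses_shell_operators(command),
    }


# Constructed sample session, shaped like the details entered in the New session form.
SAMPLE_SESSION = {
    "title": "case-042",
    "profile": "Win7SP1x64",
    "image_path": "/cases/case 042/memory.raw",
}

if __name__ == "__main__":
    for cmd in ("%profile% %path% pslist",
                "%profile% %path% pslist | grep explorer.exe > /tmp/out.txt"):
        print(audit_record(cmd, SAMPLE_SESSION, "analyst"))
```

Quoting the substituted values keeps a path with spaces intact; the operator check only classifies the command so the log entry shows which invocations went beyond a single plugin run.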
WARNING
This will remove all data from your database without confirmation. Make sure this is what you want to achieve.
From a terminal window run the following commands.
$ mongo
> use voldb
> db.dropDatabase()
{ "dropped" : "voldb", "ok" : 1 }
> use voldbfs
> db.dropDatabase()
{ "dropped" : "voldbfs", "ok" : 1 }
> exit
Reloading the VolUtility web page should show that all the sessions have been removed.