Never Ending Security

It starts all here

Evolve – An Python Based Web Interface For Memory Forensics Framework Volatility


Web interface for the Volatility Memory Forensics Framework https://github.com/volatilityfoundation/volatility

Current Version: 1.2 (2015-05-07)

Short video demo: https://youtu.be/55G2oGPQHF8 Pre-Scan video: https://youtu.be/mqMuQQowqMI

Installation

This requires volatility to be a library, not just an EXE file sitting somewhere. Run these commands at python shell:

Download Volatility source zip from https://github.com/volatilityfoundation/volatility
Inside the extracted folder run:
setup.py install

Then install these dependencies:
pip install bottle
pip install yara
pip install distorm3

  • Note: you may need to prefix sudo on the above commands depending on your OS.
  • Note: You may also need to prefix python if it is not in your run path.
  • Note: Windows may require distorm3 download: https://pypi.python.org/pypi/distorm3/3.3.0

Usage

-f File containing the RAM dump to analyze
-p Volatility profile to use during analysis
-d Optional path for output file. Default is beside memory image
-r comma separated list of plugins to run at the start

!!! WARNING: Avoid writing sqlite to NFS shares. They can lock or get corrupt. If you must, try mounting share with ‘nolock’ option.

Features

  • Works with any Volatility module that provides a SQLite render method (some don’t)
  • Automatically detects plugins – If volatility sees the plugin, so will eVOLve
  • All results stored in a single SQLite db stored beside the RAM dump
  • Web interface is fully AJAX using jQuery & JSON to pass requests and responses
  • Uses Bottle module in Python to provide a standalone web server
  • Option to edit SQL query to provide enhanced data views with data from multiple tables
  • Run plugins and view data from any browser – even a tablet!
  • Allow multiple people to review results of single RAM dump
  • Multiprocessing for full CPU usage
  • Pre-Scan runs a list of plugins at the start

Coming Features

  • Save custom queries for future use
  • Import/Export queries to share with others
  • Threading for more responsive interface while modules are running
  • Export/save of table data to JSON, CSV, etc
  • Review mode which requires only the generated SQLite file for better portability

Please send your ideas for features!

Release notes:
v1.0 – Initial release
v1.1 – Threading, Output folder option, removed unused imports
v1.2 – Pre-Scan option to run list of plugins at the start


More information can be found at: https://github.com/JamesHabben/evolve

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s