If you would like to practice memory forensics using Volatility but you don't like command line tools and you hate to remmber plugins then VolUtility is your friend.
Volutility1 2 is a web frontend for Volatility framework.
In this dairy, I will install VolUtlity on Linux SIFT3 workstation.
In this dairy I am not going to discuss how to install MongoDB , for futher details about how to install MongoDB please refer to:
In this diary I am going to use the default config file “volutility.conf.sample”
cd in to the VolUtility folder and run the following command , in this diary I will use port 8000 as a listening port
VolUtility operates on the principal of sessions. Each memory image has its own session that is used to track all the plugin results and associated data.
To create a new session, navigate to the home page and click the New + Button
Enter a name for the session and the location of the memory image ,for the profile you can either specify it or you can choose autodetect, then click on submit button :
You have to wait for few minutest till it finishes from processing the image, once it finished the status will change to “Complete”
To examine the image click on the session name , in this the dairy it’s “SANS ISC” . Once you click on the session it will take you to a new page.
On the upper left corner there will be some information about the session:
Now let’s try some of the plugins :
To run a plug in you type the plugin name in the Filter Plugins text box and you can run it by clicking on the Play button .
And here is some sample outputs
One advantage of using VolUtility over using the command line is the possibility of exporting results to csv file, to do so click on down arrow next to the result
And you can of course filter your result using tools such as MS Excel.
Jun 13th 2017
2 weeks ago