Web interface for the Volatility Memory Forensics Framework
https://github.com/volatilityfoundation/volatility
Short video demo: https://youtu.be/55G2oGPQHF8
eVOLve imports Volatility as a Python library, so a standalone vol.exe (or an unpacked source tree that is not on your Python path) is not enough. Run these commands from a shell:
Download Volatility source zip from https://github.com/volatilityfoundation/volatility
Inside the extracted folder run:
setup.py install
Then install these dependencies:
pip install bottle
pip install yara
pip install distorm3
(Volatility's yarascan plugin expects the yara-python bindings; if the yara package on your platform is not those, install yara-python instead.)
- Note: you may need to prefix the above commands with sudo, depending on your OS.
- Note: you may also need to prefix python (e.g. python setup.py install) if .py files are not associated with the interpreter on your system.
- Note: Windows may require downloading a distorm3 build: https://pypi.python.org/pypi/distorm3/3.3.0
Command-line options:
-f File containing the RAM dump to analyze
-p Volatility profile to use during analysis (the same profile you would pass to vol.py, e.g. the one suggested by imageinfo or kdbgscan)
!!! WARNING: NFS shares can lock or corrupt SQLite files, because SQLite relies on file locking that many NFS setups implement poorly. Try mounting the share with the 'nolock' option; note that nolock disables locking altogether, so only one eVOLve instance should write to a database kept on such a share at a time.
- Works with any Volatility module that provides a SQLite render method (some don't)
- Automatically detects plugins - If volatility sees the plugin, so will eVOLve
- All results stored in a single SQLite db stored beside the RAM dump
- Web interface is fully AJAX using jQuery & JSON to pass requests and responses
- Uses Bottle module in Python to provide a standalone web server
- Option to edit SQL query to provide enhanced data views with data from multiple tables
- Run plugins and view data from any browser - even a tablet!
- Allow multiple people to review results of single RAM dump
- Save custom queries for future use
- Import/Export queries to share with others
- Threading for more responsive interface while modules are running
- Export/save of table data to JSON, CSV, etc
- Review mode which requires only the generated SQLite file for better portability
Please send your ideas for features!