volaX v1.0
Memory Forensics made Easy!
Please note: this is not a new implementation of Volatility. It simply uses the version of Volatility already installed on your system (specifically Volatility 2). This small program aims to ease the use of Volatility: it saves the profile of the image so that all you have to do is focus on the other commands needed to accomplish your task. To change the profile, use cp or cprofile; a prompt will follow for you to enter another profile.

Written by: Samoh Mohammed. Twitter @_cyb3rwolf. GitHub @samohtechs. LinkedIn: https://www.linkedin.com/in/samoh-mohammed/ Portfolio: https://samohtechs.com
You can clone or fork this work at www.github.com/samohtechs/volaX
Requirements:
- python 3.x
- volatility (version 2 or 3)
- volatility must be accessible globally as 'volatility' for Volatility 2 and 'volatility3' for Volatility 3, or you can set your own path in the file volpath.py as required.
Built-in commands:
- help: this help
- --help: the volatility help menu
- cp, cprofile: change the profile name (when a profile has already been selected)
- q, exit, quit: exit the program
- shell: enter shell command mode
Usage:
Run python3 vola.py, or ./vola (a bash script that runs python3 vola.py; run chmod +x ./vola first to give it executable permission). You will then have to select one of the five options given:
1 - Specify your own path and version (be careful with the version: running with the wrong volatility results in unexpected behaviour)
2 - Volatility 2
3 - Volatility 3
4 - Use the path and version you have set in the variables found in the volpath.py file, so that next time you can simply select 4.
0 - Exit
Using Volatility 2:
After running the script and selecting the Volatility 2 option (or option 1 or 4 with your own path and the version set to 2), you will be asked to enter the image name or full path:
```
>> Enter name of image: /path/to/image
```
then
```
>> Enter profile name (leave blank to run imageinfo):
```
If you press enter without specifying a profile, imageinfo is run and you are brought to the next prompt, where you enter the profile name found under "Suggested Profile(s)" in the imageinfo output:
```
>> Enter profile name to use: Win7SP1x64
```
From there another prompt is given where you only have to enter the plugin to use with the profile. Above the prompt is the full command, showing the path to your image and the profile:
```
(volatility -f /path/to/memoryimage --profile=Win7SP1x64)
>> Enter plugin $ pstree
```
To change the profile, just enter cp or cprofile at the plugin prompt (>> Enter plugin $ cp or >> Enter plugin $ cprofile); a prompt for the new profile will follow:
```
>>> New Profile % newProfile
```
Your new profile will now be reflected.
To run shell commands, enter shell at the plugin prompt:
```
>> Enter plugin $ shell
>>> Shell command % ifconfig
```
Enter exit to go back to the previous prompt.
And that is all!
Using Volatility 3:
Everything is just the same as with Volatility 2, with a small difference when you first run the script:
- Select the Volatility 3 option (or option 1 or 4 with your own path and the version set for Volatility 3); you will then be asked to enter the image name or full path:
```
>> Enter name of image: /path/to/image
```
Pressing enter will bring you to the prompt where you can continue providing plugins to use. Above the prompt is the command with the path to your image, without a profile:
```
(volatility -f /path/to/memoryimage)
>> Enter plugin $ pstree
```
And that is all!
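As an added example that is not part of volaX itself, the Python below composes the two command forms shown above (Volatility 2 with --profile, Volatility 3 without) and handles the built-in cp/cprofile, shell and quit words typed at the plugin prompt; VOL_BINARIES, build_command and dispatch are assumed names standing in for volpath.py and vola.py. The argv list is handed to subprocess without a shell, so nothing typed at the prompt is shell-expanded.

```python
import shlex
import subprocess

# Assumed stand-in for the variables in volpath.py: the globally accessible
# binary names the README requires ('volatility' for v2, 'volatility3' for v3).
VOL_BINARIES = {2: "volatility", 3: "volatility3"}


def build_command(version, image, plugin_line, profile=None):
    """Compose the argv list for one plugin run, the way the README shows it:
    Volatility 2 gets --profile=<name>, Volatility 3 takes only the image.
    The plugin line is split with shlex so arguments such as
    'dumpfiles -D out' are kept as separate tokens, and the list is later
    run without a shell, so metacharacters in the line are never expanded."""
    if version not in VOL_BINARIES:
        raise ValueError(f"unsupported volatility version: {version}")
    argv = [VOL_BINARIES[version], "-f", image]
    if version == 2:
        if not profile:
            raise ValueError("Volatility 2 needs a profile (run imageinfo first)")
        argv.append(f"--profile={profile}")
    argv.extend(shlex.split(plugin_line))
    return argv


def dispatch(line, state):
    """Interpret one line typed at the '>> Enter plugin $' prompt.
    state holds 'version', 'image' and (for Volatility 2) 'profile'.
    Returns (action, argv) and executes nothing, so it can be tested."""
    cmd = line.strip()
    if cmd in ("q", "exit", "quit"):
        return ("quit", None)
    if cmd in ("cp", "cprofile"):
        return ("cprofile", None)
    if cmd == "shell":
        return ("shell", None)
    return ("run", build_command(state["version"], state["image"], cmd, state.get("profile")))


def run_plugin(argv):
    """Run the composed command; argv is a list, so no shell is involved."""
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed sample state matching the README's Volatility 2 walk-through.
    state = {"version": 2, "image": "/path/to/image", "profile": "Win7SP1x64"}
    print(dispatch("pstree", state))
```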
HOPE THIS SIMPLE TOOL MAKES YOUR WORK A LITTLE LESS TIRESOME 😊