Skip to content

volaX is aimed to ease the ability to have to write the same full command in volatility every time. It stores the memory path to be used and the profile for the memory to be used.

License

Notifications You must be signed in to change notification settings

Samohtechs/volaX

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

***   *** ******** ****         ****            ****   ****
***   *** ******** ****      ***    ***          **** ****
***   *** ***  *** ****      ***    ***           ******
***   *** ***  *** ****      **********           ******
***   *** ***  *** ****      **********         **** ****
 *** ***  ******** ********* ***    ***        ****   ****
  ****    ******** ********* ***    ***       ****     **** v1.0
  
Memory Forensics made Easy!""")

############################################################################################################
# PLEASE NOTE: THIS IS NOT A NEW IMPLEMENTATION OF VOLATILITY. IT SIMPLY USES THE VERSION OF VOLATILITY    #
# (specifically volatility 2). This simple program aims to simply ease the use of volatility.              #
# It saves the profile of the image all you have to do is focus on other commands to accomplish your task. #
# To change profile use cp or cprofile, a prompt will follow for you to enter another profile.             #
############################################################################################################

############################################################################################################
# WRITTEN BY: SAMOH MOHAMMED. TWITTER @ghostshado3. GITHUB @samohtechs. Website: https://samohtechs.tk     #
# you can clone or fork this work here www.github.com/samohtechs/volaX                                     #
############################################################################################################

REQUIREMENTS

  • python 3.x
  • volatility (version 2 or 3)
  • volatility must be accessible globally as 'volatility' for volatility 2 and 'volatility3' for volatility 3 or you can add your own path in the file volpath.py as required.

USAGE:

  • help this help
  • help volatility help menu
  • cp, cprofile change profile name (when profile has already been selected)
  • q, exit, quit exit program
  • shell to enter shell commands mode

When Running the script

You will have to select one option from five options given that are

1 - Volatility 2
2 - Volatility 3
3 - To specify your own path and version (be keen with version as it will result to unexpected behaviour when used with wrong volatility)
4 - To use your own path and version that you have set in the specific variables found in the volpath.py file. So next time you want to use that simply select 4.
0 - to exit

FOR USE WITH VOLATILITY 2:

After running the script and selecting option 1 (or 3, or 4 and specify your path and version as 2), you will then be asked to enter the image name/ full path

>> Enter name of image: /path/to/image

Pressing enter, it will run imageinfo and bring you to the next prompt to allow you to enter the profile name which you can find in the "Suggested Profile(s)"

>> Enter profile name to use: Win7SP1x64

Now from there another prompt will be given where you only have to enter specific plugins to use with the profile. Above the prompt will be the full path to your image and the profile

(volatility -f /path/to/memoryimage --profile=Win7SP1x64)
>> Enter plugin $ pstree

To change the profile.

just enter cp or cprofile like, >> Enter plugin $ cp or >> Enter plugin $ cprofile. a prompt to allow you to enter new profile will follow

>>> New Profile % newProfile

Now you new profile will be reflected.

To execute Shell/Terminal commands

Enter shell in the prompt >> Enter plugin $ shell

>>> Shell command % ifconfig <br>

enter exit to go back to previous prompt.

And that is All!

FOR USE WITH VOLATILITY 3:

Everything is just the same as in volatility 2 with small difference when you first run the script

  1. Select option 2 to use volatility 3 (or 3, or 4 and specify your path and version as 2), you will then be asked to enter the image name/ full path

>> Enter name of image: /path/to/image

Pressing enter will bring you to the prompt where you can continue providing other plugins for use.

(volatility -f /path/to/memoryimage)
>> Enter plugin $ pstree

And that is All!

HOPE THIS SIMPLE TOOL MAKES YOUR WORK A LITTLE TIRESOME 😊

About

volaX is aimed to ease the ability to have to write the same full command in volatility every time. It stores the memory path to be used and the profile for the memory to be used.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages