Volatility Autopsy Plugin Module

If you ever wanted to do memory analysis in Autopsy you now can. May I present to you the Volatility Autopsy Python plugin module. You can now run most (have not tested all the plugins yet be enough do work to present it to the community) of Volatility’s plugins against a memory image. One of the great things about this module is that you can run the plugins against multiple memory images that have been brought into Autopsy and display the plugin output for each memory image.

There are currently two (2) modules for this plugin. One module is to run basic volatility plugins against memory images and the other allows you to dump files from the memory images. Volatility must be installed and working in order to run these modules, you can go here or here to get your copy of volatility.

In order to run these plugins against memory images the memory images must first be ingested into Autopsy, you can do this by adding a data source of Logical Files and selecting the memory image files to include. they will then be added to the case, you will then need to right click on the logical file data source that has the memory images and choose which volatility module to run against them. I will describe the two (2) modules below:

Volatility Module:

The Volatility module will allow the user to run Volatility (exe or py file) against one or more memory images. Memory image(s) can be add to Autopsy as a Logical files. Users have the choice to run any plugin that is supported by volatility. When the current plugin runs, it will write the output for the plugin(s) selected to a SQLite database in the Autopsy module output directory and then be imported into the extracted content of Autopsy for the user to examine. The name of the extracted content is as follows “Volatility <Plugin Run> <Memory Image File Name>”. Modules that do not support rendering their output into SQLite will not run for now. For Modules that dump files see the Volatility Dump Files module. Future enhancements will work on importing other Volatility rendered output. The following is a screen shot of the Volatility plugin:

Volatility Plugin Module GUI Settings.

The Volatility Executable directory hold the standalone executable location or the python code location (python must be installed on the system if you are choosing to run the python code). The version combo box is the version of Volatility you will be using. The “Save Volatility Exec Dir” button will save the location and version to a settings SQLite database so that the user does not have to keep entering the location for every run. The Plugins in the multiple selection list box are all the plugins that Volatility supports for either version 2.5 or 2.6. The plugin names are kept in a SQLite database that is queried when the version number is changed. If a user wants to add other modules to the list all they need to do is add it to the database. When the next version of Volatility comes out then the plugins that the new version supports will have to be added to the database. This makes it easy to support future versions. The profiles in the combo box are all the profiles that volatility supports by default. This information is also stored in a SQLite database so it be added to as well. If the user wants to add Linux and OS X memory images all they have to do is add the entry to the database. There is also an Autodetect profile so if the user does not know what version a memory image is or they are running multiple images they can use it. When a user is running the plugin against multiple memory images they will need to select the Autodetect profile since each memory image may use a different profile. There is also a text field for any optional parameters that the user may want to add. Once the user enters all the necessary fields they can then start the plugin.

The plugin will then take the options and run volatility based on the profile that has been selected. If the profile has been selected to be Autodetect it will run Volatility against the memory image using the plugin imageinfo to get the profile, it will then process each plugin selected using the profile that was found. After all the plugins have been run the SQLite database that was created is then opened and read and each plugins output is stored in the Extracted Content, an example is shown below.

Volatility Multiple Memory Image Extracted Content.

Volatility Dump Files Module:

This module has a lot of the same code behind it that is in the Volatility module. There are 2 differences. The first difference is that the plugins that are available are only ones that dump files from Volatility. The second difference is that you can specify what Pids (coma separated) that you want to pull files from. When this plugin is run, it will dump the files to the Autopsy Module Output directory under the Volatility directory. A screen shot of the module GUI parameters is below:

Volatility Dump FIles Module GUI Settings.

I have tested this module using the dumpregistry and procdump and was able to get the files to be written to the volatility Module Output directory under Dump-Files. I have only run this against one (1) image at a time, I will look at what it will take to allow this module to be run against a Data source that has multiple memory images in it.

Now I am planning to do more work on these modules to make them better so expect some improvements to happen in the future. Please run and test this module(s) out and provide me with any and all feedback so I can add and improve the module.

The plugin(s) can be found here.

All feedback good or bad is appreciated. Enjoy the plugin!