VolUtility Version 1.0 Release

It’s a week late but I finally have enough testing done that I’m happy to call this a 1.0 release. :)

If you’re not sure what VolUtility is then read some of the earlier posts:

  • VolUtility release 0.2
  • Solving GrrCon 2015
  • Solving GrrCon 2016
  • tldr; It’s a web front end for the Volatility memory analysis framework.

I have been tweeting some of this as I go and the previous posts cover most of the core functions. In this post I’m going to highlight the new elements that have been added and what’s coming up next.

Extensions

The major addition is an Extensions framework that allows you to add features and functionality to the data that is returned from Volatility plugins. There are two types of extensions:

  • PostProcess
  • FileExtensions

Each of the extensions can be disabled by entering it in the disabled section of the volutility.conf file. More details can be found in the wiki.

Post Process

Post process extensions take the rows and columns that are returned by the Volatility plugin and can modify or inject data. An example is the iplookup extension. For each row it reads the RemoteIP column, performs a GeoIP country lookup and then injects the result into a new column on that row.

These new columns can either be added to the database or be processed each time the plugin output is viewed. At the moment this is at the discretion of the extension author, but a future update will make this selectable via the config file.

IPLookup

Performs a GeoIP country lookup for each remote IP. Any RFC IPs will be listed in the same manner.

[image: vol_iplookup]
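The post-process pattern described above, shown as an added Python example (not VolUtility’s own extension code or API): it takes a constructed Volatility-style rows/columns result, reads the RemoteIP column and appends a Country column to each row. The column layout and the tiny country table are assumptions, and RFC-reserved addresses are tagged instead of looked up.

```python
import ipaddress

# Constructed sample in the rows/columns shape a Volatility networking plugin
# returns (an assumption; not VolUtility's own data or extension API).
PLUGIN_OUTPUT = {
    "columns": ["Offset", "Proto", "LocalAddr", "RemoteAddr", "RemoteIP", "State"],
    "rows": [
        ["0x1a2b", "TCPv4", "10.0.0.5:49152", "10.0.0.9:445", "10.0.0.9", "ESTABLISHED"],
        ["0x3c4d", "TCPv4", "10.0.0.5:49153", "93.184.216.34:443", "93.184.216.34", "ESTABLISHED"],
        ["0x5e6f", "TCPv4", "0.0.0.0:135", "0.0.0.0:0", "0.0.0.0", "LISTENING"],
        ["0x7a8b", "TCPv4", "10.0.0.5:49154", "-:-", "-", "CLOSED"],
    ],
}

# Constructed stand-in for a GeoIP country database; a real extension would
# query a GeoIP library or dataset here instead.
COUNTRY_DB = {ipaddress.ip_network("93.184.216.0/24"): "US"}

def lookup_country(ip_text):
    """Country label for one RemoteIP cell: RFC-reserved addresses (private,
    loopback, unspecified) are tagged "RFC" rather than looked up, and cells
    that are not an IP at all ("-", empty) give "N/A"."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "N/A"
    if ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_reserved:
        return "RFC"
    for net, country in COUNTRY_DB.items():
        if ip in net:
            return country
    return "Unknown"

def post_process(output, source_col="RemoteIP", new_col="Country"):
    """Post-process step: read source_col on every row and append new_col.
    The input is left untouched, so the caller decides whether to store the
    enriched rows or recompute them each time the output is viewed."""
    columns = list(output["columns"])
    if source_col not in columns:
        return output  # no remote IP column in this plugin's output
    idx = columns.index(source_col)
    enriched = [row + [lookup_country(row[idx])] for row in output["rows"]]
    return {"columns": columns + [new_col], "rows": enriched}

if __name__ == "__main__":
    for row in post_process(PLUGIN_OUTPUT)["rows"]:
        print(row)
```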

File Extensions

These are the more complicated of the two types. VolUtility allows you to store a wide range of files extracted from memory through plugins like filescan, procdump, dumpfiles etc. These extensions allow you to add additional analysis tools to those files. Examples include extracting strings, viewing SQLite files etc.

ExtractStrings

This will extract all ASCII and Unicode strings greater than 4 chars. If FLOSS by FLARE is installed it will also run advanced string decoding against PE binaries. (Sort of)

To extract strings follow these steps:

  • Click ‘FileDetails’ in the DumpFiles output.
  • Select the ExtractStrings extension.
  • Click the button once to parse all the strings.
  • Click the button a second time to download the strings file.

After the strings have been extracted once they are stored in the database.
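An added Python example (not VolUtility’s ExtractStrings code) of the ASCII and Unicode (UTF-16LE) extraction the extension is described as doing, with the minimum length set to more than 4 characters; the sample buffer is constructed to look like the start of a dumped file.

```python
import re

MIN_LEN = 5  # "greater than 4 chars", as the extension is described

def extract_strings(data, min_len=MIN_LEN):
    """Return (ascii_strings, unicode_strings) found in a byte buffer.

    ASCII strings are runs of printable bytes 0x20-0x7e; "Unicode" strings are
    UTF-16LE runs where each printable byte is followed by a NUL, which is how
    Windows keeps paths, module names and registry strings in memory. Matches
    may start at any byte offset, so odd-aligned UTF-16 text is still found.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    unicode_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strings = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    unicode_strings = [m.group().decode("utf-16-le") for m in unicode_re.finditer(data)]
    return ascii_strings, unicode_strings

def unique_strings(data, min_len=MIN_LEN):
    """Deduplicated, sorted union of both kinds, the form worth persisting."""
    ascii_strings, unicode_strings = extract_strings(data, min_len)
    return sorted(set(ascii_strings) | set(unicode_strings))

# Constructed sample resembling the start of a dumped PE file: a DOS stub,
# a UTF-16LE path, a 3-character fragment too short to report, and a URL.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00\x00\x01"
    + "C:\\Windows\\System32\\cmd.exe".encode("utf-16-le")
    + b"\xff\xfe" + b"abc" + b"\x00"
    + b"http://example.invalid/update"
)

if __name__ == "__main__":
    import sys
    # Pass a path to a file dumped from memory, or run on the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for s in unique_strings(data):
        print(s)
```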

HexViewer

Simply displays the hex representation of the file that has been stored.

[image: vol_hex]

Hive Viewer

Hive Viewer allows you to view registry keys and values in a similar fashion to regedit. Once you have dumped the hives you can navigate them by clicking on nodes and expanding them; if there are any keys present, their names and data values will be presented on the right-hand side.

It uses Ajax to parse each key on request, so it may take a second after clicking for the subkeys to be populated.

[image: vol_reg_keys]

The JavaScript that opens and collapses nodes is still a little buggy; I’m working on it. My JavaScript foo is not very strong.

To view hives follow these steps:

  • Run the dumpregistry plugin to store all the hive files in the database.
  • Click the File Details link in the row of the hive you want to view.
  • Click the Registry button in the new window that opens. This should load the registry viewer.
  • Click on nodes to expand them and view any keys.
  • Nodes and keys are loaded over Ajax, so it may take a moment for keys to be loaded.

SQLiteViewer

If you have an SQLite database file then you can view all the tables and their rows in the browser. Once the tables have loaded in the browser you can search and filter the rows.

[image: vol_sqlite]

To view SQLite files follow these steps:

  • Run the filescan plugin.
  • From the filescan output use the right-click context menu to save your SQLite files.
  • Once saved, from the DumpFiles output click ‘File Details’ on the row of the file.
  • Select the SQLiteViewer tab.
  • Click Scan Tables.

VirusTotalSearch

Search VirusTotal for the hash, or alternatively upload the file, and then view the resulting scan results.

[image: vol_virustotal]

YaraScanner

Scan stored files against any Yara rules you have in the yararules folder.

[image: vol_yara]

ExifData

Parses EXIF metadata from a wide range of file types. It will also display images in the tab.

[image: vol_exif_doc]

[image: vol_exif_img]

Cuckoo / Sandbox

This allows you to submit files to a Cuckoo instance. It is configured via the volutility.conf file and is disabled by default. In the future I hope to support other sandboxes; for now Cuckoo is the only one I have access to.

[image: vol_cuckoo_submit]

[image: vol_cuckoo_running]

PSTViewer

This uses the pffexport library to parse PST files found in memory. It currently uses the Python library, which does not, at the time of writing, support extracting attachments. A future version will add support either as the Python library is updated or through some other method.

[image: vol_pst]

That covers off the main additions; there were also plenty of fixes, code tidying and new elements to make the platform more stable and more user-friendly.

As for the future: I’m sure there are still some bugs to be found. I’m constantly learning new code and techniques, so I will continue to improve on these elements as I go.

Now that I have the extensions framework, I have lots of ideas for enriching the data that comes out of Volatility to make it easier for analysts to quickly get the answers they need.

I would like to add features like voldiff to perform comparisons against other samples, and with autorun plugins I would like to try to integrate some sort of report generation element.

I think that about covers everything.

As usual: questions, queries, comments below.
