It’s a week late but I finally have enough testing done that I’m happy to call this a 1.0 release. :)
If you’re not sure what VolUtility is then read some of the earlier posts:
tldr; It’s a web front end for the Volatility memory analysis framework.
I have been tweeting some of this as I go and the previous posts cover most of the core functions. In this post I’m going to highlight the new elements that have been added and what’s coming up next.
The major addition is an Extensions framework that allows you to add features and functionality to the data that is returned from Volatility plugins. There are two types of extensions.
Each of the extensions can be disabled by entering them in the disabled section of the volutility.conf file. More details can be found in the wiki.
Post-process extensions take the rows and columns that are returned by the Volatility plugin and can modify or inject data. An example is the iplookup extension. For each row it reads the RemoteIP column, performs a GeoIP country lookup and then injects the result into a new column for that row.
These new columns can be added to the database or can be processed each time the plugin output is viewed. At the moment this is at the discretion of the extension author but a future update will make this optional via the config file.
The iplookup extension performs a GeoIP country lookup for each remote IP. Any RFC-reserved (private) IPs are listed in the same manner.
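To make the post-process idea concrete, here is an added example (not VolUtility’s own extension code or API) of the shape such a hook takes: it reads the RemoteIP column of every row, looks the address up, and injects a Country column. The GeoIP table, the column names and the netscan-like rows are all constructed for the example; reserved or private addresses and unparseable values are labelled rather than skipped, so the enriched table keeps one row per input row.

```python
import ipaddress

# Constructed stand-in for a GeoIP database (prefix -> country code).
# A real extension would query a GeoIP database instead of this dict.
GEOIP_TABLE = {
    "8.8.8.0/24": "US",
    "1.1.1.0/24": "AU",
    "185.199.108.0/22": "US",
}


def lookup_country(ip_text):
    """Country code for a routable address; a label for RFC-reserved
    (private, loopback, link-local, ...) or invalid input."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "INVALID"
    if not ip.is_global:
        return "RFC-RESERVED"
    for prefix, country in GEOIP_TABLE.items():
        if ip in ipaddress.ip_network(prefix):
            return country
    return "UNKNOWN"


def iplookup_postprocess(columns, rows, src_col="RemoteIP", new_col="Country"):
    """Hypothetical post-process hook: read src_col from every row and append
    new_col with the lookup result. Rows are lists aligned with `columns`,
    mirroring tabular plugin output. Output has the same row count as input."""
    if src_col not in columns:
        return columns, rows  # plugin has no remote-IP column; nothing to enrich
    idx = columns.index(src_col)
    out_cols = columns + [new_col]
    out_rows = [row + [lookup_country(row[idx])] for row in rows]
    return out_cols, out_rows


# Constructed sample resembling a connection-listing plugin's output.
SAMPLE_COLUMNS = ["Offset", "Proto", "LocalAddr", "RemoteIP", "PID"]
SAMPLE_ROWS = [
    ["0x1", "TCPv4", "10.0.0.5:49152", "8.8.8.8", "1234"],
    ["0x2", "TCPv4", "10.0.0.5:49153", "192.168.1.10", "1234"],
    ["0x3", "TCPv4", "10.0.0.5:49154", "not-an-ip", "4321"],
]

if __name__ == "__main__":
    cols, rows = iplookup_postprocess(SAMPLE_COLUMNS, SAMPLE_ROWS)
    for row in rows:
        print(dict(zip(cols, row)))
```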
These are the more complicated of the two types. VolUtility allows you to store a wide range of files extracted from memory through plugins like filescan, procdump, dumpfiles etc. These extensions allow you to add additional analysis tools to those files. Examples include extracting strings, viewing SQLite files etc.
The ExtractStrings extension will extract all ASCII and Unicode strings greater than 4 chars. If FLOSS by FLARE is installed it will also run advanced string decoding against PE binaries. (Sort of)
To Extract strings follow these steps:
Click ‘File Details’ in the DumpFiles output
Select the ExtractStrings extension
Click the button once to parse all the strings
Click the button a second time to download the strings file.
After the strings have been extracted once they are stored in the database.
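As an added illustration of what the string extraction described above does (example code, not the ExtractStrings extension itself), the function below pulls printable ASCII runs and UTF-16LE (“Unicode” in Windows terms) runs of at least `min_len` characters out of a byte buffer, reporting each with its offset and encoding. The sample buffer is constructed inline to resemble a PE header followed by a few wide strings; the minimum length is a parameter so it can be set to match the extension’s threshold.

```python
import re
from typing import List, Tuple


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable-ASCII run and every
    UTF-16LE run of at least min_len characters, sorted by offset.
    Only the ASCII range of UTF-16LE is detected (each char followed by NUL),
    which is the common case for paths, URLs and registry keys in memory."""
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort(key=lambda t: t[0])
    return found


def count_by_encoding(strings: List[Tuple[int, str, str]]) -> dict:
    """Small summary helper: how many strings of each encoding were found."""
    counts = {}
    for _, enc, _ in strings:
        counts[enc] = counts.get(enc, 0) + 1
    return counts


# Constructed sample: a fake PE prologue, a wide path and a wide URL, with
# some short fragments ("ab", "cd") that must fall below the length threshold.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00\x01\x02"
    + "C:\\Users\\victim\\evil.dll".encode("utf-16le")
    + b"\xff\xfe"
    + b"ab\x00cd"
    + "http://example.invalid/update".encode("utf-16le")
)

if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE):
        print(f"{offset:#06x} {enc:<8} {text}")
    print(count_by_encoding(extract_strings(SAMPLE)))
```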
Simply displays the hex representation of the stored file.
Hive Viewer allows you to view registry keys and values in a similar fashion to regedit. Once you have dumped the hives you can navigate them by clicking on nodes and expanding them; if any values are present under a key, their names and data are presented on the right-hand side.
It uses Ajax to parse each key on request, so it may take a second after clicking for the sub-keys to be populated.
To view Hives follow these steps:
- Run the dumpregistry plugin to store all the hive files in the DataBase.
- Click the File Details link in the row of the hive you want to view.
- Click the Registry button in the new window that opens. This should load the registry viewer.
- Click on Nodes to expand them and view any keys.
- Nodes and keys are loaded over Ajax, so it may take a moment for keys to load.
If you have an SQLite Database file then you can view all the tables and their rows in the browser. Once the tables have loaded in the browser you can search and filter the rows.
To view SQLite files follow these steps:
- Run the FileScan plugin.
- From the filescan output use the right-click context menu to save your sqlite files.
- Once saved, from the DumpFiles output click ‘File Details’ on the row of the file.
- Select the SQLiteViewer Tab
- Click Scan Tables
Search VirusTotal for the hash, or alternatively upload the file and then view the resulting scan results.
Scan stored files against any yara rules you have in the yararules folder.
Parses EXIF metadata from a wide range of file types. Will also display images in the tab.
Cuckoo / Sandbox
This allows you to submit files to a Cuckoo instance. It is configured via the volutility.conf file and is disabled by default. In the future I hope to support other sandboxes; for now Cuckoo is the only one I have access to.
This uses the pffexport library to parse PST files found in memory. It currently uses the Python library, which does not, at the time of writing, support extracting attachments. A future version will add support, either as the Python library is updated or through some other method.
That covers off the main additions; there were also plenty of fixes, code tidying and new elements to make the platform more stable and more user-friendly.
As for the future: I’m sure there are still some bugs to be found. I’m constantly learning new code and techniques, so I will continue to improve on these elements as I go.
Now that I have the extensions framework, I have lots of ideas for enriching the data that comes out of Volatility to make it easier for analysts to quickly get the answers they need.
I would like to add features like voldiff to perform comparisons against other samples, and with autorun plugins I would like to try to integrate some sort of reporting generation element.
I think that about covers everything.
- Release - https://github.com/kevthehermit/VolUtility/releases/tag/v1.0
- Latest - https://github.com/kevthehermit/VolUtility
- Develop - https://github.com/kevthehermit/VolUtility/tree/develop
As usual: questions, queries and comments below.