Home

Awesome

AutoVolatility

AutoVolatility is a script made to run several volatility plugins at the same time

How to use

AutoVolatility will create a new folder in the output directory for each plugin executed.

You can run the "main" volatility plugins doing

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY

Be default autoVolatility tries to execute volatility. If you do not have volatility executable in path or with this name, you can set where your volatility executable is using the option -e

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py

AutoVolatility will use the plugin "imageinfo" to figure out the profile to use. But if you know the profile, you can set it using the option -p

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -p WinXPSP2x86

If you want to run almos all the default plugins that comes with volatility you can use the option -a

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -a

By default autoVolatility uses 8 threads, but you can change it with the option -t

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -t 16 # 16 threads

If want autoVolatility to run other plugins, you can do so using the option -c

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -c amcache,auditpol,cachedump,clipboard,cmdline,cmdscan # Only these plugins will be executed

The plugins executed by default are:


dump_plugins = ["dumpcerts", "dumpregistry", "dumpfiles", "dumpregistry"]

plugins = ["amcache", "auditpol", "cachedump", "clipboard", "cmdline", "cmdscan", "connections", "connscan", "consoles", "deskscan", "devicetree", "dlllist",
            "envars", "getservicesids", "handles", "hashdump", "hibinfo", "hivelist", "hivescan", "iehistory", "ldrmodules", "lsadump", "malfind", "mbrparser", "memmap", "mftparser", "modules", "notepad", 
            "privs", "pslist", "psscan", "pstree", "psxview", "qemuinfo", "servicediff", "sessions", "sockets", "sockscan", "ssdt", "strings", "svcscan", "symlinkscan", "thrdscan", "verinfo", "windows", "wintree"]

The plugins executed using the option -a are:

dump_plugins = ["dumpcerts", "dumpregistry", "dumpfiles", "dumpregistry"]


plugins_all = ["amcache", "apihooks", "atoms", "atomscan", "auditpol", "bigpools", "bioskbd", "cachedump", "callbacks", "clipboard", "cmdline", "cmdscan", "connections", "connscan", "consoles", "crashinfo",
                "deskscan", "devicetree", "dlldump", "dlllist", "driverirp", "drivermodule", "driverscan", "editbox", "envars", "eventhooks", "evtlogs", "filescan", 
                "gahti", "gditimers", "gdt", "getservicesids", "getsids", "handles", "hashdump", "hibinfo", "hivelist", "hivescan", "hpakextract", "hpakinfo", "idt", "iehistory", "imagecopy", "imageinfo",
                "joblinks", "kdbgscan", "kpcrscan", "ldrmodules", "lsadump", "malfind", "mbrparser", "memdump", "memmap", "messagehooks", "mftparser", "moddump", "modscan", "modules", "multiscan", "mutantscan",
                "notepad", "objtypescan", "patcher", "printkey", "privs", "procdump", "pslist", "psscan", "pstree", "psxview", "qemuinfo", "raw2dmp", "screenshot", "servicediff", "sessions", "shellbags", "shimcache",
                "shutdowntime", "sockets", "sockscan", "ssdt", "strings", "svcscan", "symlinkscan", "thrdscan", "threads", "timeliner", "timers", "truecryptmaster", "truecryptpassphrase", "truecryptsummary",
                "unloadedmodules", "userassist", "userhandles", "vaddump", "vadinfo", "vadtree", "vadwalk", "vboxinfo", "verinfo", "vmwareinfo", "windows", "wintree", "wndscan"]