This is not finished as there is more information that I would like to correlate from the output of Volatility. But if you are somewhat curious, this is what I have so far: vol2html.pl. You can see an example report here. The output files for this report and the perl script are bundled together here. There is minimal error checking.
To use, first redirect the output of Volatility for pslist, dlllist and files to text files:
./volatility pslist -f mem.dd > pslist.txt
./volatility files -f mem.dd > files.txt
./volatility dlllist -f mem.dd > dlllist.txt
Then feed the perl script these files:
./vol2html.pl -pslist pslist.txt \
-files files.txt -dlllist dlllist.txt
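As an added illustration of the kind of correlation the script does (example code written for this page, not vol2html.pl itself), the Python below parses constructed pslist and dlllist text, joins the two views per PID, keeps and marks any PID that appears in only one source, and renders an HTML table. The column layout of the samples is an assumption about Volatility 1.x output; check it against your own text files before relying on the parsers.

```python
import re
from collections import defaultdict
from html import escape
# Constructed samples in the assumed column layout of Volatility 1.x pslist/dlllist output.
PSLIST = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      52     258    Thu Jan 01 00:00:00 1970
smss.exe             536    4      3      21     Sun Jan 08 18:31:30 2006
"""
DLLLIST = """\
smss.exe pid: 536
Command line : \\SystemRoot\\System32\\smss.exe
Base        Size        Path
0x48580000  0x00006000  \\SystemRoot\\System32\\smss.exe
0x7c900000  0x000b2000  C:\\WINDOWS\\system32\\ntdll.dll
"""

def parse_pslist(text):
    """{pid: (name, ppid)}; the header and any malformed line are skipped."""
    procs = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 3 and parts[1].isdigit() and parts[2].isdigit():
            procs[int(parts[1])] = (parts[0], int(parts[2]))
    return procs

def parse_dlllist(text):
    """{pid: [module paths]}; module lines belong to the most recent 'pid:' header."""
    mods, pid = defaultdict(list), None
    for line in text.splitlines():
        m = re.match(r"^\S+ pid:\s*(\d+)", line)
        if m:
            pid = int(m.group(1))
        elif pid is not None and line.startswith("0x"):
            mods[pid].append(line.split(None, 2)[2])  # keep spaces inside the path
    return dict(mods)

def correlate(pslist_text, dlllist_text):
    """Join both views per PID; a PID seen in only one source is kept and marked."""
    procs, mods = parse_pslist(pslist_text), parse_dlllist(dlllist_text)
    return [{"pid": pid, "name": procs.get(pid, ("<not in pslist>", None))[0],
             "ppid": procs.get(pid, (None, None))[1], "modules": mods.get(pid, [])}
            for pid in sorted(set(procs) | set(mods))]

def to_html(rows):
    """Minimal HTML table, one row per process; values are escaped before embedding."""
    out = ["<table><tr><th>PID</th><th>Name</th><th>PPID</th><th>Modules</th></tr>"]
    for r in rows:
        out.append("<tr><td>%d</td><td>%s</td><td>%s</td><td>%s</td></tr>" % (
            r["pid"], escape(r["name"]), r["ppid"], "<br>".join(map(escape, r["modules"]))))
    return "\n".join(out + ["</table>"])
```

Call `to_html(correlate(open("pslist.txt").read(), open("dlllist.txt").read()))` to produce the report from the redirected files.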
There is more coming...
The venus website is down, so if you need to download vol2html you can get it from the new Google code page.
4 comments:
Sweet, look forward to more :-)
One of the great strengths of using Volatility with Linux has to be the flexibility it has for globbing commands together and using scripts to manipulate text for a desired output. Useful for building stuff :-)
JL,
I ran across your blog the other day by way of Twitter, oddly enough. I was kind of surprised, since echo6 knows of my proclivity for all things Perl, and for memory analysis, that he hadn't said anything...
Anyway, I hope you don't mind, but I'm currently working on the memory analysis chapter from Windows Forensic Analysis, second edition, and would like to include your script...
Thanks,
h
Harlan,
I would be honored :-)
I'll have another update soon... Just been busy at the moment.
All the best,
-Jamie
Perl is the best scripting language for text processing and handling regexes. I have posted a few articles related to those at my blog:
http://icfun.blogspot.com/search/label/perl
Also, Perl's CPAN has lots of support, so I don't even need to think extra while developing a project. I didn't find such help in other programming languages except Java and .NET.