Overview
A Python 3 script that processes Windows memory images by running a set of forensic tools against them; the set of tools run is selected by the triage type passed on the command line.
Requirements
- Python 3 (the script itself)
- Python 2 (required by Volatility 2)
- Bulk Extractor
- Volatility 2 with Community Plugins
- Volatility 3
- Plaso
- Yara
- Strings
- EVTxtract
How to Use
The memory image is passed with -f, the output directory with -o, and the triage level with -tt. Each level runs a larger set of tools than the one before it and writes all results under the output directory.
Quick Triage
python3 winSuperMem.py -f memdump.mem -o output/ -tt 1
Full Triage
python3 winSuperMem.py -f memdump.mem -o output/ -tt 2
Comprehensive Triage
python3 winSuperMem.py -f memdump.mem -o output/ -tt 3
Installation
- Install Python 3
- Install Python 2 (needed to run Volatility 2)
- pip3 install -r requirements.txt
- Install Volatility 3 Framework
- Install Volatility 2 Framework
- Download Volatility 2 Community Plugins
- Install Bulk Extractor
- Install Plaso
- Install Yara
- Install Strings
- Install EVTxtract
How to Read the Output
- Output directory structure of a comprehensive triage:
  - BEoutputdir - Bulk Extractor output
  - DumpedDllsOutput - DLLs dumped from running processes
  - DumpedFilesOutput - Files dumped from memory (cached file objects)
  - DumpedModules - Dumped loaded kernel drivers
  - DumpedProcessOutput - Dumped running processes
  - DumpedRegistry - Dumped in-memory registry hives
  - EVTxtract - Event log records recovered with EVTxtract
  - IOCs.csv - IP addresses collected from the output data set
  - Logging.log - Log of the script's own run
  - Plaso - Plaso master timeline
  - Strings - ASCII, Unicode (16-bit little-endian) and 16-bit big-endian strings output
  - Volatility2 - Volatility 2 plugin output
  - Volatility3 - Volatility 3 plugin output
  - Yara - Yara matches
Troubleshooting
There are a number of known bugs, which are outlined in this section.
- Dumping files may not work on Windows images older than Windows 8. The offset reported by the Volatility 3 filescan plugin is sometimes a physical address rather than a virtual one, and the plugin output does not indicate which kind it returned. The script currently assumes the offset is virtual and passes it to the dumpfiles plugin with --virtaddr. If dumped files are missing on such an image, change the dumpfiles call in the script from --virtaddr to --physaddr.
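A way to handle the virtual-versus-physical offset problem without editing the script by hand is to try the offset as virtual first and fall back to physical when nothing is dumped. The following is an added example written for this page, not code from winSuperMem: it assumes the Volatility 3 command-line entry point is on PATH as `vol` (adjust VOL3 if yours is `vol.py`), that `-o` selects the output directory, and that `windows.dumpfiles` accepts `--virtaddr` and `--physaddr` as described above. The FakeVol class and the two offsets in demo() are constructed stand-ins so the fallback logic can be run offline.

```python
"""Dump one file object with Volatility 3 windows.dumpfiles, retrying as a
physical address when the virtual-address attempt produces no output.

Added example, not part of winSuperMem. Assumptions: Volatility 3 is on PATH
as "vol", -o selects the output directory, and windows.dumpfiles takes
--virtaddr / --physaddr. FakeVol is a constructed stand-in for offline runs.
"""
import subprocess
from pathlib import Path
from typing import List, Set

VOL3 = "vol"  # assumption: name of the Volatility 3 entry point on PATH


def build_cmd(image: str, outdir: str, offset: int, physical: bool) -> List[str]:
    """Command line that dumps the file object found by filescan at one offset."""
    flag = "--physaddr" if physical else "--virtaddr"
    return [VOL3, "-f", image, "-o", outdir, "windows.dumpfiles", flag, hex(offset)]


def run_cmd(cmd: List[str]) -> int:
    """Real runner: execute the command and return its exit status."""
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode


def list_outputs(outdir: str) -> Set[str]:
    """Real listing of dumped file names; creates outdir if it does not exist."""
    path = Path(outdir)
    path.mkdir(parents=True, exist_ok=True)
    return {p.name for p in path.iterdir() if p.is_file()}


def dump_file(image: str, outdir: str, offset: int,
              runner=run_cmd, lister=list_outputs) -> str:
    """Try the offset as virtual; if no new file appears in outdir, retry as physical.

    Returns "virtual", "physical" or "failed" so the caller can log which
    interpretation the image needed (pre-Windows 8 images are the known case).
    Success is judged by a new file landing in outdir, not by exit status alone,
    because a plugin run that matches nothing can still exit cleanly.
    """
    for physical in (False, True):
        before = lister(outdir)
        rc = runner(build_cmd(image, outdir, offset, physical))
        if rc == 0 and lister(outdir) - before:
            return "physical" if physical else "virtual"
    return "failed"


class FakeVol:
    """Constructed stand-in for Volatility 3: each offset is either virtual or
    physical, and a dump succeeds only when the matching flag is used."""

    def __init__(self, physical_offsets: Set[int]):
        self.physical_offsets = physical_offsets
        self.files: Set[str] = set()
        self.calls: List[List[str]] = []

    def run(self, cmd: List[str]) -> int:
        self.calls.append(cmd)
        flag, offset = cmd[-2], int(cmd[-1], 16)
        if (flag == "--physaddr") == (offset in self.physical_offsets):
            self.files.add(f"file.{offset:#x}.dat")
            return 0
        return 1  # wrong address space: no file object found at that address

    def list(self, outdir: str) -> Set[str]:
        return set(self.files)


def demo() -> dict:
    """Two constructed filescan offsets: one virtual (the normal case) and one
    physical (the pre-Windows 8 case). Returns the mode each one needed and
    how many plugin invocations it took in total."""
    fake = FakeVol(physical_offsets={0x3E6D2C30})
    results = {}
    for offset in (0xFFFFA1865C9F22E0, 0x3E6D2C30):
        results[hex(offset)] = dump_file("memdump.mem", "DumpedFilesOutput", offset,
                                         runner=fake.run, lister=fake.list)
    results["calls"] = len(fake.calls)
    return results


if __name__ == "__main__":
    print(demo())
```

With the fake, the virtual offset dumps on the first attempt and the physical one on the second, so three plugin invocations cover both files. Against a real image the same function is called with the default runner and lister, and the returned mode tells you whether the image is one where filescan hands back physical addresses.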