Thursday, April 2, 2015

Quick Volatility Script

As much as I love running the same Volatility commands over and over again, I decided what I love even more is scripting it all and then viewing the output at my leisure once the computer is done chugging away with my most commonly used plugins.

It's quick and dirty, like most of my scripts, but I'm dumping it here so that I can easily drop it onto a new computer/build/VM/whatever...


#!/bin/bash
# Simply runs a bunch of my most commonly used Volatility plugins
# I added the script to /usr/bin/memscan and gave it execute permission
# Assumed: vol.py is the Volatility 2 entry point under /usr/share/volatility
VOL=/usr/share/volatility/vol.py
CONTRIB=/usr/share/volatility/contrib/plugins

if [ $# -lt 2 ]; then
    echo "Usage: memscan imagename profile"
    exit 1
fi

# The script doesn't use this folder, but I do ;)
if [ ! -d dump ]; then
    mkdir dump
fi

# Core process/DLL/hive plugins, one output file per plugin
for plugin in pslist pstree psxview malfind hivelist dlllist; do
    echo "Running $plugin"
    python "$VOL" -f "$1" --profile="$2" "$plugin" > "$plugin.txt"
done

echo "Running autoruns"
python "$VOL" --plugins="$CONTRIB/autoruns" -f "$1" --profile="$2" autoruns > autoruns.txt

echo "Running mimikatz"
python "$VOL" --plugins="$CONTRIB" -f "$1" --profile="$2" mimikatz > passwords.txt

echo "Creating timeline"
# mftparser writes a bodyfile; mactime turns it into a readable timeline (UTC-6 is my local zone)
python "$VOL" -f "$1" --profile="$2" mftparser --output=body --output-file=mftparser.txt
mactime -b mftparser.txt -d -z UTC-6 > timeline.txt
