Jean-François Gobin edited this page Mar 6, 2020 · 2 revisions

What is Voltaire/Voila?

At LIFARS, we process memory images as part of our incident response process. In these cases, it is important to be quick and to be in a position to review data rather than having to focus on the process itself. As such, we developed a set of bash scripts, which we later moved to Python.

As we work with Volatility, we called it Voltaire in honor of the French Enlightenment writer. As our Python script grew, we added a companion shell script, voila, to cover the common invocations.

As a cybersecurity company, we think that our job is to make the Internet a better place. We thus have decided to open source our code to help the security community.

What does it do?

Its basic role is to run a series of Volatility modules on a memory image, extract the data and store it in a SQLite database. Following that, some queries are run to automatically identify known patterns that indicate "bad things". For example, we run a series of tests akin to SANS' "Find evil ...", or we look for variations on known process names.
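As an added illustration of the pipeline described above (example code written for this page, not Voltaire's own source), the block below loads a constructed process list into an in-memory SQLite database and runs two queries of the kind the text mentions: one that flags lookalike variations of well-known Windows process names by edit distance, and one "Find evil"-style check that a few core processes have the parent they are expected to have. The input rows are assumed to have already been extracted from Volatility's pslist output into (pid, ppid, name) tuples; the table layout, the `editdist` SQL function and the reference lists are assumptions made for this example.

```python
import sqlite3

# Constructed sample standing in for rows extracted from a pslist run.
# The PIDs and names are made up for this example; two lookalike names
# and one lsass.exe with an unexpected parent are planted deliberately.
SAMPLE_PSLIST = [
    (4, 0, "System"),
    (368, 4, "smss.exe"),
    (484, 368, "csrss.exe"),
    (540, 368, "wininit.exe"),
    (648, 540, "services.exe"),
    (656, 540, "lsass.exe"),
    (812, 648, "svchost.exe"),
    (1320, 648, "svch0st.exe"),    # lookalike: digit zero instead of 'o'
    (3120, 3000, "explorer.exe"),
    (2900, 3120, "lsass.exe"),     # second lsass.exe, parented by explorer.exe
    (2044, 2900, "scvhost.exe"),   # lookalike: transposed letters
    (3300, 3120, "notepad.exe"),
]

# Reference list of well-known Windows system process names (assumed baseline).
KNOWN_PROCESSES = [
    "System", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "explorer.exe",
]

# Expected parent for a few core processes, in the spirit of "Find evil" checks.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
}


def levenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance (classic dynamic-programming version)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_db(rows):
    """Load extracted process rows and reference data into an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pslist (pid INTEGER, ppid INTEGER, name TEXT)")
    conn.execute("CREATE TABLE known (name TEXT)")
    conn.execute("CREATE TABLE expected (name TEXT, parent TEXT)")
    conn.executemany("INSERT INTO pslist VALUES (?, ?, ?)", rows)
    conn.executemany("INSERT INTO known VALUES (?)", [(n,) for n in KNOWN_PROCESSES])
    conn.executemany("INSERT INTO expected VALUES (?, ?)", EXPECTED_PARENT.items())
    # Expose the edit-distance helper to SQL so the pattern check is a plain query.
    conn.create_function("editdist", 2, levenshtein)
    return conn


def find_lookalike_names(conn, max_distance=2):
    """Processes whose name is not a known name but is within max_distance of one."""
    sql = """
        SELECT p.pid, p.name, k.name AS looks_like, editdist(p.name, k.name) AS dist
        FROM pslist p
        JOIN known k ON editdist(p.name, k.name) BETWEEN 1 AND ?
        WHERE lower(p.name) NOT IN (SELECT lower(name) FROM known)
        ORDER BY p.pid
    """
    return conn.execute(sql, (max_distance,)).fetchall()


def find_unexpected_parents(conn):
    """Core processes whose actual parent differs from the expected one (or is missing)."""
    sql = """
        SELECT c.pid, c.name, par.name AS actual_parent, e.parent AS expected_parent
        FROM pslist c
        JOIN expected e ON lower(c.name) = lower(e.name)
        LEFT JOIN pslist par ON par.pid = c.ppid
        WHERE par.name IS NULL OR lower(par.name) <> lower(e.parent)
        ORDER BY c.pid
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db(SAMPLE_PSLIST)
    for pid, name, like, dist in find_lookalike_names(db):
        print(f"lookalike: pid {pid} {name} resembles {like} (distance {dist})")
    for pid, name, actual, expected in find_unexpected_parents(db):
        print(f"parent: pid {pid} {name} parent is {actual}, expected {expected}")
```

Both checks are ordinary SQL once the extracted data is in the database, which is the point of staging Volatility output in SQLite: analysts can add or tune pattern queries without re-running the modules against the image.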
