Web interface for the Volatility Memory Forensics Framework https://github.com/volatilityfoundation/volatility

Current Version: 1.6 (2017-11-16)

See what people are saying: #EvolveTool
Short video demo: https://youtu.be/55G2oGPQHF8
Pre-Scan video: https://youtu.be/mqMuQQowqMI

Installation

This requires Volatility to be installed as a Python library, not just an EXE file sitting somewhere. Run these commands from a shell:

Download the Volatility source zip from https://github.com/volatilityfoundation/volatility
Inside the extracted folder run:
python setup.py install

Then install these dependencies:
pip install bottle
pip install yara
pip install distorm3
pip install maxminddb

Usage

-f File containing the RAM dump to analyze
-p Volatility profile to use during analysis (--profile may not work even though it shows as an option)
-d Optional path for output file. Default is beside memory image
-l Restrict web server from serving content outside of the local machine
-r comma separated list of plugins to run at the start

!!! WARNING: Avoid writing SQLite to NFS shares. They can lock or get corrupted. If you must, try mounting the share with the 'nolock' option.
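The options above and the NFS warning together describe a set of pre-flight checks a launcher should make before the web server and the SQLite writer start. The block below is an added example, not code from the evolve project: it models the documented options with argparse, derives the default database location (the "<dump>.db beside the image" naming is an assumption), classifies the output location by filesystem type from /proc/mounts-style data so that an NFS share without 'nolock' is refused, and picks the Bottle listen address (loopback only when -l is given). The mount table and paths are constructed sample data.

```python
"""Pre-flight checks for an eVOLve-style launcher (example code, not the project's own)."""
import argparse
import os

# Constructed /proc/mounts-style sample: one local root, one NFS share
# mounted normally, one NFS share mounted with 'nolock'.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
evidence:/export /mnt/evidence nfs4 rw,relatime,vers=4.1 0 0
evidence:/scratch /mnt/scratch nfs rw,nolock,soft 0 0
"""


def parse_args(argv):
    """Parse the options documented in the README (-f, -p, -d, -l, -r)."""
    p = argparse.ArgumentParser(description="eVOLve-style launcher (example)")
    p.add_argument("-f", dest="dump", required=True, help="RAM dump to analyze")
    p.add_argument("-p", dest="profile", required=True, help="Volatility profile")
    p.add_argument("-d", dest="outdir", default=None, help="output folder (default: beside image)")
    p.add_argument("-l", dest="local_only", action="store_true", help="serve only to the local machine")
    p.add_argument("-r", dest="prescan", default="", help="comma separated plugins to run at start")
    return p.parse_args(argv)


def prescan_list(spec):
    """Turn 'pslist, netscan' into ['pslist', 'netscan'], ignoring empties."""
    return [x.strip() for x in spec.split(",") if x.strip()]


def sqlite_path(dump, outdir=None):
    """Default output: '<image name>.db' beside the image (naming is an assumption)."""
    dump = os.path.abspath(dump)
    folder = outdir if outdir else os.path.dirname(dump)
    return os.path.join(folder, os.path.basename(dump) + ".db")


def parse_proc_mounts(text):
    """Parse /proc/mounts lines into (mountpoint, fstype, set-of-options)."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts.append((parts[1], parts[2], set(parts[3].split(","))))
    return mounts


def find_mount(path, mounts):
    """Longest-prefix match: the mount entry that actually holds `path`."""
    path = os.path.abspath(path)
    best = None
    for mp, fstype, opts in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype, opts)
    return best


def nfs_verdict(db_path, mounts):
    """'ok' on local storage, 'nolock' on NFS mounted with nolock, 'refuse' otherwise."""
    m = find_mount(os.path.dirname(db_path), mounts)
    if m is None or not m[1].startswith("nfs"):
        return "ok"
    return "nolock" if "nolock" in m[2] else "refuse"


def listen_host(local_only):
    """-l keeps the Bottle server on loopback; otherwise it listens on all interfaces."""
    return "127.0.0.1" if local_only else "0.0.0.0"


if __name__ == "__main__":
    args = parse_args(["-f", "/mnt/evidence/host1.raw", "-p", "Win7SP1x64", "-l", "-r", "pslist,netscan"])
    db = sqlite_path(args.dump, args.outdir)
    verdict = nfs_verdict(db, parse_proc_mounts(SAMPLE_MOUNTS))
    print("db:", db, "| storage:", verdict, "| listen on:", listen_host(args.local_only))
    print("pre-scan plugins:", prescan_list(args.prescan))
```

Running the block as-is refuses the constructed /mnt/evidence location (NFS without 'nolock'); pointing -d at local storage, or at the 'nolock' share, lets the launch proceed. On a real host, replace SAMPLE_MOUNTS with the contents of /proc/mounts.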

Features

  • Works with any Volatility module that provides a SQLite render method (some don't)
  • Automatically detects plugins - If volatility sees the plugin, so will eVOLve
  • All results stored in a single SQLite db stored beside the RAM dump
  • Web interface is fully AJAX using jQuery & JSON to pass requests and responses
  • Uses Bottle module in Python to provide a standalone web server
  • Option to edit SQL query to provide enhanced data views with data from multiple tables
  • Run plugins and view data from any browser - even a tablet!
  • Allow multiple people to review results of single RAM dump
  • Multiprocessing for full CPU usage
  • Pre-Scan runs a list of plugins at the start

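The "edit SQL query" feature above relies on every plugin's results living as tables in the single SQLite database, so a review view can join them. The block below is an added example, not eVOLve's own code or schema: it builds an in-memory database with two small constructed tables shaped like process-list and network-scan output (table and column names are assumptions) and runs the kind of cross-table query a reviewer would type into the interface to see which processes hold established connections.

```python
"""Cross-table SQLite query over plugin-style results (example code, not the project's own)."""
import sqlite3

# Constructed sample rows; names, PIDs and addresses are made up for the example.
PSLIST_ROWS = [
    (4, 0, "System"),
    (620, 4, "smss.exe"),
    (1428, 620, "svchost.exe"),
    (2044, 1428, "notepad.exe"),
]
NETSCAN_ROWS = [
    (1428, "TCPv4", "10.0.0.5:49211", "203.0.113.10:443", "ESTABLISHED"),
    (2044, "TCPv4", "10.0.0.5:49300", "198.51.100.7:8443", "ESTABLISHED"),
    (2044, "TCPv4", "0.0.0.0:0", "*:*", "LISTENING"),
]

# The query a reviewer would paste into the editable-SQL view: one row per
# process/connection pair, established sessions only.
JOIN_QUERY = """
SELECT p.pid, p.name, n.local, n.remote, n.state
FROM pslist AS p
JOIN netscan AS n ON n.pid = p.pid
WHERE n.state = 'ESTABLISHED'
ORDER BY p.pid
"""


def build_db():
    """Create the two plugin-style tables in memory and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pslist (pid INTEGER, ppid INTEGER, name TEXT)")
    con.execute("CREATE TABLE netscan (pid INTEGER, proto TEXT, local TEXT, remote TEXT, state TEXT)")
    con.executemany("INSERT INTO pslist VALUES (?,?,?)", PSLIST_ROWS)
    con.executemany("INSERT INTO netscan VALUES (?,?,?,?,?)", NETSCAN_ROWS)
    return con


def run_query(con, sql):
    """Run a read-only review query and return the rows as tuples."""
    return con.execute(sql).fetchall()


def processes_with_connections(con):
    """Convenience wrapper: names of processes that have an established connection."""
    return sorted({row[1] for row in run_query(con, JOIN_QUERY)})


if __name__ == "__main__":
    db = build_db()
    for row in run_query(db, JOIN_QUERY):
        print(row)
```

Against the real database the same query works unchanged once the table and column names are replaced with the ones the plugins actually created; the `.tables` and `.schema` commands of the sqlite3 shell show them.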
Coming Features

  • Save custom queries for future use
  • Import/Export queries to share with others
  • Threading for more responsive interface while modules are running
  • Export/save of table data to JSON, CSV, etc
  • Review mode which requires only the generated SQLite file for better portability

Please send your ideas for features!

Release notes:
v1.0 - Initial release
v1.1 - Threading, Output folder option, removed unused imports
v1.2 - Pre-Scan option to run list of plugins at the start
v1.3 - Added Morph function and sample Morphs. Also fixed multiprocess bug in Windows.
v1.4 - Added Morph config builder and more sample Morphs. Added searchable and sortable table.
v1.5 - Added dynamic memory profile chooser.
v1.6 - Added plugin search and other optimizations.
