PyDFIRRam is a Python library designed to simplify and enhance memory forensics tasks. It provides tools to streamline research, parsing, and analysis of memory dumps, allowing users to focus on data rather than commands.
PyDFIRRam is built with Poetry, so you need Poetry installed before you can set it up.
You can install pyDFIRRam with the following commands:
- Clone the repository:
git clone https://github.com/pyDFIR/pyDFIRRam
- Install it with Poetry:
poetry install
You can use the library in multiple ways:
- In a Jupyter Lab environment
- In a script
Kickstart the project by running:
poetry run jupyter lab
In Jupyter Lab, you can use the library as follows:
from pathlib import Path
from pydfirram.modules import Windows
DUMP_FILE = "/path/to/memory.dmp"  # placeholder: replace with the path to your memory dump
dumpfile = Path(DUMP_FILE)
win = Windows(dumpfile)
# max_row=True is an option of to_df that shows the whole DataFrame;
# all of its content is printed in your Jupyter output cell.
output = win.PsList(pid=[4]).to_df(max_row=True)
print(output)
You can also use the library in a Python script:
from pathlib import Path
from pydfirram.modules.windows import Windows
DUMP_FILE = "/path/to/memory.dmp"  # placeholder: replace with the path to your memory dump
dumpfile = Path(DUMP_FILE)
win = Windows(dumpfile)
output = win.pslist()
# To get a list:
print(output.to_list())
# For a DataFrame:
print(output.to_df())
# Or convert it to JSON:
print(win.pslist().to_json())
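The script usage above ends at printing the plugin output; the following is an added example (not part of the pyDFIRRam project) of what a script typically does next: run pslist over one or several dumps and audit the parent/child relationships of the core Windows processes, a common first triage step. It assumes that to_list() returns one dict per process keyed by the Volatility 3 pslist column names (PID, PPID, ImageFileName); the sample rows are constructed, and the names load_pslist, audit_process_tree and audit_dumps are mine. The pydfirram import is done lazily so the audit logic runs without the library or a dump.

```python
from __future__ import annotations

from pathlib import Path
from typing import Iterable

# Constructed sample rows shaped like Volatility 3 windows.pslist columns.
# Assumption: pydfirram's to_list() yields one dict per process keyed by those
# column names; adjust the keys below if your version differs.
SAMPLE_PSLIST = [
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System"},
    {"PID": 400,  "PPID": 4,    "ImageFileName": "smss.exe"},
    {"PID": 520,  "PPID": 400,  "ImageFileName": "csrss.exe"},
    {"PID": 600,  "PPID": 400,  "ImageFileName": "wininit.exe"},
    {"PID": 700,  "PPID": 600,  "ImageFileName": "services.exe"},
    {"PID": 900,  "PPID": 700,  "ImageFileName": "svchost.exe"},
    {"PID": 3000, "PPID": 2500, "ImageFileName": "svchost.exe"},  # parent absent from listing
    {"PID": 3100, "PPID": 3000, "ImageFileName": "lsass.exe"},    # wrong parent for lsass
]

# Parent names (lowercased) the core Windows boot processes normally have.
EXPECTED_PARENTS = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}

# These are started by a transient copy of smss.exe that exits, so their PPID
# usually points at a process that is no longer listed; do not flag them.
ORPHAN_ALLOWLIST = {"csrss.exe", "wininit.exe", "winlogon.exe"}


def load_pslist(dump: Path) -> list[dict]:
    """Run pslist on one dump through pydfirram (imported lazily so the rest
    of this file also works without the library or a dump at hand)."""
    from pydfirram.modules.windows import Windows  # same import as the README

    return Windows(dump).pslist().to_list()


def audit_process_tree(rows: Iterable[dict]) -> dict[str, list[tuple]]:
    """Flag processes whose parent is missing from the listing (orphans) and
    core processes whose parent has an unexpected name."""
    rows = list(rows)
    by_pid = {r["PID"]: r for r in rows}
    orphans, unexpected = [], []
    for r in rows:
        pid, ppid, name = r["PID"], r["PPID"], r["ImageFileName"]
        parent = by_pid.get(ppid)
        if parent is None:
            # PPID 0 is the kernel itself (System); the allowlist covers
            # processes whose real parent legitimately exited.
            if ppid != 0 and name.lower() not in ORPHAN_ALLOWLIST:
                orphans.append((pid, name, ppid))
            continue  # cannot judge the parent's name if it is gone
        allowed = EXPECTED_PARENTS.get(name.lower())
        parent_name = parent["ImageFileName"]
        if allowed and parent_name.lower() not in allowed:
            unexpected.append((pid, name, parent_name))
    return {"orphans": orphans, "unexpected_parent": unexpected}


def audit_dumps(dumps: Iterable[Path]) -> dict[str, dict[str, list[tuple]]]:
    """Several dumps in one program: one audit result per dump path."""
    return {str(d): audit_process_tree(load_pslist(d)) for d in dumps}


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        results = audit_dumps(Path(p) for p in sys.argv[1:])
    else:
        results = {"<constructed sample>": audit_process_tree(SAMPLE_PSLIST)}
    for dump, findings in results.items():
        print(dump, findings)
```

Run it with one or more dump paths as arguments to audit real listings, or with no arguments to see the findings on the constructed sample (one orphaned svchost.exe and one lsass.exe with the wrong parent). Keeping the audit a pure function over plain dicts is what makes the same check reusable across every dump loaded in the program.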
All supported features are documented; check them out in our documentation!
The library is designed to:
- Facilitate research and the try-and-retry process with Volatility
- Easily parse plugin outputs
- Let you focus on data rather than commands
- Serve as a dataset
- Manage multiple dumps in the same program