Cyber-investigation Analysis Standard Expression (CASE)
Read the CASE Wiki tab to learn everything you need to know about the Cyber-investigation Analysis Standard Expression (CASE) ontology. For learning about the Unified Cyber Ontology, CASE's parent, see UCO.
Proof-of-Concept CASE Volatility Plugins
Note: This POC is not ontology-correct! However, it attempts to adhere to v0.1.0 of CASE.
These plugins have been taken from core Volatility plugins and adapted the output to produce CASE JSON-LD. These currently are proof-of-concept only, and may not fully comply to the CASE ontology as it is an evolving standard.
This repository takes the following plugins from the Volatility framework and converts the output to CASE format:
Installation of 3rd Party Libraries
Running Custom PoC Plugins
CASE Handle List from Memory Image:
vol.py --plugins='volplugs/src/' -f memory_images/memory.img --profile WinXPSP2x86 casehandles
vol.py --plugins='volplugs/src/' -f memory_images/memory.img caseprocdump --dump-dir dumpdir
CASE Commandline dumping:
vol.py --plugins='volplugs/src/' -f memory_images/memory.img casecmdline
I have a question!
Before you post a Github issue or send an email ensure you've done this checklist:
Determined scope of your task. It is not necessary for most parties to understand all aspects of the ontology, mapping methods, and supporting tools.
Familiarize yourself with the labels and search the Issues tab. Typically, only light-blue and red labels should be used by non-admin Github users while the others should be used by CASE Github admins. All but the red
Projectlabels are found in every