Cyber-investigation Analysis Standard Expression (CASE)
Read the CASE Wiki tab to learn everything you need to know about the Cyber-investigation Analysis Standard Expression (CASE) ontology. For learning about the Unified Cyber Ontology, CASE's parent, see UCO.
Implementation of CASE into Volatility Plugins
Development Status: Alpha
Alpha status implies:
- Designation of versions of CASE and UCO the project supports.
- Follow Semantic Versioning (SEMVER).
These plugins have been taken from core Volatility plugins and adapted the output to produce CASE JSON-LD. The Alpha status of this code means it may not fully comply to the CASE ontology as it is an evolving standard.
This repository takes the following plugins from the Volatility framework and converts the output to CASE format:
Installation of 3rd Party Libraries
Running Custom Plugins
CASE Handle List from Memory Image:
vol.py --plugins='volplugs/src/' -f memory_images/memory.img --profile WinXPSP2x86 casehandles
vol.py --plugins='volplugs/src/' -f memory_images/memory.img caseprocdump --dump-dir dumpdir
CASE Commandline dumping:
vol.py --plugins='volplugs/src/' -f memory_images/memory.img casecmdline
I have a question!
Before you post a Github issue or send an email ensure you've done this checklist:
Determined scope of your task. It is not necessary for most parties to understand all aspects of the ontology, mapping methods, and supporting tools.
Familiarize yourself with the labels and search the Issues tab. Typically, only light-blue and red labels should be used by non-admin Github users while the others should be used by CASE Github admins. All but the red
Projectlabels are found in every