GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → dhondta → AppmemDumper

dhondta / AppmemDumper

Licence: GPL-3.0 license
Forensics triage tool relying on Volatility and Foremost

Programming Languages

python
139335 projects - #7 most used programming language

Labels

automationtoolforensicstriagevolatilityctf-toolssecurity-toolsforemosttinyscript

Projects that are alternatives of or similar to AppmemDumper

python-tinyscript
Devkit for quickly building CLI tools with Python
Stars: ✭ 39 (+77.27%)
Mutual labels:  ctf-tools, tinyscript
uac
UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
Stars: ✭ 260 (+1081.82%)
Mutual labels:  forensics, triage
Vol3xp
Volatility Explorer Suit
Stars: ✭ 31 (+40.91%)
Mutual labels:  forensics, volatility
Judge-Jury-and-Executable
A file system forensics analysis scanner and threat hunting tool. Scans file systems at the MFT and OS level and stores data in SQL, SQLite or CSV. Threats and data can be probed harnessing the power and syntax of SQL.
Stars: ✭ 66 (+200%)
Mutual labels:  forensics
CRC-manipulator
Change CRC checksums of your files.
Stars: ✭ 73 (+231.82%)
Mutual labels:  forensics
Palmprint-Recognition-in-the-Wild
No description or website provided.
Stars: ✭ 22 (+0%)
Mutual labels:  forensics
GetConsoleHistoryAndOutput
An Incident Response tool to extract console command history and screen output buffer
Stars: ✭ 41 (+86.36%)
Mutual labels:  forensics
xeca
PowerShell payload generator
Stars: ✭ 103 (+368.18%)
Mutual labels:  ctf-tools
RdpCacheStitcher
RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps.
Stars: ✭ 176 (+700%)
Mutual labels:  forensics
flare-wmi
No description or website provided.
Stars: ✭ 399 (+1713.64%)
Mutual labels:  forensics
cora-docs
CoRA Docs
Stars: ✭ 36 (+63.64%)
Mutual labels:  forensics
LogESP
Open Source SIEM (Security Information and Event Management system).
Stars: ✭ 162 (+636.36%)
Mutual labels:  forensics
BlockHashLoc
Recover files using lists of blocks hashes, bypassing the File System entirely
Stars: ✭ 45 (+104.55%)
Mutual labels:  forensics
Eruditus
Discord CTF helper bot for CyberErudites
Stars: ✭ 34 (+54.55%)
Mutual labels:  ctf-tools
urlRecon
📝 urlRecon - Info Gathering or Recon tool for Urls -> Retrieves * Whois information of the domain * DNS Details of the domain * Server Fingerprint * IP geolocation of the server
Stars: ✭ 31 (+40.91%)
Mutual labels:  forensics
jerseyctf-2021-challenges
JerseyCTF 2021
Stars: ✭ 22 (+0%)
Mutual labels:  ctf-tools
paragon apfs sdk ce
Paragon APFS SDK Free
Stars: ✭ 97 (+340.91%)
Mutual labels:  forensics
sensible-github-labels
Github labels for teams that like workflows and structure
Stars: ✭ 121 (+450%)
Mutual labels:  triage
marcellelee.github.io
No description or website provided.
Stars: ✭ 27 (+22.73%)
Mutual labels:  forensics
qed
The scalable, auditable and high-performance tamper-evident log project
Stars: ✭ 87 (+295.45%)
Mutual labels:  forensics
View All Similar Projects ➔

PyPi Build Status DOI Python Versions Requirements Status Known Vulnerabilities License

Introduction

This tool automates the research of some artifacts for forensics purpose in memory dumps based upon Volatility for a series of common Windows applications. It is aimed to facilitate triage while addressing multiple forensics images.

It can also open multiple archive formats. In case of an archive, the tool will extract all its files to a temporary directory and then try to open each file as a memory dump (except files named README or README.md).

System Requirements

This framework was tested on an Ubuntu 18.04 with Python 2.7. It relies on Foremost and Volatility

$ sudo apt-get install foremost
$ git clone https://github.com/volatilityfoundation/volatility /tmp/vol-setup
$ cd /tmp/vol-setup && sudo python setup.py install

Setup

$ pip install appmemdumper

Behind a proxy ?

Do not forget to add option --proxy=http://[user]:[pwd]@[host]:[port] to your pip command.

Quick Start

  1. Help
$ app-mem-dumper --help
AppMemDumper 2.4.3
Author   : Alexandre D'Hondt
Copyright: © 2020 A. D'Hondt
License  : GNU Affero General Public License v3.0

This tool automates the research of some artifacts for forensics purpose in memory dumps based upon Volatility for a
series of common Windows applications.

It can also open multiple archive formats (it uses pyunpack). In case of an archive, the tool will extract all its files
to a temporary directory and then try to open each file as a memory dump.

usage: ./app-mem-dumper [-a APPS] [-s SYST] [-f] [-p PLUGINS]
                       [--profile PROFILE] [-d DUMP_DIR] [-t TEMP_DIR] [-u]
                       [-h] [--help] [-v]
                       dump

positional arguments:
 dump  memory dump file path


application/system dumpers:
 -a APPS  comma-separated list of integers designating applications to be parsed
           Currently supported: 

            [0] AdobeReader             [8] Notepad
            [1] Chrome                  [9] OpenOffice
            [2] Firefox                 [10] PDFLite
            [3] FoxitReader             [11] SumatraPDF
            [4] InternetExplorer        [12] Thunderbird
            [5] KeePass                 [13] TrueCrypt
            [6] MSPaint                 [14] Wordpad
            [7] MediaPlayerClassic    
           (default: all)
 -s SYST  comma-separated list of integers designating system items to be parsed
           Currently supported: 

            [0] Autoruns                [9] Malfind
            [1] Clipboard               [10] Mimikatz
            [2] CommandLines            [11] NetworkConnections
            [3] CriticalProcessesInfo   [12] ProcessesInfo
            [4] Devices                 [13] Registry
            [5] DumpInfo                [14] Timeline
            [6] FilesList               [15] UserActivities
            [7] Kernel                  [16] UserHashes
            [8] LsaSecrets            
           (default: none)

volatility options:
 -f, --force           force profile search, do not use cached profile (default: False)
 -p PLUGINS, --plugins-dir PLUGINS
                       path to custom plugins (default: None)
 --profile PROFILE     force Volatility profile (default: None)
                        NB: has the precedence on -f/--force

output options:
 -d DUMP_DIR, --dump-dir DUMP_DIR
                       dump directory (default: files)
 -t TEMP_DIR, --temp-dir TEMP_DIR
                       temporary directory for decompressed images (default: .temp)
 -u, --update          update previous dump directories (default: False)

extra arguments:
 -h             show usage message and exit
 --help         show this help message and exit
 -v, --verbose  verbose mode (default: False)

Usage examples:
 ./app-mem-dumper memory.dmp
 ./app-mem-dumper my-dumps.tar.gz
 ./app-mem-dumper dumps.zip -a none -s all
 ./app-mem-dumper dump.raw -a 1,2,4 -f
 ./app-mem-dumper dump.mem -a 0,3,10,11 -s 0
 ./app-mem-dumper dump.raw -v --profile Win7SP1x86
  1. Example of output
$ app-mem-dumper memory.dump -v -p plugins
[appmemdumper] XX:XX:XX [DEBUG] Attempting to decompress 'memory.dump'...
[appmemdumper] XX:XX:XX [DEBUG] Not an archive, continuing...
[appmemdumper] XX:XX:XX [DEBUG] Setting output directory to 'files/memory.dump'...
[appmemdumper] XX:XX:XX [INFO] Opening dump file 'memory.dump'...
[appmemdumper] XX:XX:XX [INFO] Getting profile...
[appmemdumper] XX:XX:XX [INFO] Getting processes...
[appmemdumper] XX:XX:XX [DEBUG] > Executing command 'pslist'...
[appmemdumper] XX:XX:XX [DEBUG] Found       : mspaint.exe
[appmemdumper] XX:XX:XX [DEBUG] Not handled : audiodg.exe, csrss.exe, dllhost.exe, [...]
[appmemdumper] XX:XX:XX [DEBUG] Profile: Win7SP0x86
[appmemdumper] XX:XX:XX [INFO] Processing dumper 'dumpinfo'...
[appmemdumper] XX:XX:XX [INFO] Processing dumper 'mspaint'...
[appmemdumper] XX:XX:XX [DEBUG] Dumping for PID XXXX
[appmemdumper] XX:XX:XX [DEBUG] > Calling command 'memdump'...
[appmemdumper] XX:XX:XX [DEBUG] >> volatility --plugins=/path/to/plugins --file=[...]
[appmemdumper] XX:XX:XX [INFO] > /path/to/files/memory.dump/mspaint-2640-memdump.data
[appmemdumper] XX:XX:XX [WARNING] 
The following applies to collected objects of:
- mspaint

Raw data (.data files) requires manual handling ;
Follow this procedure:
1. Open the collected resources with Gimp
2. Set the width and height to the expected screen resolution
3. Set another color palette than 'RVB'
Restart this procedure by setting other parameters for width|height|palette.
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].