VolExp

Volatility Explorer

This program allows the user to access a Memory Dump. It can also function as a plugin to the Volatility Framework (https://github.com/volatilityfoundation/volatility). This program functions similarly to Process Explorer/Hacker, but additionally it allows the user access to a Memory Dump (or access the real-time memory on the computer using Memtriage). This program can run from Windows, Linux and MacOS machines, but can only use Windows memory images.

note: volatility explorer for volatility3 https://github.com/memoryforensics1/Vol3xp

Quick Start

Download the volexp.py file (download the memtriage.py file as well and replace it with your memtriage.py file if you want to use memtriage https://github.com/gleeda/memtriage).
Run as a standalone program or as a plugin to Volatility:
- As a standalone program:
```
 python2 volexp
```
- As a Volatility plugin:
```
 python2 vol.py -f <memory file path> --profile=<memory profile> volexp
```

Some Features:

python2 memtriage.py --plugins=volexp

Some of the information display will not update in real time (except Processes info(update slowly), real time functions like struct analyzer, PE properties, run real time plugin, etc.).
The program also allows to view Loaded dll’s, open handles and network connections of each process (Access to a dll’s properties is also optional).

Lower Pane

To present more information of a process, Double-Click (or Left-Click and select Properties) to bring up an information window.

Process properties

Or present more information on any PE.

PE properties

The program allows the user to view the files in the Memory Dump as well as their information. Additionally it allows the user to extract those files (HexDump/strings view is also optional).

File Explorer

The program supports viewing of the Windows Objects and files’s matadata (MFT).

Other Explorers (Winobj and MFT explorer)

The program also support viewing a regview of the memory dump

RegView

Additionally, the program supports struct analysis. (writing on the memory’s struct, running Volatility functions on a struct is available). Example of getting all the load modules inside _EPROCESS struct in another struct analyzer window:

Struct Analyzer

The Program is also capable of automatically marking suspicious processes found by another plugin. Example of a running threadmap plugin:

Cmd Plugin run threadmap

View memory use of a process.

Vad Information

Manually marking a certain process and adding a sidenote on it.
User’s actions can be saved on a seperate file for later usage.

get help: https://github.com/memoryforensics1/VolExp/wiki/VolExp-help:

volexp help

This site is open source. Improve this page.