Overview

A python script developed to process Windows memory images based on triage type.

Requirements

  • Python3
  • Bulk Extractor
  • Volatility2 with Community Plugins
  • Volatility3
  • Plaso
  • Yara

How to Use

Quick Triage

python3 winSuperMem.py -f memdump.mem -o output/ -tt 1

Full Triage

python3 winSuperMem.py -f memdump.mem -o output/ -tt 2

Comprehensive Triage

python3 winSuperMem.py -f memdump.mem -o output/ -tt 3

Installation

  1. Install Python 3
  2. Install Python 2
  3. pip3 install -r requirements.txt
  4. Install Volatility 3 Framework
  5. Install Volatility 2 Framework
  6. Download Volatility 2 Community Plugins
  7. Install Bulk Extractor
  8. Install Plaso
  9. Install Yara
  10. Install Strings

How to Read the Output

  • Output directory structure of comprehensive triage:
    • BEoutputdir – Bulk Extractor output
    • DumpedDllsOutput – Dumped DLLs loaded into processes
    • DumpedFilesOutput – Dumped files in memory
    • DumpedModules – Dumped loaded drivers
    • DumpedProcessOutput – Dumped running processes
    • DumpedRegistriy – Dumped loaded registry hives
    • EVTxtract – Extracted data with EVTxtract
    • IOCs.csv – Collected IPs identified in the output data set
    • Logging.log – Logging for the script
    • Plaso – Plaso master timeline
    • Strings – Unicode, Ascii, Big Endian strings output
    • Volatility2 – Volatility2 plugin output
    • Volatility3 – Volatility3 plugin output
    • Yara – Yara matches

Troubleshooting

There are a number of known bugs, which are outlined in this section.

  • Dumping files may not work on Windows images below Windows8. The offset supplied by the volatility3 filescan plugin is sometimes physical and not virtual. There is not a descriptor specifying which is returned either. The current script is expecting virtual only. You can fix this by changing the dumpfiles function from --virtaddr to --physaddr.

GitHub

https://github.com/CrowdStrike/SuperMem