This EnScript is designed to facilitate easier use of Volatility in EnCase.
The script should be used in conjunction with the standalone Volatility executable, which can be downloaded from the following URL:
The script supports any number of Volatility plugins, which will be remembered for later use. One or more plugins can also be set as default
The script is designed to run in the foreground thread as an EnCase plugin and will block EnCase being used for any other purpose when active. The script is invoked by right-clicking the memory-dump to be processed.
Multithreading is used to prevent EnCase hanging when a memory dump is extracted prior to analysis and when processing is underway in Volatility
Multiple threads also allow more than one plugin to be executed at a time. That said, the overall time taken to perform a batch-analysis will depend on the plugin that takes longest to run.
When the script is first executed, it will set the maximum number of threads to the number of physical cores in the host machine and remember this setting for later use.
It's possible to transfer the script's INI file to another machine, in which case the location of the Volatility executable and the maximum number of threads may need to be adjusted.
The script will write extracted copies of memory-dumps to the current case's temporary folder.
Case-specific configuration-data and the results of each analysis will be written to the Volatility Plugin sub-folder of the current case's folder.
Volatility uses the standard error-stream to output feedback. This will be written to a bookmark called Error Output in the bookmark sub-folder created for each plugin.
The script will use the --output-file parameter to redirect the main output to a text-file. This will avoid performance issues caused by plugins that generate a lot of data.
Depending on size and output-type, the script will read the main output data into a bookmark called Main Output.
If the data is too large or the user has changed the type to JSON or some other format, the text in the Main Output bookmark will redirect the user to open the output file by right-clicking on the bookmark called Main Output Path and then clicking on the script's View Output Data menu-option.
The examiner should be aware of two things when opening the output file in this fashion.
Firstly, any text will have UNIX line-endings. The examiner can overcome this by changing the TXT file association in Windows to an editor that supports this type of line-ending.
Secondly, no check is made of the size or type of the output data.
The examiner is free to change the type of the output file using the --output parameter, but the file's path, name, and extension cannot be changed otherwise it would break the functionality provided by the script.
The examiner is advised to use the Windows Task Manager should they wish to monitor processing in more detail.
Debugging information will be written to the console window, which must be activated prior to processing if real-time monitoring is to be performed - it won't be possible to switch to the console once processing is under way.
YOU MAY ALSO LIKE