-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathautomation-AnalyzeMemImage.yml
40 lines (40 loc) · 1.28 KB
/
automation-AnalyzeMemImage.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
args:
- default: true
description: Path to memory dump file on the system being used
name: memdump
required: true
- description: System with Volatility installed to be used for the analysis
name: system
required: true
comment: Use Volatility to run common memory image analysis commands
commonfields:
id: AnalyzeMemImage
version: -1
name: AnalyzeMemImage
runonce: false
script: |-
var imginfo = executeCommand('Vol', {file:args.memdump, system: args.system, cmd:'imageinfo'});
if (imginfo) {
imginfo[0].Contents = '================ Image Info for ' + args.memdump + '==============\n' + imginfo[0].Contents;
}
var pstree = executeCommand('Vol', {file:args.memdump, system: args.system, cmd:'pstree'});
if (pstree) {
pstree[0].Contents = '================ Process Tree for ' + args.memdump + '==============\n' + pstree[0].Contents;
}
var connscan = executeCommand('Vol', {file:args.memdump, system: args.system, cmd:'connscan'});
if (connscan) {
connscan[0].Contents = '================ Past Network Connections for ' + args.memdump + '==============\n' + connscan[0].Contents;
}
var res = [];
res.push(imginfo);
res.push(pstree);
res.push(connscan);
return res;
scripttarget: 0
system: true
tags:
- memory
- forensics
- volatility
- server
type: javascript