Proof-of-Concept CASE Volatility Plugins

This repository contains a sub-set of Volatility plugins that produce output in the CASE/UCO format.

These plugins have been taken from core Volatility plugins and adapted the output to produce CASE/UCO JSON-LD. These currently are proof-of-concept only, and may not fully comply to the CASE/UCOontology as it is an evolving standard.

This repository takes the following plugins from the Volatility framework and adapats the output to be CASE/UCO compliant based on the v0.1.0 release:

• handles.py
• procdump.py
• cmdline.py

All Volatility work belongs to their respective authors which can be found here.

Installation of 3rd Party Libraries

• CASE Python Library.
• Volatility Python library.

Running Custom PoC Plugins

CASE/UCO Handle List from Memory Image

vol.py --plugins='volplugs/src/' -f memory_images/memory.img --profile WinXPSP2x86 casehandles

CASE/UCO Procdump

vol.py --plugins='volplugs/src/' -f memory_images/memory.img caseprocdump --dump-dir dumpdir

CASE/UCO Commandline dumping

vol.py --plugins='volplugs/src/' -f memory_images/memory.img casecmdline