#!/bin/bash
####################
# --- User configuration -------------------------------------------------
# Path to the Volatility 2 entry point (vol.py). Leave empty when the
# `volatility` command is already on PATH (/bin, /sbin, ...).
volatility_path=""
# The -t / background_proc switch was never implemented; it is intentionally
# not part of the configuration.
# Volatility --profile value. Leave empty to have the script derive it from
# the imageinfo plugin output.
user_profile=""
# Directory handed to --plugin= for community plugins. Leave empty when it
# is supplied on the command line via --plugins=.
plugins=""
# Path of the memory image. Leave empty when it is supplied via -f.
memory_path=""
# Profile-name prefixes that identify a macOS image; anything that is not
# Windows and does not start with one of these is treated as Linux.
declare -a Mac_profiles=(
  Yosemite
  ElCapitan
  Sierra
  HighSierra
  Leopard
  SnowLeopard
  Lion
  MountainLion
  Mavericks
)
#################### Flags and paths
#######################################
# Print the usage card. Headings are coloured with tput; the colour is reset
# after every heading so the body text keeps the terminal default.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout (tput escape sequences included)
# Returns:   status of the final tput call
#######################################
help() {
  tput setaf 1
  printf '%s\n' "Usage:"
  tput sgr 0
  printf '%s\n' " AutoVol.sh [Switches&Paths]"
  tput setaf 1
  printf '%s\n' "Switches:"
  tput sgr 0
  # The -t (background processes) switch is not implemented and is therefore
  # not listed here.
  printf '%s\n' \
    " -h:help/this card" \
    " -f:specify memory file" \
    " --profile:specify user profile if known/given" \
    " --plugins:specify the plugin path" \
    " --info:Runs volatility's --info flag"
  tput setaf 1
  printf '%s' "e.g: "
  tput setaf 7
  printf '%s\n' \
    "AutoVol.sh --plugins=./volatility/volatility/plugins -f memory.mem" \
    "AutoVol.sh --plugins=./volatility/volatility/plugins -f memory.mem --profile=Win10x64"
  tput sgr 0
}
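#######################################
# Parse the command-line switches into the script's global configuration.
# Recognised: --profile=<name>, --plugins=<dir>, -f <memory file>.
# Anything else is ignored. Values are matched with case patterns instead of
# grep|wc|sed pipelines, so paths containing spaces survive intact and no
# temporary globals (args, counter, i) leak into the caller.
# Globals:   user_profile, plugins, memory_path (written)
# Arguments: the script's "$@"
# Returns:   0
#######################################
setFlags() {
  local -a args=("$@")
  local i
  for ((i = 0; i < ${#args[@]}; i++)); do
    case "${args[i]}" in
      --profile=*)
        user_profile=${args[i]#--profile=}
        ;;
      --plugins=*)
        plugins=${args[i]#--plugins=}
        ;;
      -f)
        # The value is the next word. A trailing -f with nothing after it
        # leaves memory_path untouched instead of reading an unset slot.
        if (( i + 1 < ${#args[@]} )); then
          memory_path=${args[i + 1]}
        fi
        ;;
    esac
  done
  return 0
}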
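#######################################
# Run the Windows triage plugin set against the memory image and tee each
# plugin's output to <profile>_<plugin>.log in the current directory.
# Changes from the line-per-plugin version: every path is quoted, the
# consoles log now carries the .log suffix like every other log, and the
# community plugins (mimikatz, chrome*) are run as one group after the
# built-in plugins.
# Globals:   volatility_path, memory_path, user_profile, plugins (read)
# Arguments: none
# Outputs:   plugin output on stdout; one log file per plugin in $PWD
# Returns:   status of the final pipeline (timeliner)
#######################################
runWindowsPlugins() {
  # Plugins shipped with Volatility 2, in execution order. An entry may carry
  # extra plugin flags after the name (e.g. "clipboard -v"); the log file is
  # named after the plugin only.
  local -a core_plugins=(
    pslist pstree psxview psscan cmdline cmdscan consoles filescan mftparser
    envars hashdump iehistory svcscan netscan connscan connections sockets
    sockscan hivelist userassist shellbags shimcache yarascan malfind
    "clipboard -v" lsadump truecryptpassphrase truecryptsummary truecryptmaster
  )
  # Plugins loaded from the --plugins directory via --plugin=.
  local -a community_plugins=(
    mimikatz chromehistory chromevisits chromedownloads chromedownloadchains
    chromecookies
  )
  # NOTE: hashdump, lsadump, mimikatz and the truecrypt* plugins write
  # credential material; their .log files are created with the default umask
  # in $PWD, so run this from an access-controlled evidence directory.
  local entry name
  for entry in "${core_plugins[@]}"; do
    name=${entry%% *}
    # shellcheck disable=SC2086 -- $volatility_path may be "python2 <path>"
    # and $entry deliberately splits into plugin name + flags.
    $volatility_path -f "$memory_path" --profile="$user_profile" $entry \
      | tee "${user_profile}_${name}.log"
  done
  for name in "${community_plugins[@]}"; do
    # shellcheck disable=SC2086 -- intentional split of $volatility_path
    $volatility_path --plugin="$plugins" -f "$memory_path" --profile="$user_profile" "$name" \
      | tee "${user_profile}_${name}.log"
  done
  # dlllist and the community openvpn plugin were disabled upstream; add them
  # to the arrays above to re-enable them.
  tput setaf 1
  echo "Executing timeliner:"
  tput sgr 0
  # shellcheck disable=SC2086 -- intentional split of $volatility_path
  $volatility_path -f "$memory_path" --profile="$user_profile" timeliner \
    | tee "${user_profile}_timeliner.log"
}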
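#######################################
# Run the Linux triage plugin set against the memory image and tee each
# plugin's output to <profile>_<plugin>.log in the current directory. All
# Linux plugins are invoked with --plugin=$plugins, as before.
# The previous version ended in four invocations with no plugin name at all
# (they only made Volatility print its usage); those are dropped — extend the
# array below instead.
# Globals:   volatility_path, memory_path, user_profile, plugins (read)
# Arguments: none
# Outputs:   plugin output on stdout; one log file per plugin in $PWD
# Returns:   status of the last pipeline
#######################################
runLinuxPlugins() {
  local -a linux_plugins=(
    linux_bash linux_pslist linux_pstree linux_psscan linux_psaux linux_psenv
    linux_psxview linux_ifconfig linux_netscan linux_netstat
    linux_truecrypt_passphrase linux_enumerate_files
  )
  # NOTE: linux_truecrypt_passphrase output is credential material; the log
  # is created with the default umask in $PWD.
  local name
  for name in "${linux_plugins[@]}"; do
    # shellcheck disable=SC2086 -- $volatility_path may be "python2 <path>"
    $volatility_path --plugin="$plugins" -f "$memory_path" --profile="$user_profile" "$name" \
      | tee "${user_profile}_${name}.log"
  done
}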
#######################################
# Placeholder for the macOS plugin set: no plugin is run yet, only an empty
# line is printed so the dispatcher's output shape matches the other families.
# Globals:   none
# Arguments: none
# Outputs:   a single newline on stdout
#######################################
runMacPlugins() {
  printf '\n'
}
####################
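#################### Entry point
# No arguments at all: print the card and leave with the script's usage code.
if (( $# == 0 )); then
  help
  exit 104
fi
# An explicit path points at a vol.py checkout, which is run through
# python2. The variable stays a single string and is word-split (unquoted)
# at every call site on purpose.
if [[ -z "$volatility_path" ]]; then
  volatility_path="volatility"
else
  volatility_path="python2 $volatility_path"
fi
####################
if [[ "$1" == "-h" ]]; then
  help
  exit 104
elif [[ "$1" == "--info" ]]; then
  # shellcheck disable=SC2086 -- intentional word split, see above
  $volatility_path --info
  exit 0
fi
# Quoted so a memory path containing spaces reaches setFlags as one word.
setFlags "$@"
if [[ -z "$user_profile" ]]; then
  echo "No user profile specified"
  # Derive the profile from imageinfo. The plugin name is passed once (the
  # old command repeated it) and the "Suggested Profile(s)" line is selected
  # explicitly instead of assuming it is the first line of output.
  # shellcheck disable=SC2086 -- intentional word split of $volatility_path
  $volatility_path -f "$memory_path" imageinfo | tee imageinfo.log
  user_profile=$(grep -m 1 'Suggested Profile' imageinfo.log \
    | cut -d ":" -f 2 | cut -d "," -f 1 | cut -d " " -f 2)
fi
#################### Dispatch on the profile family
# macOS is recognised by a case-sensitive prefix match against Mac_profiles;
# Windows by a case-insensitive Win/Vista prefix; everything else is Linux.
is_mac_profile=0
for mac_prefix in "${Mac_profiles[@]}"; do
  if [[ "$user_profile" == "$mac_prefix"* ]]; then
    is_mac_profile=1
    break
  fi
done
if grep -qiE '^(Win|Vista)' <<<"$user_profile"; then
  echo Windows
  runWindowsPlugins
elif (( is_mac_profile )); then
  echo "Mac os"
  runMacPlugins
else
  echo "Linux"
  runLinuxPlugins
fi
# Empty logs (plugins that produced no output) could be pruned with:
#   find . -maxdepth 1 -name '*.log' -empty -delete
exit 0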