AutoVolatility is a script made to run several volatility plugins at the same time.
AutoVolatility will create a new folder in the output directory for each plugin executed.
You can run the "main" volatility plugins with:

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY

By default autoVolatility tries to execute an executable named "volatility". If the volatility executable is not in your PATH or has a different name, you can set where it is with the option -e:

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py

AutoVolatility will use the plugin "imageinfo" to figure out which profile to use. If you already know the profile, you can set it with the option -p:

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -p WinXPSP2x86

If you want to run almost all the default plugins that come with volatility, use the option -a:

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -a

By default autoVolatility uses 8 threads, but you can change that with the option -t:

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -t 16 # 16 threads

If you want autoVolatility to run other plugins, you can do so with the option -c:

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -c amcache,auditpol,cachedump,clipboard,cmdline,cmdscan # Only these plugins will be executed

The plugins executed by default are:
dump_plugins = ["dumpcerts", "dumpregistry", "dumpfiles", "dumpregistry"]
plugins = ["amcache", "auditpol", "cachedump", "clipboard", "cmdline", "cmdscan", "connections", "connscan", "consoles", "deskscan", "devicetree", "dlllist",
"envars", "getservicesids", "handles", "hashdump", "hibinfo", "hivelist", "hivescan", "iehistory", "ldrmodules", "lsadump", "malfind", "mbrparser", "memmap", "mftparser", "modules", "notepad",
"privs", "pslist", "psscan", "pstree", "psxview", "qemuinfo", "servicediff", "sessions", "sockets", "sockscan", "ssdt", "strings", "svcscan", "symlinkscan", "thrdscan", "verinfo", "windows", "wintree"]

The plugins executed using the option -a are:
dump_plugins = ["dumpcerts", "dumpregistry", "dumpfiles", "dumpregistry"]
plugins_all = ["amcache", "apihooks", "atoms", "atomscan", "auditpol", "bigpools", "bioskbd", "cachedump", "callbacks", "clipboard", "cmdline", "cmdscan", "connections", "connscan", "consoles", "crashinfo",
"deskscan", "devicetree", "dlldump", "dlllist", "driverirp", "drivermodule", "driverscan", "editbox", "envars", "eventhooks", "evtlogs", "filescan",
"gahti", "gditimers", "gdt", "getservicesids", "getsids", "handles", "hashdump", "hibinfo", "hivelist", "hivescan", "hpakextract", "hpakinfo", "idt", "iehistory", "imagecopy", "imageinfo",
"joblinks", "kdbgscan", "kpcrscan", "ldrmodules", "lsadump", "malfind", "mbrparser", "memdump", "memmap", "messagehooks", "mftparser", "moddump", "modscan", "modules", "multiscan", "mutantscan",
"notepad", "objtypescan", "patcher", "printkey", "privs", "procdump", "pslist", "psscan", "pstree", "psxview", "qemuinfo", "raw2dmp", "screenshot", "servicediff", "sessions", "shellbags", "shimcache",
"shutdowntime", "sockets", "sockscan", "ssdt", "strings", "svcscan", "symlinkscan", "thrdscan", "threads", "timeliner", "timers", "truecryptmaster", "truecryptpassphrase", "truecryptsummary",
"unloadedmodules", "userassist", "userhandles", "vaddump", "vadinfo", "vadtree", "vadwalk", "vboxinfo", "verinfo", "vmwareinfo", "windows", "wintree", "wndscan"]
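As an added illustration (not the project's own code), here is a minimal re-implementation of the workflow the options above describe: detect the profile with imageinfo unless -p is given, then run each plugin in a thread pool with one output folder per plugin. DEFAULT_PLUGINS is an assumed short subset of the real list, and the run parameter is an assumption added so the logic can be exercised without a memory image.

```python
import argparse
import os
import re
import subprocess
from concurrent.futures import ThreadPoolExecutor

DEFAULT_PLUGINS = ["pslist", "psscan", "pstree", "cmdline", "malfind"]  # assumed short subset

def build_command(executable, memfile, plugin, profile=None):
    """Volatility 2 argv for one plugin (a list, so no shell quoting issues)."""
    cmd = [executable, "-f", memfile]
    if profile:
        cmd.append("--profile=" + profile)
    return cmd + [plugin]

def parse_profile(imageinfo_output):
    """First profile on imageinfo's 'Suggested Profile(s)' line, or None if absent."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*([^\r\n]+)", imageinfo_output)
    # imageinfo may append hints such as 'WinXPSP2x86 (Instantiated with ...)'
    return m.group(1).split(",")[0].strip().split(" ")[0] if m else None

def detect_profile(executable, memfile, run=subprocess.run):
    """What the script does without -p: run imageinfo once and parse its suggestion."""
    proc = run(build_command(executable, memfile, "imageinfo"), capture_output=True, text=True)
    return parse_profile(proc.stdout)

def run_plugins(executable, memfile, outdir, plugins, profile, threads=8, run=subprocess.run):
    """Run every plugin in a thread pool, one folder per plugin; return {plugin: exit code}."""
    def one(plugin):
        folder = os.path.join(outdir, plugin)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, plugin + ".txt"), "w") as out, \
             open(os.path.join(folder, plugin + ".err"), "w") as err:
            rc = run(build_command(executable, memfile, plugin, profile), stdout=out, stderr=err).returncode
        return plugin, rc
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return dict(pool.map(one, plugins))

if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="run several Volatility plugins at once")
    ap.add_argument("-f", required=True, help="memory image")
    ap.add_argument("-d", required=True, help="output directory")
    ap.add_argument("-e", default="volatility", help="volatility executable")
    ap.add_argument("-p", help="profile; detected with imageinfo if omitted")
    ap.add_argument("-t", type=int, default=8, help="threads")
    ap.add_argument("-c", help="comma-separated plugin list")
    a = ap.parse_args()
    plugins = a.c.split(",") if a.c else DEFAULT_PLUGINS
    print(run_plugins(a.e, a.f, a.d, plugins, a.p or detect_profile(a.e, a.f), a.t))
```

The returned dict of exit codes is what to check after a run: a non-zero code for a plugin usually means it does not apply to that profile or the image is corrupt there, and its .err file holds the reason.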