Ecosyste.ms: Awesome
https://github.com/Hestat/calamity
A script to assist in processing forensic RAM captures for malware triage
- Host: GitHub
- URL: https://github.com/Hestat/calamity
- Owner: Hestat
- License: gpl-3.0
- Created: 2019-04-02T00:55:53.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2021-02-04T13:55:45.000Z (almost 4 years ago)
- Last Synced: 2024-08-02T20:44:11.025Z (5 months ago)
- Topics: dfir, malware-analysis, memory-forensics, volatility
- Language: Shell
- Homepage:
- Size: 33.2 KB
- Stars: 28
- Watchers: 5
- Forks: 7
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-memory-forensics - Calamity
README
## Calamity
```
================================ Calamity ================================
A script to assist in processing forensic RAM captures for malware triage

Run the script with no options and it will run in guided mode, prompting the
user to choose options as required. If you already know the correct Volatility
memory profile you can use the following options:

-f, --filepath    provide the complete filepath to the RAM memory dump
-p, --profile     provide the memory profile you want volatility to use
-s, --scan        will run all scans and prompt user as required
-q, --quick       will run a quick scan for malware, no user input required to complete
-c, --config      same as quickscan but will try to extract malware configurations as well

Example:

calamity -f /home/user/memory.dmp -p Win10x64_10586 -s
calamity --filepath /home/user/memory.dmp --profile Win10x64_10586 --scan
==========================================================================
```
Full walkthrough and writeup:
https://laskowski-tech.com/2019/05/18/calamity-a-volatility-script-to-aid-malware-triage/

Original inspiration was the Volatility Labs writeup in this article:
https://volatility-labs.blogspot.com/2016/08/automating-detection-of-known-malware.html

Which led me to write up my version:
https://laskowski-tech.com/2019/02/18/volatility-workflow-for-basic-incident-response/

Which led to this project. Good Hunting.
Install instructions:
On the base system (tested on Ubuntu and Kali):
```
git clone https://github.com/Hestat/calamity.git
cd calamity
sudo ./install.sh
```

Docker option:
```
docker pull hestat/calamity
docker run --rm -it -v ~/memory-dumps:/home/nonroot/memdumps hestat/calamity:latest bash
```

The ~/memory-dumps folder is where the memory images reside on the host OS. You will be dropped into a bash shell in the home directory of the nonroot user, which contains a folder called memdumps that is mapped to that folder on the host OS.
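The README shows two ways to start a triage session (the native `calamity -f ... -p ...` call and the Docker container) but says nothing about protecting the evidence while the tools run. The wrapper below is an added example, not code from the calamity project: it records the SHA-256 of the RAM image before the session, re-verifies it afterwards, and, in Docker mode, mounts the dump directory read-only (`:ro`) so nothing inside the container can write to the image. The image path and profile name are placeholders; it also assumes calamity writes its results somewhere other than the image directory (if it does not, drop `:ro` and rely on the hash comparison alone) and that paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not part of calamity): evidence-integrity wrapper around the
# native and Docker invocations shown in the README.
# Assumptions: image path and profile are placeholders; calamity does not write
# into the image directory; paths contain no whitespace.

# Print the SHA-256 hex digest of a file; works with sha256sum or shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Record the digest next to the image as <image>.sha256 ("digest  path").
record_hash() {
    printf '%s  %s\n' "$(sha256_of "$1")" "$1" > "$1.sha256"
}

# Compare the current digest with the recorded one. Status 0 means the image
# is unchanged; 1 means it differs or was never recorded.
verify_hash() {
    [ -f "$1.sha256" ] || return 1
    recorded=$(awk '{ print $1 }' "$1.sha256")
    [ "$(sha256_of "$1")" = "$recorded" ]
}

# Native quick scan, using the -f/-p/-q options from the README usage text.
build_calamity_cmd() {
    printf 'calamity -f %s -p %s -q' "$1" "$2"
}

# Docker session as in the README, with the host directory mounted read-only
# (":ro") so nothing inside the container can modify the evidence.
build_docker_cmd() {
    printf 'docker run --rm -it -v %s:/home/nonroot/memdumps:ro hestat/calamity:latest bash' "$1"
}

# Hash, run the triage (native by default, Docker if MODE=docker, only an echo
# if DRY_RUN is set), then re-verify. Returns 1 if the image changed.
triage_session() {
    image="$1"
    profile="$2"
    record_hash "$image"
    if [ "${MODE:-native}" = docker ]; then
        cmd=$(build_docker_cmd "$(dirname "$image")")
    else
        cmd=$(build_calamity_cmd "$image" "$profile")
    fi
    if [ -n "${DRY_RUN:-}" ]; then
        echo "dry-run: $cmd"
    else
        sh -c "$cmd"
    fi
    verify_hash "$image"
}

# Usage: MODE=docker sh triage.sh /home/user/memory.dmp Win10x64_10586
if [ "$#" -eq 2 ] && [ -f "$1" ]; then
    triage_session "$1" "$2"
fi
```

A non-zero exit from `triage_session` means the image digest changed during the session; treat the capture as contaminated and fall back to a pristine copy rather than continuing to analyse it.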