A Jupyter notebook to assist with the analysis of the output generated from Volatility memory extraction framework.
blueteam0ps/memOptix
memOptix

This Jupyter notebook was created to assist DFIR professionals with triaging Windows memory dumps.

Please note that this notebook was built around the output generated by CrowdStrike's SuperMem Python script (https://github.com/CrowdStrike/SuperMem). Run SuperMem in triage mode 2 or 3 against the memory dump before running this notebook. If you would rather run Volatility against the memory dump interactively, a separate Volatility processing cell is provided in the notebook to generate the required output.

The following open source projects are used in this notebook:

https://github.com/microsoft/msticpy

https://github.com/volatilityfoundation/volatility3

https://github.com/CrowdStrike/SuperMem

Author: J Marasinghe

Pre-requisites

  • Python 3.8 or above
  • Volatility3
  • API keys for the MSTICPy enrichments used by the notebook: GeoIPLite, GreyNoise and OTX

Usage

  1. git clone https://github.com/blueteam0ps/memOptix.git
  2. Update msticpyconfig.yaml with the API keys listed under Pre-requisites
  3. Open memOptix-analyst.ipynb in Jupyter and follow the instructions within the notebook
  4. If you are not planning to run SuperMem and need to generate the CSVs required by the notebook, run the following cell. If you already have the CSVs, update the path as instructed and skip the CSV generation.
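The CSV generation cell itself is not reproduced in this README. The script below is an added example, not code from memOptix or SuperMem: it shows how equivalent CSVs can be produced with the volatility3 command-line tool's CSV renderer (`-r csv`), and how a windows.pslist CSV can then be turned into the parent/child tree the notebook visualises, with a simple expected-parent check as a triage lead. The `vol` binary name, the plugin list in TRIAGE_PLUGINS, the EXPECTED_PARENTS table and every row of the sample CSV are assumptions or constructed data, not values taken from this project.

```python
"""Added example (not part of memOptix): produce Volatility3 CSVs for a memory
image and triage a windows.pslist CSV as a process tree.

Assumptions: the volatility3 CLI is on PATH as `vol` and supports `-r csv`;
TRIAGE_PLUGINS is a constructed minimal set, not SuperMem's plugin list; the
sample CSV uses a subset of windows.pslist's column names with made-up values.
"""
import csv
import io
import subprocess
from collections import defaultdict
from pathlib import Path

# Constructed minimal plugin set (assumption); extend to what the notebook needs.
TRIAGE_PLUGINS = ["windows.pslist", "windows.pstree", "windows.netscan", "windows.cmdline"]

# Parent each process normally has on a default Windows host (assumption for
# this example). A mismatch is a lead to investigate, not proof of compromise.
EXPECTED_PARENTS = {
    "lsass.exe": "wininit.exe",
    "services.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def vol_csv_command(image, plugin, vol_bin="vol"):
    """argv that runs `plugin` against `image` and renders the table as CSV on stdout."""
    return [vol_bin, "-f", str(image), "-r", "csv", plugin]


def generate_csvs(image, outdir, plugins=TRIAGE_PLUGINS, vol_bin="vol"):
    """Run each plugin and write <outdir>/<plugin>.csv; returns the paths written.
    A plugin that fails (missing symbols, unsupported image) is reported and
    skipped so one failure does not abort the whole triage run."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for plugin in plugins:
        argv = vol_csv_command(image, plugin, vol_bin)
        result = subprocess.run(argv, capture_output=True, text=True)
        if result.returncode != 0:
            print(f"[!] {' '.join(argv)} failed: {result.stderr.strip()[:200]}")
            continue
        path = outdir / f"{plugin}.csv"
        path.write_text(result.stdout)
        written.append(path)
    return written


# Constructed sample (made-up PIDs, names and times), windows.pslist column subset.
SAMPLE_PSLIST_CSV = """TreeDepth,PID,PPID,ImageFileName,Threads,CreateTime
0,4,0,System,85,2024-01-01 10:00:00.000000
0,300,4,smss.exe,2,2024-01-01 10:00:01.000000
0,400,300,csrss.exe,10,2024-01-01 10:00:02.000000
0,450,300,wininit.exe,1,2024-01-01 10:00:02.000000
0,500,450,services.exe,5,2024-01-01 10:00:03.000000
0,520,450,lsass.exe,7,2024-01-01 10:00:03.000000
0,700,500,svchost.exe,12,2024-01-01 10:00:04.000000
0,1337,9999,svchost.exe,3,2024-01-01 11:30:00.000000
0,1400,400,lsass.exe,1,2024-01-01 11:31:00.000000
"""


def load_pslist(csv_text):
    """Parse windows.pslist CSV text into {pid, ppid, name} dicts."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{"pid": int(r["PID"]), "ppid": int(r["PPID"]), "name": r["ImageFileName"]}
            for r in reader]


def build_process_tree(procs):
    """Return (roots, children) with children mapping PPID -> child records.
    A process whose parent PID is absent from the listing (exited parent or a
    forged PPID) becomes a root so it is never silently dropped from the tree."""
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    roots = []
    for p in procs:
        if p["ppid"] in by_pid and p["ppid"] != p["pid"]:
            children[p["ppid"]].append(p)
        else:
            roots.append(p)
    return roots, children


def render_tree(roots, children, depth=0):
    """Indented text rendering of the tree, siblings ordered by PID."""
    lines = []
    for p in sorted(roots, key=lambda x: x["pid"]):
        lines.append(f"{'  ' * depth}{p['name']} ({p['pid']})")
        lines.extend(render_tree(children.get(p["pid"], []), children, depth + 1))
    return lines


def unexpected_parents(procs):
    """(name, pid, actual parent name or None) for processes whose parent differs
    from EXPECTED_PARENTS; a missing parent is reported as None."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENTS.get(p["name"].lower())
        if expected is None:
            continue
        parent = by_pid.get(p["ppid"])
        actual = parent["name"] if parent else None
        if actual is None or actual.lower() != expected:
            findings.append((p["name"], p["pid"], actual))
    return findings


if __name__ == "__main__":
    procs = load_pslist(SAMPLE_PSLIST_CSV)
    roots, children = build_process_tree(procs)
    print("\n".join(render_tree(roots, children)))
    for name, pid, parent in unexpected_parents(procs):
        print(f"[?] {name} pid {pid} parented by {parent or 'a process not in the listing'}")
    # With volatility3 installed and a real image, generate the CSVs like this:
    # generate_csvs("memory.raw", "vol_output")
```

On the constructed sample the tree rendering shows the orphaned svchost.exe (PID 1337) as a second root, and the expected-parent check reports both that orphan and the lsass.exe instance parented by csrss.exe; those are the kinds of rows worth pivoting on in the notebook's process tree and enrichment cells.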

Generate CSVs

Screenshots

Network IOC enrichment

Process Tree Visualisation

Timeseries analysis

Image credit: Memory icons created by Darius Dan - Flaticon
