Volatility PowerShell Scripts
Main Volatility Script
Volatility is a memory forensics framework designed to analyze Windows, Linux and Mac memory dumps. For further information see http://code.google.com/p/volatility/
Here are two main scripts and a couple supporting scripts to automate the process of forensic analysis of memory images.
The following commands are run against a memory image: hivelist, userassist, pslist, psscan, pstree, psxview, modscan, ldrmodules, driverscan, driverirp, devicetree, unloadedmodules, envars, dlllist, getsids, getservicesids, handles, filescan, svcscan, connections, connscan, sockscan, sockets, netscan, cmdscan, consoles, and strings.
A directory is created in the same directory that the image file is in called "VolatilityOutput" where the output of all the commands is placed. If the command extracts images from memory (malfind, dlldump, moddump, procdump) the images are put in a directory under VolatilityOutput-(ImageName) named after the command.
By default the script runs imageinfo on the image first to determine the image type and presents you with a menu of options to choose from. If you know you image type you can enter it on the command line and skip this step. The script accepts pipeline input so you can feed it a csv of images and image types and it will run on each image in turn.
The SysInternals string utility is run against each process, dll and driver image extracted and against the main memory image. The main memory image is split with the split.ps1 script so it will be easily editable.
If you cancel the process by ^c you can restart it and the scan will pick up where it left off.
Volatility Timeline Script
This script creates a memory timeline by running the volatility timliner, shellbags and mftparser modules against a memory image. All these are put into one timeline and then run through mactime.ps1 to create a csv timeline. The TimeZone is required, one of the standard timezones.