mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-08 22:29:33 +00:00
32 lines
1.6 KiB
Plaintext
32 lines
1.6 KiB
Plaintext
/*! \page volatility_dsp_page Volatility Data Source Processor
|
|
|
|
\section Overview
|
|
|
|
The Volatility data source processor runs Volatility on a memory image and saves the individual module results. If the disk image associated with the memory image is also available, it will create Intesting Item artifacts linking the Volatility results to files in the disk image.
|
|
|
|
\section Usage
|
|
|
|
If you have a disk image associated with your memory image, ingest the disk image into the case first. Then go to "Add Data Source" and select "Memory Image File".
|
|
|
|
\image html volatility_dsp_select.png
|
|
|
|
On the next screen, you can select your memory image and then adjust the settings to choose a profile and which Volatility plugins to run.
|
|
|
|
\image html volatility_dsp_config.png
|
|
|
|
Next you'll see the ingest module configuration panel. No ingest modules will be run when using the Volatility data source processor, so simply hit the "Next" button. When it finishes, you may have some non-critical errors. These frequently come from the data source processor being unable to find files in the original disk image.
|
|
|
|
\section Results
|
|
|
|
There are two types of results that come from running the Volatility data source processor: Module Output and Interesting Items. The Module Output section is found under the memory image in the tree.
|
|
|
|
\image html volatility_dsp_module_output.PNG
|
|
|
|
You can also view the Volatility output under "ModuleOutput/Volatility" in the Autopsy case folder. The Interesting Items link file paths found by Volatility with files in the disk image.
|
|
|
|
\image html volatility_dsp_interesting_items.PNG
|
|
|
|
|
|
|
|
|
|
*/ |