Muninn was built to allow an easier approach to initial memory forensics on Windows 7 and Windows XP machines. Usually, when approaching a memory analysis we start by plotting out the basics and looking for the exceptions. This usually involves a lot of commandlining for each and every data set with Volatility. Muninn will take a case number and a memory image and will try to grab the basic pieces of data we usually look for and export them into a readable txt file which will be 'nicer' to read by a human being. It does not try to lead the memory forensics from a to z but rather to help the auditor through the initial plotting. To check for updates or submit changes follow this repository at the official repository This program is licensed under GPLv3.
Clone this repository using:
git clone https://www.github.com/ytisf/Muninn
Make sure you have all the dependencies installed:
sudo pip install prettytable
Make sure Volatility is installed and linked to vol.py .
sudo apt-get install subversion pcregrep libpcre++-dev python-dev build-essentia libgmp3-dev sudo apt-get install python-pycryptopp sqlite3 libsqlite3-dev wget https://volatility.googlecode.com/files/volatility-2.3.tar.gz tar xfv volatility-2.3.tar.gz cd volatility-2.3/ sudo python setup.py install
The basic command line arguments for Muninn are:
Options: -h, --help show this help message and exit -f FILENAME, --file=FILENAME The path to memory image to analyse -c CASENUMBER, --case=CASENUMBER Case number to use
The image location and case number are mandatory.
Basic structure of Muninn is:
The main execution file. This file just calls other imports. This file manages the flow of the application and is a bit documented. Function names and calls are simple to understand.
This manages errors in the program. It is very simple and not documented (since there is nothing to document). Every other python module in this application will call error_handler.py for output to the user (screen).
Will be called to write the report file. It manages the functions:
- __init___ -
- InitiateDocument - Will create the first block of the document and create the file_handler.
- print_title - Will add a header to the file.
- print_table - Will add a table to the report (since we have many).
- save - This will save the document properly and close the file_handler.
Warning! Black magic regexing here! You've been warned!
- __init__ - This will initialize constructs. In general, all of the function will try to store the output in the main class as attributes to the class and not as a return option or anything like that.
- regex_search - Just what it says.
- check_if_vol_is_installed - Diddo.
- get_image_type - First time we use Volatility, and we use it to get image type.
- document_image_details - Generates basic image details such as MD5.
- get_process_list - Takes the process list from the memory image.
- hive_list - Gets all the hives. Used also at find_hashes
- find_hashes - Extract hashes (and users) from mem image.
- get_network_connections - Extract all UDP and TCP connections. (black craft magic van-dam regex vodoo here)
- get_runkey_from_reg - Gets the startup keys from the Registry.
- drivers - creates the self._drivers object and fills it we the drivers' list.
Just this readme file.
Muninn - An Automatic Initial Memory Forensics Tool Copyright (C) 2014 Yuval tisf Nativ
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.