multivol 0.1.0__py3-none-any.whl → 0.1.3__py3-none-any.whl

multivol/multi_volatility3.py

@@ -26,43 +26,7 @@ class multi_volatility3:
                 return os.path.join(host_path, rel_path)
         return path
 
-
-    def generate_command_volatility3_json(self, command, dump, dump_dir, symbols_path, docker_image, cache_dir, plugin_dir):
-        # Generates the Docker command to run a Volatility3 module with JSON output
-        return [
-            "docker", "run", "--rm", 
-            "-v", f"{dump_dir}:/dumps/{dump}", 
-            "-v", f"{cache_dir}:/home/root/.cache",
-            "-v", f"{symbols_path}:/tmp", 
-            "-v", f"{plugin_dir}:/root/plugins_dir",
-            "-ti", docker_image,
-            "vol",
-            "-q",
-            "-f", f"/dumps/{dump}",
-            "-s", "/tmp",
-            "-p", "/root/plugins_dir",
-            "-r", "json",
-            command
-        ]
-    
-    def generate_command_volatility3_text(self, command, dump, dump_dir, symbols_path, docker_image, cache_dir, plugin_dir):
-        # Generates the Docker command to run a Volatility3 module with text output
-        return [
-            "docker", "run", "--rm", 
-            "-v", f"{dump_dir}:/dumps/{dump}", 
-            "-v", f"{cache_dir}:/home/root/.cache",
-            "-v", f"{symbols_path}:/tmp", 
-            "-v", f"{plugin_dir}:/root/plugins_dir",
-            "-ti", docker_image,
-            "vol",
-            "-q",
-            "-f", f"/dumps/{dump}",
-            "-s", "/tmp",
-            "-p", "/root/plugins_dir",
-            command
-        ]
-
-    def execute_command_volatility3(self, command, dump, dump_dir, symbols_path, docker_image, cache_dir, plugin_dir, output_dir, format, quiet=False, lock=None, host_path=None):
+    def execute_command_volatility3(self, command, dump, dump_dir, symbols_path, docker_image, cache_dir, plugin_dir, output_dir, format, quiet=False, lock=None, host_path=None, fetch_symbols=False):
         # Executes a Volatility3 command in Docker and handles output
         if not quiet:
             self.safe_print(f"[+] Starting {command}...", lock)
@@ -98,6 +62,9 @@ class multi_volatility3:
         dump_filename = os.path.basename(dump)
         base_args = f"vol -q -f /dump_dir/{dump_filename} -s /symbols -p /plugins"
 
+        if fetch_symbols:
+            base_args = f"{base_args} --remote-isf-url https://github.com/Abyss-W4tcher/volatility3-symbols/raw/master/banners/banners.json"
+
         if format == "json":
             self.output_file = os.path.join(output_dir, f"{command}_output.json")
             cmd_args = f"{base_args} -r json {command}"
@@ -224,6 +191,7 @@ class multi_volatility3:
                 ]
         elif opsys == "windows.light":
             return ["windows.cmdline.CmdLine",
+                    "windows.info.Info",
                     "windows.filescan.FileScan",
                     "windows.netscan.NetScan",
                     "windows.netstat.NetStat",

multivol/multivol.py

@@ -111,8 +111,11 @@ def runner(arguments):
             )
         else:
             # Enforce priority execution for Info module to ensure symbols are downloaded/cached
-            info_module = "windows.info.Info"
-            if info_module in commands:
+            if arguments.windows:
+                info_module = "windows.info.Info"
+            else:
+                info_module = "linux.bash.Bash"
+            if arguments.windows or (arguments.linux and arguments.fetch_symbol):
                 commands.remove(info_module)
                 volatility3_instance.execute_command_volatility3(info_module, 
                                                                 os.path.basename(arguments.dump), 
@@ -125,7 +128,8 @@ def runner(arguments):
                                                                 arguments.format,
                                                                 False, # quiet
                                                                 lock,  # lock
-                                                                arguments.host_path
+                                                                arguments.host_path,
+                                                                True if arguments.fetch_symbol else False
                                                             )
 
             
@@ -142,7 +146,8 @@ def runner(arguments):
                 arguments.format,
                 False, # quiet=False so we see the output as it happens
                 lock, # lock
-                arguments.host_path
+                arguments.host_path,
+                True if arguments.fetch_symbol else False
                 )) for cmd in commands]
             
             # Progress counters
@@ -215,6 +220,7 @@ def main():
     vol3_os_group.add_argument("--linux", action="store_true", help="It's a Linux memory dump")
     vol3_os_group.add_argument("--windows", action="store_true", help="It's a Windows memory dump")
     vol3_parser.add_argument("--light", action="store_true", help="Use the principal modules.")
+    vol3_parser.add_argument("--fetch-symbol", action="store_true", help="Fetch automatically symbol from github.com/Abyss-W4tcher/volatility3-symbols", required=False)
     vol3_parser.add_argument("--full", action="store_true", help="Use all modules.")
     vol3_parser.add_argument("--format", help="Format of the outputs: json, text", required=False, default="text")
     vol3_parser.add_argument("--processes", type=int, required=False, default=None, help="Max number of concurrent processes")
@@ -242,6 +248,10 @@ def main():
         print("[-] --linux not available with --full or --light")
         sys.exit(1)
 
+    if args.fetch_symbol and not args.linux:
+        print("[-] --fetch-symbol only available with --linux")
+        sys.exit(1)
+
     # Validate output format
     if (args.format != "json") and (args.format != "text"):
         print("Format not supported !")

multivol-0.1.3.dist-info/METADATA

@@ -0,0 +1,128 @@
+Metadata-Version: 2.4
+Name: multivol
+Version: 0.1.3
+Summary: MultiVolatility: Analyze memory dumps faster than ever with Volatility2 and Volatility3 in parallel using Docker
+Home-page: https://github.com/BoBNewz/MultiVolatility
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.6
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pyyaml
+Requires-Dist: requests
+Requires-Dist: flask
+Requires-Dist: flask-cors
+Requires-Dist: docker
+Requires-Dist: rich
+Dynamic: classifier
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: home-page
+Dynamic: license-file
+Dynamic: requires-dist
+Dynamic: requires-python
+Dynamic: summary
+
+# MultiVolatility ⚡️
+
+**Analyze memory dumps faster than ever with Volatility2 and Volatility3 in parallel.**
+
+MultiVolatility (`multivol`) is a powerful CLI wrapper that orchestrates memory forensics using Docker. It parallizes execution across multiple CPU cores, dramatically reducing the time required to run full scan suites on `windows` or `linux` memory dumps.
+
+![Demo](https://raw.githubusercontent.com/BoBNewz/MultiVolatility/00d7b95cba1e35c9a4810f3e145bddc324e24628/CLI/demo.gif)
+## Features
+
+- **Parallel Execution**: runs multiple Volatility plugins simultaneously using your machine's full CPU power.
+- **Hybrid Support**: Seamlessly supports both **Volatility 2** and **Volatility 3**.
+- **Containerized**: Runs all analysis in Docker containers—no complex dependency hell or Python 2/3 conflicts on your host.
+- **Smart Caching**: Automatically manages symbol downloads and caching to prevent redundant network requests.
+- **Flexible Output**: Supports both textual reports and structured JSON output for integration with other tools (like the MultiVol Web UI).
+
+## Prerequisites
+
+1.  **Docker**: Ensure Docker Desktop (or Engine) is installed and running.
+    *   [Install Docker](https://docs.docker.com/get-docker/)
+2.  **Python 3.6+**
+
+## Installation
+
+You can install `multivol` directly from PyPI:
+
+```bash
+pip install multivol
+```
+
+### From Source
+
+Alternatively, you can clone the repository and install it locally:
+
+```bash
+git clone https://github.com/BoBNewz/MultiVolatility.git
+cd MultiVolatility/CLI
+pip install .
+```
+
+This installs the `multivol` command available system-wide.
+
+### Building the Docker Images
+Before running the tool, you must build the analysis images:
+
+```bash
+# Build Volatility 2
+docker build Dockerfiles/volatility2/ -t volatility2:latest
+
+# Build Volatility 3
+docker build Dockerfiles/volatility3/ -t volatility3:latest
+```
+
+## Usage
+
+The basic syntax is:
+
+```bash
+multivol [vol2|vol3] --dump <path_to_dump> --image <docker_image> [options]
+```
+
+### Examples
+
+**Run a standard Windows analysis with Volatility 3:**
+```bash
+multivol vol3 --dump memdump.raw --image volatility3:latest --windows --light
+```
+
+**Run a full analysis on a Linux dump:**
+```bash
+multivol vol3 --dump linux_dump.wem --image volatility3:latest --linux --full
+```
+
+**Use Volatility 2 with a specific profile:**
+```bash
+multivol vol2 --dump box_win7.raw --image volatility2:latest --profile Win7SP1x64 --windows --light
+```
+
+### Options
+
+| Option | Description |
+| :--- | :--- |
+| `--dump` | **Required.** Path to the memory dump file. |
+| `--image` | **Required.** Name of the Docker image to use (e.g., `volatility3:latest`). |
+| `--windows` / `--linux` | **Required.** Specify the OS of the memory dump. |
+| `--light` | Run a curated set of essential plugins (Fast). |
+| `--full` | Run the comprehensive suite of all available plugins (Slow). |
+| `--commands` | Run a specific comma-separated list of plugins (e.g., `pslist,filescan`). |
+| `--processes` | Limit the number of concurrent Docker containers (Default: CPU Count). |
+| `--api` | Start the tool in API mode for Web UI integration. |
+
+## Web Integration
+
+MultiVol comes with a companion Web Interface for visualizing results and creating scans (Process Trees, File Browsers, etc.).
+
+To use the CLI as a backend for the Web UI:
+ (optional).
+ 
+Run `multivol --api`. or use the `docker-compose.yml`
+
+## License
+
+This project is licensed under the GNU General Public License v3.0 - see the [LICENSE](LICENSE) file for details.

multivol-0.1.3.dist-info/RECORD

@@ -0,0 +1,11 @@
+multivol/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+multivol/api.py,sha256=N_7Sm8Ys_rjRI9MLm-ThTMcDXe6JJU1G11p6zljvQUs,37503
+multivol/multi_volatility2.py,sha256=_Z2yxF05xLjzJSZBBisUEMT6WKy1YahbH4E-l41XvnI,9789
+multivol/multi_volatility3.py,sha256=9jSfw5ti9TKTGO_tbeM4IaCJfufpNQoR_wILHF4Rmbs,9608
+multivol/multivol.py,sha256=TI3y7jcC39XK3zxgwlKiOmTfOT69jzNDgbqf44p11Qc,13435
+multivol-0.1.3.dist-info/licenses/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+multivol-0.1.3.dist-info/METADATA,sha256=P_825nIZyAAIZlo-gXzPdjNpwdV-vK1UOXbybwQq_IY,4292
+multivol-0.1.3.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+multivol-0.1.3.dist-info/entry_points.txt,sha256=FM4lUHzrKUmV37U6IemQkRGXEJdgyB7-dwtw1jgwTQc,52
+multivol-0.1.3.dist-info/top_level.txt,sha256=DcxSP883XnM_ad5TXyCIZkzDcYSoI1bPTie_AzHlN0A,9
+multivol-0.1.3.dist-info/RECORD,,

multivol-0.1.0.dist-info/METADATA

@@ -1,45 +0,0 @@
-Metadata-Version: 2.4
-Name: multivol
-Version: 0.1.0
-Summary: MultiVolatility: Analyze memory dumps faster than ever with Volatility2 and Volatility3 in parallel using Docker
-Home-page: https://github.com/BoBNewz/MultiVolatility
-Classifier: Programming Language :: Python :: 3
-Classifier: License :: OSI Approved :: MIT License
-Classifier: Operating System :: OS Independent
-Requires-Python: >=3.6
-Description-Content-Type: text/markdown
-License-File: LICENSE
-Requires-Dist: pyyaml
-Requires-Dist: requests
-Requires-Dist: flask
-Requires-Dist: flask-cors
-Requires-Dist: docker
-Requires-Dist: rich
-Dynamic: classifier
-Dynamic: description
-Dynamic: description-content-type
-Dynamic: home-page
-Dynamic: license-file
-Dynamic: requires-dist
-Dynamic: requires-python
-Dynamic: summary
-
-# MultiVolatility
-
-MultiVolatility uses multi-processing to run volatility2 and volatility3 docker containers.
-The tool comes with the possibility to send JSON outputs to a web application.
-
-## Build docker images
-
-```shell
-git clone https://github.com/BoBNewz/MultiVolatility.git
-cd MultiVolatility
-docker build Dockerfiles/volatility2/ -t volatility2
-docker build Dockerfiles/volatility3/ -t volatility3
-```
-
-## Send outputs to the web application
-
-Modify the URL and the API password in the config.yml.
-
-![MultiVolatility](https://github.com/user-attachments/assets/f77c636d-b647-4218-9617-20268616689c)

multivol-0.1.0.dist-info/RECORD

@@ -1,11 +0,0 @@
-multivol/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-multivol/api.py,sha256=N_7Sm8Ys_rjRI9MLm-ThTMcDXe6JJU1G11p6zljvQUs,37503
-multivol/multi_volatility2.py,sha256=_Z2yxF05xLjzJSZBBisUEMT6WKy1YahbH4E-l41XvnI,9789
-multivol/multi_volatility3.py,sha256=y7_vDG9iQcpPMYwyejq2V1Hhjkzml-2E8Xa0LW0LEXU,10733
-multivol/multivol.py,sha256=7OP8SpmLL-t6Tuf7Gz4ecqQIRRPj-la0uXpfXHql8Jg,12824
-multivol-0.1.0.dist-info/licenses/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
-multivol-0.1.0.dist-info/METADATA,sha256=JdTQKyTRlTprtU9XAIBlEdZ8N10VmQokDxTGsXhheIY,1383
-multivol-0.1.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-multivol-0.1.0.dist-info/entry_points.txt,sha256=FM4lUHzrKUmV37U6IemQkRGXEJdgyB7-dwtw1jgwTQc,52
-multivol-0.1.0.dist-info/top_level.txt,sha256=DcxSP883XnM_ad5TXyCIZkzDcYSoI1bPTie_AzHlN0A,9
-multivol-0.1.0.dist-info/RECORD,,