ForensicTools/Tessera-464_2131-Green
Tessera

Author: Kayla Green

Front-end wrapper for The Volatility Framework.

This tool is an interactive, easier-to-use wrapper around the already popular Volatility framework. It is currently written in Python and shells out to Volatility through subprocess calls (ew, I know), because the Volatility libraries are cumbersome to import and drive directly.

Usage

Run the program with:
./tessera

On startup, Tessera asks whether you would like to create a case.
Creating a case means that everything you enter is stored in a file for easy record keeping.
Choosing no skips case building.
Choosing yes brings you into the case-building menu. The case name is a free-form string.

Enter case name: Case#067 - Mark Phillips

Tessera will then ask for a list of investigator names. Terminate the list by entering a "."

Enter investigator names: John Doe
Mary Sue
.

Next, Tessera asks for the location of the memory image being analyzed. It verifies that the file exists; if it cannot find the image, it asks for a new location.
Enter full path to image: /home/john/forensics/mark.img

Tessera then hashes the image with SHA-1 and displays the digest. If you chose to build a case, the digest is written to the case file at the end of the run. Compare it against the hash recorded at acquisition time before trusting any results; SHA-1 is what the current version computes, so if your evidence-handling procedure requires a stronger digest, compute one separately and record both.

Tessera then runs Volatility's imageinfo plugin against the image to obtain its suggested profiles. It lists them and asks you to choose a number. If you enter nothing (just hit enter), it takes the first suggestion. Note that imageinfo's suggestions are heuristic and the first one is not always correct; if plugins return nothing useful, come back and try the next candidate. If you choose OTHER, it prompts for a profile name, which must be a profile that Volatility knows about (vol.py --info lists them).

Profile appears to be:
1. WIN7SP0x64
2. WIN7SP1x64
3. OTHER
Choose profile: 3
Enter profile: WIN2008R2SP0x64

Tessera then attempts to build the case from the information you have given it. If the case is built successfully and Tessera runs into no problems, it reports success. Otherwise it will (hopefully) exit gracefully.
Case successfully built.

From here on, Tessera asks what type of information you want to pull from the image. The list of supported plugins is in the plugins.txt file; by default it is the same plugin list shipped with the standalone Volatility Framework. To run a plugin, simply type its name.

Gathered information is written to a directory created next to the image file, laid out as:
/IMAGE_LOCATION/Tessera/case_file/output
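The case-building flow described above (verify the image path, hash it, parse imageinfo's suggested profiles, pick one, run a plugin and log the command), as an added example. This is not Tessera's own code. It assumes the Volatility 2 command-line entry point is vol.py on PATH, mirrors the README's output layout (image directory/Tessera/case name/output), and uses a constructed imageinfo transcript and a constructed three-byte "image" in place of a real run, with the vol.py call swappable for a fake so the whole thing runs offline.

```python
"""Added example: a minimal Tessera-style case builder (not the project's code)."""
import hashlib
import re
import shlex
import subprocess
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Constructed imageinfo transcript in Volatility 2's output format; not a real run.
SAMPLE_IMAGEINFO = """Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x64, Win7SP1x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/john/forensics/mark.img)
"""
PROFILE_RE = re.compile(r"Suggested Profile\(s\)\s*:\s*(.+)")


def sha1_file(path, chunk=1 << 20):
    """Stream the image through SHA-1; memory images are large, so never read() them whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path):
    """Tessera re-prompts until the image exists; here a missing file is an error."""
    p = Path(path).expanduser().resolve()
    if not p.is_file():
        raise FileNotFoundError(f"image not found: {p}")
    return p


def parse_imageinfo(text):
    """Extract the comma-separated profile list from imageinfo output."""
    m = PROFILE_RE.search(text)
    return [p.strip() for p in m.group(1).split(",") if p.strip()] if m else []


def choose_profile(profiles, choice="", other=None):
    """Empty choice -> first suggestion (Tessera's default); N+1 is the OTHER entry."""
    if not choice.strip():
        return profiles[0]
    n = int(choice)
    if n == len(profiles) + 1:
        if not other:
            raise ValueError("OTHER chosen but no profile name supplied")
        return other
    if not 1 <= n <= len(profiles):
        raise ValueError(f"choice out of range: {n}")
    return profiles[n - 1]


def vol_command(image, profile, plugin):
    """Build argv as a list: no shell, so an odd image path is never re-parsed."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", plugin):
        raise ValueError(f"refusing unexpected plugin name: {plugin!r}")
    return ["vol.py", "-f", str(image), f"--profile={profile}", plugin]


@dataclass
class Case:
    name: str
    investigators: list
    image: Path
    sha1: str
    profile: str
    outdir: Path
    log: Path = field(init=False)

    def __post_init__(self):
        self.outdir.mkdir(parents=True, exist_ok=True)
        self.log = self.outdir.parent / "commands.log"  # backend command log


def build_case(name, investigators, image_path, imageinfo_text, choice="", other=None):
    image = verify_image(image_path)
    profile = choose_profile(parse_imageinfo(imageinfo_text), choice, other)
    outdir = image.parent / "Tessera" / name / "output"
    return Case(name, list(investigators), image, sha1_file(image), profile, outdir)


def run_plugin(case, plugin, runner=subprocess.run):
    """Run one plugin, save its stdout under output/, append the exact command to the log."""
    cmd = vol_command(case.image, case.profile, plugin)
    res = runner(cmd, capture_output=True, text=True)
    out = case.outdir / f"{plugin}.txt"
    out.write_text(res.stdout)
    with open(case.log, "a") as f:
        f.write(shlex.join(cmd) + "\n")
    return out


def demo(workdir=None):
    """End-to-end run on a constructed image with a fake vol.py (assumption: no Volatility installed)."""
    root = Path(workdir or tempfile.mkdtemp(prefix="tessera-"))
    img = root / "mark.img"
    img.write_bytes(b"abc")  # constructed stand-in for a memory image
    case = build_case("Case#067 - Mark Phillips", ["John Doe", "Mary Sue"], img,
                      SAMPLE_IMAGEINFO, choice="3", other="Win2008R2SP0x64")

    def fake_vol(cmd, **kw):  # replaces subprocess.run so the example runs offline
        return subprocess.CompletedProcess(cmd, 0, stdout=f"fake output of {cmd[-1]}\n", stderr="")

    outfile = run_plugin(case, "pslist", runner=fake_vol)
    return case, outfile, case.log.read_text().splitlines()


if __name__ == "__main__":
    c, o, log = demo()
    print(c.sha1, c.profile, o, log, sep="\n")
```

Swap the fake runner for the default subprocess.run to drive a real vol.py; passing argv as a list rather than a shell string is the point of vol_command, and commands.log then holds the exact invocation for the report.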

In addition, a hail mary option is available that drills through every available plugin. This is not a smart function: it performs no OS detection, so plugins meant for other operating systems are attempted against the image as well and will simply fail or produce noise. Use at your own risk.

Future Additions

  1. Create log of volatility commands utilized on backend (FINISHED)
  2. Create base Tessera config file to store commonly chosen items (investigator names, etc.)
  3. Generate LaTeX-built Forensic Reports of Collected Information and Commands Issued
  4. Rebuild in C++ for Speed and easier transport

About

Front-end package for memory capture and forensic tools