AutoProbe is a Bash script designed to automate the process of investigating memory dumps for suspicious processes. The script utilizes the Volatility framework to perform a series of checks and analyses, making it easier for forensic analysts to identify potentially malicious activities within memory images.
- Automatically identifies the memory image profile
- Lists processes using `pslist`, `psscan`, and `psxview`
- Compares the results to identify hidden or terminated processes
- Categorizes processes (singleton, Windows core, non-core)
- Inspects handles, registry keys, and DLLs for selected processes
- Dumps processes and analyzes their loaded DLLs
- Submits the hashes of dumped processes to VirusTotal for scanning
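The cross-check between `pslist` and `psscan` is the core of the "hidden or terminated" step above. The following Bash snippet is an added example, not AutoProbe's own code: it parses the Volatility 2 column layout of both plugins, reports every PID that `psscan` carved from pool memory but `pslist` did not walk in the active process list, and uses the presence of a "Time exited" timestamp to separate terminated processes from unlinked candidates. It also counts singleton Windows core processes, since a second `lsass.exe` or `services.exe` is a classic red flag. The listings embedded below are constructed to mimic the plugin output format; they do not come from a real dump.

```bash
#!/usr/bin/env bash
# Added example (not part of AutoProbe). Compares constructed Volatility 2 pslist and
# psscan listings; the PIDs, offsets and timestamps below are made up for illustration.
set -u

# Constructed pslist-style output: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
sample_pslist() {
cat <<'EOF'
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000c9c040 System                    4      0     91      486 ------      0 2024-01-01 10:00:00 UTC+0000
0xfffffa8001a2b060 csrss.exe               348    340      9      485      0      0 2024-01-01 10:00:02 UTC+0000
0xfffffa8001c33b30 explorer.exe           1688   1612     31      856      1      0 2024-01-01 10:00:30 UTC+0000
EOF
}

# Constructed psscan-style output: Offset(P) Name PID PPID PDB "Time created" ["Time exited"]
# A process with an exit timestamp has 11 whitespace-separated fields; a running one has 8.
sample_psscan() {
cat <<'EOF'
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e0c9040 System                4      0 0x0000000000187000 2024-01-01 10:00:00 UTC+0000
0x000000003e62b060 csrss.exe           348    340 0x000000003f4a1000 2024-01-01 10:00:02 UTC+0000
0x000000003e733b30 explorer.exe       1688   1612 0x000000003f0b2000 2024-01-01 10:00:30 UTC+0000
0x000000003e8f2300 svchost.exe        2212   1688 0x000000003e7d3000 2024-01-01 10:05:11 UTC+0000
0x000000003e1a4500 cmd.exe            2600   1688 0x000000003e9e1000 2024-01-01 10:06:00 UTC+0000   2024-01-01 10:07:00 UTC+0000
EOF
}

# missing_from_pslist PSLIST_TEXT PSSCAN_TEXT
# Prints "PID NAME STATUS" for every psscan entry whose PID is absent from pslist.
# STATUS is "exited" when psscan shows an exit time (a terminated process whose
# _EPROCESS still sits in pool memory) and "hidden-candidate" otherwise, which is
# what a DKOM-unlinked process looks like and deserves a closer look.
missing_from_pslist() {
    local pslist_file psscan_file
    pslist_file=$(mktemp); psscan_file=$(mktemp)
    printf '%s\n' "$1" > "$pslist_file"
    printf '%s\n' "$2" > "$psscan_file"
    # First pass (NR==FNR) records pslist PIDs; second pass filters psscan lines.
    # FNR>2 skips the header and the dashed separator line of each listing.
    awk 'NR == FNR { if (FNR > 2 && NF >= 3) seen[$3] = 1; next }
         FNR > 2 && NF >= 3 && !($3 in seen) {
             print $3, $2, (NF >= 11 ? "exited" : "hidden-candidate")
         }' "$pslist_file" "$psscan_file"
    rm -f "$pslist_file" "$psscan_file"
}

# duplicate_singletons LISTING_TEXT
# Prints "NAME COUNT" for singleton Windows core processes that appear more than once.
# The singleton set is a common forensic baseline, not something AutoProbe defines.
duplicate_singletons() {
    printf '%s\n' "$1" | awk -v names="smss.exe wininit.exe services.exe lsass.exe" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) single[a[i]] = 1 }
        NR > 2 && NF >= 3 && ($2 in single) { count[$2]++ }
        END { for (p in count) if (count[p] > 1) print p, count[p] }'
}

# Stand-alone run: report on the constructed listings.
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ]; then
    echo "Processes in psscan but not in pslist:"
    missing_from_pslist "$(sample_pslist)" "$(sample_psscan)"
    echo "Duplicate singleton core processes:"
    duplicate_singletons "$(sample_psscan)"
fi
```

On real output, feed the text of `volatility -f <image> --profile=<profile> pslist` and `psscan` to `missing_from_pslist`; a "hidden-candidate" entry should then be confirmed with `psxview`, since `psscan` can also carve stale `_EPROCESS` structures from freed pool that were never unlinked by an attacker.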
To install the standalone version of Volatility on Linux, follow these steps:

- Go to the Volatility 2.6.1 release page and download the standalone file for Linux.
- Unzip the downloaded file. You can use the `unzip` command in the terminal.
- Rename the extracted binary and move it onto your `PATH`:

```bash
mv <filename> volatility
sudo mv volatility /usr/bin
```
To install and run AutoProbe:

- Clone the repository:

```bash
git clone https://github.com/yourusername/autoprobe.git
cd autoprobe
```

- Make the script executable:

```bash
chmod +x autoprobe.sh
```

- Run the script with a memory image:

```bash
./autoprobe.sh <memory image>
```

Replace `<memory image>` with the path to your memory dump file.
The script saves results and dumped files in the following directories:

- `results`: Contains scan results and analysis output
- `dump`: Contains dumped processes and DLLs
Contributions are welcome! Please fork the repository and create a pull request with your changes. For major changes, please open an issue to discuss what you would like to change.
This project is licensed under the GNU License.