blacktop / docker-volatility Goto Github PK

For instance, when running the mbrparser plugin, I get the following output:
Volatility Foundation Volatility Framework 2.3.1
ERROR : volatility.plugins.mbrparser: Install distorm3 code.google.com/p/distorm/

Is it possible to add Multi-Arch support? Trying to run this on Linux ARM64 VM in Apple silicon

The plugins in volatility/contrib/plugins are not enabled by default in volatility.

They are not included in the enabled plugins. The easiest way would be for them to be copied to /plugins

Upon running the following error appears
*** Failed to import volatility.plugins.community.LoïcJaquemet.vol_haystack (ImportError: cannot import name api)

Currently, the plugins tag fails to run volatility:

$ docker run --rm -v $(pwd):/data:ro blacktop/volatility:plugins --plugins=/plugins --info                                                   

Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.community.YingLi.python_strings (ImportError: No module named YingLi.python_strings)
ERROR   : volatility.debug    : Please install DPAPIck library: https://bitbucket.org/jmichel/dpapick
*** Failed to import volatility.plugins.community.StanislasLejay.linux.get_profile (ImportError: No module named linux.get_profile)
*** Failed to import volatility.plugins.community.FrancescoPicasso.mimikatz (AttributeError: 'module' object has no attribute 'ULInt32')
*** Failed to import volatility.plugins.community.AlexanderTarasenko.windbg (ImportError: No module named pykd)
*** Failed to import volatility.plugins.community.TranVienHa.osint (ImportError: No module named socks)

I guess as the Community repository evolves, new dependencies are added.

You need to hardcode a tag/commit in the Dockerfile to make sure you install all the dependencies in the build. I will try to create a PR.

Thx for the work maintaining this :-)

Following the instructions as listed here and on the docker hub, this does not work, as I don't have the silentbanker.vmem file.

Thanks for all your work on this image and for providing it to the community. Would it be possible to get a new version with the latest library of community plugins? In particular, baseline.py is not found in the current image.

Thanks.

Hello, it seems the dump files option seems to be dumping files out to the volatility container. Is there anyway to provide option to attached to local or expose the host OS director for dump file option?

This is a Windows 10 Enterprise image, but it is 17134.

PS docker run -it --rm -v D:\Memory:/data:ro blacktop/volatility imageinfo --filename=/data/hiber.raw --profile=Win10x64_17134
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with Win7SP1x64)
AS Layer1 : WindowsHiberFileSpace32 (Unnamed AS)
AS Layer2 : FileAddressSpace (/data/hiber.raw)
PAE type : No PAE
DTB : 0x1ad000L
KUSER_SHARED_DATA : 0xfffff78000000000L