Volatility 2.4 Standalone executable integration with EnCase for centralized reporting of memory forensic results through the use of bookmarks.

Download the Volatility 2.4 Standalone executable from The Volatility Foundation. The plugin needs to be configured with the location of the Volatility program by right clicking on the memory image that displays a tool menu called Volatility 2.4 Standalone. Choose the Executable Location option that will allow you to browse and select the program. The identified location will be stored in a configuration file that the plugin will reference.

EnCase will export the acquired PhysicalMemory to a DD format using the unique GUID as identification so that it can be stored in the case specific temporary folder. Volatility will run the requested commands against the memory and return the completed analysis to the Console View plus create a Note Bookmark for centralized reporting. The examiner can execute their own Volatility analysis by using the Command Ninja option that provides a completed command line -f argument for the memory location to get them started. Also you can set the --profile command line argument by right clicking on the memory image and choosing the Profile Selection option.

This script was developed for use in EnCase training. For more details, please click the following link:

• OpenText EnCase Training