evolve icon indicating copy to clipboard operation
evolve copied to clipboard
verified publisher icon JamesHabben

Feature Request: Allow Analysis of Multiple Memory Images

Open jpoling-dswrx opened this issue 9 years ago • 3 comments

Being able to work with multiple memory images at once (perhaps by utilizing sessions a la VolUtility) would be a great feature as compared to currently having to run a separate instance for each image.

jpoling-dswrx avatar May 19 '16 20:05 jpoling-dswrx

Thanks for the request. I have a bit of code heading in that direction already. Open to any more thoughts you might have about presenting it.

JamesHabben avatar May 19 '16 20:05 JamesHabben

If/once you incorporate image upload (or referencing of images to process on the same server) as I saw here (https://github.com/JamesHabben/evolve/issues/11), then all you'd have to add would be logic/code to context switch between images.

Specifically in terms of "presenting it" (purely UI/UX), tabs or drop-down at the top could suffice for switching amongst the images.

In the end, my vote would be to build a capability to create sessions (aka "Cases", "Investigations", etc.) that can:

  • Each hold multiple memory images
  • Be seen/shared by others

And, ultimately, all data can exist in a central repo of which can be queried to run searches against all plugin output from every image to find artifacts/commonalities in the entire DB.

I know some (if not all) may be completely outside the scope of this, but I share it in case it interests you or others care to comment/vote.

jpoling-dswrx avatar May 19 '16 22:05 jpoling-dswrx

I like that idea of having a central server. That would probably require a refactor on a different platform from bottle since it doesn't support things like authentication or SSL.

As it sits, the plugin data is available to anyone that can reach the webserver. That allows multiple examiners to be viewing the same plugin output. I haven't specifically tested it, but it should even handle multiple examiners submitting plugin jobs since it is all threaded on the host. The javascript in each examiner's browser handles the periodic checkin for status updates on plugin runs, and thats built by the server for each request.

With loading multiple images in, I have somewhat of a rough design in my head. Part of that will allow for VolDiff type functionality to compare images with each other, and to be able to view the results of multiple images in the same view. The javascript search on the plugin table is really fast and would allow you to quickly narrow down the records based on a keyword, and you would be able to spot patterns across dump files.

Love the ideas!

JamesHabben avatar May 19 '16 23:05 JamesHabben