What is Voltaire/Voila?
At LIFARS, we process memory images as part of our incident response work. In these cases speed matters, and analysts should be reviewing the data rather than focusing on the mechanics of running the tools. To that end, we developed a set of bash scripts, which we later ported to Python.
Because it is built around Volatility, we named it _Voltaire_, after the French Enlightenment writer. As the Python script grew, we added a companion shell script, _voila_, to cover the common invocations.
As a cybersecurity company, we believe our job is to make the Internet a better place, so we have decided to open source the code to help the security community.
What does Voltaire/Voila do?
Its basic role is to run a series of Volatility modules against a memory image, extract their output and store it in a SQLite database. Queries are then run against that database to automatically flag known patterns that indicate “bad things”.
For example, we run a series of tests akin to SANS’ “Find Evil …” checks, and we look for variations on known process names.
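As an added illustration (not Voltaire's own code), here is the pipeline described above in miniature: constructed pslist-style rows are loaded into SQLite, and two Find Evil-style queries flag a core process with an unexpected parent and a process name that nearly matches a known system process. The sample rows and the expected-parent table are assumptions for the example, not data from a real image.

```python
import sqlite3
from difflib import SequenceMatcher
# Constructed rows in the shape of Volatility pslist output (pid, ppid, name).
SAMPLE_PSLIST = [
    (400, 4, "smss.exe"),
    (520, 400, "csrss.exe"),
    (600, 400, "wininit.exe"),
    (700, 600, "services.exe"),
    (720, 600, "lsass.exe"),
    (900, 700, "svchost.exe"),
    (1300, 3000, "svchost.exe"),  # parent PID does not exist in the listing
    (2400, 900, "scvhost.exe"),   # lookalike of svchost.exe
]

# Expected parent per core Windows process, after the SANS "Find Evil"
# poster (assumed values; confirm them for the Windows version under review).
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
    "lsass.exe": "wininit.exe",
    "services.exe": "wininit.exe",
    "csrss.exe": "smss.exe",
}

def load_pslist(rows):
    """Load pslist rows into an in-memory SQLite table for querying."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pslist (pid INTEGER, ppid INTEGER, name TEXT)")
    db.executemany("INSERT INTO pslist VALUES (?, ?, ?)", rows)
    return db

def wrong_parent(db):
    """Core processes whose parent is missing or not the expected one."""
    hits = []
    for child, parent in EXPECTED_PARENT.items():
        hits += db.execute(
            "SELECT c.pid, c.name, COALESCE(p.name, '<missing>') "
            "FROM pslist c LEFT JOIN pslist p ON p.pid = c.ppid "
            "WHERE lower(c.name) = ? AND COALESCE(lower(p.name), '') != ?",
            (child, parent)).fetchall()
    return hits

def lookalike_names(db, threshold=0.85):
    """Names that nearly, but not exactly, match a known process name."""
    hits = []
    for pid, name in db.execute("SELECT pid, name FROM pslist"):
        for known in EXPECTED_PARENT:
            ratio = SequenceMatcher(None, name.lower(), known).ratio()
            if name.lower() != known and ratio >= threshold:
                hits.append((pid, name, known))
    return hits
```

On the sample rows, `wrong_parent` flags PID 1300 (svchost.exe with no parent in the listing) and `lookalike_names` flags PID 2400 (scvhost.exe); the similarity threshold is deliberately high so that legitimately similar names such as smss.exe and csrss.exe do not trigger.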
Learn more about LIFARS’ new open source tool:
LIFARS Voltaire – New Open Source Tool for Cyber Incident Response Triage
Voltaire by LIFARS, LLC: github.com/Lifars
“Volatility Framework – Volatile memory extraction utility framework”: github.com/volatilityfoundation/volatility
“Volatility 3.0 development”: github.com/volatilityfoundation/volatility3