Voltaire – New Tool for Cyber Incident Response from LIFARS

What is Voltaire/Voila?
At LIFARS, we process memory images as part of our incident response work. In these cases speed matters: the analyst should be reviewing data, not babysitting tool invocations. We therefore wrote a set of bash scripts to automate the routine steps, and later rewrote them in Python.

Because it wraps Volatility, we called it _Voltaire_, in honor of the French Enlightenment writer. As the Python script grew, we added a companion shell script, _voila_, that covers the most common invocations.

As a cybersecurity company, we believe our job is to make the Internet a safer place. We have therefore open-sourced the code to help the security community.


What does Voltaire/Voila do?

Its basic role is to run a series of Volatility plugins against a memory image, extract their output, and store it in a SQLite database. Once the data is in the database, a set of queries runs automatically to flag known patterns that indicate “bad things”, so the analyst starts from a list of leads rather than from raw plugin output.

For example, we run a series of tests akin to the SANS “Find Evil” checks (expected parent, expected number of instances and expected path for the core Windows processes), or we look for variations on known process names, such as a process named to look like lsass.exe or svchost.exe.
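To make the pipeline concrete, here is an added example, not Voltaire's own code (which is on GitHub), that loads process-listing rows into an in-memory SQLite database and runs three triage queries over it: process names within edit distance 1 or 2 of a core Windows process name, processes whose parent is not the expected one, and processes that should be unique but appear more than once. The sample rows, the baseline name list and the parent rules are constructed for illustration; in a real run the rows would come from the pslist plugin's output, and Voltaire's actual rule set is not reproduced on this page.

```python
"""Added example (not Voltaire's own code): load process-listing rows into
SQLite and run 'Find Evil'-style and name-lookalike triage queries."""
import sqlite3
from typing import Iterable, List, Tuple

# Constructed sample in the shape a pslist plugin reports: (pid, ppid, name).
# In a real run these rows would be loaded from the Volatility plugin output.
SAMPLE_PSLIST: List[Tuple[int, int, str]] = [
    (4, 0, "System"),
    (320, 4, "smss.exe"),
    (412, 404, "csrss.exe"),
    (468, 404, "wininit.exe"),
    (560, 468, "services.exe"),
    (576, 468, "lsass.exe"),
    (700, 560, "svchost.exe"),
    (1180, 560, "svchost.exe"),
    (2990, 1900, "explorer.exe"),
    (2204, 1180, "svch0st.exe"),   # zero instead of 'o': lookalike name
    (2310, 2990, "svchost.exe"),   # parent is explorer.exe, not services.exe
    (2400, 2990, "lsass.exe"),     # second lsass.exe, and wrong parent
]

# Baseline of core Windows process names (illustrative; not Voltaire's list).
KNOWN_NAMES = ["system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
               "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"]
# Expected-parent and single-instance rules in the spirit of the SANS
# "Find Evil" poster (assumed here for illustration).
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe",
                   "services.exe": "wininit.exe"}
SINGLE_INSTANCE = ["lsass.exe", "services.exe", "wininit.exe"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; registered as a SQL function so the lookalike
    check can be expressed as a query instead of a Python loop."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_db(rows: Iterable[Tuple[int, int, str]]) -> sqlite3.Connection:
    """Create an in-memory database holding the plugin output and the baseline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pslist (pid INTEGER, ppid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO pslist VALUES (?, ?, ?)", rows)
    conn.execute("CREATE TABLE known (name TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO known VALUES (?)", [(n,) for n in KNOWN_NAMES])
    conn.create_function("editdist", 2, edit_distance)
    conn.commit()
    return conn


def find_lookalikes(conn: sqlite3.Connection) -> List[Tuple[int, str, str]]:
    """Names within edit distance 1-2 of a known name that are not themselves known."""
    return conn.execute(
        "SELECT p.pid, p.name, k.name FROM pslist p JOIN known k "
        "ON editdist(lower(p.name), k.name) BETWEEN 1 AND 2 "
        "WHERE lower(p.name) NOT IN (SELECT name FROM known) ORDER BY p.pid"
    ).fetchall()


def find_bad_parents(conn: sqlite3.Connection) -> List[Tuple[int, str, str]]:
    """Processes whose parent is missing from the listing or not the expected one."""
    hits: List[Tuple[int, str, str]] = []
    for child, parent in EXPECTED_PARENT.items():
        hits += conn.execute(
            "SELECT c.pid, c.name, COALESCE(p.name, '<missing>') FROM pslist c "
            "LEFT JOIN pslist p ON c.ppid = p.pid "
            "WHERE lower(c.name) = ? AND lower(COALESCE(p.name, '')) != ? "
            "ORDER BY c.pid", (child, parent)).fetchall()
    return hits


def find_extra_instances(conn: sqlite3.Connection) -> List[Tuple[str, int]]:
    """Names that should occur exactly once but occur more often."""
    marks = ",".join("?" * len(SINGLE_INSTANCE))
    return conn.execute(
        f"SELECT lower(name), COUNT(*) FROM pslist WHERE lower(name) IN ({marks}) "
        "GROUP BY lower(name) HAVING COUNT(*) > 1", SINGLE_INSTANCE).fetchall()


if __name__ == "__main__":
    db = build_db(SAMPLE_PSLIST)
    for label, check in [("lookalike", find_lookalikes), ("parent", find_bad_parents),
                         ("count", find_extra_instances)]:
        for row in check(db):
            print(label, row)
```

Keeping the baseline in its own table and registering the distance function in SQLite means new checks can be added as queries without touching the loader; note that a missing parent (PPID of a process that has already exited) is reported rather than silently passed, since a parent that is no longer in the listing is itself worth a look.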


Learn more about LIFARS New Open Source Tool:

LIFARS Voltaire – New Open Source Tool for Cyber Incident Response Triage

Voltaire by LIFARS, LLC: github.com/Lifars

“Volatility Framework – Volatile memory extraction utility framework”: github.com/volatilityfoundation/volatility

“Volatility 3.0 development”: github.com/volatilityfoundation/volatility3