Download the following 3 files (they are provided as a zip file):

- Criminalip
- practice
- db_file.db
First, the Criminalip folder is where the actual plugin lives, so put it under `volatility3\volatility3\framework\plugins` inside your Volatility3 checkout.
The remaining files, practice and db_file.db, are placed during the DB installation steps described below; copy them in, overwriting any existing files.
Finally, change the api_key and the path to db_file.db in each plugin so that they match your environment.
The plugin keeps a DB of every IP and URL it has already looked up, so anything that was searched once is answered from the DB instead of being sent to the API again; this saves API credits.
```shell
$ pip install alembic   # installed for DB migrations
```
Once the installation is complete, open the file `alembic.ini` (you can locate it with `Ctrl+P` in your editor). In `alembic.ini`, find the `sqlalchemy.url` setting and change it as follows; since we use sqlite3, the URL must point at the SQLite file:
```ini
sqlalchemy.url = sqlite:///db_file.db
```
After installation, move the practice and db_file.db files from the downloaded zip into the Volatility3 directory. The two values below appear in each plugin and must be edited to match your setup:
```python
import sqlite3

API_KEY = '${CRIMINALIP_API_KEY}'   # replace with your Criminal IP API key
# Use a raw string (or doubled backslashes) so that "\v" is not read as a
# vertical-tab escape; "$home" is the author's placeholder for your home directory.
conn = sqlite3.connect(r'C:\$home\volatility3\db_file.db')
```
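The credit-saving lookup cache described above, written out as an added example; this is not the plugin's own code. The page does not show the plugin's schema, so the table name `ip_cache`, its columns and the injectable `fetch` callable are assumptions, and the real Criminal IP call is replaced by a constructed in-memory dictionary so the example runs offline.

```python
import sqlite3
from typing import Callable

# Assumed schema: the real plugin's table layout is not shown on the page.
SCHEMA = """
CREATE TABLE IF NOT EXISTS ip_cache (
    ip         TEXT PRIMARY KEY,
    score      TEXT NOT NULL,                       -- verdict string returned by the API
    fetched_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
"""


class IpCache:
    """Answer repeated IP lookups from SQLite; only call the paid API on a miss."""

    def __init__(self, path: str, fetch: Callable[[str], str]):
        self.conn = sqlite3.connect(path)
        self.conn.executescript(SCHEMA)
        self.fetch = fetch      # the credit-costing query, injected so it can be faked
        self.api_calls = 0      # how many credits this session has spent

    def lookup(self, ip: str) -> str:
        # Parameter binding: the IP string comes out of a memory image and must
        # never be spliced into the SQL text.
        row = self.conn.execute(
            "SELECT score FROM ip_cache WHERE ip = ?", (ip,)
        ).fetchone()
        if row is not None:
            return row[0]                       # cache hit: no credit spent
        score = self.fetch(ip)                  # cache miss: one API credit
        self.api_calls += 1
        self.conn.execute(
            "INSERT OR REPLACE INTO ip_cache (ip, score) VALUES (?, ?)", (ip, score)
        )
        self.conn.commit()
        return score


def demo() -> tuple:
    """Look up the same IP twice and a second IP once; returns (api_calls, first, second)."""
    # Constructed stand-in for the Criminal IP API so the example runs offline.
    fake_api = {"198.51.100.7": "outbound:critical", "203.0.113.9": "outbound:low"}
    cache = IpCache(":memory:", lambda ip: fake_api.get(ip, "unknown"))
    first = cache.lookup("198.51.100.7")
    second = cache.lookup("198.51.100.7")       # served from SQLite, api_calls unchanged
    cache.lookup("203.0.113.9")
    return cache.api_calls, first, second


if __name__ == "__main__":
    print(demo())
```

Three lookups cost two credits because the repeated IP is answered from the table. The `fetched_at` column is there so a caller can expire old rows: a reputation verdict cached months ago may no longer reflect the IP's current state, so a production cache should re-query after a chosen age rather than serve stale results forever.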
| Column | Description |
|---|---|
| Timeline | Connection time information |
| Pid | Pid value |
| Owner | Process name |
| proto | Protocol type |
| LocalAddr | Src IP and port information |
| ForeignAddr | Dst IP and port information |
| inbound/outbound | Score of the dst IP in Criminal IP |
| tags | Information regarding issues associated with the dst IP |
| representative | Representative domain information of the IP |
| ids | Information corresponding to Snort rules |
| abuse | Reported incidents and the number of malicious codes associated with the IP |
```shell
$ Criminalip.criminalipip
$ Criminalip.criminalipip --malIP
```
[Example output of `criminalipip` and `criminalipip --malIP` (images not included)]
| Column | Description |
|---|---|
| Timeline | Connection time information |
| Pid | Pid value |
| Process | Process name |
| URL | URL information extracted from the process |
| TotalScore | Final score when the URL is searched in Domain Search |
| Phishing Score | The probability of the URL being a phishing site |
| Domain type | Domain category information set by Google |
| DGA score | AI-assigned score for whether the domain was created with a random naming convention |
| Real IP | Number of real IPs |
| Domain created | Domain creation date |
| abuse | Number of IPs connected to the domain that have been reported as malicious |
| Fake https URL | False https URL status |
| Suspicious URL | URLs that may be suspected of phishing: longer than 30 characters / use punycode / presence of the "@" string |
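The three "Suspicious URL" criteria from the last column, implemented as an added example rather than the plugin's own code; the function names, the `MAX_URL_LEN` constant and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Threshold taken from the "Suspicious URL" column description above.
MAX_URL_LEN = 30


def suspicious_url_reasons(url: str) -> list:
    """Return the names of the heuristics that fire for ``url`` (empty list = none)."""
    reasons = []

    # 1. Length: overly long URLs push the real host out of the visible address bar.
    if len(url) > MAX_URL_LEN:
        reasons.append("length")

    # 2. Punycode: IDNA-encoded labels start with "xn--"; look-alike (homoglyph)
    #    domains such as "xn--pple-43d.com" are stored in this form.
    host = urlsplit(url).hostname or ""
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode")

    # 3. "@": a browser treats everything before it as userinfo, so
    #    "https://bank.example@evil.example/" actually connects to evil.example.
    if "@" in url:
        reasons.append("at-sign")

    return reasons


def is_suspicious(url: str) -> bool:
    return bool(suspicious_url_reasons(url))


# Constructed sample URLs (not taken from a real memory image).
SAMPLE_URLS = [
    "http://a.io",
    "https://xn--pple-43d.com/",
    "https://bank.example@evil.example/",
    "https://example.com/login?session=abcdef",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u!r}: {suspicious_url_reasons(u) or 'ok'}")
```

The length rule is a coarse filter and will flag many legitimate URLs with query strings, which is why the column is described as "may be suspected" rather than as a verdict; the punycode and "@" checks are the stronger signals and are worth reviewing first when triaging the plugin's output.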
```shell
$ Criminalip.criminalipdomain
$ Criminalip.criminalipdomain --malD
$ Criminalip.criminalipdomain --HardWhite
$ Criminalip.criminalipdomain --malD --HardWhite
```
[Example output of `criminalipdomain`, `criminalipdomain --malD` and `criminalipdomain --malD --HardWhite` (images not included)]
Volatility Software License, Version 1.0 dated October 3, 2019. This license covers the Volatility software, Copyright 2019 Volatility Foundation.

Software: https://github.com/volatilityfoundation/volatility3/blob/develop/LICENSE.txt