SSF Tools - Forensic Analysis Toolkit for cybersecurity professionals
Project description
SSF Tools - Forensic Analysis Toolkit
A forensic analysis toolkit for cybersecurity professionals performing PCI Secure Software Framework assessments and general forensic analysis.
Features
- Volatility Integration: Automated memory analysis workflows using Volatility 3
- Rich CLI Interface: Beautiful, user-friendly command-line interface with colored output
- Intelligent Process Matching: Handles process name truncation and partial extension matching
- File Collision Management: Smart handling of existing files with user-controlled resolution
- Cross-Platform Support: Works on Windows, macOS, and Linux
Installation
Prerequisites
- Python 3.11+ - Required for the SSF Tools CLI
- Volatility 3 - Required for memory analysis
# Install Volatility 3 (recommended via pipx)
pipx install volatility3[full]
# Verify volatility installation
vol.exe --help # Windows
vol --help # Linux/macOS
Install SSF Tools
# Clone the repository
git clone https://github.com/kirkpatrickprice/ssf-tools.git
cd ssf-tools
# Install with uv (recommended)
uv sync
uv run ssf_tools --help
# Or install with pip
pip install -e .
ssf_tools --help
Usage
Volatility Memory Analysis
The volatility sub-command performs comprehensive memory analysis on RAM images:
# Basic usage
ssf_tools volatility memory.dd windows interesting-processes.txt
# With custom options
ssf_tools volatility \
--results-dir ./analysis_results \
--pid-list-file custom-pids.txt \
memory.dd windows interesting-processes.txt
Required Arguments:
IMAGE_FILE: Path to the RAM image file (e.g., memory.dd)PLATFORM: Target platform (windows,mac, orlinux)INTERESTING_PROCESSES_FILE: Text file with process names to analyze (one per line)
Optional Arguments:
--results-dir, -r: Directory to save results (default:<image_dir>/volatility/<image_name>)--pid-list-file, -p: Filename for PID list output (default:pid-list.txt)
Creating an Interesting Processes File
Create a text file with process names you want to analyze:
notepad
chrome
firefox
svchost
explorer
powershell
lsass
The tool handles:
- Case-insensitive matching
- Partial matches (for truncated output)
- Extension flexibility (matches both
notepadandnotepad.exe) - Multiple instances (automatically numbered:
svchost,svchost_2, etc.)
Workflow
The volatility command performs these steps:
- Extract Process List: Runs
volatility pslistto get all processes - Match Interesting Processes: Finds PIDs for your specified processes
- Extract File Handles: Gets file handles for each interesting process
- Extract Memory Dumps: Creates memory dumps for each process
Output Files
Analysis results are saved to the results directory:
results/
├── pid-list.txt # Raw volatility pslist output
├── interesting_pids.json # Matched processes with PIDs
├── handles.txt # File handles for all processes
└── *.dmp # Memory dump files (one per process)
File Collision Handling
When files already exist, the tool prompts for resolution:
- JSON files: Overwrite, Append (merge), or Create new
- Text files: Overwrite, Append, or Create new
- Memory dumps: Overwrite, Keep both (with timestamp), or Skip
Examples
# Windows memory analysis
ssf_tools volatility memory.dd windows processes.txt
# Linux memory analysis with custom output
ssf_tools volatility --results-dir /tmp/analysis memory.lime linux interesting.txt
# macOS analysis
ssf_tools volatility osx_memory.dmg mac processes.txt
Development
# Install development dependencies
uv sync --dev
# Run tests
uv run pytest
# Run linting
uv run ruff check .
# Format code
uv run ruff format .
Contributing
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests
- Submit a pull request
License
MIT License - see LICENSE file for details.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file kp_ssf_tools-0.1.0.tar.gz.
File metadata
- Download URL: kp_ssf_tools-0.1.0.tar.gz
- Upload date:
- Size: 16.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.6.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
75bcd285bd98e054806a77d88dbcee51f88e9c88d17bbfc068892bf42c0ced8a
|
|
| MD5 |
a9bf0a8ba461713127fccf54a941a43d
|
|
| BLAKE2b-256 |
b69e973e447ec27ba2012c64c90c8c972b494786d68b7de8648ca363e174ac18
|
File details
Details for the file kp_ssf_tools-0.1.0-py3-none-any.whl.
File metadata
- Download URL: kp_ssf_tools-0.1.0-py3-none-any.whl
- Upload date:
- Size: 18.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.6.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
660a6eb91c579590145dfc8175aa4740b1c8458a316c26f0a383130155544886
|
|
| MD5 |
e61691b6f7fb9e1cafc65cfe48f54c4f
|
|
| BLAKE2b-256 |
480633ae104c6349d472b47fa11b9c5f2d7392b150adfbfa17bf5568f54ac754
|