
MultiVolatility: Analyze memory dumps faster than ever with Volatility2 and Volatility3 in parallel using Docker

Project description

MultiVolatility ⚡️

Analyze memory dumps faster than ever with Volatility2 and Volatility3 in parallel.

MultiVolatility (multivol) is a CLI wrapper that orchestrates memory forensics using Docker. It parallelizes plugin execution across multiple CPU cores, dramatically reducing the time required to run full scan suites on Windows or Linux memory dumps.

Demo

Features

  • Parallel Execution: Runs multiple Volatility plugins simultaneously using your machine's full CPU power.
  • Hybrid Support: Seamlessly supports both Volatility 2 and Volatility 3.
  • Containerized: Runs all analysis in Docker containers—no complex dependency hell or Python 2/3 conflicts on your host.
  • Smart Caching: Automatically manages symbol downloads and caching to prevent redundant network requests.
  • Flexible Output: Supports both textual reports and structured JSON output for integration with other tools (like the MultiVol Web UI).

Prerequisites

  1. Docker: Ensure Docker Desktop (or Engine) is installed and running.
  2. Python 3.6+

Installation

You can install multivol directly from PyPI:

pip install multivol

From Source

Alternatively, you can clone the repository and install it locally:

git clone https://github.com/BoBNewz/MultiVolatility.git
cd MultiVolatility/CLI
pip install .

This makes the multivol command available system-wide.

Building the Docker Images

Before running the tool, you must build the analysis images:

# Build Volatility 2
docker build Dockerfiles/volatility2/ -t volatility2:latest

# Build Volatility 3
docker build Dockerfiles/volatility3/ -t volatility3:latest

Usage

The basic syntax is:

multivol [vol2|vol3] --dump <path_to_dump> --image <docker_image> [options]

Examples

Run a standard Windows analysis with Volatility 3:

multivol vol3 --dump memdump.raw --image volatility3:latest --windows --light

Run a full analysis on a Linux dump:

multivol vol3 --dump linux_dump.wem --image volatility3:latest --linux --full

Use Volatility 2 with a specific profile:

multivol vol2 --dump box_win7.raw --image volatility2:latest --profile Win7SP1x64 --windows --light

Options

Option                Description
--dump                Required. Path to the memory dump file.
--image               Required. Name of the Docker image to use (e.g., volatility3:latest).
--windows / --linux   Required. Specify the OS of the memory dump.
--light               Run a curated set of essential plugins (fast).
--full                Run the comprehensive suite of all available plugins (slow).
--commands            Run a specific comma-separated list of plugins (e.g., pslist,filescan).
--processes           Limit the number of concurrent Docker containers (default: CPU count).
--api                 Start the tool in API mode for Web UI integration.
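The options above describe the orchestration model: one plugin per Docker container, a configurable cap on how many run at once, and either a curated plugin set or an explicit --commands list. The following is an added illustration of that model written for this page; it is not multivol's own code. It assumes (not stated on the page) that the volatility2/volatility3 images use the Volatility CLI as their ENTRYPOINT, so arguments after the image name are passed straight to it, and that the dump's directory is bind-mounted read-only at /dump inside the container. The "light" plugin sets are constructed for the example; the page does not list multivol's real ones.

```python
"""Illustrative parallel plugin runner in the spirit of multivol.

Added example; NOT multivol's own code. Assumptions not taken from the page:
the volatility2/volatility3 images use the Volatility CLI as ENTRYPOINT, and
the dump's directory is bind-mounted read-only at /dump in the container.
"""
import os
import subprocess
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional, Tuple

Result = Tuple[int, str, str]  # (exit code, stdout, stderr) of one plugin run

# Constructed plugin sets for a "light" scan; the page does not list the real ones.
LIGHT_PLUGINS: Dict[Tuple[str, str], List[str]] = {
    ("vol3", "windows"): ["windows.info", "windows.pslist", "windows.netscan"],
    ("vol3", "linux"): ["linux.pslist", "linux.bash"],
    ("vol2", "windows"): ["pslist", "netscan", "filescan"],
}


def build_command(engine: str, dump: str, image: str, plugin: str,
                  profile: Optional[str] = None) -> List[str]:
    """Return the docker argv that runs one plugin against the dump."""
    if engine not in ("vol2", "vol3"):
        raise ValueError(f"unknown engine {engine!r}")
    if engine == "vol2" and not profile:
        raise ValueError("Volatility 2 needs --profile")
    dump = os.path.abspath(dump)
    # Mount read-only: the evidence file must never be altered by a plugin.
    mount = f"{os.path.dirname(dump)}:/dump:ro"
    argv = ["docker", "run", "--rm", "-v", mount, image,
            "-f", f"/dump/{os.path.basename(dump)}"]
    if engine == "vol2":
        argv.append(f"--profile={profile}")
    argv.append(plugin)  # plugin name stays last so results can be keyed on it
    return argv


def plan_scan(engine: str, dump: str, image: str, os_name: str,
              plugins: Optional[List[str]] = None,
              profile: Optional[str] = None) -> List[List[str]]:
    """Expand either an explicit plugin list (--commands) or the light set."""
    if plugins is None:
        try:
            plugins = LIGHT_PLUGINS[(engine, os_name)]
        except KeyError:
            raise ValueError(f"no light set for {engine}/{os_name}") from None
    return [build_command(engine, dump, image, p, profile) for p in plugins]


def _docker_runner(argv: List[str]) -> Result:
    """Default runner: actually invoke docker and capture its output."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def run_parallel(commands: List[List[str]],
                 runner: Callable[[List[str]], Result] = _docker_runner,
                 max_workers: Optional[int] = None) -> Dict[str, Result]:
    """Run every command, at most max_workers containers at once (--processes)."""
    max_workers = max_workers or os.cpu_count() or 1
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        results = list(pool.map(runner, commands))
    # pool.map preserves input order, so zip the results back onto plugin names
    return {argv[-1]: res for argv, res in zip(commands, results)}


if __name__ == "__main__":
    cmds = plan_scan("vol3", "memdump.raw", "volatility3:latest", "windows")
    for name, (rc, out, err) in run_parallel(cmds).items():
        print(f"== {name} (exit {rc}) ==")
        print(out if rc == 0 else err)
```

The runner is injectable so the planning and fan-out logic can be exercised without Docker present; the read-only bind mount and --rm keep each container from modifying the evidence file or leaving state behind between plugins.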

Web Integration

MultiVol comes with a companion Web Interface for visualizing results and creating scans (Process Trees, File Browsers, etc.).

To use the CLI as a backend for the Web UI (optional), run multivol --api or use the provided docker-compose.yml.

License

This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.

Download files


Source Distribution

multivol-0.1.6.tar.gz (42.6 kB, source)

Built Distribution


multivol-0.1.6-py3-none-any.whl (46.9 kB, Python 3)

File details

Details for the file multivol-0.1.6.tar.gz.

File metadata

  • Download URL: multivol-0.1.6.tar.gz
  • Size: 42.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.18

File hashes

Hashes for multivol-0.1.6.tar.gz
Algorithm     Hash digest
SHA256        9f4df490ee02868bb3dafa80dff3d9bee2f243bed0961d572d18a4f011c0c08b
MD5           4a14e02f55bc495a23c5bca495622031
BLAKE2b-256   68a340dc03789348f120609eed0de2ec585c743d0e27d2d54b74c5eeedeb8cb3


File details

Details for the file multivol-0.1.6-py3-none-any.whl.

File metadata

  • Download URL: multivol-0.1.6-py3-none-any.whl
  • Size: 46.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.18

File hashes

Hashes for multivol-0.1.6-py3-none-any.whl
Algorithm     Hash digest
SHA256        e39d7d23440e4a4a6c97ba980d6d4cac7ee86e7a9ea00dca7a8819ec232670d6
MD5           9bfd88c5dcd2b7570670288388dca3cf
BLAKE2b-256   37a2f7acb596cee4a844fb8cb82831d20f2dd56f106410deb05b43e6919f3cc6
