Cyber-investigation Analysis Standard Expression (CASE)

Read the CASE Wiki tab to learn everything you need to know about the Cyber-investigation Analysis Standard Expression (CASE) ontology. For learning about the Unified Cyber Ontology, CASE's parent, see UCO.

Proof-of-Concept CASE Volatility Plugins

Note: This POC is not ontology-correct! However, it attempts to adhere to v0.1.0 of CASE.

This repository contains a sub-set of Volatility plugins that produce output in the CASE format.

These plugins have been taken from core Volatility plugins and adapted the output to produce CASE JSON-LD. These currently are proof-of-concept only, and may not fully comply to the CASE ontology as it is an evolving standard.

This repository takes the following plugins from the Volatility framework and converts the output to CASE format:

All Volatility work belongs to their respective authors which can be found here.

Installation of 3rd Party Libraries

Running Custom PoC Plugins

CASE Handle List from Memory Image:

vol.py --plugins='volplugs/src/' -f memory_images/memory.img --profile WinXPSP2x86 casehandles

CASE Procdump:

vol.py --plugins='volplugs/src/' -f memory_images/memory.img caseprocdump --dump-dir dumpdir

CASE Commandline dumping:

vol.py --plugins='volplugs/src/' -f memory_images/memory.img casecmdline

I have a question!

Before you post a Github issue or send an email ensure you've done this checklist:

  1. Determined scope of your task. It is not necessary for most parties to understand all aspects of the ontology, mapping methods, and supporting tools.

  2. Familiarize yourself with the labels and search the Issues tab. Typically, only light-blue and red labels should be used by non-admin Github users while the others should be used by CASE Github admins. All but the red Project labels are found in every casework repository.