evolve: Web interface for the Volatility Memory Forensics Framework


Features

  • Works with any Volatility module that provides an SQLite render method (some don’t)
  • Automatically detects plugins – if Volatility sees the plugin, so will eVOLve
  • All results are stored in a single SQLite DB kept beside the RAM dump
  • The web interface is fully AJAX, using jQuery and JSON to pass requests and responses
  • Uses the Python Bottle module to provide a standalone web server
  • Option to edit the SQL query to build enhanced data views that combine data from multiple tables
  • Run plugins and view data from any browser – even a tablet!
  • Allows multiple people to review the results of a single RAM dump
  • Multiprocessing for full CPU usage
  • Pre-Scan runs a list of plugins at the start
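One way to use the results DB that evolve keeps beside the RAM dump is to write your own cross-table query, as the "edit SQL query" feature allows. The script below is an added example, not code from the evolve project: it builds a small constructed SQLite DB with two tables named like the Volatility pslist and psscan plugins (the table and column names are assumptions; evolve's real schema may differ), discovers which plugin tables exist, and then flags processes found by pool scanning but missing from the linked process list, a classic hidden-process check.

```python
import sqlite3

# Constructed sample rows standing in for Volatility pslist / psscan output.
# Table and column names are an assumption; evolve's real schema may differ.
SAMPLE_PSLIST = [
    ("System", 4, 0),
    ("smss.exe", 284, 4),
    ("csrss.exe", 368, 356),
    ("explorer.exe", 1436, 1392),
]
# Same processes plus one that only the pool scan sees (unlinked from the active list).
SAMPLE_PSSCAN = SAMPLE_PSLIST + [("svch0st.exe", 2120, 1436)]


def build_sample_db(path=":memory:"):
    """Create a results DB shaped like the one evolve stores beside the memory image."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE pslist (Name TEXT, PID INTEGER, PPID INTEGER)")
    conn.execute("CREATE TABLE psscan (Name TEXT, PID INTEGER, PPID INTEGER)")
    conn.executemany("INSERT INTO pslist VALUES (?, ?, ?)", SAMPLE_PSLIST)
    conn.executemany("INSERT INTO psscan VALUES (?, ?, ?)", SAMPLE_PSSCAN)
    conn.commit()
    return conn


def list_tables(conn):
    """Discover which plugin tables exist; names depend on which plugins were run."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    ).fetchall()
    return [r[0] for r in rows]


# Cross-table view: rows in psscan whose PID has no match in pslist.
HIDDEN_PROCESS_SQL = """
SELECT s.Name, s.PID, s.PPID
FROM psscan AS s
LEFT JOIN pslist AS l ON l.PID = s.PID
WHERE l.PID IS NULL
ORDER BY s.PID
"""


def hidden_processes(conn):
    """Return (Name, PID, PPID) tuples present in psscan but absent from pslist."""
    return conn.execute(HIDDEN_PROCESS_SQL).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("plugin tables:", list_tables(db))
    for name, pid, ppid in hidden_processes(db):
        print(f"hidden process candidate: {name} PID={pid} PPID={ppid}")
```

Point `build_sample_db` at a real evolve DB path only to reuse `list_tables`; the sample-table creation is for the constructed data and would fail if those tables already exist.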


Usage

-f File containing the RAM dump to analyze
-p Volatility profile to use during analysis (--profile may not work even though it shows as an option)
-d Optional path for the output file. Default is beside the memory image
-l Restrict the web server to the local machine (do not serve content to other hosts)
-r Comma-separated list of plugins to run at the start

!!! WARNING: Avoid writing SQLite to NFS shares. They can lock or get corrupted. If you must, try mounting the share with the ‘nolock’ option.

Install

Demo

Source: https://github.com/JamesHabben/