Virustotal Analysis Plugin¶
Notes on how to use the viper analysis plugin.
Setting up Viper¶
The Viper project maintains installation instructions here: https://viper-framework.readthedocs.io/en/latest/installation/index.html
Running plaso¶
First run log2timeline to extract events:
log2timeline.py timeline.plaso image.raw
Note that hashing must be turned on for the viper plugin to work correctly. This is default setting for log2timeline.py.
Next run psort to tag events, then output them:
psort.py --analysis viper -o timeline_with_viper_tags.csv timeline.plaso
If a file processed by Plaso is present in the viper instance, it will be tagged with viper_present
. If it’s part of a project in viper, it will also be tagged with viper_project_$PROJECTNAME
.