hanzo@bushidocyber ~ % man remora

Remora

A PyQt6 graphical frontend for Volatility3 memory forensics — no command-line expertise required.

Tags: Forensics, Python, PyQt6, Volatility3

What it is

Remora is a desktop GUI that wraps Volatility3, the standard open-source memory-forensics framework. Volatility is enormously powerful but lives entirely on the command line — Remora makes it discoverable and auditable without giving up any of that power.

Load a memory image, browse every Volatility plugin in a tree, and run analysis from forms instead of memorizing flags. Results stream into tabbed views you can pivot through and export.

Plugin handling

  • Auto-discovery — every Volatility3 plugin is found at startup and organized into Windows, Linux, macOS, and Other categories in a searchable tree.
  • Generated argument forms — Remora reads each plugin's declared requirements and builds the form for it, with the right widget per field: checkboxes, spinners, dropdowns, file pickers, and text.
  • Quick run — double-click any plugin to run it immediately with defaults; a Stop button terminates cleanly and only one plugin runs at a time.
  • Robust output parsing — handles JSON arrays, JSON lines, column/row dicts, nested __children records, and raw-text fallback.
  • Drag-and-drop images — drop a memory image (.raw .mem .vmem .dmp .lime .E01 and more) and the plugin browser populates, ready to hunt. Images are opened read-only and never modified.
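The output-parsing bullet lists several shapes vol.py can emit. The parser below is an added example written for this page, not Remora's own code: it normalises a JSON array (vol.py -r json), JSON lines (vol.py -r jsonl), a column/row dict (the exact {"columns": [...], "rows": [...]} layout is assumed here), nested __children records from tree-shaped plugins, and raw text, into one (columns, rows) pair. The __depth field it attaches to each row is this example's own device for keeping tree depth after flattening; the sample inputs are constructed to look like vol.py output and were not captured from a real image.

```python
"""Normalise whatever vol.py writes to stdout into (columns, rows).

Added example, not Remora's parser. Handles: a JSON array of row objects
(vol.py -r json), JSON lines (vol.py -r jsonl), a {"columns", "rows"} dict
(assumed layout), nested "__children" records, and a raw-text fallback.
"""
import json
from typing import Any, Dict, List, Optional, Tuple

Row = Dict[str, Any]
CHILD_KEY = "__children"   # key under which vol.py's JSON renderer nests subtree rows
DEPTH_COL = "__depth"      # synthetic field added by this example, not by vol.py


def _flatten(records: List[Row], depth: int = 0) -> List[Row]:
    """Depth-first walk turning nested __children lists into one flat row list."""
    flat: List[Row] = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != CHILD_KEY}
        row[DEPTH_COL] = depth
        flat.append(row)
        flat.extend(_flatten(rec.get(CHILD_KEY) or [], depth + 1))
    return flat


def _column_order(rows: List[Row]) -> List[str]:
    """Union of row keys in first-seen order, excluding the synthetic depth field."""
    cols: List[str] = []
    for row in rows:
        for key in row:
            if key != DEPTH_COL and key not in cols:
                cols.append(key)
    return cols


def _parse_json_lines(text: str) -> Optional[List[Row]]:
    """One JSON object per line; None if any non-empty line is not an object."""
    rows: List[Row] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            return None
        if not isinstance(obj, dict):
            return None
        rows.append(obj)
    return rows or None


def _parse_raw_text(text: str) -> Tuple[List[str], List[Row]]:
    """Fallback: a regular tab-separated table becomes columns, anything else one 'text' column."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = [ln.split("\t") for ln in lines]
    if len(fields) > 1 and len(fields[0]) > 1 and all(len(f) == len(fields[0]) for f in fields):
        header, body = fields[0], fields[1:]
        return header, [dict(zip(header, f), **{DEPTH_COL: 0}) for f in body]
    return ["text"], [{"text": ln, DEPTH_COL: 0} for ln in lines]


def parse_output(text: str) -> Tuple[List[str], List[Row]]:
    """Return (columns, rows); every row carries a __depth entry (0 for flat output)."""
    stripped = text.strip()
    if not stripped:
        return [], []
    doc: Any = None
    try:
        doc = json.loads(stripped)
    except json.JSONDecodeError:
        pass
    if isinstance(doc, list):                                        # vol.py -r json
        rows = _flatten([r for r in doc if isinstance(r, dict)])
        return _column_order(rows), rows
    if isinstance(doc, dict) and "columns" in doc and "rows" in doc:   # column/row dict
        cols = [str(c) for c in doc["columns"]]
        rows = _flatten([dict(zip(cols, r)) if isinstance(r, list) else dict(r)
                         for r in doc["rows"]])
        return cols, rows
    jsonl = _parse_json_lines(stripped)
    if jsonl is not None:                                            # vol.py -r jsonl
        rows = _flatten(jsonl)
        return _column_order(rows), rows
    return _parse_raw_text(stripped)                                 # anything else


# Constructed samples shaped like vol.py output (not captured from a real image).
SAMPLE_JSON_ARRAY = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", CHILD_KEY: [
        {"PID": 400, "PPID": 4, "ImageFileName": "smss.exe", CHILD_KEY: []},
    ]},
    {"PID": 612, "PPID": 560, "ImageFileName": "lsass.exe", CHILD_KEY: []},
])
SAMPLE_JSONL = '{"PID": 4, "ImageFileName": "System"}\n{"PID": 612, "ImageFileName": "lsass.exe"}\n'
SAMPLE_COLROW = json.dumps({"columns": ["PID", "Name"], "rows": [[4, "System"], [612, "lsass.exe"]]})
SAMPLE_TABBED = "PID\tPPID\tImageFileName\n4\t0\tSystem\n400\t4\tsmss.exe\n"
SAMPLE_PLAIN = "Volatility 3 Framework\nProgress: 100.00 Stacking attempts finished\n"
```

The whole-document json.loads attempt comes first on purpose: a JSONL body fails it with "Extra data" and falls through to the per-line parser, while a single-object line is caught by the JSONL path rather than being mistaken for a column/row dict. The raw-text fallback never guesses at column types, so a banner or a progress line ends up as visible text instead of being silently dropped.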

Results & analysis

  • Tabbed, sortable results — each run opens a closeable tab; click any header to sort, filter rows with live full-text search, and toggle column visibility.
  • Semantic coloring: true/yes render green, false/no red, and null-ish values muted, so anomalies pop at a glance.
  • Copy & export anything — right-click to copy a cell or a whole row as TSV, or export the visible view.
  • Custom symbol tables — load Linux/macOS ISF symbols (files or directories); they're auto-appended to every subsequent run.

Threat-intel context

  • ATT&CK mapping at scale — 65 ATT&CK technique IDs across 137 plugin-to-technique keys, with High/Medium/Low confidence ratings per plugin.
  • Threat-actor profiles — filter the plugin set by any of 26 known adversary groups and ransomware families (APT28/29, Lazarus, Conti, LockBit, REvil, Turla, and more) to run just the plugins relevant to that actor's toolkit.
  • Coverage Matrix — a grid of every mapped plugin against 10 ATT&CK tactics with confidence symbols, filterable by tactic and confidence and exportable to CSV (Ctrl+Shift+M).

Exports & reporting

Seven export formats, each with an embedded metadata header (plugin, image, timestamp, mapped techniques, and threat actors) and all respecting active column/row filters:

CSV, TSV, JSON, TXT, HTML, PDF, XLSX

HTML produces a self-contained dark-themed report with ATT&CK badges; PDF renders A4 landscape via Qt; XLSX adds an automatic "MITRE Coverage" sheet. JSON is shaped for SIEM and case-management ingestion.

Volshell & audit

  • Embedded Volshell — an interactive Python REPL against the loaded image (Ctrl+Shift+S) with direct access to the layer, context, and symbol APIs, command history, and live stdout/stderr streaming.
  • Automatic audit log — created the moment an image loads, written next to the evidence as <image>_<date>.log with ISO-8601 timestamps, the exact vol.py command for every run, row counts, and errors — mirrored live in-GUI.
  • Forensic by design — no network access, read-only evidence handling, exact-command transparency, and a non-destructive stop, so every step is independently reproducible.
  • Keyboard-driven UX — light/dark themes, three resizable panes, and shortcuts for open (Ctrl+O), refresh (F5), Volshell, and the Coverage Matrix.
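The audit bullets above promise the exact vol.py command for every run, row counts, errors, ISO-8601 timestamps, a log named <image>_<date>.log beside the evidence, and a Stop that never touches the image. The code below is an added example showing one way to deliver all of that, not Remora's own implementation. It uses real vol.py options (-f for the image, -r json for machine-readable output, -s for a symbol directory, plugin options after the plugin name, as the symbol-table bullet describes); the AuditLog and PluginRunner names, the mapping from form field to --option, and the log-line layout are this example's own. demo() runs stand-in child processes in place of vol.py and a 16-byte placeholder file in place of an image, so it works without either.

```python
"""Exact-command transparency and audit logging around a vol.py run.

Added example, not Remora's code. Real vol.py flags are used (-f, -r json,
-s, plugin options after the plugin name); class names, the form-field to
--option mapping and the log-line layout are this example's own.
"""
import datetime as dt
import json
import pathlib
import shlex
import subprocess
import sys
import tempfile
from typing import Any, Dict, Iterable, List, Optional


def build_command(vol_py: str, image: pathlib.Path, plugin: str,
                  args: Dict[str, Any], symbol_dirs: Iterable[str] = ()) -> List[str]:
    """Assemble the exact argv list; no shell is involved, so no quoting ambiguity."""
    cmd = [sys.executable, vol_py]
    for sym in symbol_dirs:                       # custom ISF symbols, appended to every run
        cmd += ["-s", sym]
    cmd += ["-f", str(image), "-r", "json", plugin]
    for name, value in args.items():              # values straight from the generated form
        if value is None or value is False or value == "":
            continue                              # unset field: omit the option entirely
        flag = "--" + name.replace("_", "-")      # assumed requirement-name to option mapping
        if value is True:
            cmd.append(flag)                      # checkbox becomes a bare flag
        elif isinstance(value, (list, tuple)):
            cmd += [flag, *map(str, value)]       # multi-valued option, e.g. several PIDs
        else:
            cmd += [flag, str(value)]
    return cmd


def _count_rows(stdout: str) -> int:
    """Row count for the audit line: length of a JSON array, else non-empty lines."""
    try:
        doc = json.loads(stdout)
    except json.JSONDecodeError:
        return sum(1 for ln in stdout.splitlines() if ln.strip())
    return len(doc) if isinstance(doc, list) else 1


class AuditLog:
    """Append-only log written next to the image as <image>_<date>.log."""

    def __init__(self, image: pathlib.Path) -> None:
        self.path = image.with_name(f"{image.stem}_{dt.date.today().isoformat()}.log")
        self.lines: List[str] = []                # in-memory mirror for the GUI pane
        self.write(f"image loaded read-only: {image}")

    def write(self, message: str) -> str:
        stamp = dt.datetime.now(dt.timezone.utc).isoformat(timespec="seconds")
        line = f"{stamp} {message}"
        self.lines.append(line)
        with self.path.open("a", encoding="utf-8") as fh:
            fh.write(line + "\n")
        return line


class PluginRunner:
    """Runs one plugin at a time; stop() terminates the child, which never writes the image."""

    def __init__(self, log: AuditLog) -> None:
        self.log = log
        self.proc: Optional[subprocess.Popen] = None

    def run(self, cmd: List[str], timeout: float = 60.0) -> int:
        if self.proc is not None and self.proc.poll() is None:
            raise RuntimeError("a plugin is already running; stop it first")
        self.log.write("run: " + shlex.join(cmd))  # the exact command, reproducible by hand
        self.proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE, text=True)
        try:
            out, err = self.proc.communicate(timeout=timeout)
        except subprocess.TimeoutExpired:
            self.stop()
            out, err = self.proc.communicate()
        rows = _count_rows(out)
        self.log.write(f"exit={self.proc.returncode} rows={rows}")
        if self.proc.returncode != 0:
            detail = err.strip().splitlines()[-1] if err.strip() else "no stderr"
            self.log.write("error: " + detail)
        return rows

    def stop(self) -> None:
        if self.proc is not None and self.proc.poll() is None:
            self.proc.terminate()


def demo() -> Dict[str, Any]:
    """Exercise the pieces in a temp dir with a placeholder image and stand-in children."""
    workdir = pathlib.Path(tempfile.mkdtemp())
    image = workdir / "memdump.raw"
    image.write_bytes(b"\x00" * 16)               # constructed placeholder, not real evidence
    log = AuditLog(image)
    runner = PluginRunner(log)
    # the argv this code builds for windows.pslist with three form fields set
    real_cmd = build_command("vol.py", image, "windows.pslist",
                             {"pid": [4, 612], "physical": True, "dump": False}, ["/opt/isf"])
    # stand-ins for vol.py (constructed): one prints a -r json style array, one fails
    ok_child = [sys.executable, "-c", "import json; print(json.dumps([{'PID': 4}, {'PID': 612}]))"]
    bad_child = [sys.executable, "-c", "import sys; sys.exit('Unable to validate the plugin requirements')"]
    rows_ok = runner.run(ok_child)
    rows_bad = runner.run(bad_child)
    return {"command": real_cmd, "rows_ok": rows_ok, "rows_bad": rows_bad,
            "log_name": log.path.name, "lines": log.lines,
            "image_bytes": image.read_bytes()}    # still 16 zero bytes: nothing touched it
```

Two details carry the forensic weight here. The command is built as an argv list and logged with shlex.join, so the line in the log is exactly what ran and can be pasted back into a shell to reproduce the result. The child only ever receives the image path through -f; the runner opens nothing itself and termination on Stop or timeout leaves the file unchanged, which demo() checks by reading the placeholder back afterwards.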

Get it running

Remora is a single file that lives in the root of a Volatility3 checkout. Clone Volatility3, install PyQt6, drop remora.py in beside vol.py, and launch:

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip install PyQt6 openpyxl   # openpyxl is optional, for XLSX export
curl -O https://raw.githubusercontent.com/BushidoCyb3r/Remora/main/remora.py
python3 remora.py

Requires Python ≥ 3.8 (3.10+ recommended) and PyQt6 ≥ 6.4. remora.py must sit in the Volatility3 root — the same folder as vol.py and volshell.py. Details in the README.


Analyze memory, visually

Bring a GUI to Volatility3 and keep your investigations auditable from the first plugin to the final export.