dwarf2json
dwarf2json is a utility that processes files containing symbol and type information to generate Volatility3 Intermediate Symbol File (ISF) JSON output for Linux and macOS analysis.
Description
dwarf2json is a Go-based tool designed to convert DWARF debug information into Volatility3's Intermediate Symbol File (ISF) JSON format. This enables memory forensics analysis on Linux and macOS systems using Volatility3, a popular memory analysis framework.
The tool is particularly useful for analysts who need to generate symbol tables from binaries or debug files, facilitating the interpretation of memory dumps without relying on pre-built symbol packs. It supports distinct commands for Linux and macOS targets, ensuring compatibility with platform-specific symbol structures.
By producing ISF JSON, dwarf2json bridges the gap between low-level debug data and high-level forensic tools, streamlining workflows in incident response and malware analysis scenarios.
How It Works
dwarf2json reads DWARF symbol and type information from input files, typically debug symbols embedded in binaries or separate DWARF files. It processes this data using Go's parsing capabilities to extract structs, functions, and other symbols relevant to Volatility3. The output is structured JSON in the ISF format, which Volatility3 plugins consume to map memory addresses to symbolic names for Linux (via 'linux' command) or macOS (via 'mac' command) analysis.
Installation
sudo apt install dwarf2json
Flags
Examples
dwarf2json -h
dwarf2json linux
dwarf2json mac
dwarf2json linux --elf /path/to/binary
dwarf2json mac --macho /path/to/mach-o
cat debugfile.dw | dwarf2json linux
dwarf2json linux --help
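The ISF JSON described under How It Works can be checked before it is handed to Volatility3, for example to catch output generated from a binary without debug information or for a different kernel than the memory image. The following Python is an added example, not part of dwarf2json or Volatility3. It assumes the usual ISF layout (top-level metadata, base_types, user_types, enums and symbols, with the kernel banner stored base64-encoded as constant_data on the linux_banner symbol); check_isf, isf_banner and the sample document are constructed for illustration.

```python
import base64
import json

# Top-level sections of an ISF document (assumed layout, see lead-in).
REQUIRED_SECTIONS = ("metadata", "base_types", "user_types", "enums", "symbols")

# Constructed sample: a tiny stand-in for dwarf2json output, not a real kernel.
SAMPLE_ISF = json.dumps({
    "metadata": {"format": "6.2.0", "producer": {"name": "dwarf2json", "version": "0.0.0"}},
    "base_types": {"int": {"size": 4, "signed": True, "kind": "int", "endian": "little"}},
    "user_types": {"task_struct": {"size": 4, "kind": "struct",
                   "fields": {"pid": {"offset": 0, "type": {"kind": "base", "name": "int"}}}}},
    "enums": {},
    "symbols": {
        "init_task": {"address": 18446744071600000000,
                      "type": {"kind": "struct", "name": "task_struct"}},
        "linux_banner": {"address": 18446744071590000000,
                         "constant_data": base64.b64encode(b"Linux version 5.0.0-example\n\x00").decode()},
    },
})


def isf_banner(isf):
    """Return the kernel banner stored with the linux_banner symbol, or None."""
    data = isf.get("symbols", {}).get("linux_banner", {}).get("constant_data")
    if not data:
        return None
    return base64.b64decode(data).rstrip(b"\x00").decode("ascii", "replace").strip()


def check_isf(text, image_banner=None, need_types=("task_struct",), need_symbols=("init_task",)):
    """Return a list of problems that would make the ISF unusable for an image."""
    isf = json.loads(text)
    problems = [f"missing section: {s}" for s in REQUIRED_SECTIONS if s not in isf]
    problems += [f"missing type: {t}" for t in need_types if t not in isf.get("user_types", {})]
    problems += [f"missing symbol: {s}" for s in need_symbols if s not in isf.get("symbols", {})]
    banner = isf_banner(isf)
    if banner is None:
        problems.append("no linux_banner constant_data")
    elif image_banner is not None and banner != image_banner.strip():
        problems.append(f"banner mismatch: ISF has {banner!r}")
    return problems


if __name__ == "__main__":
    print(check_isf(SAMPLE_ISF, image_banner="Linux version 5.0.0-example"))
```

Pass the banner string recovered from the memory image as image_banner; an empty result means the file has the expected sections, the listed types and symbols, and a matching banner.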