The [[Volatility Framework]] was designed to be extended by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki; they are all on external sites.

== Command Shell ==
* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] - Creates a Python shell that can be used with the framework.

== Data Recovery ==
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] - Finds [[TrueCrypt]] passphrases
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] - Dump out a kernel module (aka driver)
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] - Get information about what user (SID) started a process.
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
* [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html threadqueues] - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.

== Process Enumeration ==
* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] - Identify "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower-case drive letter as suspicious.

== Output Formatting ==
* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] - Produces a tree-style listing of processes
* [http://gleeda.blogspot.com/2009/01/vol2htmlpl-update.html vol2html] - Converts Volatility output to HTML. Not technically a plugin, but useful nonetheless.
Revision as of 08:53, 17 April 2012
The Incident Response edition of Second Look®: Linux Memory Forensics is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.
Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.
Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.
Second Look® also applies an integrity verification approach for the analysis of each process in memory. This enables it to detect unauthorized applications as well as stealthy user-level malware.
Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of April 2012:
- Supported target kernels: 2.6.x, 3.x up to 3.2
- Supported target architectures: x86 32- and 64-bit
- Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!
Second Look® is a product of Raytheon Pikewerks Corporation: