Difference between pages "Carver 2.0 Planning Page" and "List of Volatility Plugins"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Requirements)
 
m (Fixing broken links)
 
Line 1: Line 1:
This page is for planning Carver 2.0.
+
The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.
  
= License =
+
== Command Shell ==
 +
* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] - Creates a python shell can be used with the framework.
  
BSD
+
== Data Recovery ==
  
= OS =
+
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] - Finds [[TrueCrypt]] passphrases
 +
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] - Dump out a kernel module (aka driver)
  
Linux/FreeBSD/MacOS
+
== Process Enumeration ==
  
= Requirements =
+
* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] - Identify "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower case drive letter as suspicious.
* AFF and EWF file images supported from scratch.
+
* File system aware layer.
+
** By default, files are not carved.
+
* Plug-in architecture for identification/validation.
+
** Can we exercise libmagic or at least the patterns they identify?
+
* Ship with validators for:
+
** JPEG
+
** PNG
+
** GIF
+
** MSOLE
+
** ZIP
+
** TAR (gz/bz2)
+
* Simple fragment recovery carving using gap carving.  
+
* Recovering of individual ZIP sections and JPEG icons that are not sector aligned.
+
* Autonomous operation (what is it? [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)).
+
* Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
+
** Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time)
+
* Parallelizable.
+
* Configuration:
+
** Can handle config files,like Revit07, to enter different file formats used by the carver.
+
** Disengage internal configuration structure from configuration files, create parsers that present the expected structure
+
**  Either extend Scalpel/Foremost syntaxes for extended features or create a tertiary syntax, at which point a converter would likely be useful.
+
* Can output audit.txt file.
+
* Easy integration into ascription software.
+
  
= Ideas =
+
== Output Formatting ==
* Use as much TSK if possible. Don't carry your own FS implementation there way photorec does.
+
* Extracting/carving data from [[Thumbs.db]]? I've used [[foremost]] for it with some success. [[Vinetto]] has some critical bugs :( [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
+
* Carving data structures. For example, extract all TCP headers from image by defining TCP header structure and some fields (e.g. source port > 1024, dest port = 80). This will extract all data matching the pattern and write a file with other fields. Another example is carving INFO2 structures and URL activity records from index.dat [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
+
  
= Supported File Systems =
+
* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] - Produces a tree-style listing of processes
 
+
* [http://gleeda.blogspot.com/2009/01/vol2htmlpl-update.html vol2html] - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.
Build a large list of supported filesystems. File carving programs ignore the filesystem, but this doesn't mean that they support all of them. Do we support Reiser4 with tail packing? Or exFAT? Or NTFS with compression? Document this. [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
+

Revision as of 08:30, 16 January 2009

The Volatility Framework was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.

Command Shell

  • volshell - Creates a python shell can be used with the framework.

Data Recovery

Process Enumeration

  • suspicious - Identify "suspicious" processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.

Output Formatting

  • pstree - Produces a tree-style listing of processes
  • vol2html - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.