Difference between revisions of "List of Volatility Plugins"

From Forensics Wiki
m (Fixing broken links)
(Added moyix's registry suite)
Line 8:
  * [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] - Finds [[TrueCrypt]] passphrases
  * [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] - Dump out a kernel module (aka driver)
+ * [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.

  == Process Enumeration ==

Revision as of 08:12, 17 January 2009

The Volatility Framework was designed to be extended by plugins. Here is a list of the published plugins for the framework. Note that none of these plugins are hosted on the wiki; all of them are on external sites.

Command Shell

  • volshell - Creates a Python shell that can be used with the framework.

Data Recovery

  • cryptoscan (http://jessekornblum.com/tools/volatility/cryptoscan.py) - Finds TrueCrypt passphrases
  • moddump (http://moyix.blogspot.com/2008/10/plugin-post-moddump.html) - Dump out a kernel module (aka driver)
  • Registry tools (http://moyix.blogspot.com/2009/01/memory-registry-tools.html) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.

Process Enumeration

  • suspicious - Identify "suspicious" processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.

Output Formatting

  • pstree - Produces a tree-style listing of processes
  • vol2html - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.