
Difference between revisions of "List of Volatility Plugins"

From ForensicsWiki
m (Fixing broken links)
(Added moyix's registry suite)
Line 8: Line 8:
 
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] - Finds [[TrueCrypt]] passphrases
 
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] - Finds [[TrueCrypt]] passphrases
 
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] - Dump out a kernel module (aka driver)
 
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] - Dump out a kernel module (aka driver)
 +
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
  
 
== Process Enumeration ==
 
== Process Enumeration ==
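Review bot: The added entry uses the descriptive phrase "Registry tools" as its link text, whereas the neighbouring entries in this hunk (cryptoscan, moddump) use the plugin's command name, which is what a reader of a plugin list will search for; since the blog post describes a suite, consider listing the individual plugin names in the entry, or at least making clear that the link points to several plugins rather than one. The entry also sits in the section whose existing items are cryptoscan and moddump, and its description (password hashes, LSA secrets, arbitrary registry keys) reads more like registry analysis than data recovery, so a short qualifier in the entry, or a dedicated registry section, would keep the categorisation consistent.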

Revision as of 13:12, 17 January 2009

The Volatility Framework was designed to be extended with plugins. Below is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki; all of them live on external sites.

Command Shell

  • volshell - Creates a Python shell that can be used with the framework.

Data Recovery

  • cryptoscan - Finds TrueCrypt passphrases
  • moddump - Dump out a kernel module (aka driver)
  • Registry tools - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.

Process Enumeration

  • suspicious - Identify "suspicious" processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.

Output Formatting

  • pstree - Produces a tree-style listing of processes
  • vol2html - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.