Difference between pages "List of Volatility Plugins" and "Nickfile (NK2)"

From Forensics Wiki

= List of Volatility Plugins =

The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.

== Command Shell ==

* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] - Creates a Python shell that can be used with the framework.

== Data Recovery ==

* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] - Finds [[TrueCrypt]] passphrases.
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] - Dumps a kernel module (aka driver) out of memory.
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] - Gets information about which user (SID) started a process.
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] - Lists entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
* [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html threadqueues] - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.

== Process Enumeration ==

* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] - Identifies "suspicious" processes. This version counts any command line running [[TrueCrypt]], or any command line that starts with a lower-case drive letter, as suspicious.

== Output Formatting ==

* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] - Produces a tree-style listing of processes.
* [http://gleeda.blogspot.com/2009/01/vol2htmlpl-update.html vol2html] - Converts Volatility output to HTML. Not technically a plugin, but useful nonetheless.

= Nickfile (NK2) =

[[Microsoft]] [[Outlook]] uses the '''Nickfile (NK2)''' to store e-mail address aliases.

The file type is also known as the Outlook AutoComplete File or the Nickname file.

== MIME types ==

The actual MIME type of the NK2 format is unspecified.

== File signature ==

The NK2 has the following file signature:

hexadecimal: 0D F0 AD BA

Read as a little-endian 32-bit value, these four bytes are 0xBAADF00D.

Note that other sources claim that the file signature is

hexadecimal: 0D F0 AD BA 0A 00 00 00

The longer form only extends the shorter one: both agree on the first four bytes, so a check for 0D F0 AD BA matches files described by either source.

== Contents ==

The NK2 basically contains a list of items. The attributes of these items are defined by the [[Microsoft]] [[Outlook]] [[Message API (MAPI)]].

== External Links ==

* [http://code.google.com/p/libnk2/downloads/detail?name=Nickfile%20%28NK2%29%20format.pdf Nickfile (NK2) format specification], by the [[libnk2|libnk2 project]]
* [http://code.google.com/p/libpff/downloads/detail?name=MAPI%20definitions.pdf MAPI definitions], by the [[libpff|libpff project]]

[[Category:File Formats]]

Revision as of 02:11, 26 August 2012

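The "File signature" section above gives two forms of the NK2 signature, one of which is a prefix of the other. The following Python is an added example, not code from this page or from the libnk2 project: it tests a candidate file against both forms, reports the leading dword as a little-endian integer (0xBAADF00D for a matching file), and handles files too short to decide. The sample inputs are constructed byte strings, not real NK2 files, and the function names are this example's own.

```python
import struct

# Signature forms quoted in the "File signature" section: the 4-byte form
# and the 8-byte form some sources give. The 4-byte form is a prefix of the
# 8-byte one, so a 4-byte check matches files described by either source.
NK2_SIGNATURE = bytes.fromhex("0DF0ADBA")
NK2_SIGNATURE_EXTENDED = bytes.fromhex("0DF0ADBA0A000000")


def identify_nk2(data: bytes) -> dict:
    """Classify a candidate file from its first 8 bytes.

    Returns a dict with:
      is_nk2          - the first 4 bytes are 0D F0 AD BA
      extended_match  - the first 8 bytes are 0D F0 AD BA 0A 00 00 00
      signature_le    - first dword as a little-endian integer (0xBAADF00D
                        for a matching file), or None if fewer than 4 bytes
      second_dword_le - second dword as a little-endian integer, or None if
                        fewer than 8 bytes; shows how a file matching only the
                        4-byte form differs from the 8-byte claim
    """
    head = bytes(data[:8])
    signature_le = struct.unpack("<I", head[:4])[0] if len(head) >= 4 else None
    second_dword_le = struct.unpack("<I", head[4:8])[0] if len(head) >= 8 else None
    return {
        "is_nk2": head[:4] == NK2_SIGNATURE,
        "extended_match": head == NK2_SIGNATURE_EXTENDED,
        "signature_le": signature_le,
        "second_dword_le": second_dword_le,
    }


def is_nk2_file(path: str) -> bool:
    """Read only the first 8 bytes of a file on disk and test the 4-byte form."""
    with open(path, "rb") as fh:
        return identify_nk2(fh.read(8))["is_nk2"]


# Constructed sample inputs (not real NK2 files): only the leading bytes matter.
SAMPLE_EXTENDED = NK2_SIGNATURE_EXTENDED + b"\x00" * 8                       # matches both forms
SAMPLE_FOUR_BYTE = NK2_SIGNATURE + bytes.fromhex("0B000000") + b"\x00" * 8   # matches only the 4-byte form
SAMPLE_OTHER = b"PK\x03\x04" + b"\x00" * 12                                  # a ZIP local header, not NK2
SAMPLE_TRUNCATED = NK2_SIGNATURE[:2]                                         # too short to decide

if __name__ == "__main__":
    for name, blob in [("extended", SAMPLE_EXTENDED), ("four-byte", SAMPLE_FOUR_BYTE),
                       ("other", SAMPLE_OTHER), ("truncated", SAMPLE_TRUNCATED)]:
        print(name, identify_nk2(blob))
```

Checking only the 4-byte prefix is the safer choice for triage: it accepts files matching either published form, and the second dword is returned separately so an examiner can see which form a given file actually carries.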