Difference between pages "List of Volatility Plugins" and "Nickfile (NK2)"

From Forensics Wiki
= List of Volatility Plugins =

The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but on external sites.

== Command Shell ==

* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] - Creates a Python shell that can be used with the framework.

== Data Recovery ==

* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] - Finds [[TrueCrypt]] passphrases.
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] - Dumps out a kernel module (aka driver).
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] - Gets information about which user (SID) started a process.
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] - Lists entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
* [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html threadqueues] - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.

== Process Enumeration ==

* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] - Identifies "suspicious" processes. This version counts any command line running [[TrueCrypt]], or any command line that starts with a lower-case drive letter, as suspicious.

== Output Formatting ==

* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] - Produces a tree-style listing of processes.
* [http://gleeda.blogspot.com/2009/01/vol2htmlpl-update.html vol2html] - Converts Volatility output to HTML. Not technically a plugin, but useful nonetheless.

= Nickfile (NK2) =

[[Microsoft]] [[Outlook]] uses the '''Nickfile (NK2)''' to store e-mail address aliases.

The file type is also known as the Outlook AutoComplete File or the Nickname file.

== MIME types ==

The actual MIME type of the NK2 format is unspecified.

== File signature ==

The NK2 has the following file signature:

hexadecimal: 0D F0 AD BA

Note that other sources claim that the file signature is:

hexadecimal: 0D F0 AD BA 0A 00 00 00

== Contents ==

The NK2 basically contains a list of items. The attributes of these items are defined by the [[Microsoft]] [[Outlook]] [[Message API (MAPI)]].

== External Links ==

* [http://code.google.com/p/libnk2/downloads/detail?name=Nickfile%20%28NK2%29%20format.pdf Nickfile (NK2) format specification], by the [[libnk2|libnk2 project]]
* [http://code.google.com/p/libpff/downloads/detail?name=MAPI%20definitions.pdf MAPI definitions], by the [[libpff|libpff project]]

[[Category:File Formats]]
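A header check against the two NK2 signatures quoted in the file signature section above, as an added example that is not part of this wiki page or of the libnk2 project. It assumes nothing beyond the byte sequences listed there; the remark that the 4-byte form reads as the little-endian value 0xBAADF00D is an observation added here, and the sample headers are constructed, not taken from real files.

```python
import struct
from typing import Optional

# Signatures exactly as quoted on the page, in on-disk byte order.
NK2_SIGNATURE = bytes.fromhex("0DF0ADBA")
NK2_SIGNATURE_EXTENDED = bytes.fromhex("0DF0ADBA0A000000")


def classify_nk2_header(data: bytes) -> Optional[str]:
    """Match a header against the two quoted signatures.

    Returns "nk2-extended" when the 8-byte form matches, "nk2" when only
    the 4-byte form matches, and None otherwise (including inputs shorter
    than four bytes, which cannot carry the signature at all).
    """
    if len(data) < len(NK2_SIGNATURE) or not data.startswith(NK2_SIGNATURE):
        return None
    if data.startswith(NK2_SIGNATURE_EXTENDED):
        return "nk2-extended"
    return "nk2"


def signature_as_uint32_le(data: bytes) -> int:
    """Read the first four bytes as a little-endian uint32.

    0D F0 AD BA read this way is 0xBAADF00D (added observation); the raw
    byte comparison above is used so byte order cannot be confused.
    """
    if len(data) < 4:
        raise ValueError("need at least 4 bytes")
    return struct.unpack("<I", data[:4])[0]


def classify_nk2_file(path: str) -> Optional[str]:
    """Read only the header of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return classify_nk2_header(fh.read(len(NK2_SIGNATURE_EXTENDED)))


# Constructed sample headers so the example runs offline (not real NK2 files).
SAMPLE_EXTENDED = bytes.fromhex("0DF0ADBA0A000000") + b"\x00" * 8
SAMPLE_SHORT_ONLY = bytes.fromhex("0DF0ADBA01000000") + b"\x00" * 8
SAMPLE_OTHER = b"PK\x03\x04" + b"\x00" * 12
SAMPLE_TRUNCATED = bytes.fromhex("0DF0")

if __name__ == "__main__":
    for name, blob in [("extended", SAMPLE_EXTENDED), ("short-only", SAMPLE_SHORT_ONLY),
                       ("zip-like", SAMPLE_OTHER), ("truncated", SAMPLE_TRUNCATED)]:
        print(name, classify_nk2_header(blob))
    print(hex(signature_as_uint32_le(SAMPLE_EXTENDED)))
```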

Latest revision as of 02:11, 26 August 2012

