List of Volatility Plugins

From Forensics Wiki

Revision as of 08:12, 17 January 2009 by Jessek (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

The Volatility Framework was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.

Contents

1 Command Shell
2 Data Recovery
3 Process Enumeration
4 Output Formatting

Command Shell

volshell - Creates a python shell can be used with the framework.

Data Recovery

cryptoscan - Finds TrueCrypt passphrases
moddump - Dump out a kernel module (aka driver)
Registry tools - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.

Process Enumeration

suspicious - Identify "suspicious" processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.

Output Formatting

pstree - Produces a tree-style listing of processes
vol2html - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.

Retrieved from "http://www.forensicswiki.org/w/index.php?title=List_of_Volatility_Plugins&oldid=9150"

Personal tools

Log in / create account

About forensicswiki.org:

Toolbox