Difference between pages "List of Volatility Plugins" and "Template:Incident response"

From ForensicsWiki
The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.
[[Category:Incident Response]][[:Category:Incident Response|Incident Response]]

== Command Shell ==

* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] - Creates a Python shell that can be used with the framework.

== Malware Detection ==

* [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html malfind] - Automates the process of finding and extracting (usually malicious) code injected into another process.

== Data Recovery ==

* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] - Finds [[TrueCrypt]] passphrases.
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] - Dumps a kernel module (aka driver).
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] - Gets information about which user (SID) started a process.
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] - Lists entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
* [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html threadqueues] - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to deliver events such as button presses and mouse clicks to GUI programs.

== Process Enumeration ==

* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] - Identifies "suspicious" processes. This version counts any command line running [[TrueCrypt]], or any command line that starts with a lower-case drive letter, as suspicious.

== Output Formatting ==

* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] - Produces a tree-style listing of processes.
* [http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html vol2html] - Converts Volatility output to HTML. Not technically a plugin, but useful nonetheless.

Latest revision as of 14:25, 12 January 2014