Difference between pages "Volatility Framework" and "List of Volatility Plugins"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Memory acquisition drivers)
 
(Output Formatting)
 
Line 1: Line 1:
{{Infobox_Software |
+
The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.
  name = Volatility |
+
  maintainer = [[AAron Walters]] |
+
  os = {{Cross-platform}} |
+
  genre = {{Memory analysis}} |
+
  license = {{GPL}} |
+
  website = [https://www.volatilesystems.com/default/volatility https://www.volatilesystems.com/] |
+
}}
+
  
The '''Volatility Framework''' is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.  
+
== Command Shell ==
 +
* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] - Creates a python shell can be used with the framework.
  
The project was originally developed by and is now headed up by [[AAron Walters]] of [[Volatile Systems]].
+
== Malware Detection ==
 +
* [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html malfind] - Automates the process of finding and extracting (usually malicious) code injected into another process
  
== Plugins ==
+
== Data Recovery ==
See: [[List of Volatility Plugins]]
+
  
== Memory acquisition drivers ==
+
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] - Finds [[TrueCrypt]] passphrases
 +
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] - Dump out a kernel module (aka driver)
 +
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
 +
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] - Get information about what user (SID) started a process.
 +
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
 +
* [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html threadqueues] - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
  
In 2012 [[Michael Cohen]] contributed both a Linux and a Windows Open Source memory (acquisition) driver to the volatility project.
+
== Process Enumeration ==
  
These drivers are currently available in the volatility scudette branch and soon to be released as a separate download. To obtain this branch run:
+
* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] - Identify "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower case drive letter as suspicious.
<pre>
+
svn checkout http://volatility.googlecode.com/svn/branches/scudette/ volatility
+
</pre>
+
  
In the scudette branch the drivers can be found under:
+
== Output Formatting ==
<pre>
+
volatility/tools/linux
+
volatility/tools/windows
+
</pre>
+
  
=== Linux ===
+
* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] - Produces a tree-style listing of processes
 
+
* [http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html vol2html] - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.
To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into this directory and run make:
+
<pre>
+
cd volatility/tools/linux/
+
make
+
</pre>
+
 
+
The acquisition driver is named pmem.ko.
+
 
+
To load the driver:
+
<pre>
+
sudo insmod pmem.ko
+
</pre>
+
 
+
To check if the driver is running:
+
<pre>
+
sudo lsmod
+
</pre>
+
 
+
The driver create a device file named:
+
<pre>
+
/dev/pmem
+
</pre>
+
 
+
To unload the driver:
+
<pre>
+
sudo rmmod pmem
+
</pre>
+
 
+
To read acquire the memory just read from the device file. e.g.
+
<pre>
+
dd if=/dev/pmem of=image.raw
+
</pre>
+
 
+
For more information see:
+
<pre>
+
volatility/tools/linux/README
+
</pre>
+
 
+
=== Mac OS X ===
+
 
+
A Mac OS X driver is currently being worked on.
+
 
+
=== Windows ===
+
Since recent versions of 64 bit Windows require a signed driver the volatility scudette branch comes with both pre-built (binary) and source versions of the driver. The prebuilt binary is signed.
+
 
+
Both the i386 and amd64 binary version of the driver can be found on the [http://code.google.com/p/volatility/downloads/list downloads] part of the Volatility code repository as winpmem or in the scudette branch under:
+
<pre>
+
volatility/tools/winpmem/binaries/
+
</pre>
+
 
+
E.g.
+
<pre>
+
volatility/tools/winpmem/binaries/amd64/winpmem.sys
+
</pre>
+
 
+
A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:
+
<pre>
+
volatility/tools/winpmem/executables/Release/
+
</pre>
+
 
+
To load the driver:
+
<pre>
+
winpmem.exe -l
+
</pre>
+
 
+
The device filename is (This can not be changed without recompiling):
+
<pre>
+
\\.\pmem
+
</pre>
+
 
+
To read and acquire the physical memory and write it to image.raw:
+
<pre>
+
winpmem.exe image.raw
+
</pre>
+
 
+
To unload the driver:
+
<pre>
+
winpmem.exe -u
+
</pre>
+
 
+
For more information see:
+
<pre>
+
volatility/tools/windows/README
+
</pre>
+
 
+
== See Also ==
+
* [[List of Volatility Plugins]]
+
 
+
== External Links ==
+
* [https://www.volatilesystems.com/default/volatility Official web site]
+
* [http://code.google.com/p/volatility/ Code repository], direct link to [http://code.google.com/p/volatility/source/browse/ source]
+
* [http://code.google.com/p/volatility/w/list Volatility Documentation]
+

Revision as of 09:03, 27 April 2009

The Volatility Framework was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.

Command Shell

  • volshell - Creates a python shell can be used with the framework.

Malware Detection

  • malfind - Automates the process of finding and extracting (usually malicious) code injected into another process

Data Recovery

  • cryptoscan - Finds TrueCrypt passphrases
  • moddump - Dump out a kernel module (aka driver)
  • Registry tools - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
  • getsids - Get information about what user (SID) started a process.
  • ssdt - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
  • threadqueues - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.

Process Enumeration

  • suspicious - Identify "suspicious" processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.

Output Formatting

  • pstree - Produces a tree-style listing of processes
  • vol2html - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.