Difference between revisions of "List of Volatility Plugins"

From ForensicsWiki
(Output Formatting)
(Process Enumeration)
Line 18: Line 18:
 
== Process Enumeration ==
 
== Process Enumeration ==
  
* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] - Identify "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower case drive letter as suspicious.
+
* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (By Jesse Kornblum) - Identify "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower case drive letter as suspicious.
  
 
== Output Formatting ==
 
== Output Formatting ==
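Review bot: the "(By Jesse Kornblum)" attribution added to the suspicious entry is inconsistent with the rest of the list, where no other entry names an author (volshell, malfind, cryptoscan, moddump and so on all carry only a name and a one-line description). Either add author attributions to the other entries as well or leave this one without, so the list stays uniform; the added text otherwise only duplicates the existing line.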

Revision as of 08:16, 6 May 2009

The Volatility Framework was designed to be extended by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki; they are all hosted on external sites.

Command Shell

  • volshell - Creates a Python shell that can be used with the framework.

Malware Detection

  • malfind - Automates the process of finding and extracting (usually malicious) code injected into another process

Data Recovery

  • cryptoscan - Finds TrueCrypt passphrases
  • moddump - Dump out a kernel module (aka driver)
  • Registry tools - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
  • getsids - Get information about what user (SID) started a process.
  • ssdt - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
  • threadqueues - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.

Process Enumeration

  • suspicious (By Jesse Kornblum) - Identify "suspicious" processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.

Output Formatting

  • pstree - Produces a tree-style listing of processes
  • vol2html - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.