This is a revision diff of the page. The earlier revision (the removed lines) is reproduced first, followed by the newer revision (the added lines).

= Previous revision =

The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki; they are all on external sites.

== Command Shell ==

* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] - Creates a Python shell that can be used with the framework.

== Malware Detection ==

* [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html malfind] - Automates the process of finding and extracting (usually malicious) code injected into another process.

== Data Recovery ==

* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] - Finds [[TrueCrypt]] passphrases.
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] - Dumps a kernel module (a.k.a. driver) out of memory.
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] - Gets information about which user (SID) started a process.
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] - Lists entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
* [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html threadqueues] - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to deliver events such as button presses and mouse clicks to GUI programs.

== Process Enumeration ==

* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (by Jesse Kornblum) - Identifies "suspicious" processes. This version counts any command line running [[TrueCrypt]], or any command line that starts with a lower-case drive letter, as suspicious.

== Output Formatting ==

* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] - Produces a tree-style listing of processes.
* [http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html vol2html] - Converts Volatility output to HTML. Not technically a plugin, but useful nonetheless.

= New revision =

== Metadata Extraction ==

* [http://alioth.debian.org/docman/view.php/30390/47/readpst.1.html READPST] converts Outlook PST files to mbox format.
* Philip Guo has written Python scripts to "extract and organize email header information (e.g., senders, recipients, subjects, dates, etc.) from mbox files". His tools are available on his web page [http://www.stanford.edu/~pgbovine/mbox-analysis.htm here].

== Tools ==

* [http://sneakers.cs.columbia.edu/ids/emt/ Columbia Email Mining Toolkit]
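The two rules the '''suspicious''' plugin's description gives (a command line running TrueCrypt, or one starting with a lower-case drive letter), applied to a constructed process list. This is an added example, not Jesse Kornblum's suspicious.py: the real plugin reads command lines out of a memory image through Volatility, whereas here the (pid, image, command line) tuples are embedded as sample data, and "running TrueCrypt" is read as a case-insensitive substring match, which is an assumption.

```python
"""Flag "suspicious" processes from their command lines.

Added example; it is not Jesse Kornblum's suspicious.py. It applies the
two rules the plugin's description gives to a constructed process list.
The real plugin pulls command lines out of a memory image via Volatility;
here they are embedded as sample data.
"""
import re

# Rule 1: any command line mentioning TrueCrypt. Assumption: the plugin's
# "running TrueCrypt" is read as a case-insensitive substring match.
TRUECRYPT = re.compile(r"truecrypt", re.IGNORECASE)

# Rule 2: the command line begins with a lower-case drive letter, optionally
# inside a leading double quote. The page does not say why this matters; a
# plausible reading is that processes started by Windows itself usually show
# an upper-case letter, so a lower-case one hints at a hand-typed or scripted
# launch.
LOWERCASE_DRIVE = re.compile(r'^"?[a-z]:\\')

# Constructed sample: (pid, image name, command line), as a pslist-style
# plugin would present them. None of these come from a real image.
SAMPLE_PROCESSES = [
    (4, "System", ""),
    (612, "csrss.exe", r"C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows"),
    (1720, "TrueCrypt.exe", r'"C:\Program Files\TrueCrypt\TrueCrypt.exe" /v secret.tc /l x'),
    (2044, "cmd.exe", r"c:\windows\system32\cmd.exe /c copy d:\dump.bin \\10.0.0.5\share"),
    (2208, "explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
    (2316, "svchost.exe", r'"c:\temp\svchost.exe" -k netsvcs'),
]


def suspicious_reasons(cmdline):
    """Return the list of rules a command line trips (empty if none)."""
    reasons = []
    if TRUECRYPT.search(cmdline):
        reasons.append("runs TrueCrypt")
    if LOWERCASE_DRIVE.match(cmdline):
        reasons.append("lower-case drive letter")
    return reasons


def find_suspicious(processes):
    """Filter a process list down to the entries that trip at least one rule."""
    hits = []
    for pid, image, cmdline in processes:
        reasons = suspicious_reasons(cmdline)
        if reasons:
            hits.append((pid, image, reasons))
    return hits


if __name__ == "__main__":
    for pid, image, reasons in find_suspicious(SAMPLE_PROCESSES):
        print(f"{pid:>6}  {image:<16} {', '.join(reasons)}")
```

Both rules are triage hints rather than verdicts: a user who legitimately runs TrueCrypt trips the first one, and the second is a weak signal on its own. Treat a hit as a prompt to look at the process (parent, image path, loaded modules) rather than as a finding.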
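The header extraction that Philip Guo's scripts are described as doing (senders, recipients, subjects, dates from an mbox), as an added example that is not his code or the page's. It uses only the Python standard library (mailbox and email.utils), the mailbox content is constructed for the demo and written to a temporary file because mailbox.mbox expects a path, and the third message carries a deliberately malformed Date header to show how a real mailbox's bad data is handled.

```python
"""Extract sender, recipient, subject and date metadata from an mbox file.

Added example; it is not Philip Guo's mbox-analysis code. Only the Python
standard library is used. The mailbox below is constructed for the demo.
"""
import mailbox
import os
import tempfile
from collections import Counter
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample mailbox: three messages. The second has two To
# addresses, a Cc, and an mbox-escaped ">From " line in its body; the
# third has a malformed Date header.
SAMPLE_MBOX = """\
From alice@example.org Mon Mar  2 09:15:00 2009
From: Alice Example <alice@example.org>
To: Bob <bob@example.net>
Subject: Q1 numbers
Date: Mon, 2 Mar 2009 09:15:00 +0000
Message-ID: <1@example.org>

Bob, see attached.

From bob@example.net Mon Mar  2 10:03:00 2009
From: Bob <bob@example.net>
To: Alice Example <alice@example.org>, carol@example.com
Cc: Dave <dave@example.com>
Subject: Re: Q1 numbers
Date: Mon, 2 Mar 2009 10:03:00 +0000
Message-ID: <2@example.net>

>From what I can tell these are fine.

From alice@example.org Tue Mar  3 08:00:00 2009
From: Alice Example <alice@example.org>
To: carol@example.com
Subject: Lunch
Date: not a date
Message-ID: <3@example.org>

Noon?
"""


def parse_mbox(path):
    """Return one metadata record per message, in mailbox order."""
    records = []
    box = mailbox.mbox(path)
    try:
        for msg in box:
            # getaddresses() splits "Name <addr>, addr2" lists into (name, addr) pairs.
            senders = [addr.lower() for _, addr in getaddresses(msg.get_all("From", []))]
            rcpts = [addr.lower() for _, addr in
                     getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
            date_hdr = msg.get("Date")
            try:
                when = parsedate_to_datetime(date_hdr) if date_hdr else None
            except (TypeError, ValueError):
                # Malformed Date: keep the message but leave it out of the timeline.
                when = None
            records.append({
                "message_id": (msg.get("Message-ID") or "").strip(),
                "from": senders[0] if senders else None,
                "to": rcpts,
                "subject": (msg.get("Subject") or "").strip(),
                "date": when,
            })
    finally:
        box.close()
    return records


def summarize(records):
    """Message counts per sender and per (sender, recipient) pair, plus a dated timeline."""
    by_sender = Counter(r["from"] for r in records)
    pairs = Counter((r["from"], rcpt) for r in records for rcpt in r["to"])
    timeline = sorted((r for r in records if r["date"] is not None), key=lambda r: r["date"])
    return by_sender, pairs, timeline


def run_demo():
    """Write the constructed mailbox to a temp file, parse it, and return the results."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_MBOX)
        records = parse_mbox(path)
    finally:
        os.unlink(path)
    by_sender, pairs, timeline = summarize(records)
    return records, by_sender, pairs, timeline


if __name__ == "__main__":
    records, by_sender, pairs, timeline = run_demo()
    for r in timeline:
        print(f"{r['date'].isoformat()}  {r['from']} -> {', '.join(r['to'])}  {r['subject']!r}")
    print("per sender:", dict(by_sender))
    print("undated:", [r["message_id"] for r in records if r["date"] is None])
```

Addresses are lower-cased before counting so that the same mailbox spelled two ways does not split into two senders; the malformed-Date message is still counted for the sender and pair statistics and only drops out of the timeline, which is the behaviour an analyst usually wants when the mailbox came from a damaged or hand-edited source.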