Difference between pages "List of Volatility Plugins" and "Email analysis"

From ForensicsWiki

= List of Volatility Plugins =

The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.

== Command Shell ==

* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] - Creates a Python shell that can be used with the framework.

== Malware Detection ==

* [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html malfind] - Automates the process of finding and extracting (usually malicious) code injected into another process.

== Data Recovery ==

* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] - Finds [[TrueCrypt]] passphrases.
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] - Dumps out a kernel module (aka driver).
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] - Gets information about which user (SID) started a process.
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] - Lists entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
* [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html threadqueues] - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.

== Process Enumeration ==

* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (by Jesse Kornblum) - Identifies "suspicious" processes. This version counts any command line running [[TrueCrypt]], or any command line that starts with a lower-case drive letter, as suspicious.

== Output Formatting ==

* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] - Produces a tree-style listing of processes.
* [http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html vol2html] - Converts Volatility output to HTML. Not technically a plugin, but useful nonetheless.

= Email analysis =

Latest revision as of 19:44, 19 January 2009

== Metadata Extraction ==

* [http://alioth.debian.org/docman/view.php/30390/47/readpst.1.html READPST] converts pst files to mbox format.
* Philip Guo has written Python scripts to "extract and organize email header information (e.g., senders, recipients, subjects, dates, etc.) from mbox files". His tools are available on his webpage [http://www.stanford.edu/~pgbovine/mbox-analysis.htm here].

== Tools ==

* [http://sneakers.cs.columbia.edu/ids/emt/ Columbia Email Mining Toolkit]