List of Volatility Plugins
From Forensics Wiki
Revision as of 09:03, 27 April 2009 by Gleeda
The Volatility Framework was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki; all of them are hosted on external sites.
- volshell - Creates a Python shell that can be used with the framework.
- malfind - Automates the process of finding and extracting (usually malicious) code injected into another process
- cryptoscan - Finds TrueCrypt passphrases
- moddump - Dumps out a kernel module (aka driver).
- Registry tools - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
- getsids - Gets information about which user (SID) started a process.
- ssdt - Lists entries in the system call table (SSDT). Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
- threadqueues - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
- suspicious - Identifies "suspicious" processes. This version counts any command line running TrueCrypt, or any command line that starts with a lowercase drive letter, as suspicious.