| Line 1: |
Line 1: |
| − | The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.
| + | Nuix Pty Ltd is a computer software company. Their suite of products include: |
| | | | |
| − | == Command Shell ==
| + | * [[Nuix Desktop]] - the main processing and analysis product. |
| − | * [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] (By [http://moyix.blogspot.com/2008/08/indroducing-volshell.html Moyix])- Creates a python shell can be used with the framework. | + | * [[Proof Finder]] - a 'starter' version of Nuix Desktop that is limited in the amount of data it can ingest at once. |
| | | | |
| − | == Malware Detection == | + | == External Links == |
| − | * [http://mhl-malware-scripts.googlecode.com/files/idt.py IDT] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Prints the Interrupt Descriptor Table (IDT) addresses for one processor
| + | |
| − | * [http://mhl-malware-scripts.googlecode.com/files/driverirp.py DriverIRP] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Prints driver IRP function addresses
| + | |
| − | * [http://mhl-malware-scripts.googlecode.com/files/kernel_hooks.py kernel_hooks] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Detects IAT, EAT, and in-line hooks in kernel drivers instead of usermode modules
| + | |
| − | * [http://mhl-malware-scripts.googlecode.com/files/malfind2.py malfind2] - (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Automates the process of finding and extracting (usually malicious) code injected into another process
| + | |
| − | * [http://mhl-malware-scripts.googlecode.com/files/orphan_threads.py orphan_threads] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Detects hidden system/kernel threads
| + | |
| − | * [http://mhl-malware-scripts.googlecode.com/files/usermode_hooks2.py usermode_hooks2] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Detect IAT/EAT/Inline rootkit hooks in usermode processes
| + | |
| − | * [http://mhl-malware-scripts.googlecode.com/files/kernel_hooks.py kernel_hooks] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Detect IAT/EAT/Inline hooks in kernel drivers
| + | |
| | | | |
| − | == Data Recovery ==
| + | [http://www.nuix.com/ Official Website] |
| | | | |
| − | * [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] (By [[Jesse Kornblum]]) - Finds [[TrueCrypt]] passphrases
| + | [[Category:Vendors]] |
| − | * [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] (By [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html Moyix]) - Dump out a kernel module (aka driver)
| + | |
| − | * [http://www.cc.gatech.edu/%7Ebrendan/volatility/dl/volreg-0.6.tar.gz Registry tools] (By [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Moyix]) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
| + | |
| − | * [http://www.cc.gatech.edu/%7Ebrendan/volatility/dl/volrip-0.1.tar.gz Modified Regripper & Glue Code] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux.
| + | |
| − | * [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] (By [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html Moyix]) - Get information about what user (SID) started a process.
| + | |
| − | * [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] (By [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html Moyix]) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
| + | |
| − | * [http://kurtz.cs.wesleyan.edu/%7Ebdolangavitt/memory/threadqueues.py threadqueues] (By [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html Moyix]) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
| + | |
| − | * [http://computer.forensikblog.de/files/volatility_plugins/volatility_objtypescan-current.zip objtypescan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_file_objects.html Andreas Schuster]) - Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
| + | |
| − | * [http://computer.forensikblog.de/files/volatility_plugins/keyboardbuffer.py keyboardbuffer] (By [http://computer.forensikblog.de/en/2009/04/read_password_from_keyboard_buffer.html#more Andreas Schuster]) - Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
| + | |
| − | * [http://computer.forensikblog.de/files/volatility_plugins/volatility_mutantscan-current.zip mutantscan] (By [http://computer.forensikblog.de/en/2009/04/searching_for_mutants.html#more Andreas Schuster]) - Extracts mutexes from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
| + | |
| − | * [http://computer.forensikblog.de/files/volatility_plugins/volatility_symlinkobjscan-current.zip symlinkobjscan] (By [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more Andreas Schuster]) - Extracts symbolic link objects from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
| + | |
| − | * [http://computer.forensikblog.de/files/volatility_plugins/volatility_driverscan-current.zip driverscan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_drivers.html#more Andreas Schuster]) - Scan for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
| + | |
| − | * [http://computer.forensikblog.de/files/volatility_plugins/volatility_fileobjscan-current.zip fileobjscan] (By [http://computer.forensikblog.de/en/2009/04/linking_file_objects_to_processes.html#more Andreas Schuster]) - File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
| + | |
| − | | + | |
| − | == Process Enumeration ==
| + | |
| − | | + | |
| − | * [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (By [[Jesse Kornblum]]) - Identify "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower case drive letter as suspicious.
| + | |
| − | | + | |
| − | == Output Formatting ==
| + | |
| − | | + | |
| − | * [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] (By [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html Scudette]) - Produces a tree-style listing of processes
| + | |
| − | * [http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html vol2html] (By [http://gleeda.blogspot.com/2008/11/vol2html-perl-script.html Jamie Levy AKA Gleeda]) - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.
| + | |
| − | | + | |
| − | == Other Helper Tools ==
| + | |
| − | | + | |
| − | Though these are not actual plugins they are helpful tools for obtaining output from the [[Volatility Framework]].
| + | |
| − | | + | |
| − | * [http://volatility.googlecode.com/files/vol-Report%28win%29.zip VolReport(win)] (By [http://volatility.googlecode.com/files/VolReport%28win%29_%20Simple%20Aggregation%20for%20Volatility%20Output.pdf SAL])
| + | |
| − | * [http://forensiczone.blogspot.com/2009/10/volatility-batch-file-maker.html Volatility Batch File Maker] (By [http://forensiczone.blogspot.com/2009/10/walk-through-volatility-batch-file.html Richard McQuown])
| + | |
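Review bot: this revision wipes the entire Volatility plugin catalogue (the Command Shell, Malware Detection, Data Recovery, Process Enumeration, Output Formatting and Other Helper Tools sections with every plugin link and author credit) and leaves only a two-line Nuix vendor description plus [[Category:Vendors]]; nothing in the added text refers to the removed content, so this reads as the Nuix page's body saved over the wrong article. Suggest reverting, and placing the Nuix text on its own vendor page; if the plugin list is being retired on purpose, the edit summary should say so and point to where the list now lives. Minor: "Their suite of products include:" should read "includes".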
Nuix Pty Ltd is a computer software company. Their suite of products includes: