Difference between pages "HBGary Responder Professional" and "List of Volatility Plugins"

From Forensics Wiki

m (Added links to batch script helper tools for the Volatility Framework)
= HBGary Responder Professional =

'''HBGary Responder Professional''' is a computer forensics suite distributed by [[HBGary]].

[[File:logo.jpg]]

----

Responder™ Professional is a leader in Windows™ physical memory and automated malware analysis. It is an application that is known for its ease of use, streamlined workflow, and rapid results. The Professional platform is designed for Incident Responders, Malware Analysts, and Computer Forensic Investigators who demand the very best. Responder Professional provides powerful memory forensics, malware detection, and software behavioral identification with Digital DNA™.

----

'''Memory Preservation:''' FDPro is included with Responder™ Professional. FDPro is the most complete memory acquisition software in the industry. FDPro is the only application that can preserve Windows™ physical memory and Pagefile for information security and computer forensic purposes.

----

'''Memory Analysis:''' Critical computer artifacts are found only in live memory, and Responder makes it easy to uncover and take advantage of them: search for, identify and report on critical information with an easy-to-use, intuitive GUI designed to support the investigation workflow.

----

'''Malware Detection with Digital DNA™:''' Digital DNA is a revolutionary technology to detect advanced computer security threats within physical memory. All memory is analyzed offline as a file; there is no active code to fool our analysis. We do not rely on the Windows operating system since we assume it is compromised and cannot be trusted. All executable code in memory is scanned, scored and ranked by level of severity based upon programmed software behaviors.

----

'''Automated Malware Analysis:''' More computer crimes involve malware as a method of gaining access to confidential information. The new face of malware is designed to never touch the disk and reside only in memory. Important delivery information, rootkit behaviors and malware not detected by AV can be easily found using Professional.

----

'''Reporting:''' A flexible reporting module is built in for ease of use so you can quickly deliver the information in a succinct manner to attorneys, management or clients.

= List of Volatility Plugins =

The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.

== Command Shell ==

* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] (By [http://moyix.blogspot.com/2008/08/indroducing-volshell.html Moyix]) - Creates a Python shell that can be used with the framework.

== Malware Detection ==

* [http://mhl-malware-scripts.googlecode.com/files/idt.py IDT] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Prints the Interrupt Descriptor Table (IDT) addresses for one processor.
* [http://mhl-malware-scripts.googlecode.com/files/driverirp.py DriverIRP] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Prints driver IRP function addresses.
* [http://mhl-malware-scripts.googlecode.com/files/kernel_hooks.py kernel_hooks] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Detects IAT, EAT, and inline hooks in kernel drivers instead of usermode modules.
* [http://mhl-malware-scripts.googlecode.com/files/malfind2.py malfind2] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Automates the process of finding and extracting (usually malicious) code injected into another process.
* [http://mhl-malware-scripts.googlecode.com/files/orphan_threads.py orphan_threads] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Detects hidden system/kernel threads.
* [http://mhl-malware-scripts.googlecode.com/files/usermode_hooks2.py usermode_hooks2] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Detects IAT/EAT/inline rootkit hooks in usermode processes.
* [http://mhl-malware-scripts.googlecode.com/files/kernel_hooks.py kernel_hooks] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Detects IAT/EAT/inline hooks in kernel drivers.

== Data Recovery ==

* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] (By [[Jesse Kornblum]]) - Finds [[TrueCrypt]] passphrases.
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] (By [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html Moyix]) - Dumps out a kernel module (aka driver).
* [http://www.cc.gatech.edu/%7Ebrendan/volatility/dl/volreg-0.6.tar.gz Registry tools] (By [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Moyix]) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
* [http://www.cc.gatech.edu/%7Ebrendan/volatility/dl/volrip-0.1.tar.gz Modified RegRipper & Glue Code] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux.
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] (By [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html Moyix]) - Gets information about which user (SID) started a process.
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] (By [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html Moyix]) - Lists entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
* [http://kurtz.cs.wesleyan.edu/%7Ebdolangavitt/memory/threadqueues.py threadqueues] (By [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html Moyix]) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_objtypescan-current.zip objtypescan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_file_objects.html Andreas Schuster]) - Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/keyboardbuffer.py keyboardbuffer] (By [http://computer.forensikblog.de/en/2009/04/read_password_from_keyboard_buffer.html#more Andreas Schuster]) - Extracts the keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_mutantscan-current.zip mutantscan] (By [http://computer.forensikblog.de/en/2009/04/searching_for_mutants.html#more Andreas Schuster]) - Extracts mutexes from the Windows kernel. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_symlinkobjscan-current.zip symlinkobjscan] (By [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more Andreas Schuster]) - Extracts symbolic link objects from the Windows kernel. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_driverscan-current.zip driverscan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_drivers.html#more Andreas Schuster]) - Scans for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_fileobjscan-current.zip fileobjscan] (By [http://computer.forensikblog.de/en/2009/04/linking_file_objects_to_processes.html#more Andreas Schuster]) - File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)

== Process Enumeration ==

* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (By [[Jesse Kornblum]]) - Identifies "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower case drive letter as suspicious.

== Output Formatting ==

* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] (By [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html Scudette]) - Produces a tree-style listing of processes.
* [http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html vol2html] (By [http://gleeda.blogspot.com/2008/11/vol2html-perl-script.html Jamie Levy AKA Gleeda]) - Converts Volatility output to HTML. Not technically a plugin, but useful nonetheless.

== Other Helper Tools ==

Though these are not actual plugins, they are helpful tools for obtaining output from the [[Volatility Framework]].

* [http://volatility.googlecode.com/files/vol-Report%28win%29.zip VolReport(win)] (By [http://volatility.googlecode.com/files/VolReport%28win%29_%20Simple%20Aggregation%20for%20Volatility%20Output.pdf SAL])
* [http://forensiczone.blogspot.com/2009/10/volatility-batch-file-maker.html Volatility Batch File Maker] (By [http://forensiczone.blogspot.com/2009/10/walk-through-volatility-batch-file.html Richard McQuown])

Revision as of 20:18, 17 October 2009