ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "List of Volatility Plugins" and "Compression"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Process Enumeration)
 
(Deflate/Inflate)
 
Line 1: Line 1:
The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.
+
{{Expand}}
  
== Command Shell ==
+
== LZ-based ==
* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] - Creates a python shell can be used with the framework.
+
  
== Malware Detection ==
+
=== Deflate/Inflate ===
* [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html malfind] - Automates the process of finding and extracting (usually malicious) code injected into another process
+
Used in:
 +
* [[Encase image file format|Expert Witness (Compression) Format (EWF)]]
 +
* [[Gzip|gzip]]
  
== Data Recovery ==
+
=== LZNT1 ===
 +
Used in:
 +
* [[NTFS]]
 +
* [[Windows SuperFetch Format]]
  
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] (By [http://jessekornblum.livejournal.com/246616.html Jesse Kornblum]) - Finds [[TrueCrypt]] passphrases
+
=== LZXPRESS ===
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] (By [[http://moyix.blogspot.com/2008/10/plugin-post-moddump.html Moyix]) - Dump out a kernel module (aka driver)
+
Used in:
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
+
* [[Extensible Storage Engine (ESE) Database File (EDB) format]]
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] (By [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html Moyix]) - Get information about what user (SID) started a process.
+
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] (By [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html Moyix]) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
+
* [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html threadqueues] (By [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html Moyix]) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_objtypescan-current.zip objtypescan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_file_objects.html Andreas Schuster]) - Lists open files by enumerating the _FILE_OBJECT structure. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
+
* [http://computer.forensikblog.de/files/volatility_plugins/keyboardbuffer.py keyboardbuffer] (By [http://computer.forensikblog.de/en/2009/04/read_password_from_keyboard_buffer.html#more Andreas Schuster]) - Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_mutantscan-current.zip mutantscan] (By [http://computer.forensikblog.de/en/2009/04/searching_for_mutants.html#more Andreas Schuster]) - Extracts mutexs from the Windows kernel
+
* [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more symlinkobjscan] (By [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more Andreas Schuster]) - Extracts symbolic link objects from the Windows kernel
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_driverscan-current.zip driverscan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_drivers.html#more Andreas Schuster]) - Scan for kernel _DRIVER_OBJECTs.
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_fileobjscan-current.zip fileobjscan] (By [http://computer.forensikblog.de/en/2009/04/linking_file_objects_to_processes.html#more Andreas Schuster]) - File object -> process linkage, including hidden files.
+
  
== Process Enumeration ==
+
=== LZXPRESS Huffman ===
 +
Used in:
 +
* [[Windows SuperFetch Format]]
  
* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (By [http://jessekornblum.livejournal.com/246616.html Jesse Kornblum]) - Identify "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower case drive letter as suspicious.
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Lempel-Ziv Wikipedia: Lempel-Ziv]
 +
* [http://www.coderforlife.com/microsoft-compression-formats/ Microsoft Compression Formats]
  
== Output Formatting ==
+
=== Deflate/Inflate ===
 +
* [http://en.wikipedia.org/wiki/DEFLATE Wikipedia: DEFLATE]
 +
* [https://tools.ietf.org/html/rfc1950 RFC1950 - ZLIB Compressed Data Format Specification], by [[IETF]]
 +
* [https://tools.ietf.org/html/rfc1951 RFC1951 - DEFLATE Compressed Data Format Specification], by [[IETF]]
  
* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] - Produces a tree-style listing of processes
+
=== LZ1 ===
* [http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html vol2html] - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.
+
* [http://andyh.org/LZ1.html LZ1]

Revision as of 13:58, 21 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

LZ-based

Deflate/Inflate

Used in:

LZNT1

Used in:

LZXPRESS

Used in:

LZXPRESS Huffman

Used in:

External Links

Deflate/Inflate

LZ1