Difference between pages "File Format Identification" and "List of Volatility Plugins"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Bibliography)
 
(Malware Detection)
 
Line 1: Line 1:
File Format Identification is the process of figuring out the format of a sequence of bytes. Operating systems typically do this by file extension or by embedded MIME information. Forensic applications need to identify file types by content.
+
The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.
  
=Tools=
+
== Command Shell ==
==libmagic==
+
* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] - Creates a python shell can be used with the framework.
* Written in C.  
+
* Rules in /usr/share/file/magic and compiled at runtime.
+
* Powers the Unix “file” command, but you can also call the library directly from a C program.
+
* http://sourceforge.net/projects/libmagic
+
  
==DROID==
+
== Malware Detection ==
* Writen in Java
+
* [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html malfind] (By [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html Michael Hale Ligh]) - Automates the process of finding and extracting (usually malicious) code injected into another process
* Developed by National Archives of the United Kingdom.
+
* http://droid.sourceforge.net
+
  
==TrID==
+
== Data Recovery ==
* XML config file
+
* Closed source; free for non-commercial use
+
* http://mark0.net/soft-trid-e.html
+
  
==Stellent/Oracle Outside-In==
+
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] (By [http://jessekornblum.livejournal.com/246616.html Jesse Kornblum]) - Finds [[TrueCrypt]] passphrases
* Proprietary but free demo.
+
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] (By [[http://moyix.blogspot.com/2008/10/plugin-post-moddump.html Moyix]) - Dump out a kernel module (aka driver)
* http://www.oracle.com/technology/products/content-management/oit/oit_all.html
+
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
 +
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] (By [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html Moyix]) - Get information about what user (SID) started a process.
 +
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] (By [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html Moyix]) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
 +
* [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html threadqueues] (By [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html Moyix]) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
 +
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_objtypescan-current.zip objtypescan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_file_objects.html Andreas Schuster]) - Lists open files by enumerating the _FILE_OBJECT structure. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
 +
* [http://computer.forensikblog.de/files/volatility_plugins/keyboardbuffer.py keyboardbuffer] (By [http://computer.forensikblog.de/en/2009/04/read_password_from_keyboard_buffer.html#more Andreas Schuster]) - Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
 +
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_mutantscan-current.zip mutantscan] (By [http://computer.forensikblog.de/en/2009/04/searching_for_mutants.html#more Andreas Schuster]) - Extracts mutexs from the Windows kernel
 +
* [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more symlinkobjscan] (By [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more Andreas Schuster]) - Extracts symbolic link objects from the Windows kernel
 +
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_driverscan-current.zip driverscan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_drivers.html#more Andreas Schuster]) - Scan for kernel _DRIVER_OBJECTs.
 +
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_fileobjscan-current.zip fileobjscan] (By [http://computer.forensikblog.de/en/2009/04/linking_file_objects_to_processes.html#more Andreas Schuster]) - File object -> process linkage, including hidden files.
  
[[Category:Tools]]
+
== Process Enumeration ==
  
=Bibliography=
+
* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (By [http://jessekornblum.livejournal.com/246616.html Jesse Kornblum]) - Identify "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower case drive letter as suspicious.
Current research papers on the file format identification problem. Most of these papers concern themselves with identifying file format of a few file sectors, rather than an entire file.
+
  
* Mason McDaniel, Automatic File Type Detection Algorithm, Masters Thesis, James Madison University,2001
+
== Output Formatting ==
  
* [http://www2.computer.org/portal/web/csdl/abs/proceedings/hicss/2003/1874/09/187490332a.pdf Content Based File Type Detection Algorithms], Mason McDaniel and M. Hossain Heydari, 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9, 2003.
+
* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] - Produces a tree-style listing of processes
 
+
* [http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html vol2html] - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.
* [http://www1.cs.columbia.edu/ids/publications/FilePrintPaper-revised.pdf Fileprints: identifying file types by n-gram analysis], LiWei-Jen, Wang Ke, Stolfo SJ, Herzog B..,  IProceeding of the 2005 IEEE workshop on information assurance; 2005 [http://www.itoc.usma.edu/workshop/2005/Papers/Follow%20ups/FilePrintPresentation-final.pdf [slides]]
+
 
+
* [http://ieeexplore.ieee.org/iel5/10992/34632/01652088.pdf  File type identification of data fragments by their binary structure. ], Karresand Martin, Shahmehri Nahid. Proceedings of the IEEE workshop on information assurance; 2006b. p. 140–7. [http://www.itoc.usma.edu/workshop/2006/Program/Presentations/IAW2006-07-3.pdf [slides]]
+
 
+
* [https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2007-19.pdf Using Artificial Neural Networks for Forensic File Type Identification], Ryan M. Harris, Master's Thesis, Purdue University, May 2007
+
 
+
* [http://www.dfrws.org/2008/proceedings/p14-calhoun.pdf Predicting the Types of File Fragments], William Calhoun, Drue Coles, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p14-calhoun_pres.pdf [slides]]
+
 
+
[[Category:Bibliography]]
+

Revision as of 09:16, 6 May 2009

The Volatility Framework was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.

Command Shell

  • volshell - Creates a python shell can be used with the framework.

Malware Detection

  • malfind (By Michael Hale Ligh) - Automates the process of finding and extracting (usually malicious) code injected into another process

Data Recovery

  • cryptoscan (By Jesse Kornblum) - Finds TrueCrypt passphrases
  • moddump (By [Moyix) - Dump out a kernel module (aka driver)
  • Registry tools (By Moyix) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
  • getsids (By Moyix) - Get information about what user (SID) started a process.
  • ssdt (By Moyix) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
  • threadqueues (By Moyix) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
  • objtypescan (By Andreas Schuster) - Lists open files by enumerating the _FILE_OBJECT structure. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
  • keyboardbuffer (By Andreas Schuster) - Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
  • mutantscan (By Andreas Schuster) - Extracts mutexs from the Windows kernel
  • symlinkobjscan (By Andreas Schuster) - Extracts symbolic link objects from the Windows kernel
  • driverscan (By Andreas Schuster) - Scan for kernel _DRIVER_OBJECTs.
  • fileobjscan (By Andreas Schuster) - File object -> process linkage, including hidden files.

Process Enumeration

  • suspicious (By Jesse Kornblum) - Identify "suspicious" processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.

Output Formatting

  • pstree - Produces a tree-style listing of processes
  • vol2html - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.