Difference between pages "List of Volatility Plugins" and "Napatech"

From Forensics Wiki
= List of Volatility Plugins =

The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.

== Command Shell ==

* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] (By [http://moyix.blogspot.com/2008/08/indroducing-volshell.html Moyix]) - Creates a Python shell that can be used with the framework.

== Malware Detection ==

* [http://mhl-malware-scripts.googlecode.com/files/malfind.py malfind] (By [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html Michael Hale Ligh]) - Automates the process of finding and extracting (usually malicious) code injected into another process.
* [http://mhl-malware-scripts.googlecode.com/files/usermode_hooks.py usermode_hooks] (By [http://mnin.blogspot.com/2009/05/volatility-plug-in-for-iateatinline.html Michael Hale Ligh]) - Detects IAT/EAT/Inline rootkit hooks in usermode processes.

== Data Recovery ==

* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] (By [[Jesse Kornblum]]) - Finds [[TrueCrypt]] passphrases.
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] (By [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html Moyix]) - Dumps out a kernel module (aka driver).
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
* [http://www.cc.gatech.edu/%7Ebrendan/volatility/dl/volrip-0.1.tar.gz Modified Regripper & Glue Code] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux.
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] (By [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html Moyix]) - Gets information about which user (SID) started a process.
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] (By [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html Moyix]) - Lists entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
* [http://kurtz.cs.wesleyan.edu/%7Ebdolangavitt/memory/threadqueues.py threadqueues] (By [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html Moyix]) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_objtypescan-current.zip objtypescan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_file_objects.html Andreas Schuster]) - Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/keyboardbuffer.py keyboardbuffer] (By [http://computer.forensikblog.de/en/2009/04/read_password_from_keyboard_buffer.html#more Andreas Schuster]) - Extracts the keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_mutantscan-current.zip mutantscan] (By [http://computer.forensikblog.de/en/2009/04/searching_for_mutants.html#more Andreas Schuster]) - Extracts mutexes from the Windows kernel. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_symlinkobjscan-current.zip symlinkobjscan] (By [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more Andreas Schuster]) - Extracts symbolic link objects from the Windows kernel. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_driverscan-current.zip driverscan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_drivers.html#more Andreas Schuster]) - Scans for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_fileobjscan-current.zip fileobjscan] (By [http://computer.forensikblog.de/en/2009/04/linking_file_objects_to_processes.html#more Andreas Schuster]) - File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)

== Process Enumeration ==

* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (By [[Jesse Kornblum]]) - Identifies "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower case drive letter as suspicious.

== Output Formatting ==

* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] (By [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html Scudette]) - Produces a tree-style listing of processes.
* [http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html vol2html] (By [http://gleeda.blogspot.com/2008/11/vol2html-perl-script.html Jamie Levy AKA Gleeda]) - Converts Volatility output to HTML. Not technically a plugin, but useful nonetheless.

= Napatech =

Latest revision as of 02:55, 6 October 2009

Napatech is a leading OEM supplier of multi-port 10 GbE and 1 GbE intelligent adapters for real-time network analysis with over 40,000 Ethernet ports deployed. Napatech network adapters provide real-time packet capture and transmission with full line-rate throughput and zero packet loss no matter the packet size. Intelligent features enable off-load of data traffic processing and packet analysis normally performed in the CPU. This results in more processing power for the network monitoring, analysis, management, test, measurement, security or optimization application being supported. Napatech has sales, marketing and R&D offices in Mountain View, California, Andover, Massachusetts, and Copenhagen, Denmark.

Napatech network adapters can be synchronized with a variety of time sources, such as Global Positioning System (GPS), IEEE 1588v2, CDMA and Pulse Per Second (PPS) sources. This allows packets to be time-stamped with an accuracy of 50 nanoseconds. The time synchronization solution also allows Napatech adapters to be daisy-chained, so that a single time synchronization source can serve multiple adapters.

Napatech intelligent adapters can be used in the performance monitoring, test & measurement, security and optimization markets. The boards provide interception from 1 Gbps to 10 Gbps. Software is available for Linux, FreeBSD and Windows.

==See Also==

* www.napatech.com

[[Category:Vendors]]