Difference between pages "List of Volatility Plugins" and "Adroit Photo Forensics"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Process Enumeration)
 
(Created page with '{{Infobox_Software | name = Adroit Photo Forensics (APF) | company = Digital Assembly | os = {{Windows}} | genre = {{Analysis}} | license = {{Commercial}} | websi…')
 
Line 1: Line 1:
The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.
+
{{Infobox_Software |
 +
  name = Adroit Photo Forensics (APF) |
 +
  company = [[Digital Assembly]] |
 +
  os = {{Windows}} |
 +
  genre = {{Analysis}} |
 +
  license = {{Commercial}} |
 +
  website = [http://www.digital-assembly.com/products digital-assembly.com] |
 +
}}
  
== Command Shell ==
+
'''Adroit Photo Forensics''' ('''APF''') is a commercial forensic software package distributed by [[Digital Assembly]].
* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] (By [http://moyix.blogspot.com/2008/08/indroducing-volshell.html Moyix])- Creates a python shell can be used with the framework.
+
It specializes in the recovery and analysis of digital photographs.
  
== Malware Detection ==
+
=Features=
* [http://mhl-malware-scripts.googlecode.com/files/malfind.py malfind] (By [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html Michael Hale Ligh]) - Automates the process of finding and extracting (usually malicious) code injected into another process
+
* [http://mhl-malware-scripts.googlecode.com/files/usermode_hooks.py usermode_hooks] (By [http://mnin.blogspot.com/2009/05/volatility-plug-in-for-iateatinline.html Michael Hale Ligh]) - Detect IAT/EAT/Inline rootkit hooks in usermode processes
+
  
== Data Recovery ==
+
Adroit Photo Forensics can parse a number of filesystems, including [[FAT]] 12/16/32, [[NTFS]], [[HFS]], and [[HFS]]. It can
 +
read from [[EnCase]] as well as raw/[[dd]] images.
  
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] (By [[Jesse Kornblum]]) - Finds [[TrueCrypt]] passphrases
+
It is best known for implementing the [[File_Carving:SmartCarving|SmartCarving]] and [[File_Carving:SmartCarving|GuidedCarving]]
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] (By [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html Moyix]) - Dump out a kernel module (aka driver)
+
algorithms to recover fragmented photos.  
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
+
* [http://www.cc.gatech.edu/%7Ebrendan/volatility/dl/volrip-0.1.tar.gz Modified Regripper & Glue Code] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux.
+
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] (By [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html Moyix]) - Get information about what user (SID) started a process.
+
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] (By [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html Moyix]) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
+
* [http://kurtz.cs.wesleyan.edu/%7Ebdolangavitt/memory/threadqueues.py threadqueues] (By [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html Moyix]) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_objtypescan-current.zip objtypescan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_file_objects.html Andreas Schuster]) - Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
+
* [http://computer.forensikblog.de/files/volatility_plugins/keyboardbuffer.py keyboardbuffer] (By [http://computer.forensikblog.de/en/2009/04/read_password_from_keyboard_buffer.html#more Andreas Schuster]) - Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_mutantscan-current.zip mutantscan] (By [http://computer.forensikblog.de/en/2009/04/searching_for_mutants.html#more Andreas Schuster]) - Extracts mutexes from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_symlinkobjscan-current.zip symlinkobjscan] (By [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more Andreas Schuster]) - Extracts symbolic link objects from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_driverscan-current.zip driverscan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_drivers.html#more Andreas Schuster]) - Scan for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_fileobjscan-current.zip fileobjscan] (By [http://computer.forensikblog.de/en/2009/04/linking_file_objects_to_processes.html#more Andreas Schuster]) - File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
+
  
== Process Enumeration ==
+
== Exif ==
  
* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (By [[Jesse Kornblum]]) - Identify "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower case drive letter as suspicious.
+
Adroit Photo Forensics also parses exif data and can be used to view and group files based on exif date stamps instead of
 +
file system date stamps. APF also includes a full zoomable time-line viewer based on exif and file system date stamps.  
  
== Output Formatting ==
+
== Other Features ==
  
* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] (By [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html Scudette]) - Produces a tree-style listing of processes
+
Adroit Photo Forensics interface is optimized for the display of photos. APF also include grouping and sorting options that are
* [http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html vol2html] (By [http://gleeda.blogspot.com/2008/11/vol2html-perl-script.html Jamie Levy AKA Gleeda]) - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.
+
photo relevant.
 +
 
 +
== External Links ==
 +
 
 +
[http://digital-assembly.com/products/adroit-photo-forensics/ Adroit Photo Forensics Product Information]

Revision as of 13:57, 26 October 2009

Adroit Photo Forensics (APF)
Maintainer: {{{maintainer}}}
OS: Windows
Genre: Analysis
License: Commercial
Website: digital-assembly.com

Adroit Photo Forensics (APF) is a commercial forensic software package distributed by Digital Assembly. It specializes in the recovery and analysis of digital photographs.

Features

Adroit Photo Forensics can parse a number of filesystems, including FAT 12/16/32, NTFS, HFS, and HFS. It can read from EnCase as well as raw/dd images.

It is best known for implementing the SmartCarving and GuidedCarving algorithms to recover fragmented photos.

Exif

Adroit Photo Forensics also parses exif data and can be used to view and group files based on exif date stamps instead of file system date stamps. APF also includes a full zoomable time-line viewer based on exif and file system date stamps.

Other Features

Adroit Photo Forensics interface is optimized for the display of photos. APF also include grouping and sorting options that are photo relevant.

External Links

Adroit Photo Forensics Product Information