List of Volatility Plugins
From Forensics Wiki
Revision as of 09:16, 6 May 2009 by Johnmccash
The Volatility Framework was designed to be extended by plugins. Here is a list of the published plugins for the framework. Note that none of these plugins are hosted on the wiki; all are on external sites.
Command Shell
- volshell - Creates a Python shell that can be used with the framework.
Malware Detection
- malfind (By Michael Hale Ligh) - Automates the process of finding and extracting (usually malicious) code injected into another process
Data Recovery
- cryptoscan (By Jesse Kornblum) - Finds TrueCrypt passphrases
- moddump (By Moyix) - Dump out a kernel module (aka driver)
- Registry tools (By Moyix) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
- getsids (By Moyix) - Get information about what user (SID) started a process.
- ssdt (By Moyix) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
- threadqueues (By Moyix) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
- objtypescan (By Andreas Schuster) - Lists open files by enumerating the _FILE_OBJECT structure. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
- keyboardbuffer (By Andreas Schuster) - Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
- mutantscan (By Andreas Schuster) - Extracts mutexes from the Windows kernel
- symlinkobjscan (By Andreas Schuster) - Extracts symbolic link objects from the Windows kernel
- driverscan (By Andreas Schuster) - Scan for kernel _DRIVER_OBJECTs.
- fileobjscan (By Andreas Schuster) - File object -> process linkage, including hidden files.
Process Enumeration
- suspicious (By Jesse Kornblum) - Identify "suspicious" processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.