Volatility SQL Plugins
I modified the Volatility SQL output plugins (download link) slightly. I changed the schema in the dlllist_2.py plugin:
memory_plugins/dlllist_2.py
Table Name: dlls
pname Process name (changed)
pid Process ID
cmdline Command Line text
base Base Address
size Size
path Path of DLL
memimage Memory image information was extracted from
I also removed the Volatility files (vutils.py and commands.py) since there were two patches that address the items I changed in those files. So now all you have to do is download Volatility from the SVN and unzip the plugins like before.
For the more adventurous, the SQL rendering plugins have been incorporated into the experimental branch of Volatility (thank you Scudette!). You can download all branches with the following command:
svn checkout http://volatility.googlecode.com/svn/branches Vol_All
For the experimental branch (located in the experimental folder) you must have Python 2.6 installed.
Volatility User Manual
There is a new Volatility User Manual contributed to the VDP by Mark Morgan. It is a compilation of past VDP articles and blogposts and covers all public plugins to date. Shouts to Mark!
EnCase Enscripts + Volatility = Takahiro Haruyama's Memory Forensics Toolkit
Takahiro Haruyama has released a new version of his Memory Forensics Toolkit. I had played around with his previous version. Now there is no excuse for the EnCase reliant not to get in on memory forensics ;-) Shouts to Takahiro for making it easier for these users!
1 comment:
Awesome, thanks!
Post a Comment