Tuesday, September 13, 2011

Volatility 2.0: Timeliner, RegistryAPI, evtlogs and more

Back in July I gave a talk at OMFW about extracting timeline data from a memory sample using the Volatility framework. Now it is time to release the plugins that accompanied that talk.

Along with the plugins I have included a whitepaper on how they were created and used. It is released mainly in the hope that people will see how to use the framework and be able to write their own plugins or extend existing ones.

I have included all these plugins in a zip file:

$ unzip -l timeliner_9-2011.zip
Archive:  timeliner_9-2011.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
    14455  09-28-11 14:40   volatility/plugins/timeliner.py
    10789  09-27-11 09:24   volatility/plugins/evtlogs.py
   147458  09-09-11 11:03   volatility/plugins/malware.py
    13559  09-22-11 19:09   volatility/plugins/registryapi.py
     8554  09-18-11 21:33   volatility/plugins/getsids.py
    40993  09-22-11 16:29   volatility/plugins/getservicesids.py
 --------                   -------
   235808                   6 files

  • evtlogs.py: plugin to parse Evt logs from XP/2K3
  • registryapi.py: plugin for routine registry actions
  • getservicesids.py: plugin to collect and calculate service SIDs (used with the new getsids and evtlogs)
  • timeliner.py: the timeline creating script that pulls everything together
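As an added illustration of the service SID calculation that getservicesids.py performs (example code written for this post, not the plugin's own source): Windows derives a service's SID deterministically from the service name, so a SID table can be rebuilt offline from the names under the Services registry key and used to resolve SIDs seen in event records or process tokens. The helper names and the sample service list are my own.

```python
import hashlib
import struct


def service_sid(service_name):
    """Return the well-known service SID (S-1-5-80-...) for a Windows service.

    Windows derives a service's SID deterministically: the service name is
    upper-cased, encoded as UTF-16LE, hashed with SHA-1, and the 20-byte
    digest is split into five little-endian 32-bit sub-authorities that are
    appended to the S-1-5-80 prefix (SECURITY_SERVICE_ID_BASE_RID = 80).
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    sub_authorities = struct.unpack("<5I", digest)
    return "S-1-5-80-" + "-".join(str(n) for n in sub_authorities)


def build_sid_table(service_names):
    """Map each computed service SID back to its service name so a SID found
    in an event record or a process token can be turned into a readable name."""
    return {service_sid(name): name for name in service_names}


def resolve_sid(sid, table):
    """Return 'NT SERVICE\\<name>' for a known service SID, else the raw SID."""
    name = table.get(sid)
    return "NT SERVICE\\" + name if name else sid


# Constructed sample: a few service key names as they would appear under
# HKLM\SYSTEM\CurrentControlSet\Services; in a real run the registry
# plugins would supply this list from the memory image.
SAMPLE_SERVICES = ["TrustedInstaller", "wuauserv", "Spooler"]

if __name__ == "__main__":
    table = build_sid_table(SAMPLE_SERVICES)
    for sid, name in table.items():
        print(sid, "->", name)
    # Resolve a SID as it might be pulled from a constructed event record.
    print(resolve_sid(service_sid("wuauserv"), table))
```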

MHL's malware plugins (malware.py) are included only for convenience. You can also download them from his repository and check there for updates.

I would like to thank MHL and AW for their valuable feedback and Bertha M for extensive testing of the timeliner plugins. The links to the paper and plugins are below:

Timeliner Release Documentation (PDF)

timeliner plugins (ZIP)

Note: Any updates to these plugins will appear in my github repository first.