Volatility plugins created by the author
Python
Branch: master
Latest commit ca4b269 Oct 2, 2015
Name             Latest commit message           Commit time
LICENSE          Initial commit                  Sep 7, 2014
README.md        Formatting                      Oct 2, 2015
baseline.py
indx.py          Correct version of the plugin   Sep 28, 2015
logfile.py       Fixed plugin description        Oct 2, 2015
malprocfind.py   Bugfixes, restructured output   Oct 28, 2014
usnjrnl.py       Text output optimisation        Oct 2, 2015

README.md

Volatility plugins created by the author

The plugins published here can be used with Volatility v2.4.

BASELINE plugin suite

PROCESSBL A plugin that compares the running processes in 2 memory images
  • can be used to detect newly started processes
  • can be used to detect newly loaded DLLs

SERVICESBL A plugin that compares the services in 2 memory images
  • can be used to detect modification of service configuration
  • can be used to detect newly installed services

DRIVERBL A plugin that compares the kernel drivers in 2 memory images
  • can be used to detect newly installed / loaded drivers

MALPROCFIND

A plugin that searches for malicious processes based on predefined rules.

Output types: text

INDX

A plugin that carves for and parses INDX ($I30) entries

Output types: text, body

USNJRNL

A plugin that carves for and parses USNJRNL ($J) entries

Output types: text, body
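To make concrete what "carves for and parses USNJRNL ($J) entries" with text and body output involves, here is an added example written for this page; it is not the repository's usnjrnl.py and does not reproduce its logic. It scans a raw byte buffer for plausible USN_RECORD_V2 structures (the change-journal record layout documented by Microsoft), rejects byte runs that fail the structural checks, and renders hits either as one text line per record or as a mactime body line. The sample buffer, the decoy record, and the choice to put the single journal timestamp into all four body-file time columns are constructed for the demonstration.

```python
# Added example (not the repository's usnjrnl.py): carve USN_RECORD_V2 entries
# from a raw buffer and render them as text or mactime "body" lines.
import struct
from datetime import datetime, timezone

# USN_RECORD_V2 header: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset -> 60 bytes, little-endian.
USN_V2_HEADER = struct.Struct("<IHHQQQQIIIIHH")
EPOCH_DIFF_100NS = 116444736000000000  # 1601-01-01 to 1970-01-01 in 100 ns ticks

# Reason flags, listed ascending so decoded names come out in bit order.
USN_REASONS = {
    0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
    0x10: "NAMED_DATA_OVERWRITE", 0x20: "NAMED_DATA_EXTEND", 0x40: "NAMED_DATA_TRUNCATION",
    0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x400: "EA_CHANGE", 0x800: "SECURITY_CHANGE",
    0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x4000: "INDEXABLE_CHANGE",
    0x8000: "BASIC_INFO_CHANGE", 0x10000: "HARD_LINK_CHANGE", 0x20000: "COMPRESSION_CHANGE",
    0x40000: "ENCRYPTION_CHANGE", 0x80000: "OBJECT_ID_CHANGE", 0x100000: "REPARSE_POINT_CHANGE",
    0x200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}
KNOWN_REASON_MASK = sum(USN_REASONS)

def filetime_to_unix(ft):
    """Windows FILETIME (100 ns ticks since 1601) to seconds since the Unix epoch."""
    return (ft - EPOCH_DIFF_100NS) / 10_000_000

def decode_reasons(reason):
    names = [n for bit, n in USN_REASONS.items() if reason & bit]
    if reason & ~KNOWN_REASON_MASK:
        names.append("UNKNOWN_0x%08X" % (reason & ~KNOWN_REASON_MASK))
    return "|".join(names)

def parse_usn_v2(buf, off):
    """Parse one record at buf[off]; None if it fails the checks that separate
    a genuine V2 record from arbitrary memory contents."""
    if off + USN_V2_HEADER.size > len(buf):
        return None
    (rec_len, major, minor, file_ref, parent_ref, usn, ts, reason,
     source, sec_id, attrs, name_len, name_off) = USN_V2_HEADER.unpack_from(buf, off)
    if major != 2 or minor != 0:
        return None
    if rec_len < USN_V2_HEADER.size or rec_len % 8 or off + rec_len > len(buf):
        return None  # records are 8-byte aligned and must fit in the buffer
    if name_off != USN_V2_HEADER.size or name_len == 0 or name_len % 2 or name_off + name_len > rec_len:
        return None  # a V2 file name starts right after the 60-byte header
    name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
    if "\ufffd" in name or not name.isprintable():
        return None  # not a plausible file name
    return {"offset": off, "record_length": rec_len, "usn": usn, "timestamp": ts,
            "mft_entry": file_ref & 0xFFFFFFFFFFFF, "mft_seq": file_ref >> 48,
            "parent_entry": parent_ref & 0xFFFFFFFFFFFF, "parent_seq": parent_ref >> 48,
            "reason": reason, "reasons": decode_reasons(reason), "source_info": source,
            "security_id": sec_id, "attributes": attrs, "filename": name}

def carve_usn_v2(buf, stride=8):
    """Scan buf at 8-byte alignment; on a hit skip past the record, else step on."""
    off, records = 0, []
    while off + USN_V2_HEADER.size <= len(buf):
        rec = parse_usn_v2(buf, off)
        if rec is None:
            off += stride
        else:
            records.append(rec)
            off += rec["record_length"]
    return records

def to_text(rec):
    when = datetime.fromtimestamp(filetime_to_unix(rec["timestamp"]), timezone.utc)
    return "%s USN=%d MFT=%d/%d Parent=%d/%d %s %s" % (
        when.strftime("%Y-%m-%d %H:%M:%S"), rec["usn"], rec["mft_entry"], rec["mft_seq"],
        rec["parent_entry"], rec["parent_seq"], rec["filename"], rec["reasons"])

def to_body(rec):
    """TSK body line: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime. Convention
    chosen here (an assumption): the one USN timestamp fills all four time columns."""
    ts = int(filetime_to_unix(rec["timestamp"]))
    name = "[USN %d] %s (%s)" % (rec["usn"], rec["filename"], rec["reasons"].replace("|", ","))
    return "0|%s|%d|0|0|0|0|%d|%d|%d|%d" % (name, rec["mft_entry"], ts, ts, ts, ts)

def build_usn_v2(name, usn, reason, unix_ts, mft_entry, mft_seq, parent_entry, parent_seq):
    """Construct a V2 record; used only to build the constructed sample buffer."""
    enc = name.encode("utf-16-le")
    length = USN_V2_HEADER.size + len(enc)
    length += (-length) % 8  # pad to 8-byte alignment
    hdr = USN_V2_HEADER.pack(length, 2, 0, (mft_seq << 48) | mft_entry, (parent_seq << 48) | parent_entry,
                             usn, unix_ts * 10_000_000 + EPOCH_DIFF_100NS, reason, 0, 0, 0x20,
                             len(enc), USN_V2_HEADER.size)
    return (hdr + enc).ljust(length, b"\x00")

# Constructed sample: two records around filler bytes and a decoy whose version field is wrong.
DECOY = struct.pack("<IHH", 88, 1, 0) + b"\x00" * 56
SAMPLE_BUFFER = (b"\xAA" * 16
                 + build_usn_v2("report.docx", 4096, 0x100 | 0x80000000, 1443787200, 4321, 7, 5, 5)
                 + DECOY
                 + build_usn_v2("notes.txt", 8192, 0x2000 | 0x80000000, 1443787260, 4322, 2, 5, 5)
                 + b"\x00" * 24)

if __name__ == "__main__":
    for rec in carve_usn_v2(SAMPLE_BUFFER):
        print(to_text(rec))
        print(to_body(rec))
```

The structural checks (version 2.0, 8-byte-aligned length that fits the buffer, name offset equal to the header size, even name length, decodable printable UTF-16LE name) are what keep a carver from flooding its output with false hits when run over a whole memory image; the decoy in the sample buffer shows one such rejection. Body output is handed to mactime to merge journal events with the timeline from other plugins.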

LOGFILE

A plugin that carves for and parses $Logfile entries. It will process the following entry types:

  • UPDATE FILENAME ALLOCATION (Partial FILENAME Attributes)
  • ADD INDEX ENTRY ALLOCATION (INDX Records)
  • DELETE INDEX ENTRY ALLOCATION (INDX Records)
  • INITIALIZE FILE RECORD SEGMENT (MFT FILE0 Records)
  • DEALLOCATE FILE RECORD SEGMENT (MFT FILE0 Records)

Output types: text, body
