Skip to content
Volatility memory forensics plugin for extracting Windows DNS Cache
Python
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
tools added tool to extract pdb info from command line Feb 12, 2017
.gitignore Initial checkin. Feb 2, 2017
BUGS.md
CONTRIBUTING.md Update CONTRIBUTING.md Feb 15, 2017
LICENSE fixed some email addresses. Feb 15, 2017
README.md doc update (BUGS.md) Feb 15, 2017
dnscache.py Fixed a retry on GUID in lower case when symbols servers serves the f… Mar 13, 2017

README.md

dnscache

dnscache is a plugin for the Volatility Memory Forensics Platform to extract the Windows DNS Resolver Cache.

The plugin will try to download the .pdb file from microsoft for the dnsrslvr.dll. This behavior can be avoided by providing the file your self.

Usage

  Options:
      --proxy_server=PROXY_SERVER
                          Use this proxy to download .PDB file
      -D DUMP_DIR, --dump_dir=DUMP_DIR
                          Dump directory for .PDB file
      --symbols=http://msdl.microsoft.com/download/symbols
                          Server to download .PDB file from
      --pdb_file=PDB_FILE
                          Allows you to download the .PDB file off system and
                          provide the reference on the command line
      --cabextract=cabextract
                          Provide path to the cabextract system utility
      --dll_file=DLL_FILE
                          Provide dnsrslvr.dll from the file system.

The plugin will provide more information if the volatility --verbose flag is set (among other things, this will output the download link for the .pdb file if the dnsrslvr.dll is not paged)

% vol.py --verbose dnscache -D dump/

Installation

Copy the dnscache.py to your plugins directory or point volatility to your checkout directory

e.g.

% vol.py --plugins=/home/geir/src/dnscache dnscache

Requirements

  • construct (pdbparse dependency) (Feb. 12 2017, see BUGS.md)
  • pefile
  • pdbparse
  • requests
  • cabextract (system utility)

Known issues

See the BUGS.md file.

Contributing

See the CONTRIBUTING.md file.

Credits

REFERENCES:

  1. Cohen, M. (2014). The Windows User mode heap and the DNS resolver cache. Retrieved from: http://www.rekall-forensic.com/posts/2014-12-20-usermode-heap.html
  2. Cohen, M. (2014). Source code for Module rekall.plugins.windows.dns Retrieved from: http://www.rekall-forensic.com/epydocs/rekall.plugins.windows.dns-pysrc.html
  3. Pulley, C. (2013). Source code for Module symbols.py (volatility community plugins) Retrieved from: https://github.com/carlpulley/volatility/blob/master/symbols.py
  4. Ligh, M., Case, A., Levy, J. & Walters, A. (2014). The Art of Memory Forensics.
  5. Levy, J. (2015). dns cache plugin #201 (Volatility Issiues) Retrieved from: https://github.com/volatilityfoundation/volatility/issues/201

License

dnscache is released under the ISC License. See the bundled LICENSE file for details.

You can’t perform that action at this time.