In previous diaries we have talked about memory forensics and how important it is.
In this diary I will talk about a new set of Volatility plugins called Forensic Suite, written by Dave Lasalle.
The suite has 14 plugins, covering different areas of memory forensics.
The Forensic Suite can be obtained from: http://downloads.volatilityfoundation.org/contest/2014/DaveLasalle_ForensicSuite.zip
In this diary I will talk about some of the plugins.
To test the firefoxhistory plugin, I first browsed the internet using Firefox and then closed it, to see how much data the plugin could recover from a memory image that I acquired after Firefox was closed.
The firefoxhistory plugin parses places.sqlite records out of memory and either shows the output on the screen or, with the --output=csv option, writes it to a CSV file. If you use the --output=csv option you can work with the data in spreadsheet software such as MS Excel.
vol.py --plugins=plugins/ --profile=Win7SP1x86 --output=csv -f sampleimage.raw firefoxhistory
vol.py --plugins=plugins/ --profile=Win7SP1x86 --output=csv -f sampleimage.raw firefoxcookies
vol.py --plugins=plugins/ --profile=Win7SP1x86 -f sampleimage.raw idxparser
Volatility Foundation Volatility Framework 2.4
Scanning for IDX files, this can take a while………….
[*] Section 1 (Metadata) found:
Content length: 1624
Last modified date: Tue, 01 Feb 2005 18:28:24 GMT (epoch: 1107282504)
Section 2 length: 270
[*] Section 2 (Download History) found:
: HTTP/1.1 200 OK
last-modified: Tue, 01 Feb 2005 18:28:24 GMT
date: Mon, 13 Feb 2012 04:21:28 GMT
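The idxparser output above reports Section 1 metadata (content length, last-modified date) and the Section 2 header pairs. As an added example, not part of this diary or of the Forensic Suite, here is a minimal Python parser for those two sections, run on a constructed IDX byte string; the Section 1 field order and the Section 2 offset of 128 are my understanding of the Java 6.05 IDX layout and are an assumption here, and the URL in the sample is a made-up placeholder.

```python
import struct
import time

# Assumed Java 6.05 IDX Section 1 layout (big-endian); this layout is an assumption
# of the example: busy(1) incomplete(1) cache_version(4) is_shortcut_image(1)
# content_length(4) last_modified(8) expire(8) validation(8) known_signed(1)
# sec2_len(4) sec3_len(4) sec4_len(4) sec5_len(4). Section 2 assumed at offset 128.
SEC1_FMT = ">BBiBiqqqBiiii"
SEC2_OFFSET = 128

def read_utf(buf, pos):
    """Java-style UTF string: 2-byte big-endian length prefix, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    start = pos + 2
    return buf[start:start + n].decode("utf-8", "replace"), start + n

def parse_idx(buf):
    """Return Section 1 metadata, the cached URL and the Section 2 header pairs."""
    f = struct.unpack_from(SEC1_FMT, buf, 0)
    meta = {"content_length": f[4],
            "last_modified": f[5] // 1000,  # Java milliseconds -> epoch seconds
            "section2_len": f[9]}
    pos = SEC2_OFFSET
    _version, pos = read_utf(buf, pos)
    url, pos = read_utf(buf, pos)
    _namespace, pos = read_utf(buf, pos)
    (count,) = struct.unpack_from(">i", buf, pos)
    pos += 4
    headers = []
    for _ in range(count):  # key/value pairs; the HTTP status line carries an empty key
        key, pos = read_utf(buf, pos)
        val, pos = read_utf(buf, pos)
        headers.append((key, val))
    return meta, url, headers

def fmt_http_date(epoch):
    # Render an epoch timestamp the way the plugin output above shows it
    return time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime(epoch))

def build_sample():
    """Constructed sample IDX bytes (not a real cache file) mirroring the diary's output."""
    def utf(s):
        b = s.encode()
        return struct.pack(">H", len(b)) + b
    sec2 = (utf("1.1") + utf("http://example.invalid/app.jar") + utf("")
            + struct.pack(">i", 2) + utf("") + utf("HTTP/1.1 200 OK")
            + utf("last-modified") + utf("Tue, 01 Feb 2005 18:28:24 GMT"))
    sec1 = struct.pack(SEC1_FMT, 0, 0, 605, 0, 1624, 1107282504 * 1000,
                       0, 0, 0, len(sec2), 0, 0, 0)
    return sec1 + b"\x00" * (SEC2_OFFSET - len(sec1)) + sec2
```

Running `parse_idx(build_sample())` yields the same content length, last-modified date and header lines as the Section 1 and Section 2 output shown above.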
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.