Volatility/plugins

From aldeid

Description

This page lists some useful Volatility plugins.

hashdump

Description
Dump password hashes
Installation
Native plugin, no need to install.
Example
$ volatility -f dump --profile=Win7SP1x86 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:57e82f46aff390080f143c09ab2c5b68:::
info:1002:aad3b435b51404eeaad3b435b51404ee:dc3817f29d2199446639538113064277:::
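As an added example (not part of the aldeid page or of Volatility itself), a small Python parser for hashdump's pwdump-style lines that flags accounts whose NT hash is the well-known empty-password hash, and accounts that still store a real LM hash; the sample input is the four lines shown above.

```python
import re

# Well-known constants (not from the page): the NT hash of an empty password,
# and the LM value hashdump prints when no LM hash is stored at all
# (the default on Vista and later, where LM hashing is disabled).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:RID:LM:NT::: as printed by the hashdump plugin
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text):
    """Parse hashdump output into a list of dicts, skipping the banner and blank lines."""
    accounts = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue  # banner line ("Volatility Foundation ...") or noise
        accounts.append({
            "user": m.group("user"),
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
        })
    return accounts


def triage(accounts):
    """Return (users with a blank password, users that still have an LM hash stored)."""
    blank = [a["user"] for a in accounts if a["nt"] == EMPTY_NT]
    lm_stored = [a["user"] for a in accounts if a["lm"] != EMPTY_LM]
    return blank, lm_stored


# Constructed sample: the hashdump output quoted on this page.
SAMPLE = """Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:57e82f46aff390080f143c09ab2c5b68:::
info:1002:aad3b435b51404eeaad3b435b51404ee:dc3817f29d2199446639538113064277:::
"""

if __name__ == "__main__":
    blank, lm_stored = triage(parse_hashdump(SAMPLE))
    print("blank password:", blank)      # Administrator and Guest
    print("LM hash stored:", lm_stored)  # none in this dump
```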

Clipboard

Description
Extract the contents of the Windows clipboard
Installation
Native plugin, no need to install.
Example
$ volatility -f dump --profile=Win7SP1x86 clipboard
Volatility Foundation Volatility Framework 2.6
Session    WindowStation Format                 Handle Object     Data                                              
---------- ------------- ------------------ ---------- ---------- --------------------------------------------------
         1 WinSta0       CF_UNICODETEXT        0xd02d1 0xffbb3fb0 R3sqdl************opFFLe9sAsx                  
         1 WinSta0       CF_LOCALE             0x802d9 0xff9d1af8                                                   
         1 WinSta0       CF_TEXT                   0x1 ----------                                                   
         1 WinSta0       CF_OEMTEXT                0x1 ----------               

mimikatz

Description
Installation
Example

TrueCrypt

truecryptmaster

Description
Recover TrueCrypt 7.1a Master Keys
Installation
Native plugin (tcaudit.pyc). No install needed.
Example

truecryptpassphrase

Description
TrueCrypt Cached Passphrase Finder
Installation
Native plugin (tcaudit.pyc). No install needed.
Example
$ volatility -f dump --profile=Win7SP1x86 truecryptpassphrase
Volatility Foundation Volatility Framework 2.6
Found at 0x87433e44 length 32: R3sqdl3************FFLe9sAsx

truecryptsummary

Description
TrueCrypt Summary
Installation
Native plugin (tcaudit.pyc). No install needed.
Example
$ volatility -f dump --profile=Win7SP1x86 truecryptsummary
Volatility Foundation Volatility Framework 2.6
Registry Version     TrueCrypt Version 7.0a
Password             R3sqdl***************FLe9sAsx at offset 0x87433e44
Process              TrueCrypt.exe at 0x84e27030 pid 3224
Service              truecrypt state SERVICE_RUNNING
Kernel Module        truecrypt.sys at 0x87400000 - 0x87437000
Symbolic Link        Volume{a4cc2add-7b2c-11e6-b853-0800271fb50b} -> \Device\TrueCryptVolumeF mounted 2016-09-15 10:11:42 UTC+0000
Driver               \Driver\truecrypt at 0x1ee1d700 range 0x87400000 - 0x87436980
Device               TrueCrypt at 0x84e1dc90 type FILE_DEVICE_UNKNOWN

bitlocker

Description
Extract bitlocker key from memory
More info here
Installation
$ wget https://raw.githubusercontent.com/tribalchicken/volatility-bitlocker/master/bitlocker.py -O /opt/volatility/plugins/bitlocker.py
Example
$ volatility -f memory.dmp --profile=Win7SP1x64 bitlocker
Volatility Foundation Volatility Framework 2.6
Address            Cipher                           FVEK                                                             TWEAK Key                                                       
------------------ -------------------------------- ---------------------------------------------------------------- ----------------------------------------------------------------
0x0000fa80018be720 AES 128-bit with Diffuser        e7e57****************e711c778da2                                 b72f4e075edb****************9652

lastpass

Description
Installation
Example