MoVP 3.4: Recovering tagCLIPDATA: What’s In Your Clipboard?
by Volatility | Sep 27, 2012 | forensics, kernel, malware, movp, volatility, windows
Month of Volatility Plugins

Determining what’s in a computer’s clipboard can be a valuable resource. If you remember from MoVP 1.1 Logon Sessions, Processes, and Images, we traced an RDP user’s actions by dumping his command history and making note of the FTP...

MoVP 3.3 Analyzing USER Handles and the Win32k.sys Gahti
by Volatility | Sep 26, 2012 | forensics, kernel, malware, movp, volatility, windows
Month of Volatility Plugins

Since the early days of memory forensics, tools have analyzed kernel/executive objects such as processes, threads, mutexes, open files, and registry keys. In fact, I would consider that a basic capability of any framework. One thing that...

MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes
by Jamie Levy | Sep 25, 2012 | forensics, movp, registry, volatility, windows
HowTo: Scan for Internet Cache/History and URLs
by Volatility | Sep 24, 2012 | forensics, malware, volatility, windows
This post will describe how you can leverage the flexibility of the Volatility framework to locate IE history from Windows memory dumps. Such artifacts have traditionally not been a priority, because the data is in user-mode (i.e. index.dat mappings) and...