MoVP II – 3.3 – Automated Linux/Android Bash History Scanning
by Volatility | May 31, 2013 | android, forensics, linux, movp, volatility
Recovering bash command history from Linux and Android memory dumps just got a lot easier. In previous releases of Volatility, extracting commands and the associated timestamps was possible, but with one caveat – you needed to know the offset into the /bin/bash...MoVP II – 3.2 – Linux/Android Memory Forensics with Python and Yara
by Volatility | May 30, 2013 | android, forensics, kernel, linux, movp, volatility
In this post we will describe the Linux volshell and yarascan plugins. In previous releases of Volatility, these plugins only supported Windows samples, but starting with 2.3 you can interactively explore your Linux memory dumps (from a Python shell) or scan process...MoVP II – 3.1 – Linux CheckTTY & KeyboardNotifier Plugins
by Volatility | May 29, 2013 | android, forensics, linux, malware, movp, volatility
In this post we will discuss two new plugins in Volatility 2.3 that were contributed by Joe Sylve @jtsylve of 504ensics. These plugins are used to detect the two kernel-level keylogging techniques presented in “Bridging the Semantic Gap to...MoVP II – 2.5 – New and Improved Windows Plugins
by Volatility | May 28, 2013 | forensics, kernel, malware, movp, volatility, windows
The Volatility 2.3 release will include several new and improved Windows plugins. This post will summarize their purpose, point you to additional information if they’ve been mentioned in previous blog posts, and show example usage scenarios for the...MoVP II – 2.4 – Reconstructing Master File Table (MFT) Entries
by Jamie Levy | May 24, 2013 | forensics, grrcon, movp, timelines, volatility, windows
Today’s blogpost will cover the new mftparser plugin for Volatility. As we demonstrated in the GRRCon Challenge writeup, this plugin can come in quite handy in an investigation and also played a small part in the last MoVP blogpost. Why This Plugin Was Created...
You must be logged in to post a comment.