MoVP II – 2.5 – New and Improved Windows Plugins
by Volatility | May 28, 2013 | forensics, kernel, malware, movp, volatility, windows
The Volatility 2.3 release will include several new and improved Windows plugins. This post will summarize their purpose, point you to additional information if they’ve been mentioned in previous blog posts, and show example usage scenarios for the...

MoVP II – 2.4 – Reconstructing Master File Table (MFT) Entries
by Jamie Levy | May 24, 2013 | forensics, grrcon, movp, timelines, volatility, windows
Today’s blog post will cover the new mftparser plugin for Volatility. As we demonstrated in the GRRCon Challenge writeup, this plugin can come in quite handy in an investigation and also played a small part in the last MoVP blog post. Why This Plugin Was Created...

MoVP II – 2.3 – Creating Timelines with Volatility
by Jamie Levy | May 23, 2013 | forensics, grrcon, malware, movp, timelines, windows
A common computer forensic investigative methodology is creating timelines. Timelines help establish events that took place on the machine prior to investigation. There are various artifacts in Windows memory that can be used to construct a timeline....

MoVP II – 2.2 – Unloaded Windows Kernel Modules
by Volatility | May 22, 2013 | forensics, kernel, malware, movp, volatility, windows
Sometimes knowing which kernel modules recently unloaded can be as valuable as knowing which ones loaded. Windows keeps a record of drivers that unload for debugging purposes – in particular to help analyze failures in the attempt to call unloaded code. If...

MoVP II – 2.1 – RSA Private Keys and Certificates
by Volatility | May 21, 2013 | malware, movp, volatility, windows
Those of you who downloaded the Volatility Cheat Sheet v2.3 may have noticed a plugin named dumpcerts, which is a relatively new addition to the plugin scene for Windows. It’s based on the work by Tobias Klein called Extracting RSA private keys and certificates from...