In previous diaries we have talked about memory forensics and how important it is.
In this diary I will talk about a new set of Volatility plugins called Forensic Suite, written by Dave Lasalle.
The suite has 14 plugins, and they cover different areas of memory forensics.
The Forensic Suite can be obtained from: http://downloads.volatilityfoundation.org/contest/2014/DaveLasalle_ForensicSuite.zip
In this diary I will talk about some of the plugins.
To test the firefoxhistory plugin, I first browsed the internet using Firefox, then closed it to see how much data the plugin could recover from a memory image acquired after Firefox was closed.
The firefoxhistory plugin parses places.sqlite from memory and shows the output either on the screen or, with the --output=csv option, in a CSV file. If you use the --output=csv option you can work with your data in spreadsheet software such as MS Excel.
Another Firefox forensics plugin is firefoxcookies; it parses cookies.sqlite from memory and writes the output to the screen or to a CSV file.
The Forensic Suite supports Chrome forensics as well; with the same syntax you can parse Chrome history, cookies and downloads from memory.
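The core of what firefoxhistory does, as an added example that is not code from the Forensic Suite or from this diary: carve SQLite files out of a raw memory buffer by their header, load the carved copy, query moz_places and emit CSV. The "memory image", the places database and the URLs in it are all constructed inline; the carver assumes the database is contiguous in memory, so a fragmented copy would need page-level reassembly that this example does not attempt.

```python
import csv, io, os, sqlite3, struct, tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def build_places_db():  # constructed stand-in for a Firefox places.sqlite, not a real profile
    fd, path = tempfile.mkstemp(suffix=".sqlite"); os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_date INTEGER)")
    con.executemany("INSERT INTO moz_places(url, title, visit_count, last_visit_date) VALUES (?,?,?,?)",
                    [("https://isc.sans.edu/", "SANS ISC", 3, 1418688000000000),
                     ("https://www.volatilityfoundation.org/", "Volatility", 1, 1418691600000000)])
    con.commit(); con.close()
    with open(path, "rb") as f: data = f.read()
    os.remove(path); return data

def carve_sqlite(image):  # every plausible SQLite file in a raw memory buffer (contiguous copies only)
    found, off = [], image.find(SQLITE_MAGIC)
    while off != -1:
        hdr = image[off:off + 100]  # the 100-byte database header
        if len(hdr) == 100:
            page_size = 65536 if hdr[16:18] == b"\x00\x01" else struct.unpack(">H", hdr[16:18])[0]
            change_ctr, page_count, valid_for = struct.unpack(">II", hdr[24:32]) + struct.unpack(">I", hdr[92:96])
            # Sanity checks: power-of-two page size in [512, 65536]; the in-header page count is
            # only trustworthy when the change counter equals the version-valid-for field (offset 92).
            if 512 <= page_size <= 65536 and not page_size & (page_size - 1) and page_count and change_ctr == valid_for:
                found.append(image[off:off + page_size * page_count])
        off = image.find(SQLITE_MAGIC, off + 1)
    return found

def history_from_image(image):  # carve each database and keep the moz_places rows if it has them
    rows = []
    for db in carve_sqlite(image):
        fd, path = tempfile.mkstemp(suffix=".sqlite"); os.close(fd)
        with open(path, "wb") as f: f.write(db)
        con = sqlite3.connect(path)
        try:
            rows += con.execute("SELECT url, title, visit_count, last_visit_date FROM moz_places ORDER BY id").fetchall()
        except sqlite3.DatabaseError: pass  # truncated copy or not a Firefox database: skip it
        finally:
            con.close(); os.remove(path)
    return rows

def to_csv(rows):  # the plugin's --output=csv idea: one line per visited URL
    buf = io.StringIO(); w = csv.writer(buf)
    w.writerow(["url", "title", "visit_count", "last_visit_date"]); w.writerows(rows)
    return buf.getvalue()

# Constructed "memory image": filler, a decoy header that fails the sanity checks, the database, filler.
IMAGE = b"\x90" * 777 + SQLITE_MAGIC + b"\x00" * 84 + b"A" * 300 + build_places_db() + b"\xff" * 512
```

Running `print(to_csv(history_from_image(IMAGE)))` prints the two constructed visits as CSV; the decoy header is rejected because its page size field is zero.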
JAVA IDX Parser:
Many malicious JAR files can be traced through IDX files, and the Forensic Suite has a plugin that scans memory for IDX files and parses them:
And here is the output
Dec 16th 2014