Volatility Modules from the SANS Memory Forensics Poster


Posted on March 26, 2015 by

If you’re like me, you LOVE Volatility, the open source memory forensics tool.  One of the best features of Volatility is that it can be extended with user created plugins.  SANS recently released an amazing Memory Forensics Poster that listed some great plugins.  Many thanks to Alissa Torres and Jake Williams for created it.  Unfortunately, the poster didn’t give the exact location of the plugins.  Below is the list of plugins used in the poster, where to download them, and any prerequisites.

Mimikatz by Francesco Picasso

Blog Post: http://blog.digital-forensics.it/2014/03/mimikatz-offline-addendum_28.html

Download: https://github.com/dfirfpi/hotoloti/blob/master/volatility/mimikatz.py



Ethscan by Jamaal Speights

Blog Post: http://jamaaldev.blogspot.com/2013/07/ethscan-volatility-memory-forensics.html

Download: https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/ethscan.py

USNParser by Tom Spencer

Download: https://github.com/tomspencer/volatility/tree/master/usnparser

AutoRuns by Thomas Chopitea

Blog Post: http://tomchop.me/volatility-autoruns-plugin/

Download: https://github.com/tomchop/volatility-autoruns

Chrome/Mozilla Browser History by John Lassalle (superponible)

Blog Post for Chrome Plugin: http://blog.superponible.com/2014/08/31/volatility-plugin-chrome-history/

Blog Post for Firefox Plugin: http://blog.superponible.com/2014/08/31/volatility-plugin-firefox-history/

Download (lots of interesting plugins here): https://github.com/superponible/volatility-plugins


Leave a Reply

Your email address will not be published. Required fields are marked *