Volatility Plugins for File Use & Knowledge (FU&K) investigations.
This week I cover my favorite Volatility plugins for File Use & Knowledge (FU&K) investigations: the ones that pull from memory the same evidence an examiner usually goes after in a dead-box exam.
Volatility Plugins for FU&K
This plugin scans memory for potential Master File Table (MFT) entries and prints selected attributes from each. It is ideal for obtaining, from memory alone, a list of every file on the system along with its directory, so you can search for prefetch files (.pf), files in specific directories, and files matching particular naming formats.
Shimcache data can be used to list executables on a system. It is useful for showing whether certain programs existed on the system (even if since deleted) and the file paths they resided in.
This plugin parses Shellbag data from the registry, which can be used to help reconstruct file-system traversal activity.
UserAssist data shows programs executed on a Windows machine, complete with run count and the date and time of last execution.
This plugin recovers fragments of IE history index.dat cache files, which also contain Windows Explorer records of files accessed by a user.
USBStor – by James Hall and Kevin Breen
The USBStor plugin scans registry hives for values relating to USB devices plugged into the system under investigation. Instead of the analyst having to manually examine each relevant key (USBSTOR, USB, MountedDevices, etc.), the plugin returns all available information about previously connected USB devices in one easy-to-digest, collated format. This greatly reduces analysis time and the risk of transcription errors or overlooked entries. The plugin’s output contains details such as USB serial number, vendor and product info, container ID, mounted volume name, drive letter, USB friendly name, the last connection timestamp, and more.
Volatility Command Reference: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
This plugin creates a timeline from various artifacts in memory. Notable artifacts for FU&K include:
PE Timestamps (TimeDateStamp)
IE History (IEHistory)
Embedded registry (filters below)
Symbolic links (Symlink)
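Once the timeline plugin has exported its output, the next step is usually to pull out just the FU&K-relevant artifacts and order them. The script below is an added example, not code from the original post or from the Volatility project: it parses the mactime "body" layout (md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime) that the timeline plugin can emit, keeps only entries whose bracketed artifact tag is on an allow-list, and sorts them by time. The tag names in FUK_TAGS and all sample lines are constructed for illustration; adjust the allow-list to the tags your Volatility version actually writes.

```python
"""Filter and sort a body-format timeline export by artifact type.

Added example (not from the original post). Assumes the mactime body layout:
    md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
where the name field begins with a bracketed artifact tag such as [PROCESS].
SAMPLE_BODY and the tag names below are constructed, not real case data.
"""
import re
from datetime import datetime, timezone

# Constructed sample of five body lines plus one malformed line.
SAMPLE_BODY = r"""0|[PROCESS] explorer.exe PID: 1234/PPID: 1000/POffset: 0x0000000001e00000|0|---------------|0|0|0|1400000000|1400000000|1400000000|1400000000
0|[PE HEADER (exe)] evil.exe Process: evil.exe/PID: 4321|0|---------------|0|0|0|1300000000|1300000000|1300000000|1300000000
0|[IEHISTORY] explorer.exe->Visited: user@file:///C:/Users/user/Desktop/secret.docx PID: 1234|0|---------------|0|0|0|1400000300|1400000300|1400000300|1400000300
0|[SYMLINK] \??\E: -> \Device\HarddiskVolume3 POffset: 0x0000000002a00000|0|---------------|0|0|0|1400000200|1400000200|1400000200|1400000200
0|[REGISTRY] \??\C:\Users\user\ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist|0|---------------|0|0|0|1400000100|1400000100|1400000100|1400000100
this line is garbage and must be skipped
"""

# Artifact tag prefixes of interest for File Use & Knowledge work (assumed names;
# treat this as a configurable allow-list, not a fixed API).
FUK_TAGS = ("PE HEADER", "IEHISTORY", "SYMLINK", "REGISTRY")

TAG_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s*(?P<desc>.*)$")


def parse_body_line(line):
    """Split one body line into tag, description and UTC time; None if malformed."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        return None
    match = TAG_RE.match(fields[1])
    if not match:
        return None
    try:
        # timeliner writes the same epoch value into all four time slots; use mtime.
        mtime = int(fields[8])
    except ValueError:
        return None
    return {
        "tag": match.group("tag"),
        "desc": match.group("desc"),
        "when": datetime.fromtimestamp(mtime, tz=timezone.utc),
    }


def build_timeline(body_text, tags=FUK_TAGS):
    """Return entries whose tag starts with one of `tags`, oldest first."""
    entries = []
    for line in body_text.splitlines():
        entry = parse_body_line(line)
        if entry is None:
            continue  # skip lines that are not valid body records
        if any(entry["tag"].startswith(prefix) for prefix in tags):
            entries.append(entry)
    entries.sort(key=lambda e: e["when"])
    return entries


def format_entry(entry):
    """Render one entry as a single human-readable timeline row."""
    return f"{entry['when']:%Y-%m-%d %H:%M:%S} UTC  [{entry['tag']}]  {entry['desc']}"


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_BODY):
        print(format_entry(e))
```

Run it against a real export by replacing SAMPLE_BODY with the contents of the body file; the PROCESS line is dropped because it is not on the allow-list, the malformed line is skipped, and the remaining four rows come out oldest first.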