Volatility Plugins for File Use & Knowledge (FU&K) investigations.

This week I talk about my favorite Volatility plugins for File Use & Knowledge investigations to get at the volatile evidence most often targeted during a dead box exam.

Show Notes

Volatility Plugins for FU&K

mftparser

This plugin scans for potential Master File Table (MFT) entries in memory and prints out information for certain attributes. It is perfect for obtaining a list of all files, and their corresponding directories, on a system from memory, in order to search for prefetch files (.pf), files in certain directories, and files with certain naming formats.

Source: https://github.com/volatilityfoundation/volatility/wiki/Command%20Reference#mftparser

Shimcache

Shimcache data can be used to list out executables on a system. It is useful to show if certain programs exist on a system (even if deleted) and the file path they reside in.

Source: https://github.com/volatilityfoundation/volatility/wiki/Command%20Reference#shimcache

Shellbags

This plugin parses registry information for Shellbag data which can be used to help determine file system traversal activity.

Source: https://github.com/volatilityfoundation/volatility/wiki/Command%20Reference#shellbags

Userassist

UserAssist data displays programs executed on a Windows machine, complete with running count and last execution date and time.

Source: https://github.com/volatilityfoundation/volatility/wiki/Command%20Reference#userassist

https://blog.didierstevens.com/programs/userassist/
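To make the "running count and last execution date and time" concrete, here is an added example (not code from the original post or from the Volatility project) that decodes a UserAssist value the way the plugin presents it: the value name is ROT13-obfuscated, and the run count and last-execution FILETIME sit at fixed offsets in the 72-byte Windows 7+ binary value. The ROT13 name and the binary value are constructed for the example; the `build_sample_value` helper exists only to assemble that sample, and the `KNOWN_FOLDERS` table is deliberately limited to the System folder GUID.

```python
"""Decode a UserAssist registry value as the Volatility userassist plugin
presents it: ROT13 the value name to recover the program path, then read
the run count and last-execution time out of the binary value.

Layout used here is the Windows 7+ 72-byte value (the XP layout differs):
  offset  0  uint32  session ID
  offset  4  uint32  run count
  offset  8  uint32  focus count
  offset 12  uint32  focus time (ms)
  offset 16  10 x float32
  offset 60  uint64  last execution FILETIME (UTC)
  offset 68  uint32  unused
The sample name and value below are CONSTRUCTED for this example.
"""
import codecs
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# FILETIME counts 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Known-folder GUIDs prefix many UserAssist paths.  Only the System folder is
# included here; a full table would come from Microsoft's KNOWNFOLDERID list.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"%windir%\System32",
}


@dataclass
class UserAssistEntry:
    program: str
    run_count: int
    focus_count: int
    last_run: Optional[datetime]  # None when the FILETIME is zero


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer timedelta division keeps full precision; float division would not.
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_value_name(rot13_name: str) -> str:
    """UserAssist value names are ROT13-obfuscated program paths."""
    return codecs.decode(rot13_name, "rot_13")


def resolve_known_folder(path: str) -> str:
    """Replace a leading known-folder GUID with its usual location."""
    for guid, folder in KNOWN_FOLDERS.items():
        if path.upper().startswith(guid):
            return folder + path[len(guid):]
    return path


def parse_win7_value(name: str, raw: bytes) -> UserAssistEntry:
    """Parse one (value name, value data) pair from a UserAssist Count key."""
    if len(raw) < 68:
        raise ValueError(f"value too short for Win7 layout: {len(raw)} bytes")
    _session, run_count, focus_count, _focus_ms = struct.unpack_from("<4I", raw, 0)
    (last_ft,) = struct.unpack_from("<Q", raw, 60)
    return UserAssistEntry(
        program=resolve_known_folder(decode_value_name(name)),
        run_count=run_count,
        focus_count=focus_count,
        last_run=filetime_to_datetime(last_ft),
    )


def build_sample_value(run_count: int, focus_count: int, last_run: datetime) -> bytes:
    """Assemble a CONSTRUCTED 72-byte value so the parser can be exercised offline."""
    buf = bytearray(72)
    struct.pack_into("<4I", buf, 0, 0, run_count, focus_count, 0)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    return bytes(buf)


# Constructed sample: ROT13 of "{1AC14E77-...}\notepad.exe", run 7 times.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr"
SAMPLE_LAST_RUN = datetime(2016, 6, 9, 11, 40, 1, tzinfo=timezone.utc)
SAMPLE_VALUE = build_sample_value(7, 3, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    entry = parse_win7_value(SAMPLE_NAME, SAMPLE_VALUE)
    print(f"{entry.program}  runs={entry.run_count}  last={entry.last_run.isoformat()}")
```

The same decode applies to every value under the per-GUID `Count` subkeys of the UserAssist key in a user's NTUSER.DAT; values whose FILETIME is zero have a count but no recorded last run, which is why `last_run` is optional.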

Iehistory

This plugin recovers fragments of IE history index.dat cache files and includes Windows Explorer artifacts of files accessed by a user.

Source: https://github.com/volatilityfoundation/volatility/wiki/Command%20Reference#iehistory

USBStor – by James Hall and Kevin Breen

The USBStor plugin scans registry hives for values relating to USB devices plugged into the system under investigation. Instead of the analyst needing to manually analyze each relevant key (USBSTOR, USB, MountedDevices, etc.), the plugin returns all available information about previously connected USB devices in an easy-to-digest, collated format. This greatly decreases analysis time and helps ensure that no mistakes are made and no information is overlooked. The plugin’s output contains details such as USB serial number, vendor and product info, container ID, mounted volume name, drive letter, USB friendly name, the last connection timestamp, and more.

Source: https://github.com/kevthehermit/volatility_plugins/tree/master/usbstor

Volatility Command Reference: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference

Timeliner

This plugin creates a timeline from various artifacts in memory. Notable artifacts for FU&K include:

  • PE Timestamps (TimeDateStamp)
  • IE History (IEHistory)
  • Embedded registry (filters below)
    • Userassist
    • Shimcache
  • Symbolic links (Symlink)

Source: https://github.com/volatilityfoundation/volatility/wiki/Command%20Reference#timeliner
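Both mftparser and timeliner can write their results as mactime body-file lines (the `--output=body` option), which is the practical way to do the prefetch and directory searches described under mftparser and to merge them with timeliner's registry artifacts. The following is an added example, not code from the original post or from Volatility: it parses constructed body-file lines, pulls out Prefetch entries and files under a directory of interest, and sorts everything into one timeline. The field layout is the standard 11-field TSK body file; the `[SOURCE]` prefix and `(Offset: 0x...)` suffix in the name field follow what the plugins print, but the exact wording of the sample lines is an assumption of this example.

```python
"""Triage File Use & Knowledge artifacts from Volatility body-file output.

Body-file layout (11 pipe-separated fields):
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
Timestamps are Unix epoch seconds.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# CONSTRUCTED sample lines, not real plugin output.
SAMPLE_BODY = r"""
0|[MFT STD_INFO] Windows\Prefetch\CMD.EXE-4A81B364.pf (Offset: 0x4b0e400)|0|---------------|0|0|12048|1465472401|1465472401|1465472401|1465471000
0|[MFT FILE_NAME] Users\jdoe\Documents\budget_final.xlsx (Offset: 0x4b0f000)|0|---------------|0|0|34816|1465400000|1465400000|1465400000|1465300000
0|[MFT STD_INFO] Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf (Offset: 0x4b10800)|0|---------------|0|0|9932|1465472900|1465472900|1465472900|1465472900
0|[USER ASSIST] Registry: ntuser.dat Path: %windir%\system32\notepad.exe ID: 3 Count: 7|0|---------------|0|0|0|1465472950|1465472950|1465472950|1465472950
"""

# "[SOURCE] name (Offset: 0x...)" -> source + name; the offset suffix is optional
# because timeliner's registry entries do not carry one.
NAME_RE = re.compile(
    r"^\[(?P<source>[^\]]+)\]\s*(?P<name>.*?)(?:\s*\(Offset: 0x[0-9a-fA-F]+\))?$"
)
# Prefetch file names are EXECUTABLE-<8 hex digit hash>.pf
PREFETCH_RE = re.compile(r"(?P<exe>[^\\]+)-[0-9A-F]{8}\.pf$", re.IGNORECASE)


@dataclass
class BodyEntry:
    source: str    # artifact type, e.g. "MFT STD_INFO" or "USER ASSIST"
    name: str      # path or description with the offset suffix stripped
    size: int
    atime: int     # Unix epoch seconds exactly as written in the body file
    mtime: int
    ctime: int
    crtime: int
    raw_name: str  # untouched name field, kept for reporting


def parse_body_line(line: str) -> BodyEntry:
    fields = line.split("|")
    if len(fields) != 11:
        raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
    _md5, raw_name, _inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
    m = NAME_RE.match(raw_name)
    if m:
        source, name = m.group("source"), m.group("name")
    else:
        source, name = "UNKNOWN", raw_name  # tool that adds no [SOURCE] prefix
    return BodyEntry(source, name, int(size), int(atime), int(mtime),
                     int(ctime), int(crtime), raw_name)


def parse_body(text: str) -> List[BodyEntry]:
    return [parse_body_line(l) for l in text.splitlines() if l.strip()]


def prefetch_entries(entries: List[BodyEntry]) -> List[BodyEntry]:
    """A .pf file under \\Prefetch\\ is evidence that the named program ran."""
    return [e for e in entries
            if PREFETCH_RE.search(e.name) and "\\prefetch\\" in e.name.lower()]


def executable_from_prefetch(name: str) -> Optional[str]:
    m = PREFETCH_RE.search(name)
    return m.group("exe").upper() if m else None


def entries_under(entries: List[BodyEntry], directory: str) -> List[BodyEntry]:
    """Files whose path starts with the given directory (case-insensitive)."""
    prefix = directory.rstrip("\\").lower() + "\\"
    return [e for e in entries if e.name.lower().startswith(prefix)]


def timeline(entries: List[BodyEntry], key: str = "mtime") -> List[BodyEntry]:
    """Order mixed MFT and registry artifacts by one timestamp field."""
    return sorted(entries, key=lambda e: getattr(e, key))


def to_utc(epoch: int) -> datetime:
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


if __name__ == "__main__":
    entries = parse_body(SAMPLE_BODY)
    print("Programs with Prefetch evidence (mtime approximates last run):")
    for e in prefetch_entries(entries):
        print(f"  {executable_from_prefetch(e.name):<14} {to_utc(e.mtime).isoformat()}")
    print("\nCombined timeline (mtime):")
    for e in timeline(entries):
        print(f"  {to_utc(e.mtime).isoformat()}  [{e.source}] {e.name}")
```

Feeding the real `mftparser --output=body` and `timeliner --output=body` files through `parse_body` gives one list that `prefetch_entries`, `entries_under` and `timeline` can work on together, so a program's Prefetch file, its UserAssist entry and the documents it touched line up in a single view.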

SDF Training Class of the Week


Resolving Attached USBs

Learn how to piece together Windows artifacts to reveal USB devices attached to a system