Some Memory Forensics with Forensic Suite (Volatility plugins)

Published: 2014-12-16
Last Updated: 2014-12-16 18:17:15 UTC
by Basil Alawi S.Taher (Version: 1)

In previous diaries we have talked about memory forensics and how important it is.

In this diary I will talk about a new set of Volatility plugins called Forensic Suite, written by Dave Lasalle.

The suite has 14 plugins covering different areas of memory forensics.

The Forensic Suite can be obtained from: .

In this diary I will talk about some of the plugins.

Firefox history:

To test this plugin, I first browsed the internet using Firefox and then closed it, to see how much data the firefoxhistory plugin could obtain from a memory image acquired after Firefox was closed.

The firefoxhistory plugin parses places.sqlite records out of memory and prints them to the screen, or writes them to a CSV file when you use the --output=csv option. With --output=csv you can work with the data in spreadsheet software such as MS Excel; with vol.py (Volatility's command-line entry point) the invocation is:

    vol.py --plugin=plugins/ --profile=Win7SP1x86 --output=csv -f sampleimage.raw firefoxhistory > firefoxhistory.csv


Another Firefox forensics plugin is firefoxcookies, which parses cookies.sqlite out of memory and writes its output to the screen or to a CSV file:

    vol.py --plugin=plugins/ --profile=Win7SP1x86 --output=csv -f sampleimage.raw firefoxcookies > firefoxcookies.csv

The Forensic Suite supports Chrome forensics as well; with the same syntax you can parse Chrome history, cookies and downloads out of memory.

JAVA IDX Parser:

Many malicious JAR files can be traced through IDX files (the Java cache index files that record downloaded JARs). The Forensic Suite has a plugin that scans memory for IDX files and parses them:

    vol.py --plugin=plugins/ --profile=Win7SP1x86 -f sampleimage.raw idxparser

And here is the output:

    Volatility Foundation Volatility Framework 2.4
    Scanning for IDX files, this can take a while.............

    [*] Section 1 (Metadata) found:
    Content length: 1624
    Last modified date: Tue, 01 Feb 2005 18:28:24 GMT (epoch: 1107282504)
    Section 2 length: 270

    [*] Section 2 (Download History) found:
    : HTTP/1.1 200 OK
    content-length: 1624
    last-modified: Tue, 01 Feb 2005 18:28:24 GMT
    content-type: application/java-vm
    date: Mon, 13 Feb 2012 04:21:28 GMT
    server: Sun-Java-System-Web-Server/7.0
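As an added example (not part of the diary and not the Forensic Suite's own code), here is a small Python parser for the Section 1 metadata and Section 2 download history that idxparser reports, run against a constructed cache-version-605 IDX blob carrying the same content length, last-modified time and headers as the output above. The URL, the "<null>" placeholder key for the status line and the build_idx helper are assumptions made for the test data; older cache versions (602 to 604) lay out Section 1 differently and are rejected.

```python
import struct
from datetime import datetime, timezone

def _utf(s):
    """Encode like Java DataOutputStream.writeUTF: 2-byte big-endian length, then bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def build_idx(content_length, last_modified_epoch, url, headers):
    """Build a constructed version-605 IDX blob for testing (not a real cache file)."""
    sec2 = _utf("1.0") + _utf(url) + _utf("") + struct.pack(">i", len(headers))
    for key, value in headers:
        sec2 += _utf(key) + _utf(value)
    sec1 = bytearray(128)                                  # Section 1 is a fixed 128-byte header
    struct.pack_into(">i", sec1, 2, 605)                   # cache format version
    struct.pack_into(">i", sec1, 7, content_length)        # size of the cached JAR/class
    struct.pack_into(">q", sec1, 11, last_modified_epoch * 1000)  # Java stores milliseconds
    struct.pack_into(">i", sec1, 36, len(sec2))            # Section 2 length
    return bytes(sec1) + sec2

def parse_idx(data):
    """Recover Section 1 metadata and Section 2 download history from a v605 IDX."""
    version = struct.unpack_from(">i", data, 2)[0]
    if version != 605:
        raise ValueError("only cache version 605 is handled here, got %d" % version)
    content_length = struct.unpack_from(">i", data, 7)[0]
    last_modified = struct.unpack_from(">q", data, 11)[0] // 1000
    sec2_len = struct.unpack_from(">i", data, 36)[0]
    pos = [128]                                            # Section 2 starts right after Section 1
    def read_utf():
        n = struct.unpack_from(">H", data, pos[0])[0]
        s = data[pos[0] + 2:pos[0] + 2 + n].decode("utf-8", "replace")
        pos[0] += 2 + n
        return s
    java_version, url, namespace = read_utf(), read_utf(), read_utf()
    count = struct.unpack_from(">i", data, pos[0])[0]
    pos[0] += 4
    headers = [(read_utf(), read_utf()) for _ in range(count)]
    when = datetime.fromtimestamp(last_modified, timezone.utc)
    return {"content_length": content_length, "last_modified_epoch": last_modified,
            "last_modified": when.strftime("%a, %d %b %Y %H:%M:%S GMT"),
            "section2_length": sec2_len, "url": url, "headers": dict(headers),
            # False when Section 2 is truncated or its length field disagrees with the data
            "section2_consistent": pos[0] <= len(data) and pos[0] - 128 == sec2_len}

# Constructed sample mirroring the values in the diary's idxparser output above
SAMPLE = build_idx(1624, 1107282504, "http://example.invalid/applet.jar", [
    ("<null>", "HTTP/1.1 200 OK"),       # status line under a placeholder key (assumed)
    ("content-length", "1624"),
    ("content-type", "application/java-vm"),
])
```

The section2_consistent flag is the check worth keeping when carving IDX files out of memory, since a page boundary or an overwritten region can cut Section 2 short while Section 1 still looks intact.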



