Some Memory Forensic with Forensic Suite (Volatility plugins)

In previous diaries we have talked about memory forensics and how important it is.

In this diary I will talk about a new set of Volatility plugins called Forensic Suite, written by Dave Lasalle.

The suite has 14 plugins, and they cover different areas of memory forensics.

The Forensic Suite can be obtained from: .

In this diary I will talk about some of the plugins.

Firefox history:

To test this plugin I first browsed the internet using Firefox and then closed it, to see how much data the firefoxhistory plugin could obtain from a memory image acquired after Firefox was closed.

The firefoxhistory plugin parses places.sqlite out of memory and shows the output either on the screen or, with the --output=csv option, written to a CSV file. With --output=csv you can then work with the data in spreadsheet software such as MS Excel:

vol.py --plugin=plugins/ --profile=Win7SP1x86 --output=csv -f sampleimage.raw firefoxhistory > firefoxhistory.csv

Another Firefox forensics plugin is firefoxcookies. It parses cookies.sqlite from memory and shows the output on the screen or writes it to a CSV file:

vol.py --plugin=plugins/ --profile=Win7SP1x86 --output=csv -f sampleimage.raw firefoxcookies > firefoxcookies.csv

The Forensic Suite supports Chrome forensics as well; with the same syntax you can parse Chrome history, cookies and downloads from memory.

JAVA IDX Parser:

Evidence of many malicious JAR files comes from Java cache IDX files. The Forensic Suite has a plugin that scans memory for IDX files and parses them:

vol.py --plugin=plugins/ --profile=Win7SP1x86 -f sampleimage.raw idxparser


And here is the output:

Volatility Foundation Volatility Framework 2.4
Scanning for IDX files, this can take a while.............

[*] Section 1 (Metadata) found:
Content length: 1624
Last modified date: Tue, 01 Feb 2005 18:28:24 GMT (epoch: 1107282504)
Section 2 length: 270

[*] Section 2 (Download History) found:
: HTTP/1.1 200 OK
content-length: 1624
last-modified: Tue, 01 Feb 2005 18:28:24 GMT
content-type: application/java-vm
date: Mon, 13 Feb 2012 04:21:28 GMT
server: Sun-Java-System-Web-Server/7.0
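The fields in that output map directly onto the .idx layout: a fixed 128-byte metadata header (section 1: content length, last-modified time in milliseconds since the epoch, section lengths) followed by section 2, which holds length-prefixed strings and the HTTP response headers recorded at download time (the entry with an empty name is the status line, hence ": HTTP/1.1 200 OK"). The Python below is an added example written for this diary, not code from the Forensic Suite; it assumes the Java 6u3+ cache layout (cache versions 603-605), and the URL, namespace and blob it builds are constructed sample data that reproduce the header values shown above.

```python
import struct
from email.utils import formatdate

IDX_HEADER_LEN = 128  # section 1 (metadata) is a fixed 128-byte header in the 6u3+ layout

def utf(s):
    return struct.pack(">H", len(s)) + s  # Java-style string: 2-byte big-endian length, then bytes

def build_idx(content_len, last_modified_epoch, headers, cache_ver=605,
              url=b"http://example.invalid/applet.jar"):
    """Build a constructed .idx blob (cache versions 603-605) for offline testing."""
    sec2 = utf(b"1.0") + utf(url) + utf(b"dummy")  # version, URL, namespace (constructed values)
    sec2 += struct.pack(">i", len(headers)) + b"".join(utf(n) + utf(v) for n, v in headers)
    # busy, incomplete, cache version, shortcut-image, content length, last-modified /
    # expiration / validation (ms since epoch), known-signed, section 2..5 lengths, rest zeroed
    hdr = struct.pack(">BBiBiqqqBiiiiqqBiiBBii", 0, 0, cache_ver, 0, content_len,
                      last_modified_epoch * 1000, 0, 0, 0, len(sec2), 0, 0, 0,
                      0, 0, 0, 0, 0, 0, 0, 0, 0)
    return hdr.ljust(IDX_HEADER_LEN, b"\x00") + sec2

def parse_idx(blob):
    """Return the section 1 fields and section 2 download headers the plugin output lists."""
    (_busy, _incomplete, cache_ver, _shortcut, content_len, last_mod_ms,
     _expires, _validated, _signed, sec2_len) = struct.unpack_from(">BBiBiqqqBi", blob, 0)
    if cache_ver not in (603, 604, 605):
        raise ValueError("unsupported IDX cache version %d" % cache_ver)
    off = IDX_HEADER_LEN
    def read_utf():
        nonlocal off
        (n,) = struct.unpack_from(">H", blob, off)
        s = blob[off + 2:off + 2 + n].decode("latin-1")
        off += 2 + n
        return s
    version, url, namespace = read_utf(), read_utf(), read_utf()
    (count,) = struct.unpack_from(">i", blob, off)
    off += 4
    headers = [(read_utf(), read_utf()) for _ in range(count)]  # name then value, in order
    epoch = last_mod_ms // 1000  # stored in milliseconds; the plugin reports seconds
    return {"content_length": content_len, "last_modified_epoch": epoch,
            "last_modified": formatdate(epoch, usegmt=True), "section2_length": sec2_len,
            "url": url, "headers": headers}

# Constructed sample reproducing the header values shown in the diary output above
SAMPLE_HEADERS = [(b"", b"HTTP/1.1 200 OK"), (b"content-length", b"1624"),
                  (b"last-modified", b"Tue, 01 Feb 2005 18:28:24 GMT"),
                  (b"content-type", b"application/java-vm"), (b"date", b"Mon, 13 Feb 2012 04:21:28 GMT"),
                  (b"server", b"Sun-Java-System-Web-Server/7.0")]
SAMPLE_IDX = build_idx(1624, 1107282504, SAMPLE_HEADERS)
```

Running parse_idx(SAMPLE_IDX) yields the same content length, last-modified date and header lines as the plugin output; the section 2 length differs because the sample URL and namespace are shorter than those in the real file.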

ISC Handler
Dec 16th 2014
