最强大的windows取证工具_取证大师资源-CSDN文库

共375个文件

py：359个

txt：6个

makefile：3个

python

windows取证

3星 · 超过75%的资源需积分: 48 26 浏览量 2015-01-09 11:16:43 上传评论 6 收藏 2.53MB ZIP 举报

资源推荐

资源详情

资源评论

收起资源包目录

最强大的windows取证工具（375个子文件）

module.c 15KB

pmem.c 7KB

volatility.ico 51KB

MANIFEST.in 348B

Makefile 384B

Makefile 231B

Makefile 178B

PKG-INFO 264B

win8_sp1_x64_vtypes.py 614KB

win8_sp1_x86_vtypes.py 580KB

win8_sp0_x64_vtypes.py 568KB

win8_sp0_x86_vtypes.py 535KB

win7_sp1_x64_vtypes.py 492KB

win7_sp0_x64_vtypes.py 491KB

win7_sp1_x86_vtypes.py 461KB

win7_sp0_x86_vtypes.py 461KB

vista_sp2_x64_vtypes.py 450KB

vista_sp1_x64_vtypes.py 449KB

vista_sp1_x86_vtypes.py 410KB

vista_sp2_x86_vtypes.py 409KB

vista_sp0_x64_vtypes.py 407KB

vista_sp0_x86_vtypes.py 369KB

win2003_sp2_x64_vtypes.py 330KB

win2003_sp1_x64_vtypes.py 319KB

win2003_sp2_x86_vtypes.py 298KB

win2003_sp1_x86_vtypes.py 289KB

xp_sp3_x86_vtypes.py 285KB

win2003_sp0_x86_vtypes.py 282KB

xp_sp2_x86_vtypes.py 277KB

win7_sp0_x64_vtypes_gui.py 134KB

win7_sp1_x64_vtypes_gui.py 134KB

win7_sp1_x86_vtypes_gui.py 119KB

win7_sp0_x86_vtypes_gui.py 119KB

linux.py 60KB

dumpfiles.py 52KB

win8_sp1_x64_syscalls.py 51KB

win8_sp1_x86_syscalls.py 51KB

win8_sp0_x64_syscalls.py 48KB

win8_sp0_x86_syscalls.py 48KB

windows.py 47KB

obj.py 46KB

win7_sp01_x86_syscalls.py 45KB

mac.py 45KB

apihooks.py 44KB

vista_sp0_x86_syscalls.py 42KB

win7_sp01_x64_syscalls.py 41KB

shellbags.py 41KB

getservicesids.py 40KB

vista_sp0_x64_syscalls.py 39KB

vista_sp12_x64_syscalls.py 39KB

vista_sp12_x86_syscalls.py 39KB

pe_vtypes.py 37KB

timeliner.py 36KB

mftparser.py 35KB

xp_sp2_x86_syscalls.py 34KB

win32k_core.py 33KB

process_stack.py 33KB

cmdhistory.py 33KB

win2003_sp12_x64_syscalls.py 31KB

win2003_sp12_x86_syscalls.py 31KB

win2003_sp0_x86_syscalls.py 31KB

tcaudit.py 30KB

auditpol.py 30KB

crashdump.py 27KB

process_info.py 26KB

elf.py 25KB

apihooks_kernel.py 25KB

lsmod.py 25KB

cache.py 24KB

zeusscan.py 24KB

callbacks.py 23KB

macho.py 23KB

convert.py 21KB

volshell.py 21KB

threads.py 21KB

poisonivy.py 20KB

svcscan.py 20KB

malfind.py 18KB

tcpip_vtypes.py 17KB

mbrparser.py 16KB

xp.py 16KB

userassist.py 16KB

vadinfo.py 16KB

addrspace.py 15KB

conf.py 15KB

impscan.py 15KB

poolscan.py 15KB

psxview.py 14KB

kdbg_vtypes.py 14KB

win8.py 14KB

vad_vtypes.py 14KB

dwarf.py 14KB

registryapi.py 12KB

check_inline_kernel.py 12KB

filescan.py 12KB

evtlogs.py 12KB

hibernate.py 12KB

idt.py 11KB

taskmods.py 11KB

messagehooks.py 11KB

共 375 条

============================================================================ Volatility Framework - Volatile memory extraction utility framework ============================================================================ The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research. The Volatility distribution is available from: http://www.volatilityfoundation.org/#!releases/component_71401 Volatility should run on any platform that supports Python (http://www.python.org) Volatility supports investigations of the following memory images: Windows: * 32-bit Windows XP Service Pack 2 and 3 * 32-bit Windows 2003 Server Service Pack 0, 1, 2 * 32-bit Windows Vista Service Pack 0, 1, 2 * 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0) * 32-bit Windows 7 Service Pack 0, 1 * 32-bit Windows 8 and 8.1 * 64-bit Windows XP Service Pack 1 and 2 (there is no SP0) * 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0) * 64-bit Windows Vista Service Pack 0, 1, 2 * 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0) * 64-bit Windows 2008 R2 Server Service Pack 0 and 1 * 64-bit Windows 7 Service Pack 0 and 1 * 64-bit Windows 8 and 8.1 * 64-bit Windows Server 2012 and 2012 R2 Linux: * 32-bit Linux kernels 2.6.11 to 3.5 * 64-bit Linux kernels 2.6.11 to 3.5 * OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc Mac OSX: * 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported) * 32-bit 10.6.x Snow Leopard * 64-bit 10.6.x Snow Leopard * 32-bit 10.7.x Lion * 64-bit 10.7.x Lion * 64-bit 10.8.x Mountain Lion (there is no 32-bit version) * 64-bit 10.9.x Mavericks (there is no 32-bit version) Volatility does not provide memory sample acquisition capabilities. For acquisition, there are both free and commercial solutions available. If you would like suggestions about suitable acquisition solutions, please contact us at: volatility (at) volatilityfoundation (dot) org Volatility supports a variety of sample file formats and the ability to convert between these formats: - Raw linear sample (dd) - Hibernation file - Crash dump file - VirtualBox ELF64 core dump - VMware saved state and snapshot files - EWF format (E01) - LiME (Linux Memory Extractor) format - Mach-o file format - QEMU virtual machine dumps - Firewire - HPAK (FDPro) For a more detailed list of capabilities, see the following: https://github.com/volatilityfoundation/volatility/wiki Example Data ============ If you want to give Volatility a try, you can download exemplar memory images from the following url: https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples Mailing Lists ============= Mailing lists to support the users and developers of Volatility can be found at the following address: http://lists.volatilesystems.com/mailman/listinfo Contact ======= For information or requests, contact: Volatility Foundation Web: http://www.volatilityfoundation.org http://volatility-labs.blogspot.com http://volatility.tumblr.com Email: volatility (at) volatilityfoundation (dot) org IRC: #volatility on freenode Twitter: @volatility Requirements ============ - Python 2.6 or later, but not 3.0. http://www.python.org Some plugins may have other requirements which can be found at: https://github.com/volatilityfoundation/volatility/wiki/Installation Quick Start =========== 1. Unpack the latest version of Volatility from volatilityfoundation.org 2. To see available options, run "python vol.py -h" or "python vol.py --info" Example: $ python vol.py --info Volatility Foundation Volatility Framework 2.4 Usage: Volatility - A memory forensics analysis platform. Profiles -------- VistaSP0x64 - A Profile for Windows Vista SP0 x64 VistaSP0x86 - A Profile for Windows Vista SP0 x86 VistaSP1x64 - A Profile for Windows Vista SP1 x64 VistaSP1x86 - A Profile for Windows Vista SP1 x86 VistaSP2x64 - A Profile for Windows Vista SP2 x64 VistaSP2x86 - A Profile for Windows Vista SP2 x86 Win2003SP0x86 - A Profile for Windows 2003 SP0 x86 Win2003SP1x64 - A Profile for Windows 2003 SP1 x64 Win2003SP1x86 - A Profile for Windows 2003 SP1 x86 Win2003SP2x64 - A Profile for Windows 2003 SP2 x64 Win2003SP2x86 - A Profile for Windows 2003 SP2 x86 Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64 Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64 Win2008SP1x64 - A Profile for Windows 2008 SP1 x64 Win2008SP1x86 - A Profile for Windows 2008 SP1 x86 Win2008SP2x64 - A Profile for Windows 2008 SP2 x64 Win2008SP2x86 - A Profile for Windows 2008 SP2 x86 Win2012R2x64 - A Profile for Windows Server 2012 R2 x64 Win2012x64 - A Profile for Windows Server 2012 x64 Win7SP0x64 - A Profile for Windows 7 SP0 x64 Win7SP0x86 - A Profile for Windows 7 SP0 x86 Win7SP1x64 - A Profile for Windows 7 SP1 x64 Win7SP1x86 - A Profile for Windows 7 SP1 x86 Win8SP0x64 - A Profile for Windows 8 SP0 x64 Win8SP0x86 - A Profile for Windows 8 SP0 x86 Win8SP1x64 - A Profile for Windows 8.1 x64 Win8SP1x86 - A Profile for Windows 8 SP1 x86 WinXPSP1x64 - A Profile for Windows XP SP1 x64 WinXPSP2x64 - A Profile for Windows XP SP2 x64 WinXPSP2x86 - A Profile for Windows XP SP2 x86 WinXPSP3x86 - A Profile for Windows XP SP3 x86 Address Spaces -------------- AMD64PagedMemory - Standard AMD 64-bit address space. ArmAddressSpace - No docs FileAddressSpace - This is a direct file AS. HPAKAddressSpace - This AS supports the HPAK format IA32PagedMemory - Standard IA-32 paging address space. IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible LimeAddressSpace - Address space for Lime MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader OSXPmemELF - This AS supports VirtualBox ELF64 coredump format QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files. Plugins ------- apihooks - Detect API hooks in process and kernel memory atoms - Print session and window station atom tables atomscan - Pool scanner for atom tables auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv bigpools - Dump the big page pools using BigPagePoolScanner b

评论收藏

内容反馈