diff --git a/Core/build.xml b/Core/build.xml index e75c217d15..1d6a180be9 100644 --- a/Core/build.xml +++ b/Core/build.xml @@ -30,7 +30,12 @@ - + + + + + + diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/AddImageWizardSelectDspVisual.java b/Core/src/org/sleuthkit/autopsy/casemodule/AddImageWizardSelectDspVisual.java index 9c66184b47..cdb5ab3f75 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/AddImageWizardSelectDspVisual.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/AddImageWizardSelectDspVisual.java @@ -41,6 +41,7 @@ import org.openide.util.NbBundle; import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessor; import org.sleuthkit.autopsy.datasourceprocessors.RawDSProcessor; import org.sleuthkit.autopsy.coreutils.Logger; +import org.sleuthkit.autopsy.datasourceprocessors.MemoryDSProcessor; /** * Panel which displays the available DataSourceProcessors and allows selection @@ -190,6 +191,7 @@ final class AddImageWizardSelectDspVisual extends JPanel { dspList.add(LocalDiskDSProcessor.getType()); dspList.add(LocalFilesDSProcessor.getType()); dspList.add(RawDSProcessor.getType()); + dspList.add(MemoryDSProcessor.getType()); // now add any addtional DSPs that haven't already been added for (String dspType : datasourceProcessorsMap.keySet()) { if (!dspList.contains(dspType)) { diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/AddMemoryImageTask.java b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/AddMemoryImageTask.java new file mode 100644 index 0000000000..4f4b4a0964 --- /dev/null +++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/AddMemoryImageTask.java 
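Review bot: The added `import org.sleuthkit.autopsy.datasourceprocessors.MemoryDSProcessor;` in the @@ -41 hunk of AddImageWizardSelectDspVisual.java is placed after `coreutils.Logger` rather than beside the sibling `datasourceprocessors.RawDSProcessor` import, so the import block is no longer grouped by package. Moving it up one line next to `RawDSProcessor` keeps the grouping the file already uses. The `dspList.add(MemoryDSProcessor.getType());` line in the @@ -190 hunk matches the existing pattern; the enclosing method continues outside the hunk.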
@@ -0,0 +1,168 @@ +package org.sleuthkit.autopsy.datasourceprocessors; + +/* + * Autopsy Forensic Browser + * + * Copyright 2011-2016 Basis Technology Corp. + * Contact: carrier sleuthkit org + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +import java.io.File; +import java.nio.file.Paths; +import java.util.ArrayList; +import java.util.List; +import org.sleuthkit.autopsy.casemodule.Case; +import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorCallback; +import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorProgressMonitor; +import org.sleuthkit.autopsy.casemodule.LocalFilesDSProcessor; +import org.sleuthkit.autopsy.coreutils.Logger; +import org.sleuthkit.datamodel.Content; +import org.sleuthkit.datamodel.Image; +import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.TskCoreException; +import org.openide.util.NbBundle.Messages; +import org.sleuthkit.autopsy.datasourceprocessors.VolatilityProcessor; + +/* + * A runnable that adds a raw data source to a case database. 
+ */ +final class AddMemoryImageTask implements Runnable { + + private static final Logger logger = Logger.getLogger(AddMemoryImageTask.class.getName()); + private final String deviceId; + private final String imageFilePath; + private final String timeZone; + private final List PluginsToRun; + private final long chunkSize; + private final DataSourceProcessorProgressMonitor progressMonitor; + private final DataSourceProcessorCallback callback; + private boolean criticalErrorOccurred; + private static final long TWO_GB = 2000000000L; + + /** + * Constructs a runnable that adds a raw data source to a case database. + * + * @param deviceId An ASCII-printable identifier for the + * device associated with the data source + * that is intended to be unique across + * multiple cases (e.g., a UUID). + * @param imageFilePath Path to a Raw data source file. + * @param timeZone The time zone to use when processing dates + * and times for the image, obtained from + * java.util.TimeZone.getID. + * @param breakupChunks 2GB or not breakup. + * @param progressMonitor Progress monitor for reporting + * progressMonitor during processing. + * @param callback Callback to call when processing is done. + */ + AddMemoryImageTask(String deviceId, String imageFilePath, List PluginsToRun, String timeZone, long chunkSize, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) { + this.deviceId = deviceId; + this.imageFilePath = imageFilePath; + this.PluginsToRun = PluginsToRun; + this.timeZone = timeZone; + this.chunkSize = chunkSize; + this.callback = callback; + this.progressMonitor = progressMonitor; + } + + /** + * Adds a raw data source to a case database. + */ + @Override + public void run() { + /* + * Process the input image file. 
+ */ + progressMonitor.setIndeterminate(true); + progressMonitor.setProgress(0); + List newDataSources = new ArrayList<>(); + List errorMessages = new ArrayList<>(); + addImageToCase(newDataSources, errorMessages); + + progressMonitor.setProgress(100); + + /** + * Return the results via the callback passed to the constructor. + */ + DataSourceProcessorCallback.DataSourceProcessorResult result; + if (criticalErrorOccurred) { + result = DataSourceProcessorCallback.DataSourceProcessorResult.CRITICAL_ERRORS; + } else if (!errorMessages.isEmpty()) { + result = DataSourceProcessorCallback.DataSourceProcessorResult.NONCRITICAL_ERRORS; + } else { + result = DataSourceProcessorCallback.DataSourceProcessorResult.NO_ERRORS; + } + callback.done(result, errorMessages, newDataSources); + criticalErrorOccurred = false; + } + + /** + * Attempts to add the input image to the case. + * + * @param newDataSources If the image is added, a data source is added to + * this list for eventual return to the caller via the + * callback. + * @param errorMessages If there are any error messages, the error messages + * are added to this list for eventual return to the + * caller via the callback. 
+ */ + @Messages({"AddMemoryImageTask.progress.add.text=Adding memory image: ", + "AddMemoryImageTask.image.critical.error.adding=Critical error adding ", + "AddMemoryImageTask.for.device=for device ", + "AddMemoryImageTask.image.notExisting=is not existing.", + "AddMemoryImageTask.image.noncritical.error.adding=Non-critical error adding "}) + private void addImageToCase(List dataSources, List errorMessages) { + progressMonitor.setProgressText(Bundle.AddMemoryImageTask_progress_add_text() + imageFilePath); + List imageFilePaths = new ArrayList<>(); + SleuthkitCase caseDatabase = Case.getCurrentCase().getSleuthkitCase(); + caseDatabase.acquireExclusiveLock(); + + File imageFile = Paths.get(imageFilePath).toFile(); + if (!imageFile.exists()) { + errorMessages.add(Bundle.AddMemoryImageTask_image_critical_error_adding() + imageFilePath + Bundle.AddMemoryImageTask_for_device() + + deviceId + Bundle.AddMemoryImageTask_image_notExisting()); + criticalErrorOccurred = true; + return; + } + + imageFilePaths.add(imageFilePath); + + try { + /* + * Get Image that will be added to case + */ + Image dataSource = caseDatabase.addImageInfo(0, imageFilePaths, timeZone); //TODO: change hard coded deviceId. + dataSources.add(dataSource); + + } catch (TskCoreException ex) { + errorMessages.add(Bundle.AddMemoryImageTask_image_critical_error_adding() + imageFilePaths + Bundle.AddMemoryImageTask_for_device() + deviceId + ":" + ex.getLocalizedMessage()); + criticalErrorOccurred = true; + } finally { + caseDatabase.releaseExclusiveLock(); + } + + try { + /** call Volatility to process the image **/ + VolatilityProcessor vp = new VolatilityProcessor(imageFilePath, PluginsToRun, deviceId); + vp.run(); + //LocalFilesDSProcessor localFilesDSP = new LocalFilesDSProcessor(); + //localFilesDSP.run(deviceId, archiveFileName, pathsList, progressMonitor, internalArchiveDspCallBack); + } catch (Exception e) { + + } + + } +} 
diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/Bundle.properties b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/Bundle.properties index ad62c83c2f..1a02e13fa2 100644 --- a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/Bundle.properties +++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/Bundle.properties @@ -10,4 +10,11 @@ RawDSInputPanel.jBreakFileUpLabel.text=Break image up into: RawDSInputPanel.jNoBreakupRadioButton.text=Do not break up RawDSInputPanel.j2GBBreakupRadioButton.text=2GB chunks RawDSInputPanel.timeZoneLabel.text=Please select the input timezone: - +MemoryDSInputPanel.pathLabel.text=Browse for a memory image file: +MemoryDSInputPanel.pathLabel.AccessibleContext.accessibleName=Browse for a memory image file: +MemoryDSInputPanel.errorLabel.text=Error Label +MemoryDSInputPanel.browseButton.text=Browse +MemoryDSImputPanel.pathTextField.text= +MemoryDSInputPanel.timeZoneLabel.text=Please select the input timezone: +MemoryDSInputPanel.volExecutableLabel.text=Version of Volatility to Run: +MemoryDSInputPanel.PluginsToRunLabel.text=Available plugins to run: diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/MemoryDSInputPanel.form b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/MemoryDSInputPanel.form new file mode 100644 index 0000000000..43da3a1d98 --- /dev/null +++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/MemoryDSInputPanel.form @@ -0,0 +1,192 @@ + + +
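Review bot: The new key `MemoryDSImputPanel.pathTextField.text=` is misspelled (`Imput` for `Input`), so no lookup by the intended name can find it. The MemoryDSInputPanel.java added in this same commit still resolves pathLabel, pathTextField, browseButton, errorLabel and timeZoneLabel through the `RawDSInputPanel.*` keys, so most of the `MemoryDSInputPanel.*` entries added here appear to be unused; either the generated initComponents/.form should reference these keys or the unused entries should be dropped to keep the bundle honest.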
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/MemoryDSInputPanel.java b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/MemoryDSInputPanel.java new file mode 100644 index 0000000000..45a3fefc16 --- /dev/null +++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/MemoryDSInputPanel.java 
@@ -0,0 +1,459 @@ +/* + * Autopsy Forensic Browser + * + * Copyright 2011-2016 Basis Technology Corp. + * Contact: carrier sleuthkit org + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.sleuthkit.autopsy.datasourceprocessors; + +import java.io.File; +import java.util.ArrayList; +import java.util.Calendar; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.SimpleTimeZone; +import java.util.TimeZone; +import javax.swing.JFileChooser; +import javax.swing.JPanel; +import javax.swing.JTable; +import javax.swing.ListSelectionModel; +import javax.swing.event.DocumentEvent; +import javax.swing.event.DocumentListener; +import javax.swing.table.AbstractTableModel; +import javax.swing.table.TableColumn; +import org.openide.util.NbBundle.Messages; +import org.sleuthkit.autopsy.casemodule.Case; +import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessor; +import org.sleuthkit.autopsy.coreutils.ModuleSettings; +import org.sleuthkit.autopsy.coreutils.PathValidator; + +final class MemoryDSInputPanel extends JPanel implements DocumentListener { + private static final long serialVersionUID = 1L; //default + private final String PROP_LASTINPUT_PATH = "LBL_LastInputFile_PATH"; + private final JFileChooser fc = new JFileChooser(); + // Externally supplied name is used to store settings + private final String contextName; + private final String[] pluginList; + private final PluginListTableModel tableModel = 
new PluginListTableModel(); + private final List PluginListNames = new ArrayList<>(); + private final Map pluginListStates = new HashMap<>(); + private final Boolean isEnabled = true; + /** + * Creates new form RawDSInputPanel + */ + private MemoryDSInputPanel(String context) { + this.pluginList = new String[]{"amcache","cmdline","cmdscan","consoles","malfind","netscan","notepad","pslist","psxview","shellbags","shimcache","shutdown","userassist", "apihooks","connscan","devicetree","dlllist","envars","filescan","gahti","getservicesids","getsids","handles","hashdump","hivelist","hivescan","impscan","ldrmodules","lsadump","modules","mutantscan","privs","psscan","pstree","sockets","svcscan","shimcache","timeliner","unloadedmodules","userhandles","vadinfo","verinfo"}; + //this.tableModel = new AbstractTableModel(); + initComponents(); + + errorLabel.setVisible(false); + + fc.setDragEnabled(false); + fc.setFileSelectionMode(JFileChooser.FILES_ONLY); + fc.setMultiSelectionEnabled(false); + + this.contextName = context; + } + + /** + * Creates and returns an instance of a RawDSInputPanel. 
+ */ + static synchronized MemoryDSInputPanel createInstance(String context) { + MemoryDSInputPanel instance = new MemoryDSInputPanel(context); + + instance.postInit(); + instance.customizePluginListTable(); + instance.createTimeZoneList(); + instance.createVolatilityVersionList(); + instance.createPluginList(); + + return instance; + } + + //post-constructor initialization to properly initialize listener support + //without leaking references of uninitialized objects + private void postInit() { + pathTextField.getDocument().addDocumentListener(this); + } + + private void customizePluginListTable() { + PluginList.setModel(tableModel); + PluginList.setTableHeader(null); + PluginList.setSelectionMode(ListSelectionModel.SINGLE_SELECTION); + final int width = listsScrollPane.getPreferredSize().width; + PluginList.setAutoResizeMode(JTable.AUTO_RESIZE_NEXT_COLUMN); + TableColumn column; + for (int i = 0; i < PluginList.getColumnCount(); i++) { + column = PluginList.getColumnModel().getColumn(i); + if (i == 0) { + column.setPreferredWidth(((int) (width * 0.07))); + } else { + column.setPreferredWidth(((int) (width * 0.92))); + } + } + } + + /** + * Creates the drop down list for the time zones and then makes the local + * machine time zone to be selected. 
+ */ + private void createTimeZoneList() { + // load and add all timezone + String[] ids = SimpleTimeZone.getAvailableIDs(); + for (String id : ids) { + TimeZone zone = TimeZone.getTimeZone(id); + int offset = zone.getRawOffset() / 1000; + int hour = offset / 3600; + int minutes = (offset % 3600) / 60; + String item = String.format("(GMT%+d:%02d) %s", hour, minutes, id); + + timeZoneComboBox.addItem(item); + } + // get the current timezone + TimeZone thisTimeZone = Calendar.getInstance().getTimeZone(); + int thisOffset = thisTimeZone.getRawOffset() / 1000; + int thisHour = thisOffset / 3600; + int thisMinutes = (thisOffset % 3600) / 60; + String formatted = String.format("(GMT%+d:%02d) %s", thisHour, thisMinutes, thisTimeZone.getID()); + + // set the selected timezone + timeZoneComboBox.setSelectedItem(formatted); + } + + private void createVolatilityVersionList() { + + volExecutableComboBox.addItem("2.6"); + volExecutableComboBox.addItem("2.5"); + + } + + private void createPluginList() { + PluginListNames.clear(); + pluginListStates.clear(); + + String[] pluginList = { "amcache","cmdline","cmdscan","consoles","malfind","netscan","notepad","pslist","psxview","shellbags","shimcache","shutdown","userassist", "apihooks","connscan","devicetree","dlllist","envars","filescan","gahti","getservicesids","getsids","handles","hashdump","hivelist","hivescan","impscan","ldrmodules","lsadump","modules","mutantscan","privs","psscan","pstree","sockets","svcscan","shimcache","timeliner","unloadedmodules","userhandles","vadinfo","verinfo"}; + for (String plugin : pluginList) { + PluginListNames.add(plugin); + pluginListStates.put(plugin, isEnabled); + } + tableModel.fireTableDataChanged(); + //this.tableModel = pluginsToRun.getModel(); + } + + + /** + * This method is called from within the constructor to initialize the form. + * WARNING: Do NOT modify this code. The content of this method is always + * regenerated by the Form Editor. 
+ */ + @SuppressWarnings("unchecked") + // //GEN-BEGIN:initComponents + private void initComponents() { + + infileTypeButtonGroup = new javax.swing.ButtonGroup(); + pathLabel = new javax.swing.JLabel(); + pathTextField = new javax.swing.JTextField(); + browseButton = new javax.swing.JButton(); + errorLabel = new javax.swing.JLabel(); + timeZoneLabel = new javax.swing.JLabel(); + timeZoneComboBox = new javax.swing.JComboBox<>(); + volExecutableLabel = new javax.swing.JLabel(); + volExecutableComboBox = new javax.swing.JComboBox<>(); + PluginsToRunLabel = new javax.swing.JLabel(); + listsScrollPane = new javax.swing.JScrollPane(); + PluginList = new javax.swing.JTable(); + + org.openide.awt.Mnemonics.setLocalizedText(pathLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.pathLabel.text")); // NOI18N + + pathTextField.setText(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.pathTextField.text")); // NOI18N + + org.openide.awt.Mnemonics.setLocalizedText(browseButton, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.browseButton.text")); // NOI18N + browseButton.addActionListener(new java.awt.event.ActionListener() { + public void actionPerformed(java.awt.event.ActionEvent evt) { + browseButtonActionPerformed(evt); + } + }); + + errorLabel.setForeground(new java.awt.Color(255, 0, 0)); + org.openide.awt.Mnemonics.setLocalizedText(errorLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.errorLabel.text")); // NOI18N + + org.openide.awt.Mnemonics.setLocalizedText(timeZoneLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.timeZoneLabel.text")); // NOI18N + + timeZoneComboBox.setMaximumRowCount(30); + + org.openide.awt.Mnemonics.setLocalizedText(volExecutableLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.volExecutableLabel.text")); // NOI18N + + 
volExecutableComboBox.addActionListener(new java.awt.event.ActionListener() { + public void actionPerformed(java.awt.event.ActionEvent evt) { + volExecutableComboBoxActionPerformed(evt); + } + }); + + org.openide.awt.Mnemonics.setLocalizedText(PluginsToRunLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.PluginsToRunLabel.text")); // NOI18N + + PluginList.setModel(new javax.swing.table.DefaultTableModel( + new Object [][] { + {}, + {}, + {}, + {} + }, + new String [] { + + } + )); + listsScrollPane.setViewportView(PluginList); + + javax.swing.GroupLayout layout = new javax.swing.GroupLayout(this); + this.setLayout(layout); + layout.setHorizontalGroup( + layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) + .addGroup(layout.createSequentialGroup() + .addComponent(pathTextField) + .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED) + .addComponent(browseButton, javax.swing.GroupLayout.PREFERRED_SIZE, 77, javax.swing.GroupLayout.PREFERRED_SIZE)) + .addGroup(layout.createSequentialGroup() + .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) + .addComponent(pathLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 218, javax.swing.GroupLayout.PREFERRED_SIZE) + .addGroup(layout.createSequentialGroup() + .addComponent(timeZoneLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 168, javax.swing.GroupLayout.PREFERRED_SIZE) + .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) + .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) + .addComponent(volExecutableComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE) + .addComponent(timeZoneComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, 199, javax.swing.GroupLayout.PREFERRED_SIZE) + .addComponent(listsScrollPane, javax.swing.GroupLayout.PREFERRED_SIZE, 248, javax.swing.GroupLayout.PREFERRED_SIZE)))) + .addGap(0, 163, 
Short.MAX_VALUE)) + .addGroup(layout.createSequentialGroup() + .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) + .addComponent(errorLabel) + .addComponent(volExecutableLabel) + .addComponent(PluginsToRunLabel)) + .addContainerGap(javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)) + ); + layout.setVerticalGroup( + layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) + .addGroup(layout.createSequentialGroup() + .addComponent(pathLabel) + .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) + .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE) + .addComponent(pathTextField, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE) + .addComponent(browseButton)) + .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) + .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE) + .addComponent(timeZoneLabel) + .addComponent(timeZoneComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)) + .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) + .addComponent(errorLabel) + .addGap(18, 18, 18) + .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE) + .addComponent(volExecutableLabel) + .addComponent(volExecutableComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)) + .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED) + .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) + .addComponent(PluginsToRunLabel) + .addComponent(listsScrollPane, javax.swing.GroupLayout.PREFERRED_SIZE, 132, javax.swing.GroupLayout.PREFERRED_SIZE)) + .addContainerGap(30, Short.MAX_VALUE)) + ); + + 
pathLabel.getAccessibleContext().setAccessibleName(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathLabel.AccessibleContext.accessibleName")); // NOI18N + }// //GEN-END:initComponents + @SuppressWarnings("deprecation") + private void browseButtonActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_browseButtonActionPerformed + String oldText = pathTextField.getText(); + // set the current directory of the FileChooser if the ImagePath Field is valid + File currentDir = new File(oldText); + if (currentDir.exists()) { + fc.setCurrentDirectory(currentDir); + } + + int retval = fc.showOpenDialog(this); + if (retval == JFileChooser.APPROVE_OPTION) { + String path = fc.getSelectedFile().getPath(); + pathTextField.setText(path); + } + }//GEN-LAST:event_browseButtonActionPerformed + + private void volExecutableComboBoxActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_volExecutableComboBoxActionPerformed + // TODO add your handling code here: + }//GEN-LAST:event_volExecutableComboBoxActionPerformed + + // Variables declaration - do not modify//GEN-BEGIN:variables + private javax.swing.JTable PluginList; + private javax.swing.JLabel PluginsToRunLabel; + private javax.swing.JButton browseButton; + private javax.swing.JLabel errorLabel; + private javax.swing.ButtonGroup infileTypeButtonGroup; + private javax.swing.JScrollPane listsScrollPane; + private javax.swing.JLabel pathLabel; + private javax.swing.JTextField pathTextField; + private javax.swing.JComboBox timeZoneComboBox; + private javax.swing.JLabel timeZoneLabel; + private javax.swing.JComboBox volExecutableComboBox; + private javax.swing.JLabel volExecutableLabel; + // End of variables declaration//GEN-END:variables + /** + * Get the path of the user selected image. 
+ * + * @return the image path + */ + String getImageFilePath() { + return pathTextField.getText(); + } + + List getPluginsToRun() { + List enabledPlugins = new ArrayList<>(); + for (String plugin : PluginListNames) { + if (pluginListStates.get(plugin)) { + enabledPlugins.add(plugin); + } + } + return enabledPlugins; + } + + void reset() { + //reset the UI elements to default + pathTextField.setText(null); + } + + String getTimeZone() { + String tz = timeZoneComboBox.getSelectedItem().toString(); + return tz.substring(tz.indexOf(")") + 2).trim(); + } + + /** + * Should we enable the next button of the wizard? + * + * @return true if a proper image has been selected, false otherwise + */ + boolean validatePanel() { + errorLabel.setVisible(false); + String path = getImageFilePath(); + if (path == null || path.isEmpty()) { + return false; + } + + // display warning if there is one (but don't disable "next" button) + warnIfPathIsInvalid(path); + + boolean isExist = new File(path).exists(); + + return (isExist); + } + + /** + * Validates path to selected data source and displays warning if it is + * invalid. 
+ * + * @param path Absolute path to the selected data source + */ + @Messages({"MemoryDSInputPanel.error.text=Path to multi-user data source is on \"C:\" drive"}) + private void warnIfPathIsInvalid(String path) { + if (!PathValidator.isValid(path, Case.getCurrentCase().getCaseType())) { + errorLabel.setVisible(true); + errorLabel.setText(Bundle.MemoryDSInputPanel_error_text()); + } + } + + void storeSettings() { + String inFilePath = getImageFilePath(); + //String inPlugins = + if (null != inFilePath) { + String imagePath = inFilePath.substring(0, inFilePath.lastIndexOf(File.separator) + 1); + ModuleSettings.setConfigSetting(contextName, PROP_LASTINPUT_PATH, imagePath); + } + } + + void readSettings() { + String inFilePath = ModuleSettings.getConfigSetting(contextName, PROP_LASTINPUT_PATH); + if (null != inFilePath) { + if (!inFilePath.isEmpty()) { + pathTextField.setText(inFilePath); + } + } + } + + /** + * Update functions are called by the pathTextField which has this set as + * it's DocumentEventListener. Each update function fires a property change + * to be caught by the parent panel. + * + * @param e the event, which is ignored + */ + @Override + public void insertUpdate(DocumentEvent e) { + firePropertyChange(DataSourceProcessor.DSP_PANEL_EVENT.UPDATE_UI.toString(), false, true); + } + + @Override + public void removeUpdate(DocumentEvent e) { + firePropertyChange(DataSourceProcessor.DSP_PANEL_EVENT.UPDATE_UI.toString(), false, true); + } + + @Override + public void changedUpdate(DocumentEvent e) { + firePropertyChange(DataSourceProcessor.DSP_PANEL_EVENT.UPDATE_UI.toString(), false, true); + } + + /** + * Set the focus to the pathTextField. 
+ */ + void select() { + pathTextField.requestFocusInWindow(); + } + + private class PluginListTableModel extends AbstractTableModel { + + @Override + public int getRowCount() { + return MemoryDSInputPanel.this.PluginListNames.size(); + } + + @Override + public int getColumnCount() { + return 2; + } + + @Override + public Object getValueAt(int rowIndex, int columnIndex) { + String listName = MemoryDSInputPanel.this.PluginListNames.get(rowIndex); + if (columnIndex == 0) { + return pluginListStates.get(listName); + } else { + return listName; + } + } + + @Override + public boolean isCellEditable(int rowIndex, int columnIndex) { + return columnIndex == 0; + } + + @Override + public void setValueAt(Object aValue, int rowIndex, int columnIndex) { + String listName = MemoryDSInputPanel.this.PluginListNames.get(rowIndex); + if (columnIndex == 0) { + pluginListStates.put(listName, (Boolean) aValue); + } + } + + @Override + public Class getColumnClass(int c) { + return getValueAt(0, c).getClass(); + } + } + + +} diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/MemoryDSProcessor.java b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/MemoryDSProcessor.java new file mode 100644 index 0000000000..ce0d2e1c34 --- /dev/null +++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/MemoryDSProcessor.java 
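Review bot: createPluginList declares a local `String[] pluginList` that shadows the `pluginList` field the constructor already fills with the same literal, and both copies list `"shimcache"` twice; since PluginListNames is a List while pluginListStates is a Map, the duplicate yields two table rows backed by one checkbox state and getPluginsToRun returns `shimcache` twice. Replace the local array with `for (String plugin : this.pluginList) {` and remove the duplicate entry from the field (or de-duplicate when building PluginListNames). Keeping the plugin names a fixed constant rather than user-typed text is the right design here, since they presumably end up as arguments to the Volatility invocation, so getPluginsToRun should continue to return only entries from that list. Two smaller points: the `volExecutableComboBox` selection is never read back (no getter, and `volExecutableComboBoxActionPerformed` is an empty TODO), so the chosen Volatility version appears to have no effect, which is worth confirming against MemoryDSProcessor; and `PluginListTableModel.getColumnClass` calls `getValueAt(0, c)`, which would throw if the plugin list is empty, so returning `Boolean.class` for column 0 and `String.class` otherwise would be safer. initComponents also resolves pathLabel, pathTextField, browseButton, errorLabel and timeZoneLabel through `RawDSInputPanel.*` bundle keys rather than the `MemoryDSInputPanel.*` keys this commit adds to Bundle.properties.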
@@ -0,0 +1,165 @@
+/*
+ * Autopsy Forensic Browser
+ *
+ * Copyright 2011-2016 Basis Technology Corp.
+ * Contact: carrier sleuthkit org
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.autopsy.datasourceprocessors;
+
+import java.util.UUID;
+import java.util.List;
+import javax.swing.JPanel;
+import org.openide.util.NbBundle.Messages;
+import org.openide.util.lookup.ServiceProvider;
+import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorProgressMonitor;
+import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorCallback;
+import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessor;
+
+/**
+ * A MEmory data source processor that implements the DataSourceProcessor service
+ * provider interface to allow integration with the add data source wizard. It
+ * also provides a run method overload to allow it to be used independently of
+ * the wizard.
+ */
+@ServiceProvider(service = DataSourceProcessor.class)
+public class MemoryDSProcessor implements DataSourceProcessor {
+
+ private final MemoryDSInputPanel configPanel;
+ private AddMemoryImageTask addImageTask;
+
+ /*
+ * Constructs a Memory data source processor that implements the
+ * DataSourceProcessor service provider interface to allow integration with
+ * the add data source wizard. It also provides a run method overload to
+ * allow it to be used independently of the wizard.
+ */
+ public MemoryDSProcessor() {
+ configPanel = MemoryDSInputPanel.createInstance(MemoryDSProcessor.class.getName());
+ }
+
+ /**
+ * Gets a string that describes the type of data sources this processor is
+ * able to add to the case database. The string is suitable for display in a
+ * type selection UI component (e.g., a combo box).
+ *
+ * @return A data source type display string for this data source processor.
+ */
+ @Messages({"MemoryDSProcessor.dataSourceType=Memory Image File"})
+ public static String getType() {
+ return Bundle.MemoryDSProcessor_dataSourceType();
+ }
+
+ /**
+ * Gets a string that describes the type of data sources this processor is
+ * able to add to the case database. The string is suitable for display in a
+ * type selection UI component (e.g., a combo box).
+ *
+ * @return A data source type display string for this data source processor.
+ */
+ @Override
+ public String getDataSourceType() {
+ return Bundle.MemoryDSProcessor_dataSourceType();
+ }
+
+ /**
+ * Gets the panel that allows a user to select a data source and do any
+ * configuration required by the data source. The panel is less than 544
+ * pixels wide and less than 173 pixels high.
+ *
+ * @return A selection and configuration panel for this data source
+ * processor.
+ */
+ @Override
+ public JPanel getPanel() {
+ configPanel.readSettings();
+ configPanel.select();
+ return configPanel;
+ }
+
+ /**
+ * Indicates whether the settings in the selection and configuration panel
+ * are valid and complete.
+ *
+ * @return True if the settings are valid and complete and the processor is
+ * ready to have its run method called, false otherwise.
+ */
+ @Override
+ public boolean isPanelValid() {
+ return configPanel.validatePanel();
+ }
+
+ /**
+ * Adds a data source to the case database using a background task in a
+ * separate thread and the settings provided by the selection and
+ * configuration panel. Returns as soon as the background task is started.
+ * The background task uses a callback object to signal task completion and
+ * return results.
+ *
+ * This method should not be called unless isPanelValid returns true.
+ *
+ * @param progressMonitor Progress monitor that will be used by the
+ * background task to report progress.
+ * @param callback Callback that will be used by the background task
+ * to return results.
+ */
+ @Override
+ public void run(DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) {
+ configPanel.storeSettings();
+ run(UUID.randomUUID().toString(), configPanel.getImageFilePath(), configPanel.getPluginsToRun(), configPanel.getTimeZone(), 0, progressMonitor, callback);
+ }
+
+ /**
+ * Adds a "memory" data source to the case database using a background task in
+ * a separate thread and the given settings instead of those provided by the
+ * selection and configuration panel. Returns as soon as the background task
+ * is started and uses the callback object to signal task completion and
+ * return results.
+ *
+ * @param deviceId An ASCII-printable identifier for the device
+ * associated with the data source that is
+ * intended to be unique across multiple cases
+ * (e.g., a UUID).
+ * @param imageFilePath Path to the image file.
+ * @param timeZone The time zone to use when processing dates
+ * and times for the image, obtained from
+ * java.util.TimeZone.getID.
+ * @param chunkSize The maximum size of each chunk of the raw
+ * data source as it is divided up into virtual
+ * unallocated space files.
+ * @param progressMonitor Progress monitor for reporting progress
+ * during processing.
+ * @param callback Callback to call when processing is done.
+ */
+ private void run(String deviceId, String imageFilePath, List pluginsToRun, String timeZone, long chunkSize, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) {
+ addImageTask = new AddMemoryImageTask(deviceId, imageFilePath, pluginsToRun, timeZone, 0, progressMonitor, callback);
+ new Thread(addImageTask).start();
+ //new Thread(new AddLocalFilesTask(deviceId, rootVirtualDirectoryName, localFilePaths, progressMonitor, callback)).start();
+ }
+
+ @Override
+ public void cancel() {
+ }
+
+ /**
+ * Resets the selection and configuration panel for this data source
+ * processor.
+ */
+ @Override
+ public void reset() {
+ configPanel.reset();
+ }
+
+}
+
diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/VolatilityProcessor.java b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/VolatilityProcessor.java
new file mode 100644
index 0000000000..7fbb4d6325
--- /dev/null
+++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/VolatilityProcessor.java
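Review bot: `cancel()` is a no-op while `run` starts the task with a bare `new Thread(addImageTask).start()`, so cancelling from the add-data-source wizard leaves the memory-image task, and whatever Volatility process it spawns, running to completion. Keep the thread in a field and interrupt it on cancel, e.g. `addImageThread = new Thread(addImageTask); addImageThread.start();` and in `cancel()` `if (addImageThread != null) { addImageThread.interrupt(); }` — whether `AddMemoryImageTask` observes interruption is outside this hunk and needs confirming, so a dedicated cancel flag on the task may be required instead. The private `run` overload also ignores its `chunkSize` parameter and passes the literal `0` to `AddMemoryImageTask`; either pass `chunkSize` through or drop the parameter together with its `@param` text. `pluginsToRun` is a raw `List` with no `@param` entry; assuming `getPluginsToRun` returns the plugin names the input panel's table model holds, `List<String> pluginsToRun` plus `@param pluginsToRun Names of the Volatility plugins to run against the image.` would bring it in line with the rest of the class.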
@@ -0,0 +1,283 @@ +/* + * To change this license header, choose License Headers in Project Properties. + * To change this template file, choose Tools | Templates + * and open the template in the editor. + */ +package org.sleuthkit.autopsy.datasourceprocessors; + +import java.io.BufferedReader; +import java.io.FileReader; +import java.io.File; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.util.ArrayList; +import java.util.List; +import java.util.logging.Level; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import org.openide.modules.InstalledFileLocator; +import org.openide.util.Exceptions; +import org.sleuthkit.autopsy.casemodule.Case; +import org.sleuthkit.autopsy.casemodule.services.Blackboard; +import org.sleuthkit.autopsy.casemodule.services.FileManager; +import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorProgressMonitor; +import org.sleuthkit.autopsy.coreutils.ExecUtil; +import org.sleuthkit.autopsy.coreutils.Logger; +import org.sleuthkit.autopsy.coreutils.PlatformUtil; +import org.sleuthkit.autopsy.ingest.IngestServices; +import org.sleuthkit.autopsy.ingest.ModuleDataEvent; +import org.sleuthkit.datamodel.AbstractFile; +import org.sleuthkit.datamodel.BlackboardArtifact; +import org.sleuthkit.datamodel.BlackboardAttribute; +import org.sleuthkit.datamodel.Content; +import org.sleuthkit.datamodel.DerivedFile; +import org.sleuthkit.datamodel.TskCoreException; +import org.sleuthkit.datamodel.TskData; + +//@NbBundle.Messages({ +// "VolatilityProcessor.PermissionsNotSufficient=Insufficient permissions accessing", +// "VolatilityProcessor.PermissionsNotSufficientSeeReference=See 'Shared Drive Authentication' in Autopsy help.", +// "# {0} - output directory name", "cannotCreateOutputDir.message=Unable to create output directory: {0}.", +// "unsupportedOS.message=PhotoRec module is supported on Windows platforms only.", +// 
"missingExecutable.message=Unable to locate PhotoRec executable.", +// "cannotRunExecutable.message=Unable to execute PhotoRec." +//}) + +/** + * + * @author mark + */ +public class VolatilityProcessor implements Runnable{ + private static final String VOLATILITY_DIRECTORY = "Volatility"; //NON-NLS + private static final String VOLATILITY_EXECUTABLE = "volatility_2.6_win64_standalone.exe"; //NON-NLS + private static final String TEMP_DIR_NAME = "temp"; // NON-NLS + private final String MemoryImage; + private final List PluginsToRun; + private final String deviceId; + // private final Content dataSource; + //private final DataSourceProcessorProgressMonitor progressMonitor; + private static final String SEP = System.getProperty("line.separator"); + private static final Logger logger = Logger.getLogger(VolatilityProcessor.class.getName()); + private static Object Bundle; + private String moduleOutputPath; + private File executableFile; + private final Boolean isFile = true; + private final IngestServices services = IngestServices.getInstance(); + + public VolatilityProcessor(String ImagePath, List PlugInToRuns, String deviceId) { +// public VolatilityProcessor(String ImagePath, List PlugInToRuns, String deviceId, DataSourceProcessorProgressMonitor progressMonitor) { +// public VolatilityProcessor(String ImagePath) { + this.MemoryImage = ImagePath; + this.PluginsToRun = PlugInToRuns; + this.deviceId = deviceId; +// this.dataSource = dataSource; + //this.progressMonitor = progressMonitor; + } + + @Override + public void run() { + + Path execName = Paths.get(VOLATILITY_DIRECTORY, VOLATILITY_EXECUTABLE); + executableFile = locateExecutable(execName.toString()); + final Case currentCase = Case.getCurrentCase(); + final FileManager fileManager = currentCase.getServices().getFileManager(); + + moduleOutputPath = currentCase.getModulesOutputDirAbsPath() + File.separator + "Volatility"; + + File directory = new File(String.valueOf(moduleOutputPath)); + if(!directory.exists()){ 
+ directory.mkdir(); + executeVolatility(executableFile, MemoryImage, "", "imageinfo", "", fileManager); + } + + PluginsToRun.forEach((pluginToRun) -> { + executeVolatility(executableFile, MemoryImage, "", pluginToRun, "", fileManager); + }); + } + + private void executeVolatility(File VolatilityPath, String MemoryImage, String OutputPath, String PluginToRun, String MemoryProfile, FileManager fileManager) { + try { + + List commandLine = new ArrayList<>(); + commandLine.add("\"" + VolatilityPath + "\""); + File memoryImage = new File(MemoryImage); + commandLine.add("--filename=" + memoryImage.getName()); //NON-NLS + File memoryProfile = new File(moduleOutputPath + "\\imageinfo.txt"); + if (memoryProfile.exists()) { + MemoryProfile = parseProfile(memoryProfile); + commandLine.add("--profile=" + MemoryProfile); + } + commandLine.add(PluginToRun); //NON-NLS + + ProcessBuilder processBuilder = new ProcessBuilder(commandLine); + // Add environment variable to force Volatility to run with the same permissions Autopsy uses + processBuilder.environment().put("__COMPAT_LAYER", "RunAsInvoker"); //NON-NLS + processBuilder.redirectOutput(new File(moduleOutputPath + "\\" + PluginToRun + ".txt")); + processBuilder.redirectError(new File(moduleOutputPath + "\\Volatility_Run.err")); + processBuilder.directory(new File(memoryImage.getParent())); + + int exitVal = ExecUtil.execute(processBuilder); +// int exitVal = 0; + if (exitVal == 0) { + ScanOutputFile(fileManager, PluginToRun, new File(moduleOutputPath + "\\" + PluginToRun + ".txt")); + } else { + logger.log(Level.INFO, "Exit Value is ", exitVal); + } + } catch (Exception ex) { + logger.log(Level.SEVERE, "Unable to run Volatility", ex); //NON-NLS + //this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName())); + } + } + + /** + * Finds and returns the path to the executable, if able. 
+ * + * @param executableToFindName The name of the executable to find + * + * @return A File reference or throws an exception + * + * @throws IngestModuleException + */ +// public static File locateExecutable(String executableToFindName) throws IngestModule.IngestModuleException { + public static File locateExecutable(String executableToFindName) { + // Must be running under a Windows operating system. + if (!PlatformUtil.isWindowsOS()) { + // throw new IngestModule.IngestModuleException(Bundle.unsupportedOS_message()); + } + + File exeFile = InstalledFileLocator.getDefault().locate(executableToFindName, VolatilityProcessor.class.getPackage().getName(), false); + if (null == exeFile) { + //throw new IngestModule.IngestModuleException(Bundle.missingExecutable_message()); + } + + if (!exeFile.canExecute()) { + //throw new IngestModule.IngestModuleException(Bundle.cannotRunExecutable_message()); + } + + return exeFile; + } + + private String parseProfile(File memoryProfile) throws FileNotFoundException { + // create a Buffered Reader object instance with a FileReader + try ( + BufferedReader br = new BufferedReader(new FileReader(memoryProfile))) { + // read the first line from the text file + String fileRead = br.readLine(); + br.close(); + String[] profileLine = fileRead.split(":"); + String[] memProfile = profileLine[1].split(",|\\("); + return memProfile[0].replaceAll("\\s+",""); + } catch (IOException ex) { + Exceptions.printStackTrace(ex); + } + + return null; + } + + private void ScanOutputFile(FileManager fileManager, String pluginName, File PluginOutput) { + List fileNames = new ArrayList<>(); + + Blackboard blackboard = Case.getCurrentCase().getServices().getBlackboard(); + + try { + fileNames = parsePluginOutput(PluginOutput); + } catch (Exception ex) { + logger.log(Level.SEVERE, "Unable to run RegRipper", ex); //NON-NLS + //this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName())); 
+ } + try { + fileNames.forEach((String fileName) -> { + List volFiles = new ArrayList<>(); + File volfile = new File(fileName); + String filename = volfile.getName(); + String path = volfile.getParent(); + //Path path = Paths.get("/", fileName).normalize(); + //String path = fileName.substring(0, fileName.lastIndexOf("\\")+1); +// String filename = fileName.substring(fileName.lastIndexOf("\\")+1); + if (path != null && !path.isEmpty()) { +// if ("".equals(path)) { + path = path.replaceAll("\\\\", "%"); + path = path + "%"; +// path = "%"; + } else { +// path = path.replaceAll("\\\\", "%"); +// path = path + "%"; + path = "%"; + // path = path.substring(0, path.length()-1); + } + try { + volFiles = fileManager.findFiles(filename, path); //NON-NLS + } catch (TskCoreException ex) { + //String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles"); + logger.log(Level.SEVERE, "Error in Finding FIles", ex); + return; + } + volFiles.forEach((volFile) -> { + try { + String MODULE_NAME = "VOLATILITY"; + BlackboardArtifact volArtifact = volFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT); + BlackboardAttribute att1 = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, + "Volatility Plugin " + pluginName); + BlackboardAttribute att2 = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, + "Volatility Plugin " + pluginName); + volArtifact.addAttribute(att1); + volArtifact.addAttribute(att2); + + try { + // index the artifact for keyword search + blackboard.indexArtifact(volArtifact); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Unable to index blackboard artifact " + volArtifact.getArtifactID(), ex); //NON-NLS + } + + // fire event to notify UI of this new artifact + services.fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)); + } catch (TskCoreException ex) { + 
logger.log(Level.SEVERE, "Failed to create BlackboardArtifact.", ex); // NON-NLS + } catch (IllegalStateException ex) { + logger.log(Level.SEVERE, "Failed to create BlackboardAttribute.", ex); // NON-NLS + } + }); + }); + } catch (Exception ex) { + logger.log(Level.SEVERE, "Error in processing List of FIles", ex); //NON-NLS + } + } + + private List parsePluginOutput(File pluginFile) throws FileNotFoundException { + // create a Buffered Reader object instance with a FileReader + List fileNames = new ArrayList<>(); + String line; + Pattern filePathPattern = Pattern.compile("(\\\\[.-\\\\\\w\\\\s]+)+"); + Pattern fileName1Pattern = Pattern.compile("(\\s)([^!()\\,:][\\w-._]+)([^\\s()!:\\]]+)"); + Pattern fileName2Pattern = Pattern.compile("([^!()\\,:][\\w-._]+)([^\\s()!:\\]]+)"); + try { + BufferedReader br = new BufferedReader(new FileReader(pluginFile)); + // read the first line from the text file + while ((line = br.readLine()) != null) { + Matcher matcher = filePathPattern.matcher(line); + if (matcher.find()) { + fileNames.add(matcher.group()); + } else { + Matcher matcher1 = fileName1Pattern.matcher(line); + if (matcher1.find()) { + fileNames.add(matcher1.group()); + } else { + Matcher matcher2 = fileName2Pattern.matcher(line); + if (matcher2.find()) { + fileNames.add(matcher2.group()); + } + } + } + } + br.close(); + } catch (IOException ex) { + Exceptions.printStackTrace(ex); + } + + return fileNames; + } + +} diff --git a/branding/core/core.jar/org/netbeans/core/startup/Bundle.properties b/branding/core/core.jar/org/netbeans/core/startup/Bundle.properties index 8da9daefe4..f364b4b33b 100644 --- a/branding/core/core.jar/org/netbeans/core/startup/Bundle.properties +++ b/branding/core/core.jar/org/netbeans/core/startup/Bundle.properties @@ -1,5 +1,5 @@ #Updated by build script -#Tue, 23 Jan 2018 11:28:07 -0500 +#Sun, 25 Feb 2018 18:02:16 -0800 LBL_splash_window_title=Starting Autopsy SPLASH_HEIGHT=314 SPLASH_WIDTH=538 
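Review bot: `locateExecutable` has all three of its guards commented out, so on a host where the bundled `volatility_2.6_win64_standalone.exe` is absent `InstalledFileLocator.locate` returns null and the method dies with a NullPointerException in `exeFile.canExecute()` instead of a clear message, and the Windows-only check never rejects anything. Reinstate the checks with the `IngestModule.IngestModuleException` the commented lines already name (the `@NbBundle.Messages` block at the top of the file needs its PhotoRec wording changed to Volatility, the stray `private static Object Bundle;` field must go because it shadows the generated `Bundle` class, and `org.sleuthkit.autopsy.ingest.IngestModule` needs importing), and have `run()` catch it and return rather than proceed with a null executable. Separately, `logger.log(Level.INFO, "Exit Value is ", exitVal)` has no `{0}` placeholder so the exit code is never printed, and a non-zero exit from the tool deserves at least WARNING. `parsePluginOutput` opens its `BufferedReader` outside try-with-resources so the handle leaks on any exception, and `parseProfile` returns `null` on an I/O error, after which `executeVolatility` appends `--profile=null` to the command line. Note too that `PluginToRun` and the profile string parsed from `imageinfo.txt` (the tool's own output over an untrusted image) end up as argv elements and, for the plugin name, in the output file path `moduleOutputPath + "\\" + PluginToRun + ".txt"`; the plugin names appear to come from a fixed list in `MemoryDSInputPanel`, but if that list ever becomes user-editable they should be validated against a known set before use.
```java
public static File locateExecutable(String executableToFindName) throws IngestModule.IngestModuleException {
    // Must be running under a Windows operating system.
    if (!PlatformUtil.isWindowsOS()) {
        throw new IngestModule.IngestModuleException(Bundle.unsupportedOS_message());
    }
    File exeFile = InstalledFileLocator.getDefault().locate(executableToFindName, VolatilityProcessor.class.getPackage().getName(), false);
    if (null == exeFile) {
        throw new IngestModule.IngestModuleException(Bundle.missingExecutable_message());
    }
    if (!exeFile.canExecute()) {
        throw new IngestModule.IngestModuleException(Bundle.cannotRunExecutable_message());
    }
    return exeFile;
}

@Override
public void run() {
    Path execName = Paths.get(VOLATILITY_DIRECTORY, VOLATILITY_EXECUTABLE);
    try {
        executableFile = locateExecutable(execName.toString());
    } catch (IngestModule.IngestModuleException ex) {
        logger.log(Level.SEVERE, "Volatility executable is not available, skipping memory image analysis", ex); //NON-NLS
        return;
    }
    // … unchanged: output directory creation, imageinfo run and plugin loop …
}
```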
diff --git a/branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties b/branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties index 5daf2c9d7e..4bd2ae0e48 100644 --- a/branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties +++ b/branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties @@ -1,4 +1,4 @@ #Updated by build script -#Tue, 23 Jan 2018 11:28:07 -0500 +#Sun, 25 Feb 2018 18:02:16 -0800 CTL_MainWindow_Title=Autopsy 4.5.0 CTL_MainWindow_Title_No_Project=Autopsy 4.5.0 diff --git a/thirdparty/Volatility/AUTHORS-2.5.txt b/thirdparty/Volatility/AUTHORS-2.5.txt new file mode 100644 index 0000000000..d01f09405f --- /dev/null +++ b/thirdparty/Volatility/AUTHORS-2.5.txt @@ -0,0 +1,42 @@ +=============================================== +This file identifies core Volatility authors. + +All lists are alphabetical. +=============================================== + +Volatility 2.4, 2.5: +------------ + +Mike Auty +Andrew Case +Michael Hale Ligh +Jamie Levy +AAron Walters + +Volatility 2.0, 2.1, 2.2, 2.3: +------------ + +Mike Auty +Andrew Case +Michael Cohen +Brendan Dolan-Gavitt +Michael Hale Ligh +Jamie Levy +AAron Walters + +Volatility 1.3: +------------ + +AAron Walters +Volatile Systems LLC + +Brendan Dolan-Gavitt + +Volatools Basic authors: +------------ + +AAron Walters +Komoku, Inc. + +Nick L. Petroni, Jr. +Komoku, Inc. diff --git a/thirdparty/Volatility/AUTHORS-2.6.txt b/thirdparty/Volatility/AUTHORS-2.6.txt new file mode 100644 index 0000000000..8066ebe13f --- /dev/null +++ b/thirdparty/Volatility/AUTHORS-2.6.txt 
@@ -0,0 +1,53 @@ +=============================================== +This file identifies core Volatility authors. + +All lists are alphabetical. +=============================================== + +Volatility 2.6: +------------ + +Mike Auty +Andrew Case +Michael Hale Ligh +Jamie Levy +AAron Walters +Nick L. Petroni, Jr. + + +Volatility 2.4, 2.5: +------------ + +Mike Auty +Andrew Case +Michael Hale Ligh +Jamie Levy +AAron Walters + +Volatility 2.0, 2.1, 2.2, 2.3: +------------ + +Mike Auty +Andrew Case +Michael Cohen +Brendan Dolan-Gavitt +Michael Hale Ligh +Jamie Levy +AAron Walters + +Volatility 1.3: +------------ + +AAron Walters +Volatile Systems LLC + +Brendan Dolan-Gavitt + +Volatools Basic authors: +------------ + +AAron Walters +Komoku, Inc. + +Nick L. Petroni, Jr. +Komoku, Inc. diff --git a/thirdparty/Volatility/CREDITS-2.5.txt b/thirdparty/Volatility/CREDITS-2.5.txt new file mode 100644 index 0000000000..26082de49d --- /dev/null +++ b/thirdparty/Volatility/CREDITS-2.5.txt 
@@ -0,0 +1,105 @@ +=============================================== +We would like to acknowledge individuals that +have made significant contributions, code, or +ideas toward the respective volatility releases. + +All lists are alphabetical. + +These lists exclude the core Volatility authors, +who are identified in AUTHORS.txt. + +If you believe you've been left off, it is not +intentional. Please bring it to our attention! +=============================================== + +Volatility 2.5: + +Adam Bridge for adding a --count option (humanly readable byte stats) to imagecopy/raw2dmp +Sebastien Bourdon-Richard for various patches and bug fixes +Bruno Constanzo for various patches to enhance performance/optimization +Glenn P. Edwards, Jr for adding combined user/kernel scans, --case, and ascii/unicode options to yarascan +@f-s-p for converting some plugins to unfied output format +Cem Gurkok for submitting the mac_threads plugin +Takahiro Haruyama for noticing and fixing a bug in impscan +@masdif for contributing a fix for kernel 3.7+ in linux/module.c +Wyatt Roersma for converting a large number of plugins to the unified output format +Karl Vogel for pointing out an issue with IPv4 addresses on big endian systems + +Volatility 2.4: + +Steven Adair for assistance identifying a large memory PAE bug +Sebastien Bourdon-Richard for his work on the VMware vmem/vmss split (with meta) AS +Justin Capella and Espen Olsen for their work on the Qemu ELF core dumps +Cem Gurkok for help updating Mac OS X support for 10.9 +Matt McCormack for supplying a patch to rebase dumped PE files +Stewart McIntyre for extending apihooks for detecting JMP FAR instructions +Kevin Marker for contributing over 160 standard build Linux profiles +synack33 for creating various Mac OS X profiles, including initial ones for 10.10 +Raphaël Vinot for his patch to fix IPython within volshell + +Volatility 2.3: + +Cem Gurkok for his work on the privileges plugin for Windows +Nir Izraeli for his work on 
the VMware snapshot address space (see also the vmsnparser project) +@osxmem of the volafox project (Mac OS X & BSD Memory Analysis Toolkit) +@osxreverser of reverse.put.as for his help with OSX memory analysis +Carl Pulley for numerous bug reports, example patches, and plugin testing +Andreas Schuster for his work on poison ivy plugins for Windows +Joe Sylve for his work on the ARM address space and significant contributions to linux and mac capabilities +Philippe Teuwen for his work on the virtual box address space +Santiago Vicente for his work on the citadel plugins for Windows + +Volatility 2.2: +------------ + +Joe Sylve + +Volatility 2.1: +------------ + +--- + +Volatility 2.0: +------------ + +Frank Boldewin +Carl Pulley +Andreas Schuster +Bradley Schatz + +Volatility 1.3: +------------ + +Harlan Carvey +Michael Cohen +David Collett +Brendan Dolan-Gavitt +Andreas Schuster +Matthieu Suiche + +We would also like to acknowledge those who have provided valuable +feedback, bug reports, and testing: + +Jide Abu +Joseph Ayo Akinyele +Tommaso Assandri +Richard Austin +Cameron C Caffee +Eoghan Casey +Angelo Cavallini +Andre' DiMino +Jon Evans +Robert Guess +Christian Herndler +jeremie0 +Eugene Libster +Erik Ligda +Robert Lowe +Tony Martin +Timothy Morgan +Bryan D. Payne +Golden G. Richard III +Wyatt Roersma +RB +Sam F. Stover +Marko Thure diff --git a/thirdparty/Volatility/CREDITS-2.6.txt b/thirdparty/Volatility/CREDITS-2.6.txt new file mode 100644 index 0000000000..46714be5dd --- /dev/null +++ b/thirdparty/Volatility/CREDITS-2.6.txt 
@@ -0,0 +1,119 @@ +=============================================== +We would like to acknowledge individuals that +have made significant contributions, code, or +ideas toward the respective volatility releases. + +All lists are alphabetical. + +These lists exclude the core Volatility authors, +who are identified in AUTHORS.txt. + +If you believe you've been left off, it is not +intentional. Please bring it to our attention! +=============================================== + +Volatility 2.6: + +jie-lin for fixing a pyinstaller NameError issue +gcmoreira for fixing a recursive property issue in Linux plugins +Adam Bridge for updating the EditBox plugin +jie-lin for preventing a backtrace in the MBR parser plugin +haco20292 for fixing a bug in linux_dmesg +williamshowalter for updating mac_get_profile and convert.py for El Capitan support +robbyFux for fixing a bug in the svcscan plugin +f-s-p for adding unified output to the threads plugin +Binary_Raider for adding the powershell empire plugins +ozylol for updating create_all_profiles.py for Mac 10.11 +JamesHabben for adjusting sqlite inserts to allow for more columns to exist in table + +Volatility 2.5: + +Adam Bridge for adding a --count option (humanly readable byte stats) to imagecopy/raw2dmp +Sebastien Bourdon-Richard for various patches and bug fixes +Bruno Constanzo for various patches to enhance performance/optimization +Glenn P. 
Edwards, Jr for adding combined user/kernel scans, --case, and ascii/unicode options to yarascan +@f-s-p for converting some plugins to unfied output format +Cem Gurkok for submitting the mac_threads plugin +Takahiro Haruyama for noticing and fixing a bug in impscan +@masdif for contributing a fix for kernel 3.7+ in linux/module.c +Wyatt Roersma for converting a large number of plugins to the unified output format +Karl Vogel for pointing out an issue with IPv4 addresses on big endian systems + +Volatility 2.4: + +Steven Adair for assistance identifying a large memory PAE bug +Sebastien Bourdon-Richard for his work on the VMware vmem/vmss split (with meta) AS +Justin Capella and Espen Olsen for their work on the Qemu ELF core dumps +Cem Gurkok for help updating Mac OS X support for 10.9 +Matt McCormack for supplying a patch to rebase dumped PE files +Stewart McIntyre for extending apihooks for detecting JMP FAR instructions +Kevin Marker for contributing over 160 standard build Linux profiles +synack33 for creating various Mac OS X profiles, including initial ones for 10.10 +Raphaël Vinot for his patch to fix IPython within volshell + +Volatility 2.3: + +Cem Gurkok for his work on the privileges plugin for Windows +Nir Izraeli for his work on the VMware snapshot address space (see also the vmsnparser project) +@osxmem of the volafox project (Mac OS X & BSD Memory Analysis Toolkit) +@osxreverser of reverse.put.as for his help with OSX memory analysis +Carl Pulley for numerous bug reports, example patches, and plugin testing +Andreas Schuster for his work on poison ivy plugins for Windows +Joe Sylve for his work on the ARM address space and significant contributions to linux and mac capabilities +Philippe Teuwen for his work on the virtual box address space +Santiago Vicente for his work on the citadel plugins for Windows + +Volatility 2.2: +------------ + +Joe Sylve + +Volatility 2.1: +------------ + +--- + +Volatility 2.0: +------------ + +Frank Boldewin +Carl 
Pulley +Andreas Schuster +Bradley Schatz + +Volatility 1.3: +------------ + +Harlan Carvey +Michael Cohen +David Collett +Brendan Dolan-Gavitt +Andreas Schuster +Matthieu Suiche + +We would also like to acknowledge those who have provided valuable +feedback, bug reports, and testing: + +Jide Abu +Joseph Ayo Akinyele +Tommaso Assandri +Richard Austin +Cameron C Caffee +Eoghan Casey +Angelo Cavallini +Andre' DiMino +Jon Evans +Robert Guess +Christian Herndler +jeremie0 +Eugene Libster +Erik Ligda +Robert Lowe +Tony Martin +Timothy Morgan +Bryan D. Payne +Golden G. Richard III +Wyatt Roersma +RB +Sam F. Stover +Marko Thure diff --git a/thirdparty/Volatility/LEGAL-2.5.txt b/thirdparty/Volatility/LEGAL-2.5.txt new file mode 100644 index 0000000000..69924bcab3 --- /dev/null +++ b/thirdparty/Volatility/LEGAL-2.5.txt @@ -0,0 +1,20 @@ +Volatility +=============== + +License +------- + +Copyright (C) 2007-2013 Volatility Foundation + +Volatility is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +Volatility is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with Volatility. If not, see . diff --git a/thirdparty/Volatility/LEGAL2.6.txt b/thirdparty/Volatility/LEGAL2.6.txt new file mode 100644 index 0000000000..69924bcab3 --- /dev/null +++ b/thirdparty/Volatility/LEGAL2.6.txt 
@@ -0,0 +1,20 @@ +Volatility +=============== + +License +------- + +Copyright (C) 2007-2013 Volatility Foundation + +Volatility is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +Volatility is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with Volatility. If not, see . diff --git a/thirdparty/Volatility/LICENSE-2.5.txt b/thirdparty/Volatility/LICENSE-2.5.txt new file mode 100644 index 0000000000..fa6a77d4a4 --- /dev/null +++ b/thirdparty/Volatility/LICENSE-2.5.txt 
@@ -0,0 +1,281 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.
The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License.
(Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3.
You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7.
If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8.
If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
diff --git a/thirdparty/Volatility/LICENSE2.6.txt b/thirdparty/Volatility/LICENSE2.6.txt
new file mode 100644
index 0000000000..fa6a77d4a4
--- /dev/null
+++ b/thirdparty/Volatility/LICENSE2.6.txt
@@ -0,0 +1,281 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.
The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License.
(Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3.
You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7.
If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8.
If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
diff --git a/thirdparty/Volatility/README-2.5.txt b/thirdparty/Volatility/README-2.5.txt
new file mode 100644
index 0000000000..dc4e57db12
--- /dev/null
+++ b/thirdparty/Volatility/README-2.5.txt
@@ -0,0 +1,553 @@
+============================================================================
+Volatility Framework - Volatile memory extraction utility framework
+============================================================================
+
+The Volatility Framework is a completely open collection of tools,
+implemented in Python under the GNU General Public License, for the
+extraction of digital artifacts from volatile memory (RAM) samples.
+The extraction techniques are performed completely independent of the
+system being investigated but offer visibilty into the runtime state
+of the system. The framework is intended to introduce people to the
+techniques and complexities associated with extracting digital artifacts
+from volatile memory samples and provide a platform for further work into
+this exciting area of research.
+
+The Volatility distribution is available from:
+http://www.volatilityfoundation.org/#!releases/component_71401
+
+Volatility should run on any platform that supports
+Python (http://www.python.org)
+
+Volatility supports investigations of the following memory images:
+
+Windows:
+* 32-bit Windows XP Service Pack 2 and 3
+* 32-bit Windows 2003 Server Service Pack 0, 1, 2
+* 32-bit Windows Vista Service Pack 0, 1, 2
+* 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
+* 32-bit Windows 7 Service Pack 0, 1
+* 32-bit Windows 8, 8.1, and 8.1 Update 1
+* 32-bit Windows 10 (initial support)
+* 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
+* 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
+* 64-bit Windows Vista Service Pack 0, 1, 2
+* 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
+* 64-bit Windows 2008 R2 Server Service Pack 0 and 1
+* 64-bit Windows 7 Service Pack 0 and 1
+* 64-bit Windows 8, 8.1, and 8.1 Update 1
+* 64-bit Windows Server 2012 and 2012 R2
+* 64-bit Windows 10 (initial support)
+
+Linux:
+* 32-bit Linux kernels 2.6.11 to 4.2.3
+* 64-bit Linux kernels 2.6.11 to
4.2.3
+* OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
+
+Mac OSX:
+* 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
+* 32-bit 10.6.x Snow Leopard
+* 64-bit 10.6.x Snow Leopard
+* 32-bit 10.7.x Lion
+* 64-bit 10.7.x Lion
+* 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
+* 64-bit 10.9.x Mavericks (there is no 32-bit version)
+* 64-bit 10.10.x Yosemite (there is no 32-bit version)
+* 64-bit 10.11.x El Capitan (there is no 32-bit version)
+
+Volatility does not provide memory sample acquisition
+capabilities. For acquisition, there are both free and commercial
+solutions available. If you would like suggestions about suitable
+acquisition solutions, please contact us at:
+
+volatility (at) volatilityfoundation (dot) org
+
+Volatility supports a variety of sample file formats and the
+ability to convert between these formats:
+
+ - Raw linear sample (dd)
+ - Hibernation file
+ - Crash dump file
+ - VirtualBox ELF64 core dump
+ - VMware saved state and snapshot files
+ - EWF format (E01)
+ - LiME (Linux Memory Extractor) format
+ - Mach-o file format
+ - QEMU virtual machine dumps
+ - Firewire
+ - HPAK (FDPro)
+
+For a more detailed list of capabilities, see the following:
+
+ https://github.com/volatilityfoundation/volatility/wiki
+
+Also see the community plugins repository:
+
+ https://github.com/volatilityfoundation/community
+
+Example Data
+============
+
+If you want to give Volatility a try, you can download exemplar
+memory images from the following url:
+
+ https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
+
+Mailing Lists
+=============
+
+Mailing lists to support the users and developers of Volatility
+can be found at the following address:
+
+ http://lists.volatilesystems.com/mailman/listinfo
+
+Contact
+=======
+For information or requests, contact:
+
+Volatility Foundation
+
+Web: http://www.volatilityfoundation.org
+ http://volatility-labs.blogspot.com
+ http://volatility.tumblr.com
+
+Email: volatility (at) volatilityfoundation (dot) org
+
+IRC: #volatility on freenode
+
+Twitter: @volatility
+
+Requirements
+============
+- Python 2.6 or later, but not 3.0. http://www.python.org
+
+Some plugins may have other requirements which can be found at:
+ https://github.com/volatilityfoundation/volatility/wiki/Installation
+
+Quick Start
+===========
+1. Unpack the latest version of Volatility from
+ volatilityfoundation.org
+
+2. To see available options, run "python vol.py -h" or "python vol.py --info"
+
+ Example:
+
+$ python vol.py --info
+Volatility Foundation Volatility Framework 2.5
+
+Profiles
+--------
+VistaSP0x64 - A Profile for Windows Vista SP0 x64
+VistaSP0x86 - A Profile for Windows Vista SP0 x86
+VistaSP1x64 - A Profile for Windows Vista SP1 x64
+VistaSP1x86 - A Profile for Windows Vista SP1 x86
+VistaSP2x64 - A Profile for Windows Vista SP2 x64
+VistaSP2x86 - A Profile for Windows Vista SP2 x86
+Win10x64 - A Profile for Windows 10 x64
+Win10x86 - A Profile for Windows 10 x86
+Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
+Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
+Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
+Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
+Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
+Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
+Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
+Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
+Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
+Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
+Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
+Win2012R2x64 - A Profile for Windows Server 2012 R2 x64
+Win2012x64 - A Profile for Windows Server 2012 x64
+Win7SP0x64 - A Profile for Windows 7 SP0 x64
+Win7SP0x86 - A Profile for Windows 7 SP0 x86
+Win7SP1x64 - A Profile for Windows 7 SP1 x64
+Win7SP1x86 - A Profile for Windows 7 SP1 x86
+Win81U1x64 - A Profile for Windows 8.1 Update 1 x64
+Win81U1x86 - A Profile for Windows 8.1 Update 1
x86
+Win8SP0x64 - A Profile for Windows 8 x64
+Win8SP0x86 - A Profile for Windows 8 x86
+Win8SP1x64 - A Profile for Windows 8.1 x64
+Win8SP1x86 - A Profile for Windows 8.1 x86
+WinXPSP1x64 - A Profile for Windows XP SP1 x64
+WinXPSP2x64 - A Profile for Windows XP SP2 x64
+WinXPSP2x86 - A Profile for Windows XP SP2 x86
+WinXPSP3x86 - A Profile for Windows XP SP3 x86
+
+Address Spaces
+--------------
+AMD64PagedMemory - Standard AMD 64-bit address space.
+ArmAddressSpace - Address space for ARM processors
+FileAddressSpace - This is a direct file AS.
+HPAKAddressSpace - This AS supports the HPAK format
+IA32PagedMemory - Standard IA-32 paging address space.
+IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible
+LimeAddressSpace - Address space for Lime
+MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
+OSXPmemELF - This AS supports VirtualBox ELF64 coredump format
+QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format
+VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files
+VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata
+VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format
+WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
+WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
+WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format
+WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
+
+Plugins
+-------
+amcache - Print AmCache information
+apihooks - Detect API hooks in process and kernel memory
+atoms - Print session and window station atom tables
+atomscan - Pool scanner for atom tables
+auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
+bigpools - Dump the big page pools using BigPagePoolScanner
+bioskbd - Reads the keyboard buffer from Real Mode memory
+cachedump - Dumps cached domain hashes from memory
+callbacks - Print system-wide notification routines
+clipboard - Extract the contents of the windows clipboard
+cmdline - Display process command-line arguments
+cmdscan - Extract command history by scanning for _COMMAND_HISTORY
+connections - Print list of open connections [Windows XP and 2003 Only]
+connscan - Pool scanner for tcp connections
+consoles - Extract command history by scanning for _CONSOLE_INFORMATION
+crashinfo - Dump crash-dump information
+deskscan - Poolscaner for tagDESKTOP (desktops)
+devicetree - Show device tree
+dlldump - Dump DLLs from a process address space
+dlllist - Print list of loaded dlls for each process
+driverirp - Driver IRP hook detection
+drivermodule - Associate driver objects to kernel modules
+driverscan - Pool scanner for driver objects
+dumpcerts - Dump RSA private and public SSL keys
+dumpfiles - Extract memory mapped and cached files
+dumpregistry - Dumps registry files out to disk
+envars - Display process environment variables
+eventhooks - Print details on windows event hooks
+evtlogs - Extract Windows Event Logs (XP/2003 only)
+filescan - Pool scanner for file objects
+gahti - Dump the USER handle type information
+gditimers - Print installed GDI timers and callbacks
+gdt - Display Global Descriptor Table
+getservicesids - Get the names of services in the Registry and return Calculated SID
+getsids - Print the SIDs owning each process
+handles - Print list of open handles for each process
+hashdump - Dumps passwords hashes (LM/NTLM) from memory
+hibinfo - Dump
hibernation file information
+hivedump - Prints out a hive
+hivelist - Print list of registry hives.
+hivescan - Pool scanner for registry hives
+hpakextract - Extract physical memory from an HPAK file
+hpakinfo - Info on an HPAK file
+idt - Display Interrupt Descriptor Table
+iehistory - Reconstruct Internet Explorer cache / history
+imagecopy - Copies a physical address space out as a raw DD image
+imageinfo - Identify information for the image
+impscan - Scan for calls to imported functions
+joblinks - Print process job link information
+kdbgscan - Search for and dump potential KDBG values
+kpcrscan - Search for and dump potential KPCR values
+ldrmodules - Detect unlinked DLLs
+limeinfo - Dump Lime file format information
+linux_apihooks - Checks for userland apihooks
+linux_arp - Print the ARP table
+linux_banner - Prints the Linux banner information
+linux_bash - Recover bash history from bash process memory
+linux_bash_env - Recover a process' dynamic environment variables
+linux_bash_hash - Recover bash hash table from bash process memory
+linux_check_afinfo - Verifies the operation function pointers of network protocols
+linux_check_creds - Checks if any processes are sharing credential structures
+linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking
+linux_check_fop - Check file operation structures for rootkit modifications
+linux_check_idt - Checks if the IDT has been altered
+linux_check_inline_kernel - Check for inline kernel hooks
+linux_check_modules - Compares module list to sysfs info, if available
+linux_check_syscall - Checks if the system call table has been altered
+linux_check_syscall_arm - Checks if the system call table has been altered
+linux_check_tty - Checks tty devices for hooks
+linux_cpuinfo - Prints info about each active processor
+linux_dentry_cache - Gather files from the dentry cache
+linux_dmesg - Gather dmesg buffer
+linux_dump_map - Writes selected memory mappings to disk
+linux_dynamic_env
- Recover a process' dynamic environment variables
+linux_elfs - Find ELF binaries in process mappings
+linux_enumerate_files - Lists files referenced by the filesystem cache
+linux_find_file - Lists and recovers files from memory
+linux_getcwd - Lists current working directory of each process
+linux_hidden_modules - Carves memory to find hidden kernel modules
+linux_ifconfig - Gathers active interfaces
+linux_info_regs - It's like 'info registers' in GDB. It prints out all the
+linux_iomem - Provides output similar to /proc/iomem
+linux_kernel_opened_files - Lists files that are opened from within the kernel
+linux_keyboard_notifiers - Parses the keyboard notifier call chain
+linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
+linux_library_list - Lists libraries loaded into a process
+linux_librarydump - Dumps shared libraries in process memory to disk
+linux_list_raw - List applications with promiscuous sockets
+linux_lsmod - Gather loaded kernel modules
+linux_lsof - Lists file descriptors and their path
+linux_malfind - Looks for suspicious process mappings
+linux_memmap - Dumps the memory map for linux tasks
+linux_moddump - Extract loaded kernel modules
+linux_mount - Gather mounted fs/devices
+linux_mount_cache - Gather mounted fs/devices from kmem_cache
+linux_netfilter - Lists Netfilter hooks
+linux_netscan - Carves for network connection structures
+linux_netstat - Lists open sockets
+linux_pidhashtable - Enumerates processes through the PID hash table
+linux_pkt_queues - Writes per-process packet queues out to disk
+linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images
+linux_proc_maps - Gathers process memory maps
+linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree
+linux_procdump - Dumps a process's executable image to disk
+linux_process_hollow - Checks for signs of process hollowing
+linux_psaux - Gathers processes along with full command line and start time
+linux_psenv - Gathers processes along with their static environment variables
+linux_pslist - Gather active tasks by walking the task_struct->task list
+linux_pslist_cache - Gather tasks from the kmem_cache
+linux_pstree - Shows the parent/child relationship between processes
+linux_psxview - Find hidden processes with various process listings
+linux_recover_filesystem - Recovers the entire cached file system from memory
+linux_route_cache - Recovers the routing cache from memory
+linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
+linux_slabinfo - Mimics /proc/slabinfo on a running machine
+linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
+linux_threads - Prints threads of processes
+linux_tmpfs - Recovers tmpfs filesystems from memory
+linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases
+linux_vma_cache - Gather VMAs from the vm_area_struct cache
+linux_volshell - Shell in the memory image
+linux_yarascan - A shell in the Linux memory image
+lsadump - Dump (decrypted) LSA secrets from the registry
+mac_adium - Lists Adium messages
+mac_apihooks - Checks for API hooks in processes
+mac_apihooks_kernel - Checks to see if system call and kernel functions are hooked
+mac_arp - Prints the arp table
+mac_bash - Recover bash history from bash process memory
+mac_bash_env - Recover bash's environment variables
+mac_bash_hash - Recover bash hash table from bash process memory
+mac_calendar - Gets calendar events from Calendar.app
+mac_check_mig_table - Lists entires in the kernel's MIG table
+mac_check_syscall_shadow - Looks for shadow system call tables
+mac_check_syscalls - Checks to see if system call table entries are hooked
+mac_check_sysctl - Checks for unknown sysctl handlers
+mac_check_trap_table - Checks to see if mach trap table entries are hooked
+mac_compressed_swap - Prints Mac OS X VM compressor stats and dumps all compressed pages
+mac_contacts - Gets contact names from Contacts.app
+mac_dead_procs - Prints terminated/de-allocated processes
+mac_dead_sockets - Prints terminated/de-allocated network sockets
+mac_dead_vnodes - Lists freed vnode structures
+mac_dmesg - Prints the kernel debug buffer
+mac_dump_file - Dumps a specified file
+mac_dump_maps - Dumps memory ranges of process(es), optionally including pages in compressed swap
+mac_dyld_maps - Gets memory maps of processes from dyld data structures
+mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
+mac_get_profile - Automatically detect Mac profiles
+mac_ifconfig - Lists network interface information for all devices
+mac_ip_filters - Reports any hooked IP filters
+mac_keychaindump - Recovers possbile keychain keys. Use chainbreaker to open related keychain files
+mac_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
+mac_librarydump - Dumps the executable of a process
+mac_list_files - Lists files in the file cache
+mac_list_kauth_listeners - Lists Kauth Scope listeners
+mac_list_kauth_scopes - Lists Kauth Scopes and their status
+mac_list_raw - List applications with promiscuous sockets
+mac_list_sessions - Enumerates sessions
+mac_list_zones - Prints active zones
+mac_lsmod - Lists loaded kernel modules
+mac_lsmod_iokit - Lists loaded kernel modules through IOkit
+mac_lsmod_kext_map - Lists loaded kernel modules
+mac_lsof - Lists per-process opened files
+mac_machine_info - Prints machine information about the sample
+mac_malfind - Looks for suspicious process mappings
+mac_memdump - Dump addressable memory pages to a file
+mac_moddump - Writes the specified kernel extension to disk
+mac_mount - Prints mounted device information
+mac_netstat - Lists active per-process network connections
+mac_network_conns - Lists network connections from kernel network structures
+mac_notesapp - Finds contents of Notes messages
+mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g.
LogKext)
+mac_orphan_threads - Lists threads that don't map back to known modules/processes
+mac_pgrp_hash_table - Walks the process group hash table
+mac_pid_hash_table - Walks the pid hash table
+mac_print_boot_cmdline - Prints kernel boot arguments
+mac_proc_maps - Gets memory maps of processes
+mac_procdump - Dumps the executable of a process
+mac_psaux - Prints processes with arguments in user land (**argv)
+mac_psenv - Prints processes with environment in user land (**envp)
+mac_pslist - List Running Processes
+mac_pstree - Show parent/child relationship of processes
+mac_psxview - Find hidden processes with various process listings
+mac_recover_filesystem - Recover the cached filesystem
+mac_route - Prints the routing table
+mac_socket_filters - Reports socket filters
+mac_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
+mac_tasks - List Active Tasks
+mac_threads - List Process Threads
+mac_threads_simple - Lists threads along with their start time and priority
+mac_trustedbsd - Lists malicious trustedbsd policies
+mac_version - Prints the Mac version
+mac_volshell - Shell in the memory image
+mac_yarascan - Scan memory for yara signatures
+machoinfo - Dump Mach-O file format information
+malfind - Find hidden and injected code
+mbrparser - Scans for and parses potential Master Boot Records (MBRs)
+memdump - Dump the addressable memory for a process
+memmap - Print the memory map
+messagehooks - List desktop and thread window message hooks
+mftparser - Scans for and parses potential MFT entries
+moddump - Dump a kernel driver to an executable file sample
+modscan - Pool scanner for kernel modules
+modules - Print list of loaded modules
+multiscan - Scan for various objects at once
+mutantscan - Pool scanner for mutex objects
+netscan - Scan a Vista (or later) image for connections and sockets
+notepad - List currently displayed notepad text
+objtypescan - Scan for Windows object type objects
+patcher - Patches memory
based on page scans
+poolpeek - Configurable pool scanner plugin
+pooltracker - Show a summary of pool tag usage
+printkey - Print a registry key, and its subkeys and values
+privs - Display process privileges
+procdump - Dump a process to an executable file sample
+pslist - Print all running processes by following the EPROCESS lists
+psscan - Pool scanner for process objects
+pstree - Print process list as a tree
+psxview - Find hidden processes with various process listings
+qemuinfo - Dump Qemu information
+raw2dmp - Converts a physical memory sample to a windbg crash dump
+screenshot - Save a pseudo-screenshot based on GDI windows
+servicediff - List Windows services (ala Plugx)
+sessions - List details on _MM_SESSION_SPACE (user logon sessions)
+shellbags - Prints ShellBags info
+shimcache - Parses the Application Compatibility Shim Cache registry key
+shutdowntime - Print ShutdownTime of machine from registry
+sockets - Print list of open sockets
+sockscan - Pool scanner for tcp socket objects
+ssdt - Display SSDT entries
+strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
+svcscan - Scan for Windows services
+symlinkscan - Pool scanner for symlink objects
+thrdscan - Pool scanner for thread objects
+threads - Investigate _ETHREAD and _KTHREADs
+timeliner - Creates a timeline from various artifacts in memory
+timers - Print kernel timers and associated module DPCs
+truecryptmaster - Recover TrueCrypt 7.1a Master Keys
+truecryptpassphrase - TrueCrypt Cached Passphrase Finder
+truecryptsummary - TrueCrypt Summary
+unloadedmodules - Print list of unloaded modules
+userassist - Print userassist registry keys and information
+userhandles - Dump the USER handle tables
+vaddump - Dumps out the vad sections to a file
+vadinfo - Dump the VAD info
+vadtree - Walk the VAD tree and display in tree format
+vadwalk - Walk the VAD tree
+vboxinfo - Dump virtualbox information
+verinfo - Prints out the version information from PE images
+vmwareinfo - Dump VMware VMSS/VMSN information
+volshell - Shell in the memory image
+win10cookie - Find the ObHeaderCookie value for Windows 10
+windows - Print Desktop Windows (verbose details)
+wintree - Print Z-Order Desktop Windows Tree
+wndscan - Pool scanner for window stations
+yarascan - Scan process or kernel memory with Yara signatures
+
+3. To get more information on a Windows memory sample and to make sure Volatility
+ supports that sample type, run 'python vol.py imageinfo -f ' or 'python vol.py kdbgscan -f '
+
+ Example:
+
+ $ python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw
+ Volatility Foundation Volatility Framework 2.5
+ Determining profile based on KDBG search...
+
+ Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
+ AS Layer1 : AMD64PagedMemory (Kernel AS)
+ AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw)
+ PAE type : PAE
+ DTB : 0x187000L
+ KDBG : 0xf800016460a0
+ Number of Processors : 1
+ Image Type (Service Pack) : 1
+ KPCR for CPU 0 : 0xfffff80001647d00L
+ KUSER_SHARED_DATA : 0xfffff78000000000L
+ Image date and time : 2012-03-24 19:30:53 UTC+0000
+ Image local date and time : 2012-03-25 03:30:53 +0800
+
+4. Run some other plugins. -f is a required option for all plugins. Some
+ also require/accept other options. Run "python vol.py -h" for
+ more information on a particular command.
A Command Reference wiki
+ is also available on the Google Code site:
+
+ https://github.com/volatilityfoundation/volatility/wiki
+
+ as well as Basic Usage:
+
+ https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
+
+Licensing and Copyright
+=======================
+
+Copyright (C) 2007-2015 Volatility Foundation
+
+All Rights Reserved
+
+Volatility is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+Volatility is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with Volatility. If not, see .
+
+Bugs and Support
+================
+There is no support provided with Volatility. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
+PURPOSE.
+
+If you think you've found a bug, please report it at:
+
+ https://github.com/volatilityfoundation/volatility/issues
+
+In order to help us solve your issues as quickly as possible,
+please include the following information when filing a bug:
+
+* The version of volatility you're using
+* The operating system used to run volatility
+* The version of python used to run volatility
+* The suspected operating system of the memory image
+* The complete command line you used to run volatility
+
+Depending on the operating system of the memory image, you may need to provide
+additional information, such as:
+
+For Windows:
+* The suspected Service Pack of the memory image
+
+For Linux:
+* The suspected kernel version of the memory image
+
+Other options for communicaton can be found at:
+ https://github.com/volatilityfoundation/volatility/wiki
+
+Missing or Truncated Information
+================================
+Volatility Foundation makes no claims about the validity or correctness of the
+output of Volatility. Many factors may contribute to the
+incorrectness of output from Volatility including, but not
+limited to, malicious modifications to the operating system,
+incomplete information due to swapping, and information corruption on
+image acquisition.
+
+Command Reference
+====================
+The following url contains a reference of all commands supported by
+Volatility.
+
+ https://github.com/volatilityfoundation/volatility/wiki
+
diff --git a/thirdparty/Volatility/README2.6.txt b/thirdparty/Volatility/README2.6.txt
new file mode 100644
index 0000000000..bc09fbe8f8
--- /dev/null
+++ b/thirdparty/Volatility/README2.6.txt
@@ -0,0 +1,588 @@
+============================================================================
+Volatility Framework - Volatile memory extraction utility framework
+============================================================================
+
+The Volatility Framework is a completely open collection of tools,
+implemented in Python under the GNU General Public License, for the
+extraction of digital artifacts from volatile memory (RAM) samples.
+The extraction techniques are performed completely independent of the
+system being investigated but offer visibilty into the runtime state
+of the system. The framework is intended to introduce people to the
+techniques and complexities associated with extracting digital artifacts
+from volatile memory samples and provide a platform for further work into
+this exciting area of research.
+
+The Volatility distribution is available from:
+http://www.volatilityfoundation.org/#!releases/component_71401
+
+Volatility should run on any platform that supports
+Python (http://www.python.org)
+
+Volatility supports investigations of the following memory images:
+
+Windows:
+* 32-bit Windows XP Service Pack 2 and 3
+* 32-bit Windows 2003 Server Service Pack 0, 1, 2
+* 32-bit Windows Vista Service Pack 0, 1, 2
+* 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
+* 32-bit Windows 7 Service Pack 0, 1
+* 32-bit Windows 8, 8.1, and 8.1 Update 1
+* 32-bit Windows 10 (initial support)
+* 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
+* 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
+* 64-bit Windows Vista Service Pack 0, 1, 2
+* 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
+* 64-bit Windows 2008 R2 Server Service Pack 0 and 1
+* 64-bit Windows 7 Service Pack 0 and 1
+* 64-bit Windows 8, 8.1, and 8.1 Update 1
+* 64-bit Windows Server 2012 and 2012 R2
+* 64-bit Windows 10 (including at least 10.0.14393)
+* 64-bit Windows Server 2016 (including at least 10.0.14393.0)
+
+Note:
Please see the guidelines at the following link for notes on
+compatibility with recently patched Windows 7 (or later) memory samples:
+
+ https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles
+
+Linux:
+* 32-bit Linux kernels 2.6.11 to 4.2.3
+* 64-bit Linux kernels 2.6.11 to 4.2.3
+* OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
+
+Mac OSX:
+* 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
+* 32-bit 10.6.x Snow Leopard
+* 64-bit 10.6.x Snow Leopard
+* 32-bit 10.7.x Lion
+* 64-bit 10.7.x Lion
+* 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
+* 64-bit 10.9.x Mavericks (there is no 32-bit version)
+* 64-bit 10.10.x Yosemite (there is no 32-bit version)
+* 64-bit 10.11.x El Capitan (there is no 32-bit version)
+* 64-bit 10.12.x Sierra (there is no 32-bit version)
+
+Volatility does not provide memory sample acquisition
+capabilities. For acquisition, there are both free and commercial
+solutions available. If you would like suggestions about suitable
+acquisition solutions, please contact us at:
+
+volatility (at) volatilityfoundation (dot) org
+
+Volatility supports a variety of sample file formats and the
+ability to convert between these formats:
+
+ - Raw linear sample (dd)
+ - Hibernation file (from Windows 7 and earlier)
+ - Crash dump file
+ - VirtualBox ELF64 core dump
+ - VMware saved state and snapshot files
+ - EWF format (E01)
+ - LiME format
+ - Mach-O file format
+ - QEMU virtual machine dumps
+ - Firewire
+ - HPAK (FDPro)
+
+For a more detailed list of capabilities, see the following:
+
+ https://github.com/volatilityfoundation/volatility/wiki
+
+Also see the community plugins repository:
+
+ https://github.com/volatilityfoundation/community
+
+Example Data
+============
+
+If you want to give Volatility a try, you can download exemplar
+memory images from the following url:
+
+ https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
+
+Mailing Lists
+=============
+
+Mailing lists to support the users and developers of Volatility
+can be found at the following address:
+
+ http://lists.volatilesystems.com/mailman/listinfo
+
+Contact
+=======
+For information or requests, contact:
+
+Volatility Foundation
+
+Web: http://www.volatilityfoundation.org
+ http://volatility-labs.blogspot.com
+ http://volatility.tumblr.com
+
+Email: volatility (at) volatilityfoundation (dot) org
+
+IRC: #volatility on freenode
+
+Twitter: @volatility
+
+Requirements
+============
+- Python 2.6 or later, but not 3.0. http://www.python.org
+
+Some plugins may have other requirements which can be found at:
+ https://github.com/volatilityfoundation/volatility/wiki/Installation
+
+Quick Start
+===========
+1. Unpack the latest version of Volatility from
+ volatilityfoundation.org
+
+2. To see available options, run "python vol.py -h" or "python vol.py --info"
+
+ Example:
+
+$ python vol.py --info
+Volatility Foundation Volatility Framework 2.6
+
+Address Spaces
+--------------
+AMD64PagedMemory - Standard AMD 64-bit address space.
+ArmAddressSpace - Address space for ARM processors
+FileAddressSpace - This is a direct file AS.
+HPAKAddressSpace - This AS supports the HPAK format
+IA32PagedMemory - Standard IA-32 paging address space.
+IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible
+LimeAddressSpace - Address space for Lime
+LinuxAMD64PagedMemory - Linux-specific AMD 64-bit address space.
+MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
+OSXPmemELF - This AS supports VirtualBox ELF64 coredump format
+QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format
+VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files
+VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata
+VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format
+Win10AMD64PagedMemory - Windows 10-specific AMD 64-bit address space.
+WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space.
+WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
+WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
+WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format
+WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
+
+Profiles
+--------
+VistaSP0x64 - A Profile for Windows Vista SP0 x64
+VistaSP0x86 - A Profile for Windows Vista SP0 x86
+VistaSP1x64 - A Profile for Windows Vista SP1 x64
+VistaSP1x86 - A Profile for Windows Vista SP1 x86
+VistaSP2x64 - A Profile for Windows Vista SP2 x64
+VistaSP2x86 - A Profile for Windows Vista SP2 x86
+Win10x64 - A Profile for Windows 10 x64
+Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
+Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
+Win10x86 - A Profile for Windows 10 x86
+Win10x86_10586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
+Win10x86_14393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
+Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
+Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
+Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
+Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
+Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
+Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
+Win2008R2SP1x64 - A Profile for Windows
2008 R2 SP1 x64 +Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09) +Win2008SP1x64 - A Profile for Windows 2008 SP1 x64 +Win2008SP1x86 - A Profile for Windows 2008 SP1 x86 +Win2008SP2x64 - A Profile for Windows 2008 SP2 x64 +Win2008SP2x86 - A Profile for Windows 2008 SP2 x86 +Win2012R2x64 - A Profile for Windows Server 2012 R2 x64 +Win2012R2x64_18340 - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13) +Win2012x64 - A Profile for Windows Server 2012 x64 +Win2016x64_14393 - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16) +Win7SP0x64 - A Profile for Windows 7 SP0 x64 +Win7SP0x86 - A Profile for Windows 7 SP0 x86 +Win7SP1x64 - A Profile for Windows 7 SP1 x64 +Win7SP1x64_23418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09) +Win7SP1x86 - A Profile for Windows 7 SP1 x86 +Win7SP1x86_23418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09) +Win81U1x64 - A Profile for Windows 8.1 Update 1 x64 +Win81U1x86 - A Profile for Windows 8.1 Update 1 x86 +Win8SP0x64 - A Profile for Windows 8 x64 +Win8SP0x86 - A Profile for Windows 8 x86 +Win8SP1x64 - A Profile for Windows 8.1 x64 +Win8SP1x64_18340 - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13) +Win8SP1x86 - A Profile for Windows 8.1 x86 +WinXPSP1x64 - A Profile for Windows XP SP1 x64 +WinXPSP2x64 - A Profile for Windows XP SP2 x64 +WinXPSP2x86 - A Profile for Windows XP SP2 x86 +WinXPSP3x86 - A Profile for Windows XP SP3 x86 + +Plugins +------- +amcache - Print AmCache information +apihooks - Detect API hooks in process and kernel memory +atoms - Print session and window station atom tables +atomscan - Pool scanner for atom tables +auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv +bigpools - Dump the big page pools using BigPagePoolScanner +bioskbd - Reads the keyboard buffer from Real Mode memory +cachedump - Dumps cached domain hashes from memory +callbacks - Print system-wide 
notification routines +clipboard - Extract the contents of the windows clipboard +cmdline - Display process command-line arguments +cmdscan - Extract command history by scanning for _COMMAND_HISTORY +connections - Print list of open connections [Windows XP and 2003 Only] +connscan - Pool scanner for tcp connections +consoles - Extract command history by scanning for _CONSOLE_INFORMATION +crashinfo - Dump crash-dump information +deskscan - Poolscaner for tagDESKTOP (desktops) +devicetree - Show device tree +dlldump - Dump DLLs from a process address space +dlllist - Print list of loaded dlls for each process +driverirp - Driver IRP hook detection +drivermodule - Associate driver objects to kernel modules +driverscan - Pool scanner for driver objects +dumpcerts - Dump RSA private and public SSL keys +dumpfiles - Extract memory mapped and cached files +dumpregistry - Dumps registry files out to disk +editbox - Displays information about Edit controls. (Listbox experimental.) +envars - Display process environment variables +eventhooks - Print details on windows event hooks +evtlogs - Extract Windows Event Logs (XP/2003 only) +filescan - Pool scanner for file objects +gahti - Dump the USER handle type information +gditimers - Print installed GDI timers and callbacks +gdt - Display Global Descriptor Table +getservicesids - Get the names of services in the Registry and return Calculated SID +getsids - Print the SIDs owning each process +handles - Print list of open handles for each process +hashdump - Dumps passwords hashes (LM/NTLM) from memory +hibinfo - Dump hibernation file information +hivedump - Prints out a hive +hivelist - Print list of registry hives. 
+hivescan - Pool scanner for registry hives +hpakextract - Extract physical memory from an HPAK file +hpakinfo - Info on an HPAK file +idt - Display Interrupt Descriptor Table +iehistory - Reconstruct Internet Explorer cache / history +imagecopy - Copies a physical address space out as a raw DD image +imageinfo - Identify information for the image +impscan - Scan for calls to imported functions +joblinks - Print process job link information +kdbgscan - Search for and dump potential KDBG values +kpcrscan - Search for and dump potential KPCR values +ldrmodules - Detect unlinked DLLs +limeinfo - Dump Lime file format information +linux_apihooks - Checks for userland apihooks +linux_arp - Print the ARP table +linux_aslr_shift - Automatically detect the Linux ASLR shift +linux_banner - Prints the Linux banner information +linux_bash - Recover bash history from bash process memory +linux_bash_env - Recover a process' dynamic environment variables +linux_bash_hash - Recover bash hash table from bash process memory +linux_check_afinfo - Verifies the operation function pointers of network protocols +linux_check_creds - Checks if any processes are sharing credential structures +linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking +linux_check_fop - Check file operation structures for rootkit modifications +linux_check_idt - Checks if the IDT has been altered +linux_check_inline_kernel - Check for inline kernel hooks +linux_check_modules - Compares module list to sysfs info, if available +linux_check_syscall - Checks if the system call table has been altered +linux_check_syscall_arm - Checks if the system call table has been altered +linux_check_tty - Checks tty devices for hooks +linux_cpuinfo - Prints info about each active processor +linux_dentry_cache - Gather files from the dentry cache +linux_dmesg - Gather dmesg buffer +linux_dump_map - Writes selected memory mappings to disk +linux_dynamic_env - Recover a process' dynamic 
environment variables +linux_elfs - Find ELF binaries in process mappings +linux_enumerate_files - Lists files referenced by the filesystem cache +linux_find_file - Lists and recovers files from memory +linux_getcwd - Lists current working directory of each process +linux_hidden_modules - Carves memory to find hidden kernel modules +linux_ifconfig - Gathers active interfaces +linux_info_regs - It's like 'info registers' in GDB. It prints out all the +linux_iomem - Provides output similar to /proc/iomem +linux_kernel_opened_files - Lists files that are opened from within the kernel +linux_keyboard_notifiers - Parses the keyboard notifier call chain +linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl +linux_library_list - Lists libraries loaded into a process +linux_librarydump - Dumps shared libraries in process memory to disk +linux_list_raw - List applications with promiscuous sockets +linux_lsmod - Gather loaded kernel modules +linux_lsof - Lists file descriptors and their path +linux_malfind - Looks for suspicious process mappings +linux_memmap - Dumps the memory map for linux tasks +linux_moddump - Extract loaded kernel modules +linux_mount - Gather mounted fs/devices +linux_mount_cache - Gather mounted fs/devices from kmem_cache +linux_netfilter - Lists Netfilter hooks +linux_netscan - Carves for network connection structures +linux_netstat - Lists open sockets +linux_pidhashtable - Enumerates processes through the PID hash table +linux_pkt_queues - Writes per-process packet queues out to disk +linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images +linux_proc_maps - Gathers process memory maps +linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree +linux_procdump - Dumps a process's executable image to disk +linux_process_hollow - Checks for signs of process hollowing +linux_psaux - Gathers processes along with full command line and start time +linux_psenv - Gathers 
processes along with their static environment variables +linux_pslist - Gather active tasks by walking the task_struct->task list +linux_pslist_cache - Gather tasks from the kmem_cache +linux_psscan - Scan physical memory for processes +linux_pstree - Shows the parent/child relationship between processes +linux_psxview - Find hidden processes with various process listings +linux_recover_filesystem - Recovers the entire cached file system from memory +linux_route_cache - Recovers the routing cache from memory +linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache +linux_slabinfo - Mimics /proc/slabinfo on a running machine +linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose) +linux_threads - Prints threads of processes +linux_tmpfs - Recovers tmpfs filesystems from memory +linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases +linux_vma_cache - Gather VMAs from the vm_area_struct cache +linux_volshell - Shell in the memory image +linux_yarascan - A shell in the Linux memory image +lsadump - Dump (decrypted) LSA secrets from the registry +mac_adium - Lists Adium messages +mac_apihooks - Checks for API hooks in processes +mac_apihooks_kernel - Checks to see if system call and kernel functions are hooked +mac_arp - Prints the arp table +mac_bash - Recover bash history from bash process memory +mac_bash_env - Recover bash's environment variables +mac_bash_hash - Recover bash hash table from bash process memory +mac_calendar - Gets calendar events from Calendar.app +mac_check_fop - Validate File Operation Pointers +mac_check_mig_table - Lists entires in the kernel's MIG table +mac_check_syscall_shadow - Looks for shadow system call tables +mac_check_syscalls - Checks to see if system call table entries are hooked +mac_check_sysctl - Checks for unknown sysctl handlers +mac_check_trap_table - Checks to see if mach trap table entries are hooked +mac_compressed_swap - Prints Mac OS X VM compressor stats and 
dumps all compressed pages +mac_contacts - Gets contact names from Contacts.app +mac_dead_procs - Prints terminated/de-allocated processes +mac_dead_sockets - Prints terminated/de-allocated network sockets +mac_dead_vnodes - Lists freed vnode structures +mac_devfs - Lists files in the file cache +mac_dmesg - Prints the kernel debug buffer +mac_dump_file - Dumps a specified file +mac_dump_maps - Dumps memory ranges of process(es), optionally including pages in compressed swap +mac_dyld_maps - Gets memory maps of processes from dyld data structures +mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images +mac_get_profile - Automatically detect Mac profiles +mac_ifconfig - Lists network interface information for all devices +mac_interest_handlers - Lists IOKit Interest Handlers +mac_ip_filters - Reports any hooked IP filters +mac_kernel_classes - Lists loaded c++ classes in the kernel +mac_kevents - Show parent/child relationship of processes +mac_keychaindump - Recovers possbile keychain keys. 
Use chainbreaker to open related keychain files +mac_ldrmodules - Compares the output of proc maps with the list of libraries from libdl +mac_librarydump - Dumps the executable of a process +mac_list_files - Lists files in the file cache +mac_list_kauth_listeners - Lists Kauth Scope listeners +mac_list_kauth_scopes - Lists Kauth Scopes and their status +mac_list_raw - List applications with promiscuous sockets +mac_list_sessions - Enumerates sessions +mac_list_zones - Prints active zones +mac_lsmod - Lists loaded kernel modules +mac_lsmod_iokit - Lists loaded kernel modules through IOkit +mac_lsmod_kext_map - Lists loaded kernel modules +mac_lsof - Lists per-process opened files +mac_machine_info - Prints machine information about the sample +mac_malfind - Looks for suspicious process mappings +mac_memdump - Dump addressable memory pages to a file +mac_moddump - Writes the specified kernel extension to disk +mac_mount - Prints mounted device information +mac_netstat - Lists active per-process network connections +mac_network_conns - Lists network connections from kernel network structures +mac_notesapp - Finds contents of Notes messages +mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. 
LogKext) +mac_orphan_threads - Lists threads that don't map back to known modules/processes +mac_pgrp_hash_table - Walks the process group hash table +mac_pid_hash_table - Walks the pid hash table +mac_print_boot_cmdline - Prints kernel boot arguments +mac_proc_maps - Gets memory maps of processes +mac_procdump - Dumps the executable of a process +mac_psaux - Prints processes with arguments in user land (**argv) +mac_psenv - Prints processes with environment in user land (**envp) +mac_pslist - List Running Processes +mac_pstree - Show parent/child relationship of processes +mac_psxview - Find hidden processes with various process listings +mac_recover_filesystem - Recover the cached filesystem +mac_route - Prints the routing table +mac_socket_filters - Reports socket filters +mac_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose) +mac_tasks - List Active Tasks +mac_threads - List Process Threads +mac_threads_simple - Lists threads along with their start time and priority +mac_timers - Reports timers set by kernel drivers +mac_trustedbsd - Lists malicious trustedbsd policies +mac_version - Prints the Mac version +mac_vfsevents - Lists processes filtering file system events +mac_volshell - Shell in the memory image +mac_yarascan - Scan memory for yara signatures +machoinfo - Dump Mach-O file format information +malfind - Find hidden and injected code +mbrparser - Scans for and parses potential Master Boot Records (MBRs) +memdump - Dump the addressable memory for a process +memmap - Print the memory map +messagehooks - List desktop and thread window message hooks +mftparser - Scans for and parses potential MFT entries +moddump - Dump a kernel driver to an executable file sample +modscan - Pool scanner for kernel modules +modules - Print list of loaded modules +multiscan - Scan for various objects at once +mutantscan - Pool scanner for mutex objects +netscan - Scan a Vista (or later) image for connections and sockets +notepad - List 
currently displayed notepad text +objtypescan - Scan for Windows object type objects +patcher - Patches memory based on page scans +poolpeek - Configurable pool scanner plugin +pooltracker - Show a summary of pool tag usage +printkey - Print a registry key, and its subkeys and values +privs - Display process privileges +procdump - Dump a process to an executable file sample +pslist - Print all running processes by following the EPROCESS lists +psscan - Pool scanner for process objects +pstree - Print process list as a tree +psxview - Find hidden processes with various process listings +qemuinfo - Dump Qemu information +raw2dmp - Converts a physical memory sample to a windbg crash dump +screenshot - Save a pseudo-screenshot based on GDI windows +servicediff - List Windows services (ala Plugx) +sessions - List details on _MM_SESSION_SPACE (user logon sessions) +shellbags - Prints ShellBags info +shimcache - Parses the Application Compatibility Shim Cache registry key +shutdowntime - Print ShutdownTime of machine from registry +sockets - Print list of open sockets +sockscan - Pool scanner for tcp socket objects +ssdt - Display SSDT entries +strings - Match physical offsets to virtual addresses (may take a while, VERY verbose) +svcscan - Scan for Windows services +symlinkscan - Pool scanner for symlink objects +thrdscan - Pool scanner for thread objects +threads - Investigate _ETHREAD and _KTHREADs +timeliner - Creates a timeline from various artifacts in memory +timers - Print kernel timers and associated module DPCs +truecryptmaster - Recover TrueCrypt 7.1a Master Keys +truecryptpassphrase - TrueCrypt Cached Passphrase Finder +truecryptsummary - TrueCrypt Summary +unloadedmodules - Print list of unloaded modules +userassist - Print userassist registry keys and information +userhandles - Dump the USER handle tables +vaddump - Dumps out the vad sections to a file +vadinfo - Dump the VAD info +vadtree - Walk the VAD tree and display in tree format +vadwalk - Walk the 
VAD tree +vboxinfo - Dump virtualbox information +verinfo - Prints out the version information from PE images +vmwareinfo - Dump VMware VMSS/VMSN information +volshell - Shell in the memory image +win10cookie - Find the ObHeaderCookie value for Windows 10 +windows - Print Desktop Windows (verbose details) +wintree - Print Z-Order Desktop Windows Tree +wndscan - Pool scanner for window stations +yarascan - Scan process or kernel memory with Yara signatures + +3. To get more information on a Windows memory sample and to make sure Volatility + supports that sample type, run 'python vol.py imageinfo -f ' or 'python vol.py kdbgscan -f ' + + Example: + + $ python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw + Volatility Foundation Volatility Framework 2.6 + Determining profile based on KDBG search... + + Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64) + AS Layer1 : AMD64PagedMemory (Kernel AS) + AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw) + PAE type : PAE + DTB : 0x187000L + KDBG : 0xf800016460a0 + Number of Processors : 1 + Image Type (Service Pack) : 1 + KPCR for CPU 0 : 0xfffff80001647d00L + KUSER_SHARED_DATA : 0xfffff78000000000L + Image date and time : 2012-03-24 19:30:53 UTC+0000 + Image local date and time : 2012-03-25 03:30:53 +0800 + + If multiple profiles are suggested by imageinfo or kdbgscan, or if you're having trouble analyzing + Windows 7 or later memory samples, please see the guidelines here: + + https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles + +4. Run some other plugins. -f is a required option for all plugins. Some + also require/accept other options. Run "python vol.py -h" for + more information on a particular command. 
A Command Reference wiki + is also available on the GitHub site: + + https://github.com/volatilityfoundation/volatility/wiki + + as well as Basic Usage: + + https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage + +Licensing and Copyright +======================= + +Copyright (C) 2007-2016 Volatility Foundation + +All Rights Reserved + +Volatility is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +Volatility is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with Volatility. If not, see . + +Bugs and Support +================ +There is no support provided with Volatility. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR +PURPOSE. 
+ +If you think you've found a bug, please report it at: + + https://github.com/volatilityfoundation/volatility/issues + +In order to help us solve your issues as quickly as possible, +please include the following information when filing a bug: + +* The version of volatility you're using +* The operating system used to run volatility +* The version of python used to run volatility +* The suspected operating system of the memory image +* The complete command line you used to run volatility + +Depending on the operating system of the memory image, you may need to provide +additional information, such as: + +For Windows: +* The suspected Service Pack of the memory image + +For Linux: +* The suspected kernel version of the memory image + +Other options for communicaton can be found at: + https://github.com/volatilityfoundation/volatility/wiki + +Missing or Truncated Information +================================ +Volatility Foundation makes no claims about the validity or correctness of the +output of Volatility. Many factors may contribute to the +incorrectness of output from Volatility including, but not +limited to, malicious modifications to the operating system, +incomplete information due to swapping, and information corruption on +image acquisition. + +Command Reference +==================== +The following url contains a reference of all commands supported by +Volatility. + + https://github.com/volatilityfoundation/volatility/wiki + diff --git a/thirdparty/Volatility/volatility-2.5.standalone.exe b/thirdparty/Volatility/volatility-2.5.standalone.exe new file mode 100644 index 0000000000..a9d700bd57 Binary files /dev/null and b/thirdparty/Volatility/volatility-2.5.standalone.exe differ diff --git a/thirdparty/Volatility/volatility_2.6_win64_standalone.exe b/thirdparty/Volatility/volatility_2.6_win64_standalone.exe new file mode 100644 index 0000000000..3a82b88b01 Binary files /dev/null and b/thirdparty/Volatility/volatility_2.6_win64_standalone.exe differ