"""
Volatility 3 Plugin Mappings for Digital Forensics
Contains forensically relevant plugins organized by OS type and category.
"""
# Forensically relevant Volatility 3 plugins, keyed by OS name and then by
# category. Both the category order and the order inside each list are kept
# by the lookup helpers in this module, so they double as a run order.
#
# The values are the canonical Volatility plugin paths. Treat this table as
# the single source of plugin identifiers: anything that later turns a name
# into a Volatility invocation should look it up here rather than accept a
# free-form string, so only known plugins are ever executed.
FORENSIC_PLUGINS = {
    'Windows': {
        # Walks the kernel's linked process lists; cheap on any image size.
        'processes': [
            'windows.pslist.PsList',
            'windows.pstree.PsTree',
            'windows.dlllist.DllList',
            'windows.cmdline.CmdLine',
            'windows.envars.Envars',
        ],
        # Pool/handle scanning variants, kept apart because of their cost.
        'processes_scan': [
            'windows.psscan.PsScan',        # slow: sweeps the whole image
            'windows.handles.Handles',      # slow when many processes exist
        ],
        'network': [
            'windows.netscan.NetScan',
            'windows.netstat.NetStat',
        ],
        'registry': [
            'windows.registry.hivelist.HiveList',
            'windows.registry.userassist.UserAssist',
            'windows.registry.printkey.PrintKey',
        ],
        'files': [
            'windows.filescan.FileScan',
        ],
        # Quick indicators of tampering (injected code, hooked tables, callbacks).
        'malware_indicators': [
            'windows.malfind.Malfind',
            'windows.modules.Modules',
            'windows.ssdt.SSDT',
            'windows.callbacks.Callbacks',
        ],
        # Memory-sweeping malware checks; expect long runtimes.
        'malware_scan': [
            'windows.vadinfo.VadInfo',          # can be slow
            'windows.modscan.ModScan',          # slow: sweeps the whole image
            'windows.driverscan.DriverScan',    # slow: sweeps the whole image
        ],
        'system_info': [
            'windows.info.Info',
            'windows.svcscan.SvcScan',
            'windows.getservicesids.GetServiceSIDs',
        ],
    },
    'Linux': {
        'processes': [
            'linux.pslist.PsList',
            'linux.pstree.PsTree',
            'linux.bash.Bash',
        ],
        'network': [
            'linux.sockstat.Sockstat',
        ],
        'files': [
            'linux.lsof.Lsof',
            'linux.mount.Mount',
        ],
        'system_info': [
            'linux.info.Info',
        ],
    },
    'Mac': {
        'processes': [
            'mac.pslist.PsList',
            'mac.pstree.PsTree',
        ],
        'network': [
            'mac.netstat.Netstat',
        ],
        'system_info': [
            'mac.info.Info',
        ],
    },
}
# One-line, operator-facing description per plugin path. Every plugin listed
# in FORENSIC_PLUGINS has an entry here; the parenthesised FAST / SLOW hints
# are part of the displayed text, not metadata, so keep them in sync by hand.
PLUGIN_DESCRIPTIONS = {
    # --- Windows ---------------------------------------------------------
    'windows.pslist.PsList': 'List active processes (FAST)',
    'windows.pstree.PsTree': 'Process tree hierarchy (FAST)',
    'windows.psscan.PsScan': 'Scan for hidden/terminated processes (VERY SLOW - scans entire memory)',
    'windows.dlllist.DllList': 'List loaded DLLs per process',
    'windows.handles.Handles': 'List open handles per process (can be slow)',
    'windows.cmdline.CmdLine': 'Display process command-line arguments (FAST)',
    'windows.envars.Envars': 'Display process environment variables',
    'windows.netscan.NetScan': 'Scan for network connections and sockets',
    'windows.netstat.NetStat': 'Active network connections (FAST)',
    'windows.registry.hivelist.HiveList': 'List registry hive locations in memory',
    'windows.registry.userassist.UserAssist': 'Extract UserAssist registry data',
    'windows.registry.printkey.PrintKey': 'Print registry key values',
    'windows.filescan.FileScan': 'Scan for file objects in memory (SLOW)',
    'windows.malfind.Malfind': 'Detect hidden/injected code and memory anomalies',
    'windows.vadinfo.VadInfo': 'Display Virtual Address Descriptor (VAD) information (can be slow)',
    'windows.modules.Modules': 'List loaded kernel modules (FAST)',
    'windows.modscan.ModScan': 'Scan for unlinked kernel modules (VERY SLOW - scans entire memory)',
    'windows.driverscan.DriverScan': 'Scan for driver objects (VERY SLOW - scans entire memory)',
    'windows.ssdt.SSDT': 'Display System Service Descriptor Table (FAST)',
    'windows.callbacks.Callbacks': 'List kernel callbacks (FAST)',
    'windows.info.Info': 'Display OS and kernel information (FAST)',
    'windows.svcscan.SvcScan': 'Scan for Windows services',
    'windows.getservicesids.GetServiceSIDs': 'Get service SIDs',
    # --- Linux -----------------------------------------------------------
    'linux.pslist.PsList': 'List active processes',
    'linux.pstree.PsTree': 'Process tree hierarchy',
    'linux.bash.Bash': 'Extract bash command history',
    'linux.sockstat.Sockstat': 'List open sockets',
    'linux.lsof.Lsof': 'List open files per process',
    'linux.mount.Mount': 'Display mounted filesystems',
    'linux.info.Info': 'Display OS and kernel information',
    # --- Mac -------------------------------------------------------------
    'mac.pslist.PsList': 'List active processes',
    'mac.pstree.PsTree': 'Process tree hierarchy',
    'mac.netstat.Netstat': 'List network connections',
    'mac.info.Info': 'Display OS and kernel information',
}
# Short triage set per OS, intended to run before the full FORENSIC_PLUGINS
# sweep: identify the image, list processes, list connections (and, on
# Windows, command lines). Order is the intended execution order.
PRIORITY_PLUGINS = {
    'Windows': [
        'windows.info.Info',
        'windows.pslist.PsList',
        'windows.netscan.NetScan',
        'windows.cmdline.CmdLine',
    ],
    'Linux': [
        'linux.info.Info',
        'linux.pslist.PsList',
        'linux.sockstat.Sockstat',
    ],
    'Mac': [
        'mac.info.Info',
        'mac.pslist.PsList',
        'mac.netstat.Netstat',
    ],
}
def get_plugin_description(plugin_name: str) -> str:
    """
    Return a human-readable description for a Volatility plugin.

    Args:
        plugin_name: Full plugin path (e.g., 'windows.pslist.PsList')

    Returns:
        The matching entry from PLUGIN_DESCRIPTIONS, or the literal
        'No description available' when the plugin is not in the table.
    """
    try:
        return PLUGIN_DESCRIPTIONS[plugin_name]
    except KeyError:
        # Unknown plugin path: fall back to a fixed placeholder string.
        return 'No description available'
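def get_all_plugins_for_os(os_type: str) -> list[str]:
    """
    Return every forensically relevant plugin for one OS, across all categories.

    Args:
        os_type: OS type ('Windows', 'Linux', 'Mac'); a key of FORENSIC_PLUGINS.

    Returns:
        A new list of plugin names, ordered by category and then by the order
        inside each category list. An unknown OS type yields an empty list.
    """
    categories = FORENSIC_PLUGINS.get(os_type)
    if not categories:
        return []
    # Only the per-category lists are needed, so iterate values() instead of
    # items() and discarding the key on every round.
    return [plugin for plugins in categories.values() for plugin in plugins]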
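def get_plugins_by_category(os_type: str, categories: list[str] | str) -> list[str]:
    """
    Return the plugins of one OS that belong to the requested categories.

    Args:
        os_type: OS type ('Windows', 'Linux', 'Mac'); a key of FORENSIC_PLUGINS.
        categories: Category names (e.g., ['processes', 'network']). A single
            category may also be passed as a bare string; previously a bare
            string was iterated character by character and matched nothing.

    Returns:
        A new list of plugin names in the order the categories were requested.
        Unknown categories are skipped, an unknown OS type yields an empty
        list, and each plugin is listed at most once even when a category is
        repeated in *categories* (so nothing is run twice by accident).
    """
    os_categories = FORENSIC_PLUGINS.get(os_type)
    if not os_categories:
        return []
    if isinstance(categories, str):
        categories = [categories]
    selected = [
        plugin
        for category in categories
        for plugin in os_categories.get(category, ())
    ]
    # dict.fromkeys drops repeats while keeping first-seen order.
    return list(dict.fromkeys(selected))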
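def get_priority_plugins(os_type: str) -> list[str]:
    """
    Return the quick-triage plugins that should run first for one OS.

    Args:
        os_type: OS type ('Windows', 'Linux', 'Mac'); a key of PRIORITY_PLUGINS.

    Returns:
        A new list of plugin names. It is a copy of the PRIORITY_PLUGINS entry,
        so a caller that appends to or reorders the result no longer mutates
        the module-level table for the rest of the process. An unknown OS
        type yields an empty list.
    """
    return list(PRIORITY_PLUGINS.get(os_type, ()))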