
DesktopFiles Volatility3 Plugins

Open malfav opened this issue 1 month ago • 0 comments

desktopfiles.py – Enhanced Desktop Artifacts Scanner (Volatility 3 Plugin)

desktopfiles.py is a powerful Volatility 3 plugin built for Windows memory forensics, designed to identify and analyze files and folders located within user-specific directories such as Desktop, Downloads, Documents, and Temp.
It provides rich contextual insights into what files a user was interacting with at the time of the memory capture — a key element in user activity reconstruction and malware triage.


Key Capabilities

Targeted Artifact Discovery

Focuses on high-value forensic locations that frequently contain evidence of user actions or malicious activity:

  • Desktop – Common drop zone for malicious attachments or shortcuts.
  • Downloads – Often contains payloads, compressed archives, or installers.
  • Documents – Potential exfiltration targets or staging directories.
  • Temp – Frequently used for transient malicious or unpacked files.

Rich File Context

Goes beyond simple file enumeration by correlating multiple Volatility 3 subsystems to deliver enhanced forensic context:

  • Active Processes: Detects processes actively using or mapping the file in memory (via pslist and vadinfo).
  • Memory Address: Displays the virtual memory offset where the file structure or reference was located (filescan).
  • User Attribution: Maps file paths to the corresponding Windows user profile, revealing user-level ownership and activity.

Flexible Filtering

Includes command-line options to refine search scope and reduce noise:

  • User Filter: Limit results to a specific username.
  • Extension Filter: Display only selected file types (e.g., .exe, .zip, .pdf).
  • Folder Inclusion: Option to include or exclude folder entries from the results.
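The classification and filtering logic such a plugin needs can be shown without a memory image. The block below is an added example, not the desktopfiles.py from this issue and not Volatility 3 project code: it takes filescan-style (virtual offset, path) pairs, attributes each path to a Windows user profile, decides whether it falls under Desktop, Downloads, Documents or Temp, and applies the user, extension and folder filters described above. The sample records are constructed, the folder heuristic (a record is a folder when the path ends at the target directory or its last component has no extension) is an assumption, and the pslist/vadinfo process correlation is not reproduced because it requires a live Volatility context.

```python
"""Path classification and filtering core for a DesktopFiles-style Volatility 3 plugin.

Added example: NOT the issue author's desktopfiles.py. Only the pure-Python part of the
idea (user attribution, target-folder detection, user/extension/folder filters) is shown,
over filescan-style (offset, path) pairs, so it runs without Volatility 3 installed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample rows in the shape filescan yields (virtual offset, file name).
# Made-up values for illustration, not output from a real memory image.
SAMPLE_FILESCAN: List[Tuple[int, str]] = [
    (0xE00012345670, r"\Users\alice\Desktop\invoice.pdf.lnk"),
    (0xE00012345A20, r"\Device\HarddiskVolume2\Users\alice\Downloads\setup.zip"),
    (0xE0001234B100, r"\Users\bob\Documents\report.docx"),
    (0xE0001234C3F0, r"\Users\bob\AppData\Local\Temp\unpacked.exe"),
    (0xE0001234D000, r"\Windows\Temp\svc.tmp"),
    (0xE0001234E880, r"\Users\alice\Downloads"),
    (0xE0001234F1A0, r"\Windows\System32\kernel32.dll"),
]

# Target folders as path components relative to the user profile root (lower-cased).
CATEGORY_PREFIXES = (
    ("Desktop", ("desktop",)),
    ("Downloads", ("downloads",)),
    ("Documents", ("documents",)),
    ("Temp", ("appdata", "local", "temp")),
)

_DEVICE = r"(?:\\Device\\HarddiskVolume\d+)?"  # filescan may or may not include this prefix
_USER_RE = re.compile(_DEVICE + r"\\Users\\(?P<user>[^\\]+)\\(?P<rest>.*)$", re.IGNORECASE)
_SYSTEMP_RE = re.compile(_DEVICE + r"\\Windows\\Temp(?:\\(?P<rest>.*))?$", re.IGNORECASE)


@dataclass
class DesktopArtifact:
    offset: int
    user: Optional[str]  # None for system-wide locations such as \Windows\Temp
    category: str
    path: str
    is_folder: bool


def classify_path(path: str) -> Optional[Tuple[Optional[str], str, List[str]]]:
    """Return (user, category, components below the target folder), or None if not a target.

    Matching is case-insensitive because NTFS paths are, and the optional
    \\Device\\HarddiskVolumeN prefix is tolerated so both filescan spellings classify alike.
    """
    m = _USER_RE.match(path)
    if m:
        parts = m.group("rest").split("\\") if m.group("rest") else []
        lowered = [p.lower() for p in parts]
        for category, prefix in CATEGORY_PREFIXES:
            if tuple(lowered[: len(prefix)]) == prefix:
                return m.group("user"), category, parts[len(prefix):]
        return None  # inside a profile but not a targeted folder (e.g. AppData\Roaming)
    m = _SYSTEMP_RE.match(path)
    if m:
        rest = m.group("rest")
        return None, "Temp", rest.split("\\") if rest else []
    return None


def _norm_ext(ext: str) -> str:
    return ext.lower() if ext.startswith(".") else "." + ext.lower()


def scan_desktop_files(
    records: Iterable[Tuple[int, str]],
    user: Optional[str] = None,
    extensions: Optional[Iterable[str]] = None,
    include_folders: bool = True,
) -> List[DesktopArtifact]:
    """Apply the user / extension / folder filters to filescan-style records."""
    wanted_exts = {_norm_ext(e) for e in (extensions or [])}
    results: List[DesktopArtifact] = []
    for offset, path in records:
        hit = classify_path(path)
        if hit is None:
            continue
        owner, category, remainder = hit
        # User filter: system-wide locations have no owner and never match a user filter.
        if user is not None and (owner is None or owner.lower() != user.lower()):
            continue
        leaf = remainder[-1] if remainder else ""
        # Heuristic (assumption): folder if the path ends at the target directory itself
        # or the last component carries no extension.
        is_folder = not remainder or "." not in leaf
        if is_folder and not include_folders:
            continue
        if wanted_exts:
            if is_folder or _norm_ext(leaf.rsplit(".", 1)[1]) not in wanted_exts:
                continue
        results.append(DesktopArtifact(offset, owner, category, path, is_folder))
    return results


if __name__ == "__main__":
    # Columns mirror what a TreeGrid-style plugin would render.
    print("Offset\tUser\tCategory\tFolder\tPath")
    for a in scan_desktop_files(SAMPLE_FILESCAN, extensions=None, include_folders=True):
        print(f"{a.offset:#x}\t{a.user or '-'}\t{a.category}\t{a.is_folder}\t{a.path}")
```

Running it as a script lists six artifacts (kernel32.dll is outside every targeted folder), with the system-wide \Windows\Temp entry attributed to no user; passing `user="alice"` with `include_folders=False` drops the bare Downloads directory entry, and an extension filter such as `["exe", ".zip"]` is normalized case-insensitively and excludes folders.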

malfav, Nov 10 '25 22:11