
Missing notepad and clipboard plugins from volatility 2

Open HasegawaAzusa opened this issue 3 years ago • 4 comments

Some of the functions of vol2 are not available to me in vol3, e.g. vol -f xxx notepad or vol -f xxx clipboard. There is not even a way to view the command-line history. This is fatal to forensics. I am currently unable to use vol3 to complete normal forensic actions; can you please make vol3 compatible with vol2 as soon as possible? I do love the fast and modular design of vol3 and I hope vol3 will one day replace vol2 in the future.

HasegawaAzusa avatar Apr 24 '22 05:04 HasegawaAzusa

Thanks for your comment. The clipboard plugin I don't know a great deal about, but the notepad plugin doesn't work in more recent versions of Windows (even under volatility 2) because it's based on the way that the heap was handled back in Windows 7. As such, it's unlikely anyone will invest time in replicating a plugin that won't have use in the future. Figuring out the modern heap handling code is a big task in itself, and there's not a very high priority need for it. I'm also slightly unclear how not having the contents of a notepad document could be "fatal to forensics"; I've only ever seen it used in capture the flag challenges? Hyperbole doesn't really help the situation.

Volatility 2 is no longer being developed, and doesn't run on Python 3. Python 2 was marked as end of life on 1 Jan 2020.

I've marked this as a plugin-request bug so that volunteers that want additional functionality can look towards adding it, and knowing what plugins have been requested. We're a very small volunteer group and our time commitments are varied, so I can't say when either of these plugins will be written by the core team, but if you'd like to try your hand at writing them we'll be happy to offer support and advice for merging them into the main codebase...

ikelos avatar Apr 24 '22 10:04 ikelos

I've been bored lately, delving deeper into memory forensics, and decided to make a notepad plugin for volatility3 myself. It doesn't parse any heap structures or anything fancy like that; it uses a pretty simple memory pattern to look for the displayed text in VADs and a huge charset to filter garbage. It can rarely produce false positives, but it's better than nothing :)

@ikelos, should I make a PR?

its5Q avatar Jan 11 '24 09:01 its5Q
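The VAD-scanning heuristic its5Q describes, written out as an added example that is not the plugin's own code: a UTF-16LE string scan over one memory region, filtered by an allowed charset and a small distinct-character check. The ALLOWED set, MIN_CHARS and the sample buffer are constructed for this example; wiring it into a Volatility 3 plugin (walking each process's VADs and reading them through the process layer) is left out.

```python
import re
from typing import List, Tuple

# Constructed charset for the example: characters we accept in a candidate string.
# The plugin described above uses a much larger set; this one is an assumption.
ALLOWED = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    " .,;:!?'\"()[]{}<>-_+=/\\@#$%^&*~`|\r\n\t"
)

# Notepad keeps its edit buffer as UTF-16LE, so text shows up in memory as
# (non-NUL byte, NUL byte) pairs. MIN_CHARS is an assumed minimum run length.
MIN_CHARS = 8
UTF16_RUN = re.compile(rb"(?:[^\x00]\x00){%d,}" % MIN_CHARS)


def find_text_candidates(region: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Scan one memory region and return (address, text) pairs that look like
    document text: a long UTF-16LE run made only of ALLOWED characters."""
    results: List[Tuple[int, str]] = []
    for m in UTF16_RUN.finditer(region):
        text = m.group().decode("utf-16-le", errors="replace")
        # Charset filter: one unexpected character is enough to drop the run
        # (pointer tables and padding often decode to control/high characters).
        if not all(ch in ALLOWED for ch in text):
            continue
        # Fill patterns such as "AAAAAAAA" pass the charset filter but are not text.
        if len(set(text)) < 4:
            continue
        results.append((base + m.start(), text))
    return results


def _build_sample_region() -> bytes:
    """Constructed stand-in for a VAD's contents: pointer-like junk, a run that
    decodes outside ALLOWED, the note itself, NUL padding and a too-short run."""
    junk_pointers = b"\x10\x20\x30\x40\x00\x00\x00\x00" * 4   # 32 bytes
    high_run = b"\x80\x00" * 12                                # U+0080 x12, rejected
    note = "Meeting notes: rotate the VPN certs before Friday.".encode("utf-16-le")
    short_run = "hi".encode("utf-16-le")                       # below MIN_CHARS
    return junk_pointers + high_run + b"\x00\x00" + note + b"\x00" * 16 + short_run + junk_pointers


if __name__ == "__main__":
    for addr, text in find_text_candidates(_build_sample_region(), base=0x7FF600000000):
        print(f"{addr:#x}: {text!r}")
```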

Yes please! We're always happy to review contributions! I can't say whether it'll get included, but at least if there's a PR people may find it. If you could put it in the plugins/windows directory, rather than framework/plugins/windows that's where we put windows plugins that the core team doesn't fully support/look after and those which are a little more experimental. Thanks!

ikelos avatar Jan 11 '24 11:01 ikelos

Thanks, will do in a little bit

its5Q avatar Jan 11 '24 11:01 its5Q