### Volatility Plugin Contest

Posted by Bagpuss on August 24, 2013
Tags: digital forensics, volatility

Results are in for the 1st Annual Volatility Framework Plugin Contest - and I'm happy to say that I came joint fourth.

Since entering the plugin contest, I've substantially rewritten parts of my submission based on some suggestions by Aaron Walters. My symbols plugin now:

• stores/caches its data in SQLite3 tables (which provides a large performance boost)
• has a lookup method (injected into _EPROCESS objects) that can perform both address-to-name and name-to-addresses lookups (with basic SQL regular-expression support)
• extracts the FPO data structures (including the FPO program strings) from the PDB files (so it should now be possible to build WinDBG-like stack unwinds).

Here's an example of some of the things that are now possible (here we work at a Volatility shell command-line prompt with the symbols DB already built):

```
# simple address query lookup
volshell> self.proc.lookup(0xb25fc838)
'sysaudio.sys/PAGE!CClockInstance::ClockGetCorrelatedPhysicalTime'

[ 2153029696L ]
```
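To illustrate the two-way lookup the SQLite-backed cache makes possible, here is an added example (my own sketch, not the plugin's code): it loads a few constructed symbols into an in-memory SQLite table, registers a REGEXP function (SQLite provides the operator but no implementation), and resolves an address to the nearest preceding symbol in the `module/section!name` form shown above, or a regular expression to the list of matching addresses. The table layout, the `SAMPLE_SYMBOLS` values and the `+offset` suffix are assumptions.

```python
import re
import sqlite3

# Constructed sample symbols (module, section, name, address); not real PDB output.
SAMPLE_SYMBOLS = [
    ("ntoskrnl.exe", ".text", "KeBugCheckEx", 0x8053A1F0),
    ("ntoskrnl.exe", ".text", "KeBugCheck", 0x8053A2C0),
    ("sysaudio.sys", "PAGE", "CClockInstance::ClockGetCorrelatedPhysicalTime", 0xB25FC838),
    ("sysaudio.sys", "PAGE", "CClockInstance::ClockGetCorrelatedTime", 0xB25FC8A0),
]


def build_symbol_db(symbols=SAMPLE_SYMBOLS):
    """Create an in-memory SQLite symbol cache with a REGEXP function registered."""
    db = sqlite3.connect(":memory:")
    # SQLite parses "x REGEXP y" but ships no implementation; supply one.
    db.create_function(
        "REGEXP", 2,
        lambda pattern, value: value is not None and re.search(pattern, value) is not None)
    db.execute("CREATE TABLE symbols (module TEXT, section TEXT, name TEXT, address INTEGER)")
    db.execute("CREATE INDEX idx_symbols_addr ON symbols (address)")
    db.executemany("INSERT INTO symbols VALUES (?, ?, ?, ?)", symbols)
    return db


def lookup(db, key):
    """int -> 'module/section!name' for the nearest symbol at or below the address
    (with '+0x..' offset when inexact); str -> sorted addresses whose name matches the regex."""
    if isinstance(key, int):
        row = db.execute(
            "SELECT module, section, name, address FROM symbols "
            "WHERE address <= ? ORDER BY address DESC LIMIT 1", (key,)).fetchone()
        if row is None:
            return None
        module, section, name, address = row
        offset = key - address
        # A production lookup would also bound the search by the module's image size so an
        # address in an unmapped gap is not attributed to the last symbol before it.
        return "%s/%s!%s" % (module, section, name) + ("+0x%x" % offset if offset else "")
    rows = db.execute(
        "SELECT address FROM symbols WHERE name REGEXP ? ORDER BY address", (key,)).fetchall()
    return [r[0] for r in rows]
```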