As part of an entry for the Honeynet Forensics Challenge 2010/3 (Banking Troubles), I wrote a series of plugins for the Volatility memory forensics framework that:
- extracted cached data associated with file objects
- extracted stack-related data for each process thread
- performed some basic heap data extraction (this code didn't really turn up anything useful for the challenge though!).