As part of an entry for the Honeynet Forensics Challenge 2010/3 (Banking Troubles), I wrote a series of plugins for the Volatility memory forensics framework that:

  • extracted cached data associated with file objects
  • extracted stack related data for each process thread
  • performed some basic heap data extraction (this code didn't really turn up anything useful for the challenge though!).

Details on this code may be found on GitHub and on the Volatility issue tracker.