Good morning,

The latest version of Volatility can extract MFT records:

" • new plugins to parse IE history/index.dat URLs, recover shellbags data, dump cached files (exe/pdf/doc/etc), extract the MBR and MFT records, explore recently unloaded kernel modules, dump SSL private and public keys/certs, and display details on process privileges"

The latest version of analyzeMFT can find ADS files in MFT records:

"Added ADS support.
This is probably a work in progress but it seems to be working so I’ll push this out. Whenever analyzeMFT encounters a resident $DATA record, it stores a copy of the contents away for later use. If it encounters a named $DATA record, it does two things:

• A duplicate of the parent record is created and the filename is changed to be <parent filename>:<ADS filename>.
• All ADS records, parent and children, get a flag set in the new ADS column"

As my CS prof used to say, it is an exercise left to the reader to figure out how to combine those.....

-David
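
One way to do the "exercise" above in code, as an added example that is not part of this thread and not code from Volatility or analyzeMFT: walk raw 1024-byte MFT FILE records (for instance records dumped to a file by Volatility's MFT plugin), apply the NTFS update-sequence fixups, and report every named $DATA attribute the way analyzeMFT does: the parent record flagged ADS and one extra row per stream named <parent filename>:<ADS filename>. The record size, the builder that constructs the sample records, and all file and stream names below are assumptions made for the example; nothing here comes from the evidence in the thread.

```python
"""Find NTFS alternate data streams (ADS) in raw MFT FILE records.

Added example, not code from Volatility or analyzeMFT. Each named $DATA
attribute (type 0x80 with a non-empty name) is an ADS; the unnamed $DATA
attribute is the file's main content. Rows follow analyzeMFT's scheme.
"""
import struct

ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
RECORD_SIZE = 1024          # standard MFT record size (assumption about the dump)


def apply_fixups(rec):
    """Undo the update sequence array: the last two bytes of every 512-byte
    sector hold the USN and the real bytes live in the USA in the header."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * 512 - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError("update sequence mismatch: torn record or not an MFT record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(rec):
    """Return dict(record_no, in_use, file_name, streams) or None if not a FILE
    record. streams is a list of (stream_name, size, resident_content_or_None)."""
    if rec[:4] != b"FILE":
        return None
    rec = apply_fixups(rec)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    record_no = struct.unpack_from("<I", rec, 0x2C)[0]
    file_name, name_ns, streams = None, None, []
    off = first_attr
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 16 or off + alen > len(rec):
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        content = None
        if not nonres:                                   # resident: content is inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
        if atype == ATTR_FILE_NAME and content is not None:
            fn_len, ns = content[0x40], content[0x41]    # namespace 2 = DOS 8.3 name
            fn = content[0x42:0x42 + 2 * fn_len].decode("utf-16-le")
            if file_name is None or (ns != 2 and name_ns == 2):
                file_name, name_ns = fn, ns              # prefer the long name over 8.3
        elif atype == ATTR_DATA:
            size = struct.unpack_from("<Q", rec, off + 0x30)[0] if nonres else len(content)
            streams.append((name, size, content))
        off += alen
    return {"record_no": record_no, "in_use": bool(flags & 1),
            "file_name": file_name, "streams": streams}


def ads_rows(parsed):
    """analyzeMFT-style rows: (filename, ads_flag, size, resident_content).
    Parent gets the flag when any named stream exists; one child row per stream."""
    base = parsed["file_name"] or f"<record {parsed['record_no']}>"
    named = [s for s in parsed["streams"] if s[0]]
    main_size, main_content = next(((sz, c) for n, sz, c in parsed["streams"] if not n), (0, None))
    rows = [(base, bool(named), main_size, main_content)]
    rows += [(f"{base}:{n}", True, sz, c) for n, sz, c in named]
    return rows


def scan_dump(data):
    """Walk a file of concatenated FILE records and return only ADS-flagged rows."""
    out = []
    for off in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        parsed = parse_record(data[off:off + RECORD_SIZE])
        if parsed:
            out.extend(r for r in ads_rows(parsed) if r[1])
    return out


# ---- constructed sample records (test input, not real evidence) ----
def _attr(atype, name, content):
    nb = name.encode("utf-16-le")
    coff = (0x18 + len(nb) + 7) & ~7
    alen = (coff + len(content) + 7) & ~7
    a = struct.pack("<IIBBHHHIHBB", atype, alen, 0, len(name), 0x18, 0, 0, len(content), coff, 0, 0)
    a += nb + b"\x00" * (coff - 0x18 - len(nb)) + content
    return a + b"\x00" * (alen - len(a))


def build_record(record_no, file_name, streams):
    nb = file_name.encode("utf-16-le")
    fn = struct.pack("<Q", 5) + b"\x00" * 48 + struct.pack("<II", 0x20, 0) + bytes([len(file_name), 1]) + nb
    attrs = _attr(ATTR_FILE_NAME, "", fn)
    for sname, data in streams:
        attrs += _attr(ATTR_DATA, sname, data)
    attrs += struct.pack("<II", ATTR_END, 0)
    first = 0x38                      # 0x30 header + 3-word USA, rounded to 8
    rec = bytearray(RECORD_SIZE)
    rec[:0x30] = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, first, 1,
                                       first + len(attrs), RECORD_SIZE, 0, 0, 0, record_no)
    rec[first:first + len(attrs)] = attrs
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                  # save real sector-end bytes to the USA, then stamp the USN
        end = i * 512 - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


SAMPLE_DUMP = (
    build_record(40, "report.docx", [("", b"PK\x03\x04 body"),
                                     ("Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n")])
    + build_record(41, "notes.txt", [("", b"plain file, no streams")])
    + build_record(42, "tool.exe", [("", b"MZ main"), ("hidden", b"second stream")])
)

if __name__ == "__main__":
    for name, _, size, content in scan_dump(SAMPLE_DUMP):
        print(f"{name:35} {size:6} bytes  resident={content is not None}")
```

Two things worth keeping in mind when reading the output: a Zone.Identifier stream is the ordinary mark-of-the-web that browsers attach to downloads, so the interesting rows are the ones with unexpected stream names or large non-resident streams; and a resident ADS is recovered in full from the MFT record itself, which is exactly what analyzeMFT keeps a copy of, so no file-system carving is needed for those.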

On Jul 24, 2013, at 8:10 PM, "FRANCIS PROVENCHER" <FRANCIS.PROVENCHER@msp.gouv.qc.ca> wrote:

Hi all,

I have a memory dump as evidence for a case.

Can Volatility help me discover "Alternate data stream" files on the system?

Thanks for your help!


_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users