Plugins for the Volatility framework
Simply clone the repository locally and copy the facebook_extractor.py inside the "/volatility/volatility/plugins/" path. Otherwise use Volatility's --plugins argument to specify its directory.
The facebook_extractor.py contains 3 Volatility plugins:
- facebookgrabinfo
- facebookcontacts
- facebookmessages
For each plugin you can view its available options with: $ python vol.py "facebook-plugin" -h
Usually you would want to run facebookcontacts firstly, in order to get some contact IDs and the owner's ID. Then you can grab the owner's information and also look up for messages of him with some other contact.
Example:
- The oid argument is not necessary because the plugin should find the owner's ID automatically. However, there is a possibility that 2 different users logged in their account prior to capturing the RAM dump. Hence, the code won't decide for the correct ID but let you know about that and then you would have to supply it with the --oid parameter.
Special Thanks to @attrc, @gleeda and @superponible