{"id":13511120,"url":"https://github.com/mnemonic-no/dnscache","last_synced_at":"2025-12-24T08:30:09.325Z","repository":{"id":96518755,"uuid":"82030242","full_name":"mnemonic-no/dnscache","owner":"mnemonic-no","description":"Volatility memory forensics plugin for extracting Windows DNS Cache","archived":false,"fork":false,"pushed_at":"2017-03-13T12:04:52.000Z","size":19,"stargazers_count":29,"open_issues_count":0,"forks_count":5,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-11-01T13:33:53.099Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mnemonic-no.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-02-15T07:00:51.000Z","updated_at":"2024-09-20T07:52:38.000Z","dependencies_parsed_at":null,"dependency_job_id":"c241004a-62ef-4b4c-a2ee-dec0c394c161","html_url":"https://github.com/mnemonic-no/dnscache","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnemonic-no%2Fdnscache","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnemonic-no%2Fdnscache/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnemonic-no%2Fdnscache/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnemonic-no%2Fdnscache/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mnemonic-no","download_url":"https://codeload.github.com/mnemonic-no/dnscache/ta
r.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246379366,"owners_count":20767694,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T03:00:34.857Z","updated_at":"2025-12-24T08:30:09.315Z","avatar_url":"https://github.com/mnemonic-no.png","language":"Python","funding_links":[],"categories":["Volatility 2"],"sub_categories":["Plugins"],"readme":"dnscache\n=========\n\ndnscache is a plugin for the [Volatility Memory Forensics Platform](http://www.volatilityfoundation.org/) to extract the Windows DNS Resolver Cache.\n\nThe plugin will try to download the .pdb file from microsoft for the dnsrslvr.dll. 
This behavior can be avoided by providing the file yourself.\n\n## Usage\n\n\u003cpre\u003e\n  Options:\n      --proxy_server=PROXY_SERVER\n                          Use this proxy to download .PDB file\n      -D DUMP_DIR, --dump_dir=DUMP_DIR\n                          Dump directory for .PDB file\n      --symbols=http://msdl.microsoft.com/download/symbols\n                          Server to download .PDB file from\n      --pdb_file=PDB_FILE\n                          Allows you to download the .PDB file off system and\n                          provide the reference on the command line\n      --cabextract=cabextract\n                          Provide path to the cabextract system utility\n      --dll_file=DLL_FILE\n                          Provide dnsrslvr.dll from the file system.\n\n\u003c/pre\u003e\n\nThe plugin will provide more information if the Volatility --verbose flag is set (among other things, this will output the download link for the .pdb file if the dnsrslvr.dll is not paged).\n\n`% vol.py --verbose dnscache -D dump/`\n\n## Installation\n\nCopy dnscache.py to your plugins directory, or point Volatility to your checkout directory,\n\ne.g.\n\n`% vol.py --plugins=/home/geir/src/dnscache dnscache`\n\n## Requirements\n\n* construct (pdbparse dependency) (Feb. 12 2017, see [BUGS.md](BUGS.md))\n* pefile\n* pdbparse\n* requests\n* cabextract (system utility)\n\n## Known issues\n\nSee the [BUGS.md](BUGS.md) file.\n\n## Contributing\n\nSee the [CONTRIBUTING.md](CONTRIBUTING.md) file.\n\n## Credits\n\nREFERENCES:\n1. Cohen, M. (2014). The Windows User mode heap and the DNS resolver cache.\n   Retrieved from:\n     http://www.rekall-forensic.com/posts/2014-12-20-usermode-heap.html\n2. Cohen, M. (2014). Source code for Module rekall.plugins.windows.dns\n   Retrieved from:\n     http://www.rekall-forensic.com/epydocs/rekall.plugins.windows.dns-pysrc.html\n3. Pulley, C. (2013). 
Source code for Module symbols.py (volatility community plugins)\n   Retrieved from:\n     https://github.com/carlpulley/volatility/blob/master/symbols.py\n4. Ligh, M., Case, A., Levy, J. \u0026 Walters, A. (2014). The Art of Memory Forensics.\n5. Levy, J. (2015). dns cache plugin #201 (Volatility Issues)\n   Retrieved from:\n     https://github.com/volatilityfoundation/volatility/issues/201\n\n## License\n\ndnscache is released under the ISC License. See the bundled LICENSE file for\ndetails.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmnemonic-no%2Fdnscache","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmnemonic-no%2Fdnscache","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmnemonic-no%2Fdnscache/lists"}