Creation of the Shutdown Plugin

[Frascott05]

I added the Shutdown plugin from volatility2 that could be useful for some digital forensic analysis.
Hope this can be added to the official repo.

[eve-mem]

Hey @Frascott05 - nice! I've tested it on a few samples and it seems to work.

The old vol plugin would find the current control set itself or default to 1 https://github.com/volatilityfoundation/volatility/blob/328a178edeecaf8d2abf96618ecfcb14a7b0c860/volatility/plugins/registry/shutdown.py#L60-L63

It looks like your method will try them all from 1-5? I don't know much about windows, is 5 the maximum? It would be nice to explain why the magic number 5 was chosen in the code, just in case something changes in the future.

There is also a handy function used in lots of plugins to convert the filetime in wintime_to_datetime, so you shouldn't need to write you own filetime_to_dt. (I've attempted to use the suggestions feature of the first time to explain what I mean... hopefully it makes sense)

If you can it would be really helpful to write a test for this plugin too, that way it can automatically checked in the future.

[Frascott05]

Hi @eve-mem,
I really thank you for your suggestion, I commited them to the repository.

Despite the old shutdown plugin was able to find the current control set itself or default to 1,
Windows usually maintain a small numer of ControlSets (typically 3), but in some scenarios of recovery the
number of ControlSets could be more. So I prefered to use an average number that would be able to find the
shutdown in almost all the scenarios

[Frascott05]

Also, do you have any suggestions or examples to follow for writing a test?

[eve-mem]

If you look at test/plugins/windows then you'll see how some of the plugins are tested.

Here's an example:

volatility3/test/plugins/windows/windows.py

Lines 214 to 235 in fc8edc4

	class TestWindowsSvcList:
	def test_windows_generic_svclist(self, volatility, python, image):
	image = WindowsSamples.WINDOWS10_GENERIC.value.path
	rc, out, _err = test_volatility.runvol_plugin(
	"windows.svclist.SvcList",
	image,
	volatility,
	python,
	globalargs=("-r", "json"),
	)
	assert rc == 0
	json_out = json.loads(out)
	assert len(json_out) > 250
	expected_row = {
	"Binary": "\\Driver\\ACPI",
	"Display": "ACPI",
	"Name": "ACPI",
	"Start": "SERVICE_BOOT_START",
	"State": "SERVICE_RUNNING",
	"Type": "SERVICE_KERNEL_DRIVER",
	}
	assert test_volatility.match_output_row(expected_row, json_out)

There are two different windows samples at the moment to test with:

volatility3/test/__init__.py

Lines 13 to 17 in fc8edc4

	class WindowsSamples(Enum):
	WINDOWSXP_GENERIC = Sample("./test_images/win-xp-laptop-2005-06-25.img")
	"""WindowsXP sample from early Volatility training."""
	WINDOWS10_GENERIC = Sample("./test_images/win-10_19041-2025_03.dmp")
	"""Windows10 CrashDump sample."""

So you could write a test that runs your plugins against both samples and asserts that the output is as expected. I hope that helps.

[Frascott05]

sorry, I could't do it today, I hope I'll be able to work on the test case tomorrow

[eve-mem]

Don't worry, it can take weeks and months to get pull request reviewed and checked. There's no rush.

[Frascott05]

I've added the test class that checks for the right output of the plugin, thank you for the help