December 16, 2009
While people frequently discuss Jesse’s “Buffalo” paper, Nicholas Paul Maclean was one of the first to publicly discuss robust memory address translation in his Masters Thesis “Acquisition and Analysis of Windows Memory”. Unfortunately, the site it was being hosted on was removed from the web. Based on Nick’s request, we have agreed to host the paper so it can be enjoyed by the rest of the community. Shoutz to Nick!
December 14, 2009
Michael Hale Ligh had a little extra free time on his flight to Malaysia and decided to update a few of his Volatility plugins. As an added bonus, he also provides some “interesting” commentary on our Incident Detection Summit presentation. Please take some time to help provide MHL with testing and feedback. Shouts to MHL! Have a safe trip.
1 AM
Incident Detection Summit
I wanted to take a moment to say a few words about Bejtlich’s Incident Detection Summit. Let me begin by thanking Richard, Debbie, and Carol for the time and effort they spent organizing the event. I also want to take this opportunity to thank Brendan Dolan-Gavitt for the outstanding job he did with the presentation and Michael Hale Ligh for his contributions to the slides we presented. It’s both an honor and a pleasure to work with such a talented group of people on the Volatility Project! Shouts to the OOV!
I also think it is important to recognize all the speakers and panelists who volunteered their time to support the event. It was a great opportunity to finally meet, in person, a number of people I have collaborated with over the years and meet new people we will definitely collaborate with in the future. This was by far the most interesting of all the Summits I have attended. In particular, I really enjoyed Matt Richard’s presentation on analyzing malware in office documents and Andre Ludwig’s candid panel discussions.
For the record, I’m still not a fan of the whole “yellow card system”. I firmly believe that it discourages open dialogue. On the other hand, I did appreciate the fact that Bejtlich did not attempt to moderate any of the questions from the audience, which has been common at previous summits. In the past, I have found this practice particularly troubling when there have been moderators that are clearly not vendor neutral and have incentives to further their own agendas.
It is also outstanding that the SANS Summit Series is willing to give a forum to so many open source efforts. Here’s hoping that in 2010 the training side of SANS will start contributing back to the open source communities they rely on so heavily!
December 12, 2009
MDD takes a bow.....
I received “unofficial” confirmation that ManTech Memory DD (mdd) is no longer being supported. If you are relying on mdd to perform memory acquisition, I highly recommend migrating to an alternative solution (recommendations for both commercial and free options are available upon request ;). The Volatility Project would like to thank the people who worked on mdd for their contributions to the community.
If you are looking for a free alternative, the Volatility Project recommends you explore the amazing work being done by Matthieu Suiche on windd. We also encourage you to help support his development efforts (feedback, testing, etc.).
November 4, 2009
I would like to take a moment to congratulate Brendan Dolan-Gavitt and his contributing authors (Abhinav Srivastava, Patrick Traynor and Jonathon Giffin) for getting their peer-reviewed research paper, “Robust Signatures for Kernel Data Structures”, accepted to CCS 2009. If you happen to be in Chicago next week, I highly recommend checking out his presentation. You will learn about some of the exciting new things Brendan is doing with Volatility and about the limitations of memory forensics tools. The outstanding research being performed by Brendan and the other members of the Order of Volatility is the reason that The Volatility Framework keeps pushing the state of the art in memory forensics! Shouts to Moyix!!!
October 17, 2009
In case you may have missed it, Matthieu Suiche has released a new version of windd. This release has a number of exciting new features including x64 support! Personally, I’m glad that there were no “finals” neglected to get this release out the door. Shouts to Matthieu from the Volatility Team! Keep up the great work!
12 AM
Andreas Schuster will be teaching a two-day class on Windows memory analysis at the upcoming Hoffmann’s Advanced Forensic Sessions. In this class, Andreas will discuss how the Volatility Framework can be leveraged to help elucidate the “fascinating and complex world of Windows objects from a forensic perspective”. As we have previously mentioned, Andreas has been a substantial contributor to the Volatility project and the training he delivered earlier this year, at the first Hoffman Session, received outstanding reviews. This is your opportunity to learn from one of the pioneers in the memory analysis field.
October 8, 2009
While we don’t endorse a lot of the training offerings that attempt to include Volatility (since most of these organizations are not contributors to the project), I want to highly recommend the iDefense Malware Training being offered by Michael Hale Ligh and Greg Sinclair. MHL is extremely talented and he has been a substantial contributor to the Volatility Framework.
12 AM
Open Memory Forensics Workshop (OMFW) 2010
After the amazing success of OMFW 2008 and a little hiatus in 2009, we are currently in the process of planning OMFW 2010. If you are interested in getting involved or have an exciting topic you would like to present, please let the team know. For those who want to attend, please be sure to check back frequently for registration details. Due to the overwhelming response in 2008, we were not able to fulfill all the registration requests, so please be sure to register early! There will be a number of surprises and I guarantee it will be an event you won’t want to miss! Check out what previous attendees of OMFW have said: Jim Clausing, Richard Bejtlich.