OMFW 2014 Update & Dr. Brendan Dolan-Gavitt
We are excited to announce that over half the seats for the Open Memory Forensics Workshop (OMFW) 2014 have already been reserved. It’s also great to see a large number of first-time attendees from across government, academic, and commercial institutions. This is your one chance a year to hear about the latest research in memory forensics from the people who are pioneering the field. If you are still planning to attend, we suggest you register as soon as possible to make sure you have a seat.
We are also excited to announce that Dr. Brendan Dolan-Gavitt (moyix) will be speaking at the workshop. As many of you know, Brendan has been a member of the Volatility family since the very beginning and recently earned his PhD from the Georgia Institute of Technology. If you have followed Brendan’s work throughout the years and his new research with PANDA, I’m sure you will not be disappointed.
In the upcoming weeks, we will continue finalizing and announcing the exciting roster of speakers.
Facebook Doubles Volatility Contest Prizes
As mentioned earlier this week, we have extended the deadline for the 2014 Volatility Plugin Contest until October 1st because an organization wanted to augment the prizes. We are excited to share that due to an extremely generous donation from Facebook, the total cash prizes have been doubled from $2250 USD to $4500 USD!
If you have already submitted to the contest, you can use this extra time to fine tune your submission or submit another entry to improve your chances. If you were considering submitting, you now have an extra month to demonstrate your creativity, become a memory analysis pioneer, win the admiration of your peers, and give back to the community!
It’s great to see some of the largest companies in the world showing their support for and giving back to the memory forensics community! Thank you, Facebook, and good luck to all participants in the contest - the stakes have literally just doubled!
2014 Volatility Plugin Contest Deadline Extended
Despite the fact that we have already surpassed the number of submissions to last year’s contest, we are excited to announce that we have extended the deadline for the 2014 Volatility Plugin Contest until October 1st, 2014. We received a number of inquiries from people who recently learned about the competition when they purchased “The Art of Memory Forensics”, and an exciting new competition sponsor (more details next week) wanted to further augment our prizes.
If you have already submitted to the contest, you can use this extra time to fine-tune your submission. If you were considering submitting, you now have an extra month to demonstrate your creativity and implement an innovative, interesting, and useful Volatility extension! It’s great to see some of the largest companies in the world showing their support for and giving back to the memory forensics community!
Presenting Volatility Foundation Volatility Framework 2.4
Registration for OMFW 2014 is officially open! Be sure to register early as seats are limited.
The release of this new Volatility version coincides with the publication of The Art of Memory Forensics. It adds support for Windows 8, 8.1, 2012, and 2012 R2 memory dumps, Mac OS X Mavericks (up to 10.9.4), and Linux kernels up to 3.16. New plugins include the ability to extract cached TrueCrypt passphrases and master keys from Windows and Linux memory dumps, investigate Mac user activity (such as pulling the contact database, calendar items, PGP-encrypted mails, OTR Adium chat messages, etc.), and analyze advanced Linux rootkits. See below for a detailed change log.
Binary releases, including pre-built executables for Windows and Mac OS X, can be found on the Volatility Foundation website: http://www.volatilityfoundation.org. We’ve also now moved our source code repository to GitHub: https://github.com/volatilityfoundation. Note that there’s a separate repository containing over 160 Linux profiles for 32- and 64-bit OpenSuSE, Redhat, Debian, Ubuntu, Fedora, and CentOS (thanks Kevin!), and all Mac OS X profiles from 10.5 to 10.9.4.
The detailed change log is below:
Windows Memory Forensics
- TrueCrypt plugins (summary, cached passphrases, master keys)
- Apihooks support for 64-bit memory images
- Apihooks plugin detects JMP FAR hook instructions
- Hashdump, Cachedump, and Lsadump plugins updated for x64 and Win8/2012
- Callbacks and timers plugins work on 64-bit memory images
- Mftparser identifies NTFS alternate data streams
- Mftparser -D option extracts MFT-resident files to disk
- Ability to scan for multiple executive object types concurrently with a single pass through the memory dump
- Procmemdump and procexedump condensed into “procdump” (with a --memory option available)
- Envars plugin has a --silent flag to ignore common/default environment variables
- Vadtree plugin in graphviz output mode (--output=dot) color codes nodes per heap, stack, mapped file, DLL, etc.
- Getsids plugin automatically resolves user and service SIDs
- Timeliner plugin supports --machine to identify the source in multi-source timelines
- Verinfo (PE version info) plugin updated and moved into core framework
- Strings translator prints “FREE MEMORY” for data found in deallocated regions (used to skip them)
- Vadinfo plugin allows --addr to specify one region rather than printing them all
- Yarascan plugin allows you to control --size (bytes in preview) and --reverse (show data *before* a hit)
- Volshell plugin has new APIs proc(), addrspace(), getprocs(), and getmods() for easy access
- All process based plugins accept --name (process name regular expression filter)
- Added the auditpol plugin to check audit policies
- Added the cmdline plugin to show process command line arguments
- Volshell plugin can recursively print structure members (similar to WinDbg’s dt /r)
- New pooltracker plugin allows analysis of kernel pool tag statistics
- New bigpools plugin allows finding big page pool allocations
- Svcscan plugin prints service start type (manual, automatic, disabled, etc)
- Added a plugin to find and print text on the Notepad application’s heap
- PE dumping plugins (procdump, dlldump, moddump) support --fix to fix the image base value
- Joblinks plugin for getting information about job objects
Address Spaces / File Formats
- Support for QEMU virtual machine memory images
- Support for “split” VMware files (memory in .vmem and metadata in .vmss/.vmsn)
- Support for Windows BitMap crash dumps (created by Windows 8 / 2012 on BSOD)
Mac Memory Forensics
- Support for Mavericks through 10.9.4
- Mac string translation added
- Recover sent and received Adium messages, including those protected by OTR
- Enumerate contacts from the Contact application’s database
- Extract the HTML content of notes from the Notes application
- Ability to reveal clear-text PGP emails sent or received with the Mail application
- Locate Apple Keychain encryption keys in memory (for cracking with Chainbreaker)
- Find API hooks in both the kernel and process memory
- List IP and socket filters
- Extract loaded kernel extensions to disk
- Find suspicious process mappings (i.e. injected code)
- Find hidden kernel extensions
- Recover files cached in memory
Linux Memory Forensics
- Support for Linux kernels through 3.16
- Linux string translation added
- Detect API hooks in both userland processes and the kernel
- Detect GOT/PLT overwrites
- Find hollowed executables
- Find suspicious process mappings
- Library listing using the loader’s data structures
- Extract process ELF executables and libraries to disk
- List network interfaces in promiscuous mode
- List processes that are using raw sockets
- Find hidden kernel modules
- List Netfilter hooks
- Extract cached TrueCrypt passphrases
Celebrate with the Volatility Team!
It’s been an exciting year for the Volatility team (@volatility) and we want you to come celebrate with us! The Volatility team will have a strong presence at both Black Hat USA and DFRWS 2014. This includes presentations, a book signing, and even a party!
At Black Hat, the core Volatility Developers (@4tphi, @attrc, @gleeda, @iMHLv2, and Mike Auty) will be partaking in a number of events including:
- Releasing Volatility 2.4 at Black Hat Arsenal: This release includes full support for Windows 8, 8.1, Server 2012, and Server 2012 R2, TrueCrypt key and password recovery modules, a switch to GitHub hosting, as well as over 30 new Mac and Linux plugins for investigating malicious code, rootkits, and user activity.
- Releasing The Art of Memory Forensics: AMF is over 900 pages of memory forensics and malware analysis across Windows, Mac, and Linux. It will be available for the first time in the bookstore during the pre-conference trainings and briefings.
- Book Signing for AMF: On Wednesday, August 6th at 3:15PM, in the Black Hat book store, we will be on site for signing books.
- Volatility Happy Hour sponsored by The Hacker Academy: This will be an open bar party where you can meet our team, bring books to be signed, and get stickers, t-shirts, and other Volatility swag all while enjoying tasty beverages. You must register (free) if you wish to attend!
At DFRWS, Dr. Golden Richard (@nolaforensix), one of the Technical Editors for AMF, will be presenting a paper that he and @attrc wrote: In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux. In this paper, they discuss the in-memory, compressed swap facilities of Mac OS X and Linux, their impact on memory forensics investigations, and how they developed Volatility plugins to decompress the caches transparently during the operation of Mac and Linux analysis plugins.
We hope to see everyone at these events, and we are looking forward to an exciting August! As a quick reminder, the 2014 Volatility Plugin Contest ends September 1. This is your opportunity to contribute to the Volatility community and win cash! We are also in the process of finalizing details on OMFW 2014. If you have something interesting to present, please reach out!
We frequently get inquiries from companies looking to recruit people with Volatility skills. As an example, check out this required skill from a recent Salesforce.com job description:
"You didn’t write Volatility (or maybe you did!), but you could write a book on how to use it."
The best way to obtain these required skills is spending time with the developers who pioneered the field of memory analysis. Check out the only Volatility training endorsed by the Volatility Foundation and taught by Volatility developers!
The December 2013 issue of Linux Magazine features an article about Volatility.
"The Volatility forensic tool helps admins analyze what went wrong on a system. When you need to draw conclusions about malware, or even compromised services, peer into memory with Volatility."
In this post, Facebook is sharing some experiences about building a forensics infrastructure for their production environment.
"The configuration uses an internal repository that contains useful open source tools such as Sleuthkit, LiME, Volatility, bulk_extractor and more. This level of automation helps us achieve our ‘timely’ requirement by immediately enabling an incident responder to perform collection, timelining, and memory/disk analysis."
OMFW 2013: Bringing Mac Memory Forensics to the Mainstream - Andrew Case (@attrc)
"Bringing Mac Memory Forensics to the Mainstream", Andrew Case (@attrc), OMFW 2013.
Volatility now includes full Mac support for all versions from 10.5.x through the latest 10.8.x, both 32 and 64 bit. This presentation will show how these capabilities can be used in a variety of scenarios including digital forensics, incident response, and malware analysis. The presentation will also highlight many of the challenges that had to be overcome in pursuit of comprehensive Mac memory analysis support. Many of these challenges are unique to Mac, and required deep understanding of the often “interesting” design decisions made by the operating system developers.
OMFW 2013: Every Step You Take: Profiling the System - Jamie Levy (Gleeda)
"Every Step You Take: Profiling the System", Jamie Levy (@gleeda), OMFW 2013.
As DFIR investigations become more complicated, often spanning several machines, there is a need to employ in the memory forensics realm some mechanisms that are already heavily used in disk forensics. Some of these mechanisms include whitelisting/blacklisting, indicators of compromise (IOCs), and profiling. This talk will cover new plugins that enable the investigator to create, combine, and modify baseline profiles, to easily see items on either side of a baseline profile, and to hunt for IOCs across the enterprise.