July 1, 2009
Andreas Schuster recently posted his slides from the training he gave at FIRST 2009. If you want to learn more about Windows memory forensics, especially the internals of Volatility, you should definitely check them out. These slides will even teach you how to write your first plugin. Shouts to Andreas for his continued contributions to the Volatility community! Thanks to moyix for sending me the link!
June 24, 2009
Got Memory Forensics and Malware Analysis skillz?
We are currently seeking passionate and talented individuals with skills in the areas of memory forensics, malware analysis, and reverse engineering. If you are looking for a position in a rapidly growing company that is building solutions to address the hardest and most exciting challenges currently facing the digital forensics community, we want to talk to you! This is your opportunity to work alongside industry pioneers to help shape the future of digital forensics. Join the digital forensics revolution! Please contact us at (info at volatilesystems dot com) (https://www.volatilesystems.com).
June 17, 2009
On Thursday, June 18 at 8:00 PM EDT, Jim Clausing, SANS ISC Handler and Volatility contributor, will be presenting a Webcast discussing how to build automated malware analysis environments. This is a great opportunity to learn how people are leveraging the power of Volatility for malware analysis. Shouts to Jim! Thanks to MHL for sending me the link!
UPDATE: Jim just sent me the link to the associated paper.
June 8, 2009
Moyix has released a new version of VolReg with experimental support for BIG_DATA values. This version also fixes some bugs that came up during testing. While you are exploring his Volatility plugins page, you may also want to check out the updated version of VolShell. Please take some time to provide feedback and testing. Shouts to Moyix!
8 PM
Matthieu Suiche has released an updated version of win32dd, the open source memory forensics acquisition tool. This version has a couple of important bug fixes and now provides a number of useful statistics about the state of volatile memory. Please take some time to provide feedback and suggestions for new features. Shouts to Matthieu!
May 31, 2009
Another interesting example demonstrating the power of Volatility. You should at least be able to follow along with the screenshots ;). The blog also contains a number of other Volatility posts. Shouts to Vte. Javier Garcia Mayen.
May 26, 2009
Michael Hale Ligh has created another new Volatility plugin for malware analysts. This plugin, called usermode_hooks.py, can be used to detect IAT/EAT/Inline rootkit hooks in usermode processes. I’m sure he would appreciate testing help and any feedback you are able to provide. Shouts to MHL!
May 25, 2009
As usual, Richard Bejtlich has an interesting response to Dave’s post.
However, are you going to be able to hide your presence on the system and network — perfectly, continuously, perpetually? (Or at least as long as it takes to accomplish your mission?) The answer is no, and this is how professional defenders deal with this problem on operational networks.
May 20, 2009
Dave Aitel writes:
The other thing that keeps coming up is memory forensics. You can do a lot with it today to find trojan .sys's that hackers are using - but it has a low ceiling I think. Most rootkits "hide processes", or "hide sockets". But it's an insane thing to do in the kernel. If you're in the kernel, why do you need a process at all? For the GUI? What are we writing here, MFC trojans? There's not a ton of entropy in the kernel, but there's enough that the next generation of rootkits is going to be able to avoid memory forensics as a problem they even have to think about. The gradient here is against memory forensics tools - they have to do a ton of work to counteract every tiny thing a rootkit writer does.
With exploits it's similar. Conducting memory forensics on userspace in order to find traces of CANVAS shellcode is a losing game in even the medium run. Anything thorough enough to catch shellcode is going to have too many false positives to be useful. Doesn't mean there isn't work to be done here, but it's not a game changer.
I’m glad to see that people are finally recognizing the importance of memory forensics. I can’t say that I necessarily agree with Dave’s opinion but that hasn’t changed since we discussed it at Shmoo a couple of years ago. At some point the attacker is going to leave artifacts in memory! Who agrees with Dave?