Celebrate with the Volatility Team!
It’s been an exciting year for the Volatility team (@volatility) and we want you to come celebrate with us! The Volatility team will have a strong presence at both Black Hat USA and DFRWS 2014. This includes presentations, a book signing, and even a party!
At Black Hat, the core Volatility Developers (@4tphi, @attrc, @gleeda, @iMHLv2, and Mike Auty) will be partaking in a number of events including:
- Releasing Volatility 2.4 at Black Hat Arsenal: This release includes full support for Windows 8, 8.1, Server 2012, and Server 2012 R2, TrueCrypt key and password recovery modules, a switch to GitHub hosting, as well as over 30 new Mac and Linux plugins for investigating malicious code, rootkits, and user activity.
- Releasing The Art of Memory Forensics: AMF is over 900 pages of memory forensics and malware analysis across Windows, Mac, and Linux. It will be available for the first time in the bookstore during the pre-conference trainings and briefings.
- Book Signing for AMF: On Wednesday, August 6th at 3:15PM, in the Black Hat book store, we will be on site for signing books.
- Volatility Happy Hour sponsored by The Hacker Academy: This will be an open bar party where you can meet our team, bring books to be signed, and get stickers, t-shirts, and other Volatility swag all while enjoying tasty beverages. You must register (free) if you wish to attend!
Dr. Golden Richard (@nolaforensix), one of the Technical Editors for AMF, will be presenting a paper that he and @attrc wrote: In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux. In this paper, they discuss the in-memory, compressed swap facilities of Mac OS X and Linux, their impact on memory forensics investigations, and how they developed Volatility plugins to decompress the caches transparently during the operation of Mac & Linux analysis plugins.
We hope to see everyone at these events, and we are looking forward to an exciting August! As a quick reminder, the 2014 Volatility Plugin Contest ends September 1. This is your opportunity to contribute to the Volatility community and win cash! We are also in the process of finalizing details on OMFW 2014. If you have something interesting to present, please reach out!
We frequently get inquiries from companies looking to recruit people with Volatility skills. As an example, check out this required skill from a recent Salesforce.com job description:
"You didn’t write Volatility (or maybe you did!), but you could write a book on how to use it."
The best way to obtain these required skills is spending time with the developers who pioneered the field of memory analysis. Check out the only Volatility training endorsed by the Volatility Foundation and taught by Volatility developers!
The December 2013 issue of Linux Magazine features an article about Volatility.
"The Volatility forensic tool helps admins analyze what went wrong on a system. When you need to draw conclusions about malware, or even compromised services, peer into memory with Volatility."
In this post, Facebook is sharing some experiences about building a forensics infrastructure for their production environment.
"The configuration uses an internal repository that contains useful open source tools such as Sleuthkit, LiME, Volatility, bulk_extractor and more. This level of automation helps us achieve our ‘timely’ requirement by immediately enabling an incident responder to perform collection, timelining, and memory/disk analysis."
OMFW 2013: Bringing Mac Memory Forensics to the Mainstream - Andrew Case (@attrc)
"Bringing Mac Memory Forensics to the Mainstream", Andrew Case (@attrc), OMFW 2013.
Volatility now includes full Mac support for all versions from 10.5.x through the latest 10.8.x, both 32 and 64 bit. This presentation will show how these capabilities can be used in a variety of scenarios including digital forensics, incident response, and malware analysis. The presentation will also highlight many of the challenges that had to be overcome in pursuit of comprehensive Mac memory analysis support. Many of these challenges are unique to Mac, and required deep understanding of the often “interesting” design decisions made by the operating system developers.
OMFW 2013: Every Step You Take: Profiling the System - Jamie Levy (Gleeda)
"Every Step You Take: Profiling the System", Jamie Levy (@gleeda), OMFW 2013.
As DFIR investigations become more complicated, often spanning several machines, there is a need to employ some mechanisms in the memory forensics realm which are already heavily used in disk forensics. Some of these mechanisms include: whitelisting/blacklisting, indicators of compromise (IOCs) and profiling. This talk will cover new plugins that enable the investigator to create, combine and modify baseline profiles, to easily see items on either side of a baseline profile and hunt for IOCs across the enterprise.
OMFW 2013: Mastering TrueCrypt and Windows 8 / Server 2012 Memory Forensics - Michael Hale Ligh (MHL)
"Mastering TrueCrypt and Windows 8 / Server 2012 Memory Forensics", Michael Hale Ligh (@iMHLv2), OMFW 2013.
This talk provides a how-to on leveraging memory forensics to investigate and defeat TrueCrypt hard disk encryption. We’ll walk through scenarios involving different suspects who used file-based containers, non-system partitions (i.e. flash drives), and full drive encryption to hide their assets. During the demonstrations, you’ll learn about three new Volatility plugins for recovering cached TrueCrypt passphrases, identifying the exact paths to the file-based containers, and extracting master keys even when suspects stray from AES and use non-default algorithms like Serpent and Twofish. As a subtle facet, we’ll be doing all of this on 32- and 64-bit Windows 8 and Server 2012 memory dumps - the first major new Windows operating system supported by Volatility in nearly two years.
This presentation is particularly topical considering the recent discussions about TrueCrypt.
OMFW 2013: Stabilizing Volatility - Mike Auty (Ikelos)
"Stabilizing Volatility", Mike Auty (ikelos), OMFW 2013.
This talk will step through a very brief history of Volatility, then cover the structure of the core, before explaining the primary techniques currently used in the Object, Address Space and Profile classes, as well as touching on some helper objects. The middle will cover several design decisions later found to be poor, and whether/when those can be resolved. Finally, an outline of new structures designed to overcome several of the limitations in the current Volatility will be shown.
OMFW 2013: All Your Social Media are belong to Volatility - Jeff Bryner
"All Your Social Media are belong to Volatility", Jeff Bryner (@0x7eff), Incident Response/Forensics at Mozilla, OMFW 2013.
Volatility is by far the richest memory forensic toolkit available. This year they upped the ante by inviting regular mortals to write plug-ins and submit them for the greater good. This session will demo my submissions for forensic recovery of social media artifacts from Facebook and Twitter. We will have the audience participate live by engaging with a Twitter and Facebook account, dump the memory of the victim machine and see what we can recover via Volatility. If time allows we will have a look at the code with an eye on encouraging more plugins for other social media sites; Tumblr, Pinterest, Flickr, Youtube, etc await!
OMFW 2013: Memoirs of a Hindsight Hero: Detecting Rootkits in OS X - Cem Gurkok
Memoirs of a Hindsight Hero: Detecting Rootkits in OS X, Cem Gurkok, OMFW 2013.
The OS X Kernel has become a popular target for malicious adversaries. At the moment there are tools that provide detection for basic OS X rootkit techniques, such as executable substitution or direct function modification (e.g. the Rubilyn rootkit). Advanced rootkits often leverage more advanced capabilities that are harder to detect, such as function inlining, DTrace hooks, call reference modification, shadow syscall and trustedbsd policy tables. In this presentation, I will be exploring how to attack the OS X syscall table and other kernel objects with these advanced techniques and how to detect these modifications in memory using the Volatility Framework. The presentation will include demonstrations of system manipulation on a live system and subsequent detection using the new Volatility Framework plugin.