January 30, 2012
In this blog post, Patrick Olsen leverages Volatility’s x64 Alpha support to analyze a Windows 7 sample of physical memory that had been infected with malware. Shoutz to Patrick for sharing his analysis experiences with the community! If you have x64 memory samples and are willing to help provide feedback, please reach out to the Volatility Team!
PS. On a sad note, given the SIFT team’s unwillingness to respect the requests of open source developers and communities, it is unclear how much longer the Volatility Team can continue to support the integration of Volatility within SIFT. More details to follow as the situation unfolds….
December 21, 2011
Volatility 2.0 was recently nominated for the ISSA Journal 2011 Toolsmith Tool of the Year. If you are a Volatility user and want to show your support for the hard work the development team put into getting 2.0 released, take a few moments to cast your vote. Your vote will also help demonstrate the community support for open source forensics projects!
10 AM
One of the most talented rootkit hunters in the industry, Frank Boldewin, has released a great slide deck describing how to use Volatility 2.0 to find malware. He walks through a number of Volatility plugins and demonstrates how they can be used to find volatile artifacts associated with a variety of malware samples.
“Volatility is a very powerful tool, which is able to detect even the most advanced rootkits if it’s being used properly.”
Shoutz to Frank!
November 26, 2011
The Volatility Community Gives Back
In the spirit of giving thanks, we wanted to thank all of those who have volunteered their time and resources in support of The Volatility Project (TVP). The project has been blessed, throughout the past 5 years, with the talents of people that we would consider to be the brightest stars in the industry. For many of these contributors we’ve been even more impressed by their kindness, generosity, and dedication. On that note, we wanted to acknowledge the efforts of those that helped to make the 2011 Open Memory Forensics Workshop (OMFW) a success. This year, the organizing committee decided to use OMFW as an opportunity to help raise money for charity. The charity selected by the 2011 OMFW attendees was the National Center for Missing & Exploited Children. Thanks to the generous contributions of our sponsors, we were able to donate 100% of the money collected from registration fees. We wanted to take this opportunity to share the response we received from this important organization:
Dear Attendees of the 2011 Open Memory Forensics Workshop:
Thank you for choosing the National Center for Missing & Exploited Children to support during your workshop.
We hope you will take pride in knowing that your donation, joined with the support of many others, enables NCMEC to carry on its efforts to locate and recover missing children and raise public awareness about ways to prevent child abduction, endangerment, and sexual exploitation.
Since 1984, we have handled more than 3.4 million calls to our hotline and played a role in the recovery of more than 166,800 children. Since its inception in March 1998, our CyberTipline, which allows individuals to submit an online form to report instances of sexual exploitation of children, has received more than 1.1 million reports, emphasizing our growing focus on this important issue.
We hope you will consider supporting our great mission to save children in the future.
Thank You,
Virginia Mullins
Director of Development
We would like to thank the OMFW sponsors (Volatile Systems, DFRWS, and Terremark), whose generous contributions made this possible. We would also like to thank all of the members of the Volatility Family who contributed their time and resources to the workshop.
We also wanted to take this opportunity to highlight the success of a public-private partnership between Terremark and the Culpeper County Sheriff’s Office. As many of you know, the Terremark Team has been a huge supporter of the Volatility Project throughout the last couple of years. Recently, the Terremark Team also donated resources to help the Culpeper County Sheriff’s Office develop a digital forensics lab. The lab was officially opened in October and is located at Terremark’s NAP of the Capital Region campus. It’s great to see members of the Volatility Family working closely with law enforcement to support public safety. Shoutz to the Terremark Team!
November 25, 2011
For those of you who were unable to attend DFRWS 2011, I wanted to take a few moments to highlight an exciting project coming from the Google Incident Response Team, Google Rapid Response (GRR) (slides | paper). As everyone is aware, Google publicly disclosed, in 2010, that they were the subject of a targeted attack, commonly referred to as “Operation Aurora”. Given the scale of the attack, Google reached out to a few not-so-discreet incident response companies to help augment their internal teams during the investigation. From this experience, Google quickly realized the nascent state of the incident response industry and tools. Thus, once the smoke cleared, the Google Team began investing a lot of resources into augmenting their own security capabilities and reducing incident response to a search problem. One of those efforts is Google Rapid Response, whose software development is being led by Michael Cohen (aka scudette). You should recognize his name from the great work he has done on Volatility and PyFlag. GRR is an open source incident response framework which is intended to provide a scalable solution to the remote forensics challenges faced by many organizations. While the project is still in the early stages of development, you should definitely take some time to check it out and follow its development! Besides, if you are a Volatility user, you will be interested to discover that “GRR also incorporates the Volatility Memory analysis framework” and Google has been contributing back, including work on 64-bit support! Shoutz to scudette, sham, and the other GRR developers!
PS: I’ve heard one of the companies Google hired during Aurora has been claiming, behind closed doors, that Google stole their ideas and is “ripping them off”. This is kind of hilarious when you consider the sordid history of that company’s own “intellectual property” (Hi Kevin! Hi Jamie!). I guess the thought of going up against Google can make a company a little nervous, especially when they have just taken on substantial funding from Private Equity firms. The fact that they are concerned makes GRR even more interesting. Do you really think you can out-search Google?
November 18, 2011
If you are interested in the area of virtual machine introspection, you may want to check out the libVMI project, which was recently released as open source by Sandia. LibVMI extends the work done on the XenAccess Project to provide an introspection library for reading and writing memory across multiple virtualization platforms. The current release offers support for VMs running on either Xen or KVM. As an added bonus for the Volatility Community, you should also check out their Volatility address space (tools/pyvmi/pyvmiaddressspace.py). From what I have been told, this should provide similar functionality to Moyix’s pyxa. Shoutz to Bryan and the Sandia team. It’s always great to see other organizations leveraging the power and flexibility of Volatility to perform cutting edge research, especially when they are able to release it back to the community!
October 15, 2011
In another exciting episode of “Volatility Friday”, MHL walks through the steps of hunting for ZeroAccess using physical memory analysis. As an added bonus, you will also get some further insight into plugin development. If you have been enjoying MHL’s posts, why not take an unknown sample, try it yourself, and post your findings? It’s a great way to engage the Volatility community and it also helps others learn. Shoutz to MHL!