February 2012
1 post
A Virtuoso Revealed  →
Moyix recently announced the public release of the Virtuoso source code. Shoutz to the teams at Georgia Tech and MIT Lincoln Labs! While it is great to see major universities and national laboratories (i.e., Sandia, Lincoln Laboratories, etc.) building on top of Volatility, it's even more amazing when researchers at these institutions find ways to contribute these projects back to the Volatility...
Feb 9th
January 2012
4 posts
Performing x64 Windows 7 Memory Forensics with... →
In this blog post, Patrick Olsen leverages Volatility’s x64 Alpha support to analyze a Windows 7 sample of physical memory that had been infected with malware. Shoutz to Patrick for sharing his analysis experiences with the community! If you have x64 memory samples and are willing to help provide feedback, please reach out to the Volatility Team! PS. On a sad note, given the SIFT...
Jan 30th
Android Memory Acquisition and Analysis with DMD... →
Joe Sylve recently gave a presentation at Shmoocon titled “Android Mind Reading: Memory Acquisition and Analysis with DMD and Volatility”. In the presentation, he discusses the challenges associated with Android memory sampling and introduces the Droid Memory Dumper (DMD). He also discusses how Volatility can be used to analyze Droid memory samples. Shoutz to Joe and the Digital...
Jan 30th
Droid Device as a Portable Memory Forensics... →
Continuing on the recent Droid theme, you may be interested in checking out a recent blog post, “Running Volatility Memory Forensics Framework on your Android Phone!”.  Unlike previous posts which discussed analyzing Android devices with Volatility, this post describes how to get Volatility running on your Droid device.  Imagine if FireWire was more ubiquitous…! Shoutz to J-SP8s!
Jan 17th
Analyzing Memory from Android Devices with... →
With the increasing market share of the Android operating system for smartphones and tablets, there is a growing interest in performing forensic analysis of these devices. In a recent paper, a research team from the University of New Orleans and Digital Forensics Solutions LLC discusses Acquisition and Analysis of Volatile Memory from Android Devices. They also describe how this work was...
Jan 9th
December 2011
2 posts
Volatility 2.0 Nominated for the 2011 Toolsmith... →
Volatility 2.0 was recently nominated for the ISSA Journal 2011 Toolsmith Tool of the Year. If you are a Volatility user and want to show your support for the hard work the development team put into getting 2.0 released, take a few moments to cast your vote. Your vote will also help demonstrate the community support for open source forensics projects!
Dec 22nd
Frank Boldwin: Hunting Malware With Volatility... →
One of the most talented rootkit hunters in the industry, Frank Boldwin, has released a great slide deck describing how to use Volatility 2.0 to find malware.  He walks through a number of Volatility plugins and demonstrates how they can be used to find volatile artifacts associated with a variety of malware samples. “Volatility is a very powerful tool, which is able to detect even the...
Dec 21st
November 2011
3 posts
The Volatility Community Gives Back
In the spirit of giving thanks, we wanted to thank all of those who have volunteered their time and resources in support of The Volatility Project (TVP). The project has been blessed, throughout the past 5 years, with the talents of people that we would consider to be the brightest stars in the industry.  For many of these contributors we’ve been even more impressed by their kindness,...
Nov 26th
GRR: Google Rapid Response and Volatility →
For those of you that were unable to attend DFRWS 2011, I wanted to take a few moments to highlight an exciting project coming from the Google Incident Response Team, Google Rapid Response (GRR) (slides | paper). As everyone is aware, Google publicly disclosed, in 2010, that they were the subject of a targeted attack, commonly referred to as “Operation Aurora”. Given the scale of the...
Nov 25th
Sandia National Laboratories: Virtual Machine... →
If you are interested in the area of virtual machine introspection, you may want to check out the libVMI project which was recently released open source by Sandia. LibVMI extends the work done on the XenAccess Project to provide an introspection library for reading and writing memory across multiple virtualization platforms.  The current release offers support for VMs running on either Xen or...
Nov 18th
October 2011
5 posts
ZeroAccess, Volatility, and Kernel Timers  →
In another exciting episode of “Volatility Friday”, MHL walks through the steps of hunting for ZeroAccess using physical memory analysis. As an added bonus, you will also get some further insight into plugin development. If you have been enjoying MHL's posts, why not take an unknown sample, try it yourself, and post your findings? It’s a great way to engage the Volatility...
Oct 15th
Off-Topic: The Questions Congress Should have... →
If anyone follows the politics of U.S. Cybersecurity, you should definitely check out the recent U.S. House of Representatives Permanent Select Committee on Intelligence’s Hearing on Cybersecurity.  Rep. Ruppersberger and Rep. Rogers made some very candid statements in their opening remarks that you don’t typically hear in public forums.  As usual, General Hayden was also able to bring...
Oct 13th
"Volatility Rules the Markets!"
So…I may be taking that quote out of context, and it may seem like salt in the wounds of many stock market investors, but I couldn’t resist. While volatility is a popular topic on many investment websites, it has become an increasingly popular topic in the malware analysis community as well. Here is a sampling of recent blog posts you will definitely want to read: Shylock via Volatility ...
Oct 5th
Volatility 2.0: Timeliner, RegistryAPI, evtlogs... →
Gleeda recently released a whitepaper describing how to extract temporal information from physical memory. It’s exciting to see someone extending the Volatility temporal reconstruction research. The whitepaper also serves as a great tutorial for creating new plugins.  You will also want to check out the links to the plugins she discussed at OMFW. Shoutz to Gleeda, Gleeda!
Oct 5th
Abstract Memory Analysis: Zeus Encryption Keys →
In case you might have missed it, MHL has an excellent article describing how an analyst can leverage Volatility to locate and extract Zeus’s RC4 encryption keys in physical memory. His informative post also demonstrates how a talented memory analyst can stand on the shoulders of the Volatility community to push memory analysis to new heights! “This is just one example of taking...
Oct 5th
September 2011
2 posts
CSI:Internet Episode 3: A Trip into RAM →
As many of you know, my favorite articles are those that give you insight into how talented analysts think. It helps set the bar for the skills required to deal with the modern digital adversary. A great example of that was MHL’s examination of Stuxnet. As another example, this well written article allows you to look over the shoulder of Frank Boldewin as he digs into some undetected malware...
Sep 12th
“I’ve said it before and I’ll say it again. I love Volatility. Volatility 2.0...”
– Russ McRee, “toolsmith: Memory Analysis with DumpIt and Volatility”, September 2011 ISSA Journal.
Sep 10th
August 2011
1 post
Volatility 2.0 Release & Open Memory Forensics... →
In case you may have missed it, I’m excited to announce The Order of Volatility has officially released Volatility 2.0.  Despite the fact that Volatility continues to be the most advanced memory forensics framework available, Volatility 2.0 was an opportunity for us to completely refactor the code base and rewrite most of the underlying subsystems. Highlights of this release include: ...
Aug 3rd
July 2011
3 posts
OMFW: Time is on My Side →
We are days away from OMFW! If you are planning to attend the workshop, you have hopefully registered and received your admission ticket. See you in New Orleans! The next talk we are highlighting is “Time is on My Side”, which will be presented by Jamie Levy. Gleeda has been an active contributor to The Volatility Project for the last couple of years and played a critical role in...
Jul 28th
OMFW: Towards Automated Generation of Memory... →
As many of you already know, we sent out the registration confirmations earlier this week. If you are still interested in attending, please send me a note and I will add you to the waiting list which will be serviced on a FIFO basis. I’m pleased to announce another exciting presentation which will be delivered at OMFW 2011, “Towards Automated Generation of Memory Forensic Tools”...
Jul 15th
OMFW: Linux Memory Analysis with Volatility →
As many of you know, OMFW is rapidly approaching. Based on the number of registration requests we are receiving, it seems the community is just as excited as we are. If you are still considering attending, I would suggest sending an email to request a seat as soon as possible. There are only a couple of seats remaining. We are planning to send out final reservation confirmations this weekend. ...
Jul 7th
June 2011
4 posts
OMFW: Tracking Stuxnet's Footprint through Memory →
Over the next couple of weeks, we will be highlighting some of the talks to be presented at OMFW. The first is “Tracking Stuxnet’s Footprint through Memory”, which will be presented by Michael Hale Ligh. MHL is the author of one of my favorite security books of all time, Malware Analyst’s Cookbook, and one of the best developer/analysts I’ve had the pleasure to...
Jun 23rd
SpiderLabs using Volatility to Analyze Hollow... →
In a recent blog post, the SpiderLabs team at Trustwave demonstrated how to leverage Volatility to find “Hollow Processes”, based on a recipe described in the Malware Analyst’s Cookbook. It’s great to see Volatility becoming the tool of choice for advanced security teams: “The Volatility Framework is an excellent open source tool for volatile memory forensic...
Jun 14th
Open Memory Forensics Workshop (OMFW) 2011 -... →
Volatile memory forensics (i.e., RAM forensics) has proven to be one of the most exciting and important topics for the future of digital investigations. It has dramatically transformed the way we perform digital investigations and helped provide a path for addressing many of the challenges we currently face. OMFW is the only digital forensics workshop focused on providing a venue for the most advanced...
Jun 8th
Building on Volatility to Support Mac OS X Memory... →
Andreas wrote a blog post describing an open source tool, written by Kyeong-Sik Lee and the Korean Digital Forensic Research Center, to analyze Mac OS X memory samples. The tool is called Volafox and builds on top of the Volatility code base. Hopefully, this will help inspire more work in the area of Mac OS X memory analysis, and this support will get fully integrated into Volatility. Anyone up...
Jun 8th
May 2011
1 post
Investigating the Honeynet's Compromised Linux... →
While the Honeynet Project has not announced the winner of Challenge 7, it does appear that they have finally posted the submissions. It is great to see that all 5 submissions leveraged Volatility’s Linux support for memory forensics! Shoutz to attc for the work he has done on Volatility’s Linux support.  Shoutz to all of those who submitted to the challenge for showing some Vol-loV!
May 9th
April 2011
6 posts
Volatility and a Python Implementation of... →
As many of you have probably noticed, one of the things that was missing from the 1.4 development branch was the RegRipper integration.  Almost two years ago, Moyix created a prototype which allowed Volatility users to leverage the capabilities of RegRipper for analyzing the Registry hives cached in physical memory.  While we have spent countless hours entertaining ourselves by digging through...
Apr 30th
Using Volatility to Solve the Nuit du Hack 2011... →
It appears that a couple of teams participating in the Nuit du Hack 2011 Capture the Flag have been leveraging The Volatility Framework. One team solved the Forensics 100 challenge by using Volatility 1.4_rc1 to extract the VNC server password from a sample of physical memory. They also used Volatility to solve the Forensic 300 challenge where they leveraged MHL’s new netscan plugin. Shoutz...
Apr 29th
Andrew Case (attc/attrc) on PaulDotCom →
If you happen to have some free time tonight (04/28), you may want to check out Andrew Case, a Volatility Developer, on PaulDotCom. He will be discussing updates to the research he recently presented at Black Hat about De-Anonymizing Live CDs, which he has been integrating into Volatility. If you are lucky, he may even discuss some of the recent research he has been doing on integrating Linux and...
Apr 28th
Using "volatility" to study the CVE-2011-6011... →
Andre’ DiMino recently expanded on how he leveraged Volatility in his investigation of the recent Adobe Flash 0-day (CVE-2011-0611). He also included a memory sample collected from a compromised VM. Let’s see what interesting things the OOV can find in that sample…. Shoutz to Andre’! Thanks for the Vol-loV!
Apr 14th
Open Memory Forensics Workshop (OMFW) 2011
After the amazing success of OMFW 2008 and a <cough>little</cough> hiatus, we are currently in the process of planning OMFW 2011. OMFW is the single most important event for those who are interested in the deep technical aspects of digital investigations and forensics. It is intended for those people who realize the only real defense against a creative technical human adversary is...
Apr 13th
Volatility and The Flash Player Zero Day →
As many of you are aware, attackers have recently been exploiting a new Adobe Flash Zero Day in conjunction with targeted attacks. While reading Mila’s excellent write-up on contagio, I noticed Andre’ DiMino demonstrated how an analyst could leverage the upcoming 1.4 release of Volatility to find memory resident artifacts associated with the malware. It’s great to see that...
Apr 12th
March 2011
3 posts
Research Leveraging Volatility to be Presented at... →
Please join me in congratulating Brendan Dolan-Gavitt and his co-authors for getting their research accepted at the 2011 IEEE Symposium on Security and Privacy.  This has been the culmination of a lot of hard work and I’m glad that Brendan and his co-authors have been recognized for their efforts. As many of the Volatility developers will tell you, memory analysis can be a very challenging...
Mar 16th
Volatile Challenge: The Honeynet Project has a... →
The latest forensics challenge for The Honeynet Project involves a Linux server that was possibly compromised and in need of forensic analysis. As a part of this challenge, they have provided an image of the hard disk and a sample of physical memory. In what can only be characterized as impeccable timing, The Volatility Framework now has “Beta” support for Linux. attc has even given...
Mar 3rd
When it comes to Linux, Volatility Does (Beta)! →
Back in 2008, the DFRWS Conference hosted a forensics challenge focused on advancing Linux memory analysis techniques and demonstrating the advantages of integrating evidence from multiple sources (i.e., memory, hard disk, and network). In conjunction with my esteemed colleagues, Michael Cohen and David Collet from the PyFlag project, we decided to team up for our submission. One of the major goals...
Mar 2nd
January 2011
3 posts
Mac Memory Acquisition →
Every once in a while, we are asked for advice on performing memory analysis on a Mac.  One of the main challenges was the lack of public tools for sampling the state of a Mac’s physical memory.  While Matthieu Suiche was one of the first researchers to explore Mac memory analysis, he seems to have lost interest and his tools were never released. Today, the Cyber Marshal group released the...
Jan 20th
Black Hat DC 2011: De-Anonymizing Live CDs through... →
If you are planning to attend Black Hat DC 2011, you should check out Andrew Case’s presentation, “De-Anonymizing Live CDs through Physical Memory Analysis”.  Andrew’s presentation will provide insight into steps investigators can take to deal with Live CD’s and Tor.  Andrew has also been doing some very interesting work in the area of Linux memory analysis which is...
Jan 17th
Open Source Digital Forensics Conference →
We recently received a message announcing Brian Carrier’s 2nd Annual Sleuth Kit and Open Source Forensics Conference. Brian has been a great friend of The Volatility Project (TVP) over the years, and we encourage you to support our Open Source brethren. One of the exciting outcomes of last year's conference was the recently announced “Open Source Digital Forensics” website. For...
Jan 17th
December 2010
1 post
Command Line Kung Fu: Making a Difference with... →
After taking the SANS Reverse Engineering Malware course, the Command Line Kung Fu team decided to take on a challenge using Volatility in their latest episode. In particular, they demonstrated how an investigator can combine a little command line magic with Volatility to perform cross-view malware detection. While I think the team could have saved themselves a lot of trouble by simply creating a...
Dec 29th
November 2010
2 posts
Volatile Link: Volatility Documentation →
Let me begin by thanking everyone for their offers to assist with the upcoming 1.4 release; it’s great to see the growing excitement from the Volatility Community. On a related note, I recently received a pointer to a blog that has been discussing Volatility usage: Volatility Memory Forensics I - Installation; Volatility Memory Forensics II - Using Volatility; Volatility Mem Forensics...
Nov 26th
Malware Analyst's Cookbook and DVD →
I wanted to take this opportunity to recognize MHL, Steven, Blake, and Matt on the outstanding work they put into the “The Malware Analyst’s Cookbook and DVD”.  This book clearly ranks as one of the most authoritative works in the field of malware analysis.  The MAC gives insight into the tools, techniques, creativity, and sophistication required of malware analysts to deal with...
Nov 7th
July 2010
4 posts
Volatility Plugins: Taking Screenshots from Memory →
Many of you may have seen Moyix’s video demonstrating how you can use Volatility to reconstruct a Windows desktop from a sample of physical memory. He has finally decided to release his plugins for extracting information about on-screen windows. He also shows “screenshots” from two public memory samples. Shoutz to Moyix! I’m privileged to work with such an amazing team of...
Jul 16th
REMnux: A Linux Distribution for... →
Lenny Zeltser recently released REMnux, a lightweight Linux distribution based on Ubuntu, which provides a platform to assist in reverse-engineering malicious code. The memory forensics capabilities of the platform are built on The Volatility Framework.  Shoutz to Gleeda for sending the link!
Jul 10th
New Volatility Plugin: Robust Process Scanner  →
For those who may have missed it, moyix recently decided to release a robust process scanner, psscan3. This plugin was originally developed in conjunction with a research project focused on building “Robust Signatures for Kernel Data Structures”, which he presented at CCS 2009. Similar to its predecessors, the psscan3 plugin scans the physical address space looking for memory resident...
Jul 8th
A Volatile Challenge: Finding THE APT (Advanced...
If you happen to be one of the few people who does not get inundated by SANS spam, you are probably blissfully unaware that next week is the 2010 Digital Forensics and Incident Response Summit.  You will also be disappointed to learn that this year the Order of Volatility (OOV) has respectfully declined all invitations to participate. While we believe that the Digital Forensics and Incident...
Jul 3rd
June 2010
2 posts
At FIRST, there was Volatility.. →
If you are a supporter of The Volatility Project and plan to be at FIRST next week, please send us a note. We have a couple special events planned for supporters and members of the Volatility family!!  See you in the MIA!
Jun 12th
The Sleuth Kit and Open Source Digital Forensics... →
If you happen to be attending the Sleuth Kit and Open Source Digital Forensics Conference (or happen to be in the DC area) on June 9, 2010 and have some time to meet up, please send us a note. While The Volatility Project was unfortunately unable to accept the invitation to present, we have been able to free up some time and have accepted Brian’s gracious invitation to attend. In...
Jun 7th
May 2010
3 posts
A Volatile Challenge: Analyzing Physical Memory of... →
As we saw with the 2010 SSTIC Challenge, there is a growing interest in performing memory analysis of mobile devices.  The latest DFRWS Forensic Challenge involves the development of tools and techniques for analyzing physical memory of mobile devices. In particular, the DFRWS challenge scenario involves analyzing memory samples taken from a Sony Ericsson K800i Cybershot, which belonged to a...
May 17th
May ISSA Journal Toolsmith: Memory forensics with... →
May’s toolsmith article in the ISSA Journal discusses using Volatility and PTK to analyze a memory sample infected with “Banload”. In the article, Russ McRee discusses how running even the basic Volatility commands can help an investigator “get right to the bottom of an incident”. He then goes on to discuss how the results of Volatility can be combined with the...
May 16th
The Honeynet Project's Banking Troubles Solved... →
In case you may have missed it, the results for the Honeynet Forensic Challenge (Challenge 3- Banking Troubles) have recently been posted. It is exciting to report that ALL three winning submissions and the Sample Solution leveraged The Volatility Framework!  We would like to take this opportunity to recognize Mario Pascucci (Italy), Tyler Hudak (USA), and Carl Pulley (UK). We would also like to...
May 13th