OMFW 2013: Dalvik Memory Analysis and a Call to ARMs - Joe Sylve
We wanted to highlight a few of the talks that will be presented at OMFW 2013:
Dalvik Memory Analysis and a Call to ARMs. Joe Sylve (@jtsylve) Managing Partner, 504ENSICS Labs
This talk will detail our DARPA Cyber Fast Track research effort for parsing Dalvik-level constructs from memory captures of Android devices. These include (at least) all of the built-in types, class names, statics, methods and variables, and similar information, with values for object instances. As part of this effort we also created a free GUI-based browser, called Dalvik Inspector, with browsing, searching, and automated Volatility plugin generation capabilities for analysis of the raw parsed data. This tool facilitates deep, standalone analysis of application-internal structure. The talk will conclude with a discussion of, and an appeal to the research community regarding, the open research problems that need to be addressed in order to make Android memory analysis viable for the community at large.
This event will be the 5th public offering of the Windows Malware and Memory Forensics Training by The Volatility Project. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework’s extensive set of plugins. Now you can learn about these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool.
While the training course is constantly being updated, there are two updates being introduced during the Reston training that are worth highlighting:
- Windows 8 & Server 2012 Support
- Mastering TrueCrypt
Dates: Monday, November 11th through Friday, November 15th 2013
Location: Reston, VA (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda)
The official registration invitations for OMFW 2013 went out earlier this week. If you are still planning to attend, I recommend sending a request as soon as possible. As of this afternoon, there are only 5 spots remaining! Starting next week, we will begin finalizing and announcing the exciting roster of speakers.
Reserve your seat by contacting: info [at] volatilesystems [dot] com.
Registration for the Open Memory Forensics Workshop 2013
We are excited to announce that registration for the 4th annual OMFW is officially open. The workshop will be held on November 4, 2013 and will coincide with the Open Source Digital Forensics Conference. OMFW is the single most important event for those who are interested in pushing the state of the art of digital forensics and incident response. If you are interested in getting involved or have an exciting memory-related topic that you would like to share with the digital forensics community, please let the team know. For those interested in attending, please see the official website for details. Due to the overwhelming response in previous years, we were not able to fulfill all the registration requests, so please be sure to register early! Check out what previous attendees of OMFW have said:
"The OMFW was well… mind blowing for the most part. The amount of knowledge the Volatility guys (and girl) have is insane."
Glenn P. Edwards Jr.
"For the last four years the Open Source Memory Forensics Workshop (OMFW) has hosted a collective who’s who of memory forensics and provided a forum in which to discuss the latest advances and tools."
"Aaron was able to bring together an outstanding group of folks interested in "memory forensics" and there was some spirited discussion among the participants along with some really outstanding talks/demos. It was also great to be able to put faces to folks who until then had only been handles in IRC or names on e-mail/blog posts in the past."
"My first impression of the event was that the underground could have set digital forensics back 3-5 years if they had attacked our small conference room. Where else do you have Eoghan Casey, Brian Carrier, Harlan Carvey, Michael Cohen, Brendan Dolan-Gavitt, George Garner Jr., Andreas Schuster, Aaron Walters, et al, in the same room? I thought Brian Dykstra framed the situation properly when asking the following: “I know this is an easy question for all you ‘beautiful minds,’ but…”"
REMINDER: If you are planning to submit to the Volatility Framework Plugin Contest, please make sure your entry is submitted before August 1, 2013.
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Malware
If you are planning to head out to RSA this year, you should definitely add Andrew Case’s talk, “Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Malware” to your schedule. His talk will be Wednesday, February 27 9:20-10:20 AM in Room 120. Considering all the veiled marketing pitches you will have to endure, you might as well take time out to listen to someone who is actually technical and contributing to the community. Besides, his talk will be far more informative than paying another $2,000 to hear someone explain how they lethally “Googled” Andrew’s work. On that note, it will also be a good opportunity to show your support for open source forensics developers (#SOSFD). Members of the Volatility Team will also be roaming the halls or drinking tea, if you are interested in meeting up!
Here’s your opportunity to impress your colleagues and become the inaugural member of the “Volatility Hall of Fame”. The contest is straightforward: Develop an innovative and useful extension to The Volatility Framework, impress the judges, and win the contest! Did I also mention you could win cold hard cash ($$$)? See the Volatility Labs site for details.
If you were unable to attend the training we held in December, I encourage you to check out "Windows Malware and Memory Forensics" being held in Chicago, during the week of March 18th-22nd. This is the only Windows memory forensics course officially designed, endorsed, and taught by the Volatility developers. The content being taught is so valuable that trainers from competing courses have attempted to surreptitiously register their spouses just to steal material! One of our recent attendees summed up the value of learning from the actual developers:
"The instructors answered your questions more thoroughly than any I’ve encountered. Highly, highly recommended!" (Jason B., Jones Dykstra and Associates)
If you missed Andrew’s presentation on finding malware artifacts in memory using Volatility, the slides and video were recently posted. Shoutz to Andrew!
As part of the Hacker Academy’s new Deep Dive Series, Andrew Case will be discussing techniques for finding malware artifacts in physical memory with Volatility. The webinar takes place tomorrow (December 18) at 7pm Eastern. Don’t miss an opportunity to learn from one of the core Volatility developers and show your support for open source forensics (#SOSFD). Early registration is required. Shoutz to attrc and the Hacker Academy!
If you have some time tomorrow, you should check out Andrew Case discussing Android Forensics during the DFIROnline meeting at 2000 US Eastern time. This is your opportunity to learn about the latest research in RAM analysis of Android devices and how that research is accessible to practitioners within The Volatility Framework. Shoutz to Andrew and all those who Support Open Source Forensics Developers (#SOSFD)!