OMFW 2013: Memoirs of a Hindsight Hero: Detecting Rootkits in OS X - Cem Gurkok

Memoirs of a Hindsight Hero: Detecting Rootkits in OS X, Cem Gurkok, OMFW 2013.

 The OS X Kernel has become a popular target for malicious adversaries. At the moment there are tools that provide detection for basic OS X rootkit techniques, such as executable substitution or direct function modification (e.g. the Rubilyn rootkit). Advanced rootkits often leverage more advanced capabilities that are harder to detect, such as function inlining, DTrace hooks, call reference modification, shadow syscall and trustedbsd policy tables. In this presentation, I will be exploring how to attack the OS X syscall table and other kernel objects with these advanced techniques and how to detect these modifications in memory using the Volatility Framework. The presentation will include demonstrations of system manipulation on a live system and subsequent detection using the new Volatility Framework plugin.


OMFW 2013: Dalvik Memory Analysis and a Call to ARMs - Joe Syle

We wanted to highlight a few of the talks that will be presented at OMFW 2013:

Dalvik Memory Analysis and a Call to ARMs. Joe Sylve (@jtsylve) Managing Partner, 504ENSICS Labs

This talk will detail our DARPA Cyber Fast Track research effort for parsing Dalvik-level constructs from memory captures of Android devices. These include (at least) all of the built-in types, class names, statics, methods and variables, and similar information with values for object instances. In our effort we also have created, a free GUI-based browser, called Dalvik Inspector, with browsing, searching, and automated Volatility plugin generation capabilities for analysis of the raw parsed data. This tool facilitates deep, standalone analysis of application-internal structure. This talk will conclude with a discussion and appeal to the research community in regards to open research problems that need to be addressed in order to make Android memory analysis viable for the community at large.  


Registration for the Open Memory Forensics Workshop 2013

We are excited to announce that the registration for the 4th annual OMFW is officially open. The workshop will be held on November 4, 2013 and will coincide with the Open Source Digital Forensics Conference.  OMFW is the single most important event for those who are interested in pushing the state of the art of digital forensics and incident response.  If you are interested in getting involved or have an exciting memory related topic that you would like to share with the digital forensics community, please let the team know. For those interested in attending, please see the official website for details. Due to the overwhelming response in previous year, we were not able to fulfill all the registration requests, so please be sure to register early! Check out what previous attendees of OMFW have said:

"The OMFW was well… mind blowing for the most part. The amount of knowledge the Volatility guys (and girl) have is insane."
Glenn P. Edwards Jr.

"For the last four years the Open Source Memory Forensics Workshop (OMFW) has hosted a collective who’s who of memory forensics  and provided a forum in which to discuss the latest advances and tools."
Mike Webber

"AAron was able to bring together an outstanding group of folks interested in "memory forensics" and there was some spirited discussion among the participants along with some really outstanding talks/demos. It was also great to be able to put faces to folks who until then had only been handles in IRC or names on e-mail/blog posts in the past."
Jim Clausing

"My first impression of the event was that the underground could have set digital forensics back 3-5 years if they had attacked our small conference room. Where else do you have Eoghan Casey, Brian Carrier, Harlan Carvey, Michael Cohen, Brendan Dolan-Gavitt, George Garner Jr., Andreas Schuster, Aaron Walters, et al, in the same room? I thought Brian Dykstra framed the situation properly when asking the following: “I know this is an easy question for all you ‘beautiful minds,’ but…”“
Richard Bejtlich

REMINDER: If you are planning to submit to the Volatility Framework Plugin Contest, please make sure your entry is submitted before August 1, 2013.


Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Malware

If you are planning to head out to RSA this year, you should definitely add Andrew Case’s talk, “Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Malware” to your schedule.  His talk will be Wednesday, February 27 9:20-10:20 AM in Room 120.  Considering all the veiled marketing pitches you will have to endure, you might as well take time out to listen to someone who is actually technical and contributing to the community.  Besides, his talk will be far more informative than paying another $2,000 to hear someone explain how they lethally “Googled” Andrew’s work.  On that note, it will also be a good opportunity to show your support for open source forensics developers (#SOSFD).  Members of the Volatility Team will also be roaming the halls or drinking tea, if you are interested in meeting up!

← Older Entries Page 2 of 30 Newer Entries →