Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Malware
If you are planning to head out to RSA this year, you should definitely add Andrew Case’s talk, “Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Malware”, to your schedule. His talk will be Wednesday, February 27, 9:20-10:20 AM in Room 120. Considering all the veiled marketing pitches you will have to endure, you might as well take time out to listen to someone who is actually technical and contributing to the community. Besides, his talk will be far more informative than paying another $2,000 to hear someone explain how they literally “Googled” Andrew’s work. On that note, it will also be a good opportunity to show your support for open source forensics developers (#SOSFD). Members of the Volatility Team will also be roaming the halls or drinking tea, if you are interested in meeting up!
Here’s your opportunity to impress your colleagues and become the inaugural member of the “Volatility Hall of Fame”. The contest is straightforward: Develop an innovative and useful extension to The Volatility Framework, impress the judges, and win the contest! Did I also mention you could win cold hard cash ($$$)? See the Volatility Labs site for details.
If you were unable to attend the training we held in December, I encourage you to check out "Windows Malware and Memory Forensics", being held in Chicago during the week of March 18th-22nd. This is the only Windows memory forensics course officially designed, endorsed, and taught by the Volatility developers. The content being taught is so valuable that trainers from competing courses have attempted to surreptitiously register their spouses just to steal material! One of our recent attendees summed up the value of learning from the actual developers:
"The instructors answered your questions more thoroughly than any I’ve encountered. Highly, highly recommended!" (Jason B., Jones Dykstra and Associates)
If you missed Andrew’s presentation on finding malware artifacts in memory using Volatility, the slides and video were recently posted. Shoutz to Andrew!
As a part of the Hacker Academy’s new Deep Dive Series, Andrew Case will be discussing techniques for finding malware artifacts in physical memory with Volatility. The webinar takes place tomorrow (December 18) at 7pm Eastern. Don’t miss an opportunity to learn from one of the core Volatility developers and show your support for open source forensics (#SOSFD). Early registration is required. Shoutz to attc and the Hacker Academy!
If you have some time tomorrow, you should check out Andrew Case discussing Android Forensics during the DFIROnline meeting at 8:00 PM US Eastern. This is your opportunity to learn about the latest research in RAM analysis of Android devices and how that research is accessible to practitioners within The Volatility Framework. Shoutz to Andrew and all those who Support Open Source Forensics Developers (#SOSFD)!
If you happen to be in the Seattle area in March, Russ McRee, a member of Microsoft’s Online Services Security & Compliance team, will be giving a presentation on Volatility at the CTIN Digital Forensics Conference.
This discussion will cover the complete life cycle of memory acquisition and analysis for forensics and incident response, using Volatility.
Volatility has been referred to as the Python version of the Windows Internals book, given how much can be learned about Windows by reviewing how Volatility enumerates evidence. We’ll conduct real-time analysis and examine Volatility’s plugin capabilities.
The Volatility project shortens the amount of time it takes to put cutting-edge research into the hands of practitioners, while encouraging and pushing the technical advancement of the digital forensics field.
Join us and learn more about this outstanding tool.
Shoutz to Russ!
A team of researchers from the University of California at Santa Barbara demonstrated how Volatility could be used to monitor for indicators of compromise across an enterprise without signatures:
“Blacksheep functions by detecting anomalous memory dumps collected from a group of machines instead of looking for specific signatures of infection; it does not require the use of signatures. As such, it is well-built to handle previously-unseen malware threats.”
It’s great to see that Volatility continues to be the basis of research published at the nation’s top information security conferences. It’s exciting to think that the same industry-leading framework that is used daily by digital forensics practitioners is also being used for cutting-edge research by some of the nation’s top security academics. Shoutz to the UCSB team!
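The following is an added example, not code from the Blacksheep paper or from the Volatility project, of the signature-free idea described above: treat whatever a majority of the fleet has loaded as the baseline and report only what deviates from it. It assumes each host's memory image has already been run through a Volatility listing plugin (for example `modules` or `ldrmodules`) and reduced to a set of (name, path) pairs; the host names, module names and paths below are constructed for illustration and are not real artifacts.

```python
"""Fleet-wide baseline over per-host Volatility listing output.

Added example (not Blacksheep's or Volatility's code). Each host's loaded
modules are assumed to have been extracted from a memory image beforehand
and reduced to (name, path) tuples; HOSTS below is constructed sample data.
"""
from collections import Counter

# Constructed sample data: modules common to a clean build of the fleet.
COMMON = {
    ("ntoskrnl.exe", r"\SystemRoot\system32\ntoskrnl.exe"),
    ("hal.dll", r"\SystemRoot\system32\hal.dll"),
    ("tcpip.sys", r"\SystemRoot\system32\DRIVERS\tcpip.sys"),
    ("ndis.sys", r"\SystemRoot\system32\DRIVERS\ndis.sys"),
}
VMCI = ("vmci.sys", r"\SystemRoot\system32\DRIVERS\vmci.sys")

HOSTS = {
    "ws01": set(COMMON),
    # Two hosts carry a legitimate extra driver; prevalence keeps it in baseline.
    "ws02": COMMON | {VMCI},
    "ws03": COMMON | {VMCI},
    # ws04 has one module no peer has and loads tcpip.sys from a non-standard
    # path in place of the system copy (hypothetical paths, constructed here).
    "ws04": (COMMON - {("tcpip.sys", r"\SystemRoot\system32\DRIVERS\tcpip.sys")})
    | {
        ("sysdrv.sys", r"\??\C:\Windows\Temp\sysdrv.sys"),
        ("tcpip.sys", r"\??\C:\Users\Public\tcpip.sys"),
    },
}


def baseline(hosts, min_fraction=0.5):
    """Artifacts seen on at least min_fraction of the hosts form the baseline.

    No signatures are involved: the fleet itself defines 'normal'.
    """
    counts = Counter(art for arts in hosts.values() for art in arts)
    threshold = min_fraction * len(hosts)
    return {art for art, n in counts.items() if n >= threshold}


def classify(hosts, min_fraction=0.5):
    """Return {host: [(name, path, reason), ...]} for artifacts outside baseline.

    reason is 'name_collision' when a baseline module name is loaded from a
    different path (a masquerading driver), otherwise 'unique'.
    """
    base = baseline(hosts, min_fraction)
    base_names = {name for name, _ in base}
    findings = {}
    for host, arts in sorted(hosts.items()):
        for name, path in sorted(arts - base):
            reason = "name_collision" if name in base_names else "unique"
            findings.setdefault(host, []).append((name, path, reason))
    return findings


if __name__ == "__main__":
    for host, items in classify(HOSTS).items():
        for name, path, reason in items:
            print(f"{host}: {name} {path} [{reason}]")
```

The obvious caveat of any prevalence-based approach applies: if the same implant is present on a majority of the sampled hosts, it becomes part of the baseline, so the group should be large, drawn from the same OS build, and sampled before an outbreak can spread widely. The name-collision check is a cheap addition that catches a module reusing a well-known filename from an unusual directory even when only one host is affected.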
We are pleased to announce the first public offering of the Windows Memory Forensics for Analysts training course. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework’s extensive set of plugins. Now you can reap these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool.
Dates: Monday, December 3rd through Friday, December 7th 2012
Location: Reston, Virginia (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda). Please see the VolatilityTeam wiki page for brief bios.
In this paper, recently published at the 5th Workshop on Cyber Security Experimentation and Test, the researchers describe how they used Volatility in conjunction with LibVMI to create a hybrid honeypot architecture based on virtual machine introspection. They leverage Volatility’s powerful plugins to analyze the run time state of the systems and detect any changes that may arise. It’s great to see that researchers from top universities continue to publish research that builds upon The Volatility Framework (TVF). Shoutz to BDP and the rest of the research team!