OMFW 2013: Bringing Mac Memory Forensics to the Mainstream - Andrew Case (@attrc)
"Bringing Mac Memory Forensics to the Mainstream", Andrew Case (@attrc), OMFW 2013.
Volatility now includes full Mac support for all versions from 10.5.x through the latest 10.8.x, both 32- and 64-bit. This presentation will show how these capabilities can be used in a variety of scenarios including digital forensics, incident response, and malware analysis. The presentation will also highlight many of the challenges that had to be overcome in pursuit of comprehensive Mac memory analysis support. Many of these challenges are unique to Mac, and required deep understanding of the often “interesting” design decisions made by the operating system developers.
OMFW 2013: Every Step You Take: Profiling the System - Jamie Levy (Gleeda)
"Every Step You Take: Profiling the System", Jamie Levy (@gleeda), OMFW 2013.
As DFIR investigations become more complicated, often spanning several machines, there is a need to employ some mechanisms in the memory forensics realm which are already heavily used in disk forensics. Some of these mechanisms include: whitelisting/blacklisting, indicators of compromise (IOCs) and profiling. This talk will cover new plugins that enable the investigator to create, combine and modify baseline profiles, to easily see items on either side of a baseline profile and hunt for IOCs across the enterprise.
OMFW 2013: Mastering TrueCrypt and Windows 8 / Server 2012 Memory Forensics - Michael Hale Ligh (MHL)
"Mastering TrueCrypt and Windows 8 / Server 2012 Memory Forensics", Michael Hale Ligh (@iMHLv2), OMFW 2013.
This talk provides a how-to on leveraging memory forensics to investigate and defeat TrueCrypt hard disk encryption. We’ll walk through scenarios involving different suspects who used file-based containers, non-system partitions (i.e. flash drives), and full drive encryption to hide their assets. During the demonstrations, you’ll learn about three new Volatility plugins for recovering cached TrueCrypt passphrases, identifying the exact paths to the file-based containers, and extracting master keys even when suspects stray from AES and use non-default algorithms like Serpent and Twofish. As a subtle facet, we’ll be doing all of this on 32- and 64-bit Windows 8 and Server 2012 memory dumps - the first major new Windows operating system supported by Volatility in nearly two years.
This presentation is particularly topical considering the recent discussions about TrueCrypt.
OMFW 2013: Stabilizing Volatility - Mike Auty (Ikelos)
"Stabilizing Volatility", Mike Auty (ikelos), OMFW 2013.
This talk will step through a very brief history of Volatility, then cover the structure of the core, before explaining the primary techniques currently used in the Object, Address Space and Profile classes, as well as touching on some helper objects. The middle will cover several design decisions later found to be poor, and whether/when those can be resolved. Finally, an outline of new structures designed to overcome several of the limitations in the current Volatility will be shown.
OMFW 2013: All Your Social Media are belong to Volatility - Jeff Bryner
"All Your Social Media are belong to Volatility", Jeff Bryner (@0x7eff), Incident Response/Forensics at Mozilla, OMFW 2013.
Volatility is by far the richest memory forensic toolkit available. This year they upped the ante by inviting regular mortals to write plug-ins and submit them for the greater good. This session will demo my submissions for forensic recovery of social media artifacts from Facebook and Twitter. We will have the audience participate live by engaging with a Twitter and Facebook account, dump the memory of the victim machine and see what we can recover via Volatility. If time allows we will have a look at the code with an eye on encouraging more plugins for other social media sites; Tumblr, Pinterest, Flickr, YouTube, etc. await!
OMFW 2013: Memoirs of a Hindsight Hero: Detecting Rootkits in OS X - Cem Gurkok
"Memoirs of a Hindsight Hero: Detecting Rootkits in OS X", Cem Gurkok, OMFW 2013.
The OS X Kernel has become a popular target for malicious adversaries. At the moment there are tools that provide detection for basic OS X rootkit techniques, such as executable substitution or direct function modification (e.g. the Rubilyn rootkit). Advanced rootkits often leverage more advanced capabilities that are harder to detect, such as function inlining, DTrace hooks, call reference modification, shadow syscall and TrustedBSD policy tables. In this presentation, I will be exploring how to attack the OS X syscall table and other kernel objects with these advanced techniques and how to detect these modifications in memory using the Volatility Framework. The presentation will include demonstrations of system manipulation on a live system and subsequent detection using the new Volatility Framework plugin.
OMFW 2013: Dalvik Memory Analysis and a Call to ARMs - Joe Sylve
We wanted to highlight a few of the talks that will be presented at OMFW 2013:
"Dalvik Memory Analysis and a Call to ARMs", Joe Sylve (@jtsylve), Managing Partner, 504ENSICS Labs, OMFW 2013.
This talk will detail our DARPA Cyber Fast Track research effort for parsing Dalvik-level constructs from memory captures of Android devices. These include (at least) all of the built-in types, class names, statics, methods and variables, and similar information with values for object instances. In our effort we also have created a free GUI-based browser, called Dalvik Inspector, with browsing, searching, and automated Volatility plugin generation capabilities for analysis of the raw parsed data. This tool facilitates deep, standalone analysis of application-internal structure. This talk will conclude with a discussion and appeal to the research community in regards to open research problems that need to be addressed in order to make Android memory analysis viable for the community at large.
This event will be the 5th public offering of the Windows Malware and Memory Forensics Training by The Volatility Project. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework’s extensive set of plugins. Now you can learn about these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool.
While the training course is constantly being updated, there are two updates being introduced during the Reston training that are worth highlighting:
- Windows 8 & Server 2012 Support
- Mastering TrueCrypt
Dates: Monday, November 11th through Friday, November 15th 2013
Location: Reston, VA (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda)
The official registration invitations for OMFW 2013 went out earlier this week. If you are still planning to attend, I recommend sending a request as soon as possible. As of this afternoon, there are only 5 spots remaining! Starting next week, we will begin finalizing and announcing the exciting roster of speakers.
Reserve your seat by contacting: info [at] volatilesystems [dot] com.
Registration for the Open Memory Forensics Workshop 2013
We are excited to announce that the registration for the 4th annual OMFW is officially open. The workshop will be held on November 4, 2013 and will coincide with the Open Source Digital Forensics Conference. OMFW is the single most important event for those who are interested in pushing the state of the art of digital forensics and incident response. If you are interested in getting involved or have an exciting memory related topic that you would like to share with the digital forensics community, please let the team know. For those interested in attending, please see the official website for details. Due to the overwhelming response in previous years, we were not able to fulfill all the registration requests, so please be sure to register early! Check out what previous attendees of OMFW have said:
"The OMFW was well… mind blowing for the most part. The amount of knowledge the Volatility guys (and girl) have is insane."
Glenn P. Edwards Jr.
"For the last four years the Open Source Memory Forensics Workshop (OMFW) has hosted a collective who’s who of memory forensics and provided a forum in which to discuss the latest advances and tools."
"Aaron was able to bring together an outstanding group of folks interested in "memory forensics" and there was some spirited discussion among the participants along with some really outstanding talks/demos. It was also great to be able to put faces to folks who until then had only been handles in IRC or names on e-mail/blog posts in the past."
"My first impression of the event was that the underground could have set digital forensics back 3-5 years if they had attacked our small conference room. Where else do you have Eoghan Casey, Brian Carrier, Harlan Carvey, Michael Cohen, Brendan Dolan-Gavitt, George Garner Jr., Andreas Schuster, Aaron Walters, et al, in the same room? I thought Brian Dykstra framed the situation properly when asking the following: “I know this is an easy question for all you ‘beautiful minds,’ but…”"
REMINDER: If you are planning to submit to the Volatility Framework Plugin Contest, please make sure your entry is submitted before August 1, 2013.