Tracking The Volatility Project
If you are one of those people who likes to stay up to date on the latest happenings in the world of memory forensics and Volatility, there are some new resources you should definitely check out:
Volatility Labs: This blog will now be the official blog of The Volatility Project. To kickstart the new blog and celebrate the upcoming OMFW, we are currently hosting the Month of Volatility Plugins (MoVP).
@Volatility: For those who want to follow the Volatility Development Team and get the inside track on upcoming events (i.e., the exciting new training courses), you should check us out on Twitter. Those who follow @Volatility will also be eligible for training discounts and receive priority registration for Volatility events.
Volatility Wiki: Thanks to MHL the Volatility Wiki page is receiving a much needed facelift. Check it out and let us know what you think!
OMFW 2012 Update: Limited Seats Remaining
If you were considering reserving a seat at the Open Memory Forensics Workshop (OMFW) 2012, we suggest you don’t wait too long. We only have a couple of seats still available. Once those seats are filled, we will have to wait list requests until someone cancels. For those who already have a confirmed reservation, we will be sending out the logistics details this weekend. It’s exciting to see all the new analysts wanting to unleash the power of the real memory forensics framework. Who takes pride in being a misguided tool user? Don’t be left out!
Andrew Case recently wrote another interesting blog post describing his new tmpfs plugin for Volatility. This plugin has a number of exciting and unexpected forensic applications, especially when you start analyzing Android samples. (Rumor has it this year's DFRWS Rodeo involved analyzing Android memory samples with Volatility.) Shoutz to Andrew! You will not want to miss his OMFW presentation!
If you are not a member of the Volatility Users mailing list, you probably missed a recent thread discussing how to identify TrueCrypt artifacts in physical memory with Volatility 2.1. Lucky for you, “Bridgey the Geek” created a document that summarized the thread and his observations. If you are interested in TrueCrypt, you may also want to check out the research we did in 2007 to extract the TrueCrypt master key.
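To make the memory-resident key idea concrete, here is an added example that is not code from the Volatility project or from the 2007 research linked above. It scans a buffer for AES key schedules: while a volume is mounted the cipher keeps its expanded key in RAM, and because every round key is derived from the one before it, a candidate 16- or 32-byte key can be confirmed by re-deriving the schedule and comparing it with the bytes that follow. The sample "page", its offsets, and the planted FIPS-197 test keys are all constructed for this example; the test keys are used only because their schedules are publicly known.

```python
"""Scan a memory buffer for AES key schedules (AES-128 and AES-256).

Added illustration, not Volatility code. Assumes the schedule is stored
contiguously in memory as Windows and Linux crypto drivers commonly do.
"""
import random


def build_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine transform)."""
    def rotl(x, s):
        return ((x << s) | (x >> (8 - s))) & 0xFF

    sbox = [0] * 256
    p = q = 1                       # loop invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                     # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                  # 0 has no inverse; defined separately
    return sbox


SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _sub_word(word):
    return bytes(SBOX[b] for b in word)


def _first_round_word(key):
    """w[Nk] = w[0] ^ SubWord(RotWord(w[Nk-1])) ^ Rcon[1], the first derived word."""
    last = key[-4:]
    temp = _sub_word(last[1:] + last[:1])
    return _xor(key[:4], bytes([temp[0] ^ RCON[0]]) + temp[1:])


def expand_key(key):
    """Return the full key schedule for a 16-byte (AES-128) or 32-byte (AES-256) key."""
    nk = len(key) // 4
    if nk not in (4, 8):
        raise ValueError("key must be 16 or 32 bytes")
    words = [bytes(key[i:i + 4]) for i in range(0, len(key), 4)]
    for i in range(nk, 4 * (nk + 7)):           # 44 words for AES-128, 60 for AES-256
        temp = words[i - 1]
        if i % nk == 0:
            temp = _sub_word(temp[1:] + temp[:1])               # RotWord + SubWord
            temp = bytes([temp[0] ^ RCON[i // nk - 1]]) + temp[1:]
        elif nk == 8 and i % nk == 4:
            temp = _sub_word(temp)                              # AES-256 only
        words.append(_xor(words[i - nk], temp))
    return b"".join(words)


def find_aes_schedules(buf, key_len=32):
    """Return (offset, key) wherever a complete schedule for a key_len-byte key starts.

    TrueCrypt volumes use AES-256, hence the default of 32."""
    if key_len not in (16, 32):
        raise ValueError("key_len must be 16 or 32")
    sched_len = 16 * (key_len // 4 + 7)        # 176 or 240 bytes
    hits = []
    for off in range(len(buf) - sched_len + 1):
        key = buf[off:off + key_len]
        # Cheap filter: verify one derived word before paying for the full expansion.
        if _first_round_word(key) != buf[off + key_len:off + key_len + 4]:
            continue
        if expand_key(key) == buf[off:off + sched_len]:
            hits.append((off, bytes(key)))
    return hits


# FIPS-197 test keys (public test vectors, not keys from any real image)
FIPS_KEY_128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
FIPS_KEY_256 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                             "1f352c073b6108d72d9810a30914dff4")


def build_sample_image():
    """Constructed 8 KiB 'memory page': random filler with one schedule of each size planted."""
    rng = random.Random(2012)
    page = bytearray(rng.randrange(256) for _ in range(8192))
    page[0x0C40:0x0C40 + 176] = expand_key(FIPS_KEY_128)
    page[0x1400:0x1400 + 240] = expand_key(FIPS_KEY_256)
    return bytes(page)


if __name__ == "__main__":
    image = build_sample_image()
    for key_len in (16, 32):
        for off, key in find_aes_schedules(image, key_len):
            print(f"AES-{key_len * 8} key schedule at 0x{off:04x}, key {key.hex()}")
```

On a real dump you would feed the scanner the physical image (or a process's memdump output) in chunks; the first-word filter is what keeps a byte-by-byte scan affordable, since the full expansion only runs on candidates that already pass a 32-bit check.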
We are very excited to announce the official release of Volatility 2.1! While the main goal of this release was to get x64 support into an official release, we also sneaked in a number of interesting new capabilities! Highlights of this release include:
- New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64)
- Majority of Existing Plugins Updated with x64 Support
- Merged Malware Plugins into Volatility Core with Preliminary x64 Support (see FeaturesByPlugin21)
- WindowsHiberFileSpace32 Overhaul (also includes x64 Support)
- Expanded Operating System Profiles:
  - Windows XP SP1, SP2 and SP3 x86
  - Windows XP SP1 and SP2 x64 (there is no SP3 x64)
  - Windows Server 2003 SP0, SP1, and SP2 x86
  - Windows Server 2003 SP1 and SP2 x64 (there is no SP0 x64)
  - Windows Vista SP0, SP1, and SP2 x86
  - Windows Vista SP0, SP1, and SP2 x64
  - Windows Server 2008 SP1 and SP2 x86 (there is no SP0)
  - Windows Server 2008 SP1 and SP2 x64 (there is no SP0)
  - Windows Server 2008 R2 SP0 and SP1 x64
  - Windows 7 SP0 and SP1 x86
  - Windows 7 SP0 and SP1 x64
- Plugin Additions (Now Over 70 Analysis Plugins!):
  - Printing Process Environment Variables (envvars)
  - Inspecting the Shim Cache (shimcache)
  - Profiling Command History and Console Usage (cmdscan, consoles)
  - Converting x86 and x64 Raw Dumps to MS CrashDump (raw2dmp)
- Plugin Enhancements:
  - Verbose details for kdbgscan and kpcrscan
  - idt/gdt/timers plugins cycle automatically for each CPU
  - apihooks detects LSP/winsock procedure tables
- New Output Formatting Support (Table Rendering)
- New Mechanism for Profile Modifications
- New Registry API Support
- New Volshell Commands
- Updated Documentation and Command Reference
In particular, I also wanted to take this opportunity to recognize those on the development team who helped push to make this release possible: Mike Auty, Andrew Case, Michael Cohen, Michael Hale Ligh, and Jamie Levy. These are the people who make a number of sacrifices in their own personal lives to continue to bring you the most advanced memory forensics framework in the world! If you appreciate the hard work they put into Volatility, I encourage you to Support Open Source Forensics Developers (SOSFD). Finally, shoutz to the Volatility Community for their continued support and feedback!
As an added bonus, we will also be releasing Volatility 2.2 at the Open Memory Forensics Workshop 2012 on October 2. This will be your only opportunity to learn about all the new features in 2.1 and 2.2 from the actual Volatility development team. Please register early. Seats are filling up fast.
Open Memory Forensics Workshop (OMFW) 2012 Update
We are excited to announce that over half the seats for the Open Memory Forensics Workshop (OMFW) have already been reserved. It’s also great to see a large number of first-time attendees from across government, academic, and commercial institutions. This is your one chance a year to hear about the latest research in memory forensics from the people who are pioneering the field. Having insider information about the presentations, I guarantee this will be one of the best workshops we have ever held and you will be amazed! If you are still planning to attend, we suggest you register as soon as possible to make sure you have a seat. We will be confirming the venue seating capacity this week. We also wanted to take this opportunity to address some of the questions we have received:
- OMFW participants are not required to register for OSDFC. In fact, these are actually two separate events that just “happen” to be occurring around the same time. OMFW will be held at a different, but nearby, location so on-site registration at OSDFC will not be possible.
- The only way to register for OMFW is to email: email@example.com. Once you email this address, a seat will be reserved for you, assuming one is available, and you will receive details about completing registration.
In this blog post, Andre DiMino demonstrates how to use Volatility to analyze a Cridex sample. In particular, he extracts information from physical memory related to processes (psscan, pslist), network activity (connections, connscan, sockets, sockscan), mutants (handles), and suspicious memory allocations (malfind, vaddump). He then demonstrates how an analyst can combine that data with Maltego. Andre was also kind enough to make the Cridex memory sample available. What can you find? Shoutz to Andre!
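Comparing pslist against psscan is the classic first step in a triage like Andre's: pslist walks the kernel's linked process list, while psscan carves _EPROCESS structures out of physical memory, so anything psscan finds that pslist does not is either terminated (psscan reports an exit time) or hidden by unlinking. As an added example that is not part of his post or of the Volatility code base, the script below parses the text tables those plugins print, separates the two cases, and joins connscan on PID so that network activity owned by such a process stands out. The three listings, process names, PIDs, and addresses are constructed for this example in the column layout of the Volatility 2.1 table renderer; they are not output from the Cridex sample.

```python
"""Cross-check pslist, psscan and connscan output for unlinked processes.

Added example, not Volatility code. The tables below are constructed.
"""
import re

PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     51      266 ------      0
0x81e9b020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x81f4b6e8 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
"""

PSSCAN = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x02029ab8 System                4      0 0x00319000
0x0209b020 smss.exe            368      4 0x06c40020 2012-07-22 02:42:31 UTC+0000
0x0214b6e8 explorer.exe       1484   1464 0x06c40200 2012-07-22 02:42:36 UTC+0000
0x021a8d70 notepad.exe        2020   1484 0x06c40320 2012-07-22 02:50:10 UTC+0000   2012-07-22 02:55:42 UTC+0000
0x021e3b40 svchost.exe        1992   1484 0x06c40440 2012-07-22 02:51:03 UTC+0000
"""

CONNSCAN = """\
Offset(P)  Local Address             Remote Address               Pid
---------- ------------------------- ------------------------- ------
0x02087620 192.0.2.10:1038           198.51.100.7:80             1484
0x020f1a08 192.0.2.10:1041           198.51.100.7:8080           1992
0x0211c3d0 192.0.2.10:1039           203.0.113.5:443             2020
"""


def parse_table(text):
    """Turn a Volatility 2.x text table into a list of dicts keyed by header name.

    Column boundaries come from the dashed separator line, and each token is
    assigned to the column whose span its midpoint falls in, so values that
    contain spaces (timestamps) stay whole and slight misalignment is tolerated.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    sep = next(i for i, ln in enumerate(lines) if set(ln) <= {"-", " "})
    spans = [m.span() for m in re.finditer(r"-+", lines[sep])]

    def cells(line):
        cols = [[] for _ in spans]
        for m in re.finditer(r"\S+", line):
            mid = (m.start() + m.end()) // 2
            col = 0
            for i, (start, _) in enumerate(spans):
                if start <= mid:
                    col = i
            cols[col].append(m.group())
        return [" ".join(c) for c in cols]

    names = cells(lines[sep - 1])
    return [dict(zip(names, cells(ln))) for ln in lines[sep + 1:]]


def unlinked_processes(pslist_rows, psscan_rows):
    """Split psscan-only processes into (terminated, hidden) lists of (name, pid)."""
    live = {int(r["PID"]) for r in pslist_rows}
    terminated, hidden = [], []
    for r in psscan_rows:
        pid = int(r["PID"])
        if pid in live:
            continue
        # An exit time means the object simply has not been reused yet;
        # no exit time plus no list entry is the unlinking signature.
        (terminated if r["Time exited"] else hidden).append((r["Name"], pid))
    return terminated, hidden


def orphaned_connections(conn_rows, pslist_rows):
    """Connections whose owning PID is absent from the live process list."""
    live = {int(r["PID"]) for r in pslist_rows}
    return [(int(r["Pid"]), r["Local Address"], r["Remote Address"])
            for r in conn_rows if int(r["Pid"]) not in live]


if __name__ == "__main__":
    pslist, psscan, conns = (parse_table(t) for t in (PSLIST, PSSCAN, CONNSCAN))
    terminated, hidden = unlinked_processes(pslist, psscan)
    print("terminated (exit time recorded):", terminated)
    print("hidden (no exit time, not in pslist):", hidden)
    for pid, local, remote in orphaned_connections(conns, pslist):
        print(f"PID {pid}: {local} -> {remote} (owner not in pslist)")
```

The separator-driven parser is the reusable part: it works for any plugin that uses the 2.1 table renderer, so the same join can be extended to sockets, handles or malfind output without writing a new regex per plugin.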
Digital Forensics and Incident Response Summit (a.k.a. Wastin’ Time and Money in Austin with Rob, His Ego, and His Homies)
I know there has been a love fest of blog posts and tweets in the past couple of weeks discussing the 2012 DFIR Summit, so I wanted to offer an opposing and “unbiased” perspective. As I have stated in previous posts, I’ve gotten to the point where I have lost all interest in suffering through these types of events but, in this instance, I wanted to show support for Andrew and Joe. Thus, for the sake of the Volatility Community I was willing to endure instructor “try-outs” and the DFIR “circle back pat”…. which I think is celebrating how the industry is miserably struggling to keep up with advanced adversaries? (No?). The only advantage was that I have seen variations of most of these presentations numerous times, so I could focus my attention on getting actual work done. In this post, I will share a few of my observations: the positives, the negatives, and the strange.
- While I’m once again probably biased, I felt Andrew Case and Joe Sylve both gave outstanding presentations. Andrew discussed his research into Mac memory analysis and Joe discussed memory analysis of Android devices. There are a number of components that made their presentations stand out. First, it was obvious that both speakers possess deep technical backgrounds in computer science and operating system internals, which is unfortunately hard to find these days in the forensics and incident response communities. Despite their technical expertise, they are also both strong practitioners and were able to present the material in an approachable manner. Second, both speakers transitioned their innovative research into open source contributions that other aspiring researchers could build upon and other practitioners can immediately use. Finally, they gave the audience a unique opportunity to learn from and ask questions of the actual developers. Developers often have an amazing perspective that can only be ascertained after having invested the time to actually understand the data and write the tools. This is why it is important that the community continue to Support Open Source Forensics Developers (SOSFD). After experiencing the Summit, as speakers, I would be surprised to see them present there again.
- Mr. Nick Harbour gave one of the more entertaining talks of the event. Granted, he seemed a little bitter since he didn’t have access to his original presentation data. Many of you may remember Nick from his days at Mandiant, where he led up their malware analysis team. Nick is part of a massive talent drain (Hi Wendy!) that has been fleeing Mandiant in recent months. Nick’s presentation discussed a number of “anti*” techniques that can make dealing with advanced threats challenging. He also spent a lot of time discussing the challenges associated with large-scale remediation. My favorite part of the presentation was when he told a story about a company that had paid for a year of IR services but Mandiant was unable to get the targeted adversary out. He conceded that the only reason the adversary left was because there was nothing left to steal! (..So much for finding evil and solving crimes.). He concluded with the following paraphrased quote: “Since I’m no longer an employee, I guess I can say it. We FAILED!” You will have to watch the video for yourself to fully appreciate the candor in his presentation. Everything that glitters (or has marketing videos and glossy reports) ain’t always gold!
- On another positive note, I finally had the pleasure of meeting Mr. Kristinn Gudjonsson, the actual developer of log2timeline. Kristinn is a very nice and intelligent open source developer! Previously, my only contact with the log2timeline project had been listening to Rob’s humble claims “That is a SANS started project. (Time, money, resources, code… AND the idea behind the entire project was my own personal idea that I had been pushing for years openly to the community and never capitalized on it.)…. But the idea, the concept, and the start of it were all my idea.” I always thought that those claims tried to diminish the contribution of the actual developer, and I’m glad to publicly confirm that Kristinn is a lot more talented than just Rob’s code monkey. Shoutz to Kristinn! We can’t wait to see the Python version!
- I was also pleasantly surprised to see that the summit had finally abandoned the question note cards. In previous years, all participants with questions were required to submit those questions on note cards that were collected at the end of the presentation. Those note cards were then reviewed by Rob and he would decide which questions would be asked of the speakers. As I mentioned back in 2009, this killed any notion of open dialogue and definitely biased the types of questions that would actually be asked. I’m glad to see that the yellow question cards have been abandoned.
- Finally, I do want to acknowledge Carol, her team, and the rest of the supporting Summit staff. They do an outstanding job given the resource constraints they are under. If you happen to attend any of the other Summits in the future, please take a moment and thank the supporting staff for their hard work.
- The Summit continues to take what I consider to be an exploitive stance towards its conference speakers, which has a direct impact on the quality of the content. As it has been stated on numerous occasions, the Summit believes that it is doing the speakers a favor by blessing them with the opportunity to present to its audience (Hmmm..an audience of ~150 people with ~20% being conference speakers). As a result, they do not cover any travel expenses for its speakers. In my opinion, this is just one of the reasons that the event is having a tough time attracting interesting content. Most modern conferences understand that a major draw of a conference is the presentations and speakers. As an example, Black Hat covers your flight, your hotel room, and even pays their speakers a stipend. They realize that a major thing that draws people to the event is the speakers and content not the hosting organization. Heh…Vegas may also play a part!
- It was also unfortunate that the Summit had some “technical difficulties” associated with its live streaming. From what I understand, there were a number of people who were watching the event over the Internet, who were very disappointed. While there were a number of claims that this was associated with the poor networking at the hotel, a Summit insider speculated that the “technical difficulties” were probably related to the fact that the Summit was unwilling to pay for an actual USTREAM account. Instead, they were trying to take advantage of the free version (seems like a recurring trend…). Take a moment and consider what an actual account costs in relation to what the attendees are paying to attend the Summit.
- The final negative is the fact that the Summit is hosted in Austin during the middle of the summer. Given the current economic conditions, I know a lot of people do not have large travel budgets, which impacts both attendees and speakers. While Austin is a great city with a burgeoning infosec community, it is also unbearably hot during this time of year. Granted, we did eat at some great restaurants and I had one of the coolest drivers (Curley Culp)! I’ve also heard that next year is going to overlap with Black Hat…Good luck with that!
- I also wanted to mention one last observation, which I found rather strange. As I previously mentioned, I didn’t want to spend a lot of time at the summit, so I decided to fly in late Monday evening. It just so happened that I was sharing a flight with Mr. Harlan Carvey, so we decided to share a shuttle back to the hotel. Upon arrival at the conference hotel, I was notified that I had a special message from the banquet organizer, Angela. I was instructed that I was supposed to call her immediately upon my arrival. It seems that Angela was concerned that I was flying in late and wanted to make sure I didn’t have any travel issues. Imagine that, the hotel’s banquet organizer wanted to make sure I, a mere conference attendee, had made it safely to the event. Was it strange that the keynote speaker for the conference, who was traveling with me, did not have such a note? So the real question is…whom was Angela supposed to notify of my arrival?
In conclusion, my opinion of the Summit has obviously not changed but having the opportunity to see both Andrew’s and Joe’s presentations made the trip worth it. If you are a presenter and you want your presentation to have the broadest impact, I would suggest striving for a venue like Black Hat. If you are an attendee hoping to network, I would suggest saving your money for Black Hat and organizing a meet-up or try an intimate setting like DFRWS. If you care about open source forensics tools, I would suggest Brian’s Open Source Digital Forensics Conference. If you care about cutting edge memory forensics and analysis, you should attend our Open Memory Forensics Workshop (OMFW). If you want to spend a lot of money to hang with Rob and people that are trying to teach for Rob, the Summit is definitely the place for you! Granted, what do I know…. I spend all my time focusing on “just the memory forensics niche” while others put open source tools on a virtual machine that “is challenging FTK and other commercial products and is routinely listed as the 3rd most popular forensic tool” (Stand in awe before the glory!). As with the Summit, does the true value come from the platform or the content that is delivered from that platform? The only thing that can save the community is the community itself. SOSFD!
The Citizen Lab at the University of Toronto recently released a report describing an instance of the FinFisher Suite, a “Governmental IT Intrusion and Remote Monitoring Solution”, which was being sent to Bahraini activists. In the report, the analysts used Volatility to detect “process hollowing” (malfind), detect hooked functions (apihooks), and extract other memory resident artifacts of “finspy” (memdump). It’s great to see that Volatility has become such a valuable resource to anti-virus companies and researchers dealing with “unknown” malware. Shouts to Morgan!
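To show what malfind is looking for when it flags process hollowing, here is an added example that is not Volatility's malfind code. It applies the same basic filter malfind is built on: legitimate code is mapped from a file with execute-only or copy-on-write protection, so a private region marked PAGE_EXECUTE_READWRITE that actually contains data is worth dumping, and if that region sits at the process's image base the original executable has been unmapped and replaced. The Region and Process records, the addresses and the leading bytes are constructed for illustration; the PAGE_* constants are the documented Windows values.

```python
"""malfind-style triage of private RWX regions, with hollowed-image detection.

Added example, not Volatility's malfind. Region/Process records are a simplified
stand-in for the VAD and PEB fields malfind reads; all sample data is constructed.
"""
from dataclasses import dataclass

PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80


@dataclass
class Region:
    start: int
    end: int
    protection: int
    private: bool      # private (VadS-style) memory rather than a mapped file or section
    mapped_file: str   # backing file name when not private, else ""
    head: bytes        # first bytes of the region as read from the memory image


@dataclass
class Process:
    name: str
    pid: int
    image_base: int    # ImageBaseAddress as recorded in the PEB
    regions: list


def hexdump(data, width=16):
    """Render data as hex/ASCII lines, the way a triage tool prints a region's head."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexpart:<{width * 3}} {asc}")
    return lines


def classify(proc, region):
    """Return a label for a suspicious region, or None if it passes the filter."""
    if not region.private or region.protection != PAGE_EXECUTE_READWRITE:
        return None                      # file-backed or not writable+executable
    if not any(region.head):
        return None                      # committed but never written: nothing to dump
    if region.start == proc.image_base:
        return "hollowed image"          # private RWX where the EXE section should be
    if region.head[:2] == b"MZ":
        return "injected PE"
    return "injected code"


def scan(processes):
    """Return (pid, name, start, end, label) for every flagged region."""
    out = []
    for proc in processes:
        for region in proc.regions:
            label = classify(proc, region)
            if label:
                out.append((proc.pid, proc.name, region.start, region.end, label))
    return out


def sample_processes():
    """Constructed process/VAD data for the demo (addresses and bytes invented)."""
    mz = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    prologue = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x33\xdb\x33\xf6"
    explorer = Process("explorer.exe", 1484, 0x01000000, [
        Region(0x01000000, 0x0101ffff, PAGE_EXECUTE_WRITECOPY, False, "explorer.exe", mz),
        Region(0x00090000, 0x0018ffff, PAGE_READWRITE, True, "", bytes(16)),           # stack
        Region(0x00400000, 0x00400fff, PAGE_EXECUTE_READWRITE, True, "", bytes(16)),   # untouched
        Region(0x03a70000, 0x03a8ffff, PAGE_EXECUTE_READWRITE, True, "", mz),          # injected PE
    ])
    hollowed = Process("svchost.exe", 1992, 0x01000000, [
        Region(0x01000000, 0x0101ffff, PAGE_EXECUTE_READWRITE, True, "", mz),          # replaced image
        Region(0x00130000, 0x0013ffff, PAGE_EXECUTE_READWRITE, True, "", prologue),    # loose code
    ])
    return [explorer, hollowed]


if __name__ == "__main__":
    for pid, name, start, end, label in scan(sample_processes()):
        print(f"{name} (PID {pid}) 0x{start:08x}-0x{end:08x}: {label}")
        proc = next(p for p in sample_processes() if p.pid == pid)
        region = next(r for r in proc.regions if r.start == start)
        for line in hexdump(region.head):
            print("   ", line)
```

Volatility's real malfind reads the protection and private-memory flag from each _MMVAD and the image base from the PEB; the point of the simplified records here is that the decision itself is small, and that "RWX at the image base" is the single fact that turns a generic injection hit into a hollowing finding.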
If you are planning to attend Black Hat USA 2012 and are still looking for training, I recommend you check out Digital Forensics and Incident Response by Andrew Case (attc) and Jamie Levy (gleeda). Besides learning from two of the top investigators in the industry, this is also an opportunity to “Support Open Source Forensics Developers”(SOSFD). Personally, I’ve lost faith in “Big-Box” training organizations who exploit open source developers and will only use my training budget to support those who actually contribute back to the community. Shoutz to attc and gleeda!