June 4, 2008
This paper discusses how encryption keys can be extracted from samples of physical memory using a linear scanning technique that attempts to find key patterns. The techniques were demonstrated using TrueCrypt running on Windows XP. The paper is well written and an easy read for those interested in the topic. The paper does not mention the related work performed by the Princeton team as part of the “cold boot” paper, but it is possible that this paper was submitted before the Princeton paper was released. They also make the argument that the method we presented in the VolaTools paper would not work because the source code is not available, but the source code is available and our technique does work! Maybe they could have found a more compelling example. Thanks to Jesse for pointing me to the paper!
June 2, 2008
OMFW Update
Thanks to all those who contacted me over the weekend, half of the available seats are now reserved for the Open Memory Forensics Workshop (OMFW)! I also wanted to take this opportunity to address some of the questions we have received:
- OMFW participants are not required to register for DFRWS, but we would recommend it. There are a number of exciting talks about memory forensics being presented at DFRWS this year.
- We have also received a number of questions about the cost of OMFW. There is no registration fee for OMFW. We want OMFW to be open to all people interested in contributing to the open source memory forensics community.
May 30, 2008
Open Memory Forensics Workshop (OMFW)
Volatile memory forensics (i.e., RAM forensics) is becoming an extremely important topic for the future of digital investigations. It has the potential to dramatically transform the way we currently perform digital investigations and to help address many of the challenges currently facing the digital forensics community.
We are pleased to announce the first ever workshop focused on open source volatile memory analysis. This workshop will bring together digital investigation researchers and practitioners to discuss the latest advancements in volatile memory analysis. You will also learn how memory analysis is currently being used to augment digital investigations. Through a series of invited talks and panel discussions you will have the opportunity to engage this exciting community.
This half-day workshop will be co-located with the Digital Forensics Research Workshop (DFRWS) 2008 in Baltimore, Maryland, USA, on August 10, 2008. Pre-registration is required and space is limited, so register early. Please note that it will not be possible to register at the door. Reserve your seat by contacting AAron Walters (awalters [at] 4tphi [dot] net). We are also still seeking individuals with interesting insights who would like to participate as a speaker or panelist.
Join with industry leaders to discuss the latest advancements in memory forensics and the importance of open source initiatives. This is your opportunity to help shape the future of memory forensics!
Invited speakers and panelists include:
- Dr. Brian Carrier (Basis Technology)
- Eoghan Casey (ONKC)
- Dr. Michael Cohen (Australian Federal Police)
- Brian Dykstra (Jones Dykstra & Associates)
- Brendan Dolan-Gavitt (Georgia Institute of Technology)
- Matthew Geiger (CERT)
- Keith Jones (Jones Dykstra & Associates)
- Jesse Kornblum (ManTech)
- Andreas Schuster (Deutsche Telekom AG)
- AAron Walters (Volatile Systems, LLC)
- More to be announced...
Brought to you by the Volatility Team: Open Source Memory Forensics.
May 24, 2008
Firms that hire “reformed” hackers to audit or guard their systems are not acting prudently any more than if they hired a “reformed” pedophile to babysit their kids. First of all, the ability to hack into a system involves a skill set that is not identical to that required to design a secure system or to perform an audit. Considering how weak many systems are, and how many attack tools are available, “hackers” have not necessarily been particularly skilled. (The same is true of “experts” who discover attacks and weaknesses in existing systems and then publish exploits, by the way — that behavior does not establish the bona fides for real expertise. If anything, it establishes a disregard for the community it endangers.)
Excerpt from CERIAS Weblog. Prof. Eugene Spafford, Executive Director of the Purdue CERIAS (Center for Education and Research in Information Assurance and Security). I know I have referenced this quote before but after reading Bejtlich’s post I figured it was worth highlighting again. Thanks for everything Spaf!
May 17, 2008
Yes, I know it is written in Italian, but you can find a translated version here. PTK has recently added the ability to do keyword searching on the data found within memory images. As we previously mentioned, they have also recently announced the inclusion of Volatility 1.1.1 in their upcoming release! Shouts to the PTK team!
May 9, 2008
“To all those who don’t like the license: you don’t have to use it. Just write your own code.” Shouts to the guys at gpl-violations.org!
May 7, 2008
Congratulations to Matthieu Suiche on getting his presentation accepted to Black Hat. You could probably even convince him to discuss recent GPL violations! While legal recourse is being pursued, maybe this will provide extra motivation for violators to respect the legal system and the community. Matthieu is doing some interesting work and has been a great help with some of the new functionality being added to Volatility 1.3. If you are in Vegas, you should check out his presentation!
May 6, 2008
Research maxims: (1) Pay attention to details. (2) Don’t make stuff up.
Prof. Roy A. Maxion, Carnegie Mellon University, Computer Science Department.
May 5, 2008
The program for DFRWS 2008 has been posted. There are a number of papers discussing important advancements in memory forensic analysis that you won’t want to miss. In particular, I want to congratulate Andreas Schuster, Brendan Dolan-Gavitt, and Dr. Michael Cohen on getting their papers accepted. The great work these gentlemen are doing is helping to make Volatility the most advanced memory forensics framework. It’s encouraging to see people who are actually contributing to the open source community be rewarded for their hard work! Stay tuned for more exciting DFRWS announcements!