Mac OS X and Android Memory Forensics Support Coming Soon to Volatility
While I generally would never encourage anyone to suffer through a “Rob Lee” event (how much talk of shiny metal coins and APT can a person handle?), you might want to make an exception next week if you happen to be in Austin, Texas. Andrew Case (@attrc) will be discussing his recent research efforts to add Mac OS X support to Volatility. While Matthieu Suiche and the Volafox team did some great research to introduce the topic of Mac memory analysis, Andrew has created a number of new Volatility plugins to dramatically expand the types of artifacts that can be extracted. He will also be discussing his new Address Space Plugins that will finally allow analysts to investigate both x86 and x64 memory samples acquired by Mac Memory Reader. Finally, his presentation will also discuss new capabilities for detecting adversaries that had been hiding undetected within the opaqueness of your Mac’s kernel memory. Having seen a preview of the research and presentation, I definitely recommend checking it out! Wait till you see what he has in store for OMFW!
As an added bonus, Joe Sylve (@jtsylve) will be discussing the steps involved in acquiring physical memory samples from Android devices and how those samples can also be analyzed with Volatility. I’m excited that we will soon be able to analyze Windows, Linux, Mac, and Android memory samples from one cohesive framework. Shoutz to Andrew, Joe, and the other members of the Volatility team who have been working to integrate these capabilities.
Rob it must be depressing that your most interesting presentations are topics in the “memory forensic niche”..Oh the irony.. Shoutz to all those who truly “Support Open Source Forensics Developers”!