Volatility

Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Malware

Fri, 15 Feb 2013 02:05:44 -0500

If you are planning to head out to RSA this year, you should definitely add Andrew Case’s talk, “Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Malware” to your schedule. His talk will be Wednesday, February 27 9:20-10:20 AM in Room 120. Considering all the veiled marketing pitches you will have to endure, you might as well take time out to listen to someone who is actually technical and contributing to the community. Besides, his talk will be far more informative than paying another $2,000 to hear someone explain how they lethally “Googled” Andrew’s work. On that note, it will also be a good opportunity to show your support for open source forensics developers (#SOSFD). Members of the Volatility Team will also be roaming the halls or drinking tea, if you are interested in meeting up!

1st Annual Volatility Plugin Contest

Tue, 15 Jan 2013 02:01:06 -0500

1st Annual Volatility Plugin Contest:

Here’s your opportunity to impress your colleagues and become the inaugural member of the “Volatility Hall of Fame”. The contest is straightforward: Develop an innovative and useful extension to The Volatility Framework, impress the judges, and win the contest! Did I also mention you could win cold hard cash ($$$)? See the Volatility Labs site for details.

Windows Malware and Memory Forensics Training in "My Kind of Town"!

Tue, 15 Jan 2013 01:39:29 -0500

Windows Malware and Memory Forensics Training in "My Kind of Town"!:

If you were unable to attend the training we held in December, I encourage you to check out “Windows Malware and Memory Forensics” being held in Chicago, during the week of March 18th-22nd. This is the only Windows memory forensics course officially designed, endorsed, and taught by the Volatility developers. The content being taught is so valuable that trainers from competing courses have attempted to surreptitiously register their spouses just to steal material! One of our recent attendees summed up the value of learning from the actual developers:

“The instructors answered your questions more thoroughly than any I’ve encountered. Highly, highly recommended!” (Jason B., Jones Dykstra and Associates)

Slides and Video from "Analyzing Malware in Memory" Webinar

Tue, 15 Jan 2013 00:49:14 -0500

Slides and Video from "Analyzing Malware in Memory" Webinar:

If you missed Andrew’s presentation on finding malware artifacts in memory using Volatility, the slides and video were recently posted. Shoutz to Andrew!

Analyzing Malware in Memory

Mon, 17 Dec 2012 15:06:47 -0500

Analyzing Malware in Memory:

As a part of the Hacker Academy’s new Deep Dive Series, Andrew Case will be discussing techniques for finding malware artifacts in physical memory with Volatility. The webinar takes place tomorrow (December 18) at 7pm Eastern. Don’t miss an opportunity to learn from one of the core Volatility developers and show your support for open source forensics (#SOSFD). Early registration is required. Shoutz to attc and the Hacker Academy!

Android Forensics with Volatility

Thu, 15 Nov 2012 02:09:52 -0500

Android Forensics with Volatility:

If you have some time tomorrow, you should check out Andrew Case discussing Android Forensics during the DFIROnline meeting at 2000 US Eastern time. This is your opportunity to learn about the latest research in RAM analysis of Android devices and how that research is accessible to practitioners within The Volatility Framework. Shoutz to Andrew and all those who Support Open Source Forensics Developers (#SOS-FD)!

Memory Analysis with Volatility at CTIN

Tue, 13 Nov 2012 03:50:29 -0500

Memory Analysis with Volatility at CTIN:

If you happen to be in Seattle area in March, Russ McRee, a member of Microsoft’s Online Services Security & Compliance team, will be giving a presentation on Volatility at the CTIN Digital Forensics Conference.

This discussion will cover the complete life cycle of memory acquisition and analysis for forensics and incident response, using Volatility.

Volatility has been referred to as the Python version of the Windows Internals book, given how much can be learned about Windows by reviewing how Volatility enumerates evidence. We’ll conduct real-time analysis and examine Volatility’s plug-in capabilities.

The Volatility project shortens the amount of time it takes to put cutting-edge research into the hands of practitioners, while encouraging and pushing the technical advancement of the digital forensics field.

Join us and learn more about this outstanding tool.

Shoutz to Russ!

Using Volatility to Detect the 0-day Blacksheep with no Signatures

Tue, 13 Nov 2012 02:50:32 -0500

Using Volatility to Detect the 0-day Blacksheep with no Signatures:

A team of researchers from the University of California at Santa Barbara demonstrated how Volatility could be used to monitor for indicators of compromise across an enterprise without signatures:

“Blacksheep functions by detecting anomalous memory dumps collected from a group of machines instead of looking for specific signatures of infection, it does not require the use of signatures. As such, it is well-built to handle previously-unseen malware threats.”

It’s great to see that Volatility continues to be the basis of research published at the nations top information security conferences. It’s exciting to think that the same industry leading framework that is used daily by digital forensics practitioners is also being used for cutting-edge research by some of the nations top security academics. Shoutz to the UCSB team!

Windows Memory Forensics Training for Analysts by Volatility Developers

Wed, 07 Nov 2012 11:09:30 -0500

Windows Memory Forensics Training for Analysts by Volatility Developers:

We are pleased to announce the first public offering of the Windows Memory Forensics for Analysts training course. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework’s extensive set of plugins. Now you can reap these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool.

Dates: Monday, December 3rd through Friday, December 7th 2012
Location: Reston, Virginia (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda). Please see the VolatilityTeam wiki page for brief bios.

"Virtual Machine Introspection in a Hybrid Honeypot Architecture" with Volatility

Thu, 13 Sep 2012 02:56:19 -0400

"Virtual Machine Introspection in a Hybrid Honeypot Architecture" with Volatility:

In this paper, recently published at the 5th Workshop on Cyber Security Experimentation and Test, the researchers describe how they used Volatility in conjunction with LibVMI to create a hybrid honeypot architecture based on virtual machine introspection. They leverage Volatility’s powerful plugins to analyze the run time state of the systems and detect any changes that may arise. It’s great to see that researchers from top universities continue to publish research that builds upon The Volatility Framework (TVF). Shoutz to BDP and the rest of the research team!

Tracking The Volatility Project

Wed, 12 Sep 2012 15:16:04 -0400

If you are one of those people who likes to stay up to date on the latest happenings in the world of memory forensics and Volatility, there are a some new resources you should definitely check out:

Volatility Labs: This blog will now be the official blog of The Volatility Project. To kickstart the new blog and celebrate the upcoming OMFW, we are currently hosting the Month of Volatility Plugins (MoVP).

@Volatility: For those who want to follow the Volatility Development Team and get the inside track on upcoming events (ie the exciting new training courses), you should check us out on Twitter. Those who follow @Volatility will also be eligible for training discounts and receive priority registration for Volatility events.

Volatility Wiki: Thanks to MHL the Volatility Wiki page is receiving a much needed facelift. Check it out and let us know what you think!

OMFW 2012 Update: Limited Seats Remaining

Thu, 23 Aug 2012 01:15:45 -0400

If you were considering reserving a seat at the Open Memory Forensics Workshop (OMFW) 2012, we suggest you don’t wait too long. We only have a couple of seats still available. Once those seats are filled, we will have to wait list requests until someone cancels. For those who already have a confirmed reservation, we will be sending out the logistics details this weekend. It’s exciting to see all the new analysts wanting to unleash the power of the real memory forensics framework. Who takes pride in being a misguided tool user? Don’t be left out!

Recovering Tmpfs from Linux Memory Samples with Volatility

Sun, 19 Aug 2012 04:01:15 -0400

Recovering Tmpfs from Linux Memory Samples with Volatility:

Andrew Case recently wrote another interesting blog post describing his new tmpfs plugin for Volatility. This plugin has a number of exciting and unexpected forensic applications, especially when you start analyzing Android samples. (Rumor has it this years DFRWS Rodeo involved analyzing Android memory samples with Volatility.) Shoutz to Andrew! You will not want to miss his OMFW presentation!

Identifying TrueCrypt Artifacts in RAM with Volatility 2.1

Sun, 19 Aug 2012 03:37:33 -0400

Identifying TrueCrypt Artifacts in RAM with Volatility 2.1:

If you are not a member of the Volatility Users mailing list, you probably missed a recent thread discussing how to identify TrueCrypt artifacts in physical memory with Volatility 2.1. Lucky for you, “Bridgey the Geek” created a document that summarized the thread and his observations. If you are interested in TrueCrypt, you may also want to check out the research we did in 2007 to extract the TrueCrypt master key.

Volatility 2.1 Released! (Official x64 Support)

Mon, 06 Aug 2012 11:26:51 -0400

Volatility 2.1 Released! (Official x64 Support):

We are very excited to announce the official release of Volatility 2.1! While the main goal of this release was to get x64 support into an official release, we also sneaked in a number of interesting new capabilities! Highlights of this release include:

New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64)
Majority of Existing Plugins Updated with x64 Support
Merged Malware Plugins into Volatility Core with Preliminary x64 Support (see FeaturesByPlugin21)
WindowsHiberFileSpace32 Overhaul (also includes x64 Support)

Expanded Operating System Profiles:
Windows XP SP1, SP2 and SP3 x86
Windows XP SP1 and SP2 x64 (there is no SP3 x64)
Windows Server 2003 SP0, SP1, and SP2 x86
Windows Server 2003 SP1 and SP2 x64 (there is no SP0 x64)
Windows Vista SP0, SP1, and SP2 x86
Windows Vista SP0, SP1, and SP2 x64
Windows Server 2008 SP1 and SP2 x86 (there is no SP0)
Windows Server 2008 SP1 and SP2 x64 (there is no SP0)
Windows Server 2008 R2 SP0 and SP1 x64
Windows 7 SP0 and SP1 x86
Windows 7 SP0 and SP1 x64

Plugin Additions (Now Over 70+ Analysis Plugins!):
Printing Process Environment Variables (envvars)
Inspecting the Shim Cache (shimcache)
Profiling Command History and Console Usage (cmdscan, consoles)
Converting x86 and x64 Raw Dumps to MS CrashDump (raw2dmp)

Plugin Enhancements:
Verbose details for kdbgscan and kpcrscan
idt/gdt/timers plugins cycle automatically for each CPU
apihooks detects LSP/winsock procedure tables
New Output Formatting Support (Table Rendering)

New Mechanism for Profile Modifications
New Registry API Support
New Volshell Commands
Updated Documentation and Command Reference

In particular, I also wanted to take this opportunity to recognize those on the development team who helped push to make this release possible: Mike Auty, Andrew Case, Michael Cohen, Michael Hale Ligh, and Jamie Levy. These are the people who make a number of sacrifices in their own personal lives to continue to bring you the most advanced memory forensics framework in the world! If you appreciate the hard work they put into Volatility, I encourage you to Support Open Source Forensics Developers (SOSFD). Finally, shoutz to the Volatility Community for their continued support and feedback!

As an added bonus, we will also be releasing Volatility 2.2 at the Open Memory Forensics Workshop 2012 on October 2. This will be your only opportunity to learn about all the new features in 2.1 and 2.2 from the actual Volatility development team. Please register early. Seats are filling up fast.

Open Memory Forensics Workshop (OMFW) 2012 Update

Mon, 06 Aug 2012 00:06:43 -0400

We are excited to announce that over half the seats for the Open Memory Forensics Workshop (OMFW) have already been reserved. It’s also great to see a large number of first time attendees from across government, academic, and commercial institutions. This is your one chance a year to hear about the latest research in memory forensics from the people who are pioneering the field. Having insider information about the presentations, I guarantee this will be one of the best workshops we have ever held and you will be amazed! If you are still planning to attend, we suggest you register as soon as possible to make sure you have a seat. We will be confirming the venue seating capacity this week. We also wanted to take this opportunity to address some of the questions we have received:

OMFW participants are not required to register for OSDFC. In fact, these are actually two separate events that just “happen” to be occurring around the same time. OMFW will be held at a different, but nearby, location so on-site registration at OSDFC will not be possible.

The only way to register for OMFW is to email: info@volatilesystems.com. Once you email this address, a seat will be reserved for you, assuming one is available, and you will receive details about completing registration.

Analyzing Cridex with Volatility

Fri, 03 Aug 2012 11:10:19 -0400

Analyzing Cridex with Volatility:

In this blog post, Andre DiMino demonstrates how to use Volatility to analyze a Cridex sample. In particular, he extracts information from physical memory related to processes (psscan, pslist), network activity (connections, connscan, sockets, sockscan,), mutants (handles), and suspicious memory allocations (malfind, vaddump). He then demonstrates how an analyst can combine that data with Maltego. Andre was also kind enough to make the Cridex memory sample available. What can you find? Shoutz to Andre!

Digital Forensics and Incident Response Summit (a.k.a Wastin’ Time and Money in Austin with Rob, His Ego, and His Homies)

Mon, 30 Jul 2012 15:23:38 -0400

I know there has been a love fest of blog posts and tweets in the past couple of weeks discussing the 2012 DFIR Summit, so I wanted to offer an opposing and “unbiased” perspective. As I have stated in previous posts, I’ve gotten to the point where I have lost all interest in suffering through these types of events but, in this instance, I wanted to show support for Andrew and Joe. Thus, for the sake of the Volatility Community I was willing to endure instructor “try-outs” and the DFIR “circle back pat”…. which I think is celebrating how the industry is miserably struggling to keep up with advanced adversaries? (No?). The only advantage was that I have seen variations of most of these presentations numerous times, so I could focus my attention on getting actual work done. In this post, I will share a few of my observations: the positives, the negatives, and the strange.

Positives:

While I’m once again probably biased, I felt Andrew Case and Joe Sylve both gave outstanding presentations. Andrew discussed his research into Mac memory analysis and Joe discussed memory analysis of Android devices. There are a number of components that made their presentations standout. First, it was obvious that both speakers possess deep technical backgrounds in computer science and operating system internals, which is unfortunately hard to find these days in the forensics and incident response communities. Despite their technical expertise, they are also both strong practitioners and were able to present the material in an approachable manner. Second, both speakers transitioned their innovative research into open source contributions that other aspiring researchers could build upon and other practitioners can immediately use. Finally, they gave the audience a unique opportunity to learn from and ask questions of the actual developers. Developers often have an amazing perspective that can only be ascertained after having invested the time to actually understand the data and write the tools. This is why it is important that the community continue to Support Open Source Forensics Developers (SOSFD). After experiencing the Summit, as speakers, I would be surprised to see them present there again.
Mr. Nick Harbour gave one of the more entertaining talks of the event. Granted, he seemed a little bitter since he didn’t have access to his original presentation data. Many of you may remember Nick from his days at Mandiant, where he led up their malware analysis team. Nick is part of a massive talent drain (Hi Wendy!) that has been fleeing Mandiant in recent months. Nick’s presentation discussed a number of “anti*” techniques that can make dealing with advanced threats challenging. He also spent a lot of time discussing the challenges associated with large-scale remediation. My favorite part of the presentation was when he told a story about a company that had paid for a year of IR services but Mandiant was unable to get the targeted adversary out. He conceded that the only reason the adversary left was because there was nothing left to steal! (..So much for finding evil and solving crimes.). He concluded with the following paraphrased quote: “Since I’m no longer an employee, I guess I can say it. We FAILED!” You will have to watch the video for yourself to fully appreciate the candor in his presentation. Everything that glitters (or has marketing videos and glossy reports) ain’t always gold!
On another positive note, I finally had the pleasure of meeting Mr. Kristinn Gudjonsson, the actual developer of log2timeline. Kristinn is a very nice and intelligent open source developer! Previously, my only contact with the log2timeline project had been listening to Rob’s humble claims “That is a SANS started project. (Time, money, resources, code… AND the idea behind the entire project was my own personal idea that I had been pushing for years openly to the community and never capitalized on it.)…. But the idea, the concept, and the start of it were all my idea.” I always thought that those claims tried to diminish the contribution of the actual developer, and I’m glad to publicly confirm that Kristinn is a lot more talented than just Rob’s code monkey. Shoutz to Kristinn! We can’t wait to see the Python version!
I was also pleasantly surprised to see that the summit had finally abandoned the question note cards. In previous years, all participants with questions were required to submit those questions on note cards that were collected at the end of the presentation. Those note cards were then reviewed by Rob and he would decide which questions would be asked of the speakers. As I mentioned back in 2009, this killed any notion of open dialogue and definitely biased the types of questions that would actually be asked. I’m glad to see that the yellow question cards have been abandoned.
Finally, I do want to acknowledge Carol, her team, and the rest of the supporting Summit staff. They do an outstanding job given the resource constraints they are under. If you happen to attend any of the other Summits in the future, please take a moment and thank the supporting staff for their hard work.

Negatives:

The Summit continues to take what I consider to be an exploitive stance towards its conference speakers, which has a direct impact on the quality of the content. As it has been stated on numerous occasions, the Summit believes that it is doing the speakers a favor by blessing them with the opportunity to present to its audience (Hmmm..an audience of ~150 people with ~20% being conference speakers). As a result, they do not cover any travel expenses for its speakers. In my opinion, this is just one of the reasons that the event is having a tough time attracting interesting content. Most modern conferences understand that a major draw of a conference is the presentations and speakers. As an example, Black Hat covers your flight, your hotel room, and even pays their speakers a stipend. They realize that a major thing that draws people to the event is the speakers and content not the hosting organization. Heh…Vegas may also play a part!
It was also unfortunate that the Summit had some “technical difficulties” associated with it’s live streaming. From what I understand, there were a number of people who were watching the event over the Internet, who were very disappointed. While there were a number of claims that this was associated with the poor networking at the hotel, a Summit insider speculated that the “technical difficulties” were probably related to the fact that the Summit was unwilling to pay for an actual USTREAM account. Instead, they were trying to take advantage of the free version (seems like a reoccurring trend…). Take a moment and consider what an actual account costs in relation to what the attendees are paying to attend the Summit.
The final negative is the fact that the Summit is hosted in Austin during the middle of the summer. Given the current economic conditions, I know a lot of people do not have large travel budgets, which impacts both attendees and speakers. While Austin is a great city with a bourgeoning infosec community, it is also unbearably hot during this time of year. Granted, we did eat at some great restaurants and I had one of the coolest drivers (Curley Culp)! I’ve also heard that next year is going to overlap with Black Hat…Good luck with that!

Strange:

I also wanted to mention one last observation, which I found rather strange. As I previously mentioned, I didn’t want to spend a lot of time at the summit, so I decided to fly in late Monday evening. It just so happened that I was sharing a flight with the Mr. Harlan Carvey, so we decided to share a shuttle back to the hotel. Upon arrival at the conference hotel, I was notified that I had a special message from the banquet organizer, Angela. I was instructed that I was supposed to call her immediately upon my arrival. It seems that Angela was concerned that I was flying in late and wanted to make sure I didn’t have any travel issues. Imagine that, the hotel’s banquet organizer wanted to make sure I, a mere conference attendee, had made it safely to the event. Was it strange that the keynote speaker for the conference, who was traveling with me, did not have such a note? So the real question is…whom was Angela supposed to notify of my arrival?

In conclusion, my opinion of the Summit has obviously not changed but having the opportunity to see both Andrew’s and Joe’s presentations made the trip worth it. If you are a presenter and you want your presentation to have the broadest impact, I would suggest striving for a venue like Black Hat. If you are an attendee hoping to network, I would suggest saving your money for Black Hat and organizing a meet-up or try an intimate setting like DFRWS. If you care about open source forensics tools, I would suggest Brian’s Open Source Digital Forensics Conference. If you care about cutting edge memory forensics and analysis, you should attend our Open Memory Forensics Workshop (OMFW). If you want to spend a lot of money to hang with Rob and people that are trying to teach for Rob, the Summit is definitely the place for you! Granted, what do I know…. I spend all my time focusing on “just the memory forensics niche” while others put open source tools on a virtual machine that “is challenging FTK and other commercial products and is routinely listed as the 3rd most popular forensic tool” (Stand in awe before the glory!). As with the Summit, does the true value come from the platform or the content that is delivered from that platform? The only thing that can save the community, is the community itself. SOSFD!

Using Volatility to Detect the FinFisher Suite

Sun, 29 Jul 2012 16:50:38 -0400

Using Volatility to Detect the FinFisher Suite:

The Citizen Lab at the University of Toronto recently released a report describing an instance of the FinFisher Suite, a “Governmental IT Intrusion and Remote Monitoring Solution”, which was being sent to Bahraini activitists. In the report, the analysts used Volatility to detect “process hollowing” (malfind), detect hooked functions (apihooks), and extract other memory resident artifacts of “finspy” (memdump). It’s great to see that Volatility has become such a valuable resource to anti-virus companies and researchers dealing with “unknown” malware. Shouts to Morgan!

SOSFD: Digital Forensics and Incident Response Training

Tue, 03 Jul 2012 02:29:26 -0400

SOSFD: Digital Forensics and Incident Response Training:

If you are planning to attend Black Hat USA 2012 and are still looking for training, I recommend you check out Digital Forensics and Incident Response by Andrew Case (attc) and Jamie Levy (gleeda). Besides learning from two of the top investigators in the industry, this is also an opportunity to “Support Open Source Forensics Developers”(SOSFD). Personally, I’ve lost faith in “Big-Box” training organizations who exploit open source developers and will only use my training budget to support those who actually contribute back to the community. Shoutz to attc and gleeda!