Volatility

Volatility 1.1.2: Bug Fixes

Fri, 20 Jun 2008 10:01:00 -0400

Volatility 1.1.2: Bug Fixes: With the recent increase in acquisition tools, there are obviously more people capturing samples of physical memory. As a result, we decided to back port the bug fixes from the upcoming 1.3 release into the 1.1 branch. This release will also support samples taken from SP3 systems. Let us know if you have any issues! We will keep you posted on the status of 1.3! If you have any questions, feel free to post them to the Volatility mailing list.

Bait and Switch in Video

Wed, 18 Jun 2008 14:32:00 -0400

Bait and Switch in Video: Despite the infamous drug dealer, BSHary, attempts to to censor him, Sippy has an interesting blog post. In particular, I found keydet89’s comment interesting: “Having sat with the vendor, seen the videos and worked with their tool…ugh. That’s all I can say.” I guess this is to be expected from the same people who create and sell rootkits, including the one used by the Storm bot net.

Update: MDD released under the GPL

Wed, 18 Jun 2008 09:28:16 -0400

Update: MDD released under the GPL: The latest version of the mdd acquisition tool was released yesterday. I’m glad they fixed the compiling issue and finally decided to release all aspects under the GPL! (They may have had help in making that decision!). I’m sure they would appreciate any testing and feedback you can provide. Until it has been tested more, my normal caveats apply about running it in a production environment. Over the last five years collecting memory samples, we have seen unexpected things happen in production environments, especially on critical servers. Make sure you know what you are doing and have the proper memory forensics training!

Open Source Memory Acquisition

Sun, 15 Jun 2008 23:34:32 -0400

In case any of you may have missed it, there were a number of developments this weekend on the “open source” memory acquisition front. On Friday, Ben Stotts of ManTech International Corporation released MDD a physical memory acquisition tool for Windows computers. Jesse also discussed details about the tool in two recent blog posts. The first announcing the initial release (Thanks for the Volatility reference!) and the second addressing feedback. There still seems to be a great deal of confusion as to how this tool will be licensed. Both the website and the project page claim it will be GPL’d but they have failed to include the code for the driver, which would seem to be at odds with the GPL. Unfortunately, it also appears that the initial release of the tool does not work as distributed. Hopefully these issues will be cleared up shortly! After a few modifications, the tool can be coerced into working and we were able to successfully analyze the acquired samples with Volatility.

In related developments, Volatility friend and contributor Matthieu Suiche, the creator of Sandman, decided he wanted to be the first person to release a “truly” open source memory acquisition driver. Thus he released an independently developed open source memory acquisition driver this weekend, win32dd. Details can be found in his blog. As with mdd, we have also been able to successfully analyze samples collected with win32dd using Volatility. You have to admit that this is very impressive for 3 days of programming by a high school student preparing for exams. Good luck Matthieu!

While neither tool is probably ready, at this point, to replace your commercial acquisition tools, they are promising developments for the open memory forensics community. I know both projects would highly appreciate any auditing or testing you are able to provide. Hopefully through the help of the community and these two projects we will be able to develop a robust open source acquisition solution.

This has also motivated us to finally announce the Memory Forensics Tool Testing Initiative.

Libewf offers improved support for memory samples

Fri, 13 Jun 2008 09:59:00 -0400

Libewf offers improved support for memory samples: The latest version of libewf, libewf-beta-20080609, has been updated to offer improved support for memory samples stored in ewf. In case, a vendor may want to store samples in that format. The samples can now be converted back to raw samples which you can process with your favorite analysis tools (including Volatility!). They can also be handled natively by PyFlag! Thanks to Joachim Metz and Robert-Jan Mora for all their great work! So next time you get a sample with an E01 extension, you know what to do…

Recovery of Encryption Keys from Memory Using a Linear Scan

Wed, 04 Jun 2008 13:14:00 -0400

Recovery of Encryption Keys from Memory Using a Linear Scan: This paper discusses how encryption keys can be extracted from samples of physical memory using a linear scanning technique that attempts to find key patterns. The techniques were demonstrated using TrueCryp t running on Windows XP. The paper is written well and an easy read for those interested in the topic. The paper does not mention the related work performed by the Princeton team, as part of the “cold boot” paper, but it is possible that this paper may have been submitted before the Princeton paper was released. They also make the argument that the method we presented in the VolaTools paper would not work because the source code is not available but the source code is available and our technique does work! Maybe they could have found a more compelling example. Thanks to Jesse for pointing me to the paper!

OMFW Update

Mon, 02 Jun 2008 17:07:27 -0400

Thanks to all those who contacted me over the weekend, half of the available seats are now reserved for the Open Memory Forensics Workshop (OMFW)! I also wanted to take this opportunity to address some of the questions we have received:

OMFW participants are not required to register for DFRWS, but we would recommend it. There are a number of exciting talks about memory forensics being presented at DFRWS this year.
We have also received a number of questions about the cost of OMFW. There is no registration fee for OMFW. We want OMFW to be open to all people interested in contributing to the open source memory forensics community.

Open Memory Forensics Workshop (OMFW)

Fri, 30 May 2008 16:13:00 -0400

Volatile memory forensics (ie., RAM forensics) is becoming an extremely important topic to the future of digital investigations. It has the potential to dramatically transform the way we currently perform digital investigations and help address many of the challenges currently facing the digital forensics community.

We are pleased to announce the first ever workshop focused on open source volatile memory analysis. This workshop will bring together digital investigation researchers and practitioners to discuss the latest advancements in volatile memory analysis. You will also learn how memory analysis is currently being used to augment digital investigations. Through a series of invited talks and panel discussions you will have the opportunity to engage this exciting community.

This half-day workshop will be co-located with Digital Forensics Research Workshop (DFRWS) 2008 in Baltimore, Maryland, USA, on August 10, 2008. Pre-registration is required and space is limited, so register early. Please note that it will not be possible to register at the door. Reserve your seat by contacting: AAron Walters (awalters [at] 4tphi [dot] net). We are also still seeking individuals with interesting insights who would like to participate as a speaker or panelist.

Join with industry leaders to discuss the latest advancements in memory forensics and the importance of open source initiatives. This is your opportunity to help shape the future of memory forensics!

Invited speakers and panelists include:

Dr. Brian Carrier (Basis Technology)
Eoghan Casey (ONKC)
Dr. Michael Cohen (Australian Federal Police)
Brian Dykstra (Jones Dykstra & Associates)
Brendan Dolan-Gavitt (Georgia Institute of Technology)
Matthew Geiger (CERT)
Keith Jones (Jones Dykstra & Associates)
Jesse Kornblum (ManTech)
Andreas Schuster (Deutsche Telekom AG)
AAron Walters (Volatile Systems, LLC)
More to be announced……

Brought to you by the Volatility Team: Open Source Memory Forensics.

"Firms that hire “reformed” hackers to audit or guard their systems are not acting prudently any more..."

Sat, 24 May 2008 10:42:00 -0400

“Firms that hire “reformed” hackers to audit or guard their systems are not acting prudently any more than if they hired a “reformed” pedophile to babysit their kids. First of all, the ability to hack into a system involves a skill set that is not identical to that required to design a secure system or to perform an audit. Considering how weak many systems are, and how many attack tools are available, “hackers” have not necessarily been particularly skilled. (The same is true of “experts” who discover attacks and weaknesses in existing systems and then publish exploits, by the way — that behavior does not establish the bona fides for real expertise. If anything, it establishes a disregard for the community it endangers.)”

- Excerpt from CERIAS Weblog. Prof. Eugene Spafford, Executive Director of the Purdue CERIAS (Center for Education and Research in Information Assurance and Security). I know I have referenced this quote before but after reading Bejtlich’s post I figured it was worth highlighting again. Thanks for everything Spaf!

PTK Memory Dump Keyword Search

Sat, 17 May 2008 11:32:13 -0400

PTK Memory Dump Keyword Search: Yes, I know it is written in Italian but you can find a translated version here. PTK has recently added the ability to do keyword searching on the data found within an memory images. As we previously mentioned, they have also recently announced the inclusion of Volatility 1.1.1 in their upcoming release! Shouts to the PTK team!

UserDump Memory Forensics

Thu, 15 May 2008 12:43:41 -0400

UserDump Memory Forensics: Often during engagements, we run across people who collect Win32 process memory images using Microsoft’s userdump utility. We will now be able to process those images natively within Volatility. Shouts to Brendan Dolan-Gavitt!

The GPL Wins Again

Fri, 09 May 2008 13:58:00 -0400

The GPL Wins Again: “To all those who don’t like the license: you don’t have to use it. Just write your own code.” Shouts to guys at gpl-violations.org!

Windows Hibernation File for Fun and Profit

Wed, 07 May 2008 07:47:00 -0400

Windows Hibernation File for Fun and Profit: Congratulations to Matthieu Suiche on getting his presentation accepted to Black Hat. You could probably even convince him to discuss recent GPL violations! While legal recourse is being pursued, maybe this will provide extra motivation for violators to respect the legal system and the community. Matthieu is doing some interesting work and has been a great help with some of the new functionality being added to Volatility 1.3. If you are in Vegas, you should check out his presentation!

"Research maxims: 1) Pay attention to details. (2) Don’t make stuff up."

Tue, 06 May 2008 07:27:59 -0400

“Research maxims: 1) Pay attention to details. (2) Don’t make stuff up.”

- Prof. Roy A. Maxion, Carnegie Mellon University,Computer Science Department.

DFRWS 2008 Agenda

Mon, 05 May 2008 18:43:26 -0400

DFRWS 2008 Agenda: The program for DFRWS 2008 has been posted. There are a number of papers discussing important advancements in memory forensic analysis that you won’t want to miss. In particular, I want to congratulate Andreas Schuster , Brendan Dolan-Gavitt , Dr. Michael Cohen for getting their papers accepted. The great work these gentlemen are doing is helping to make Volatility the most advanced memory forensics framework. It’s encouraging to see people who are actually contributing to the open source community be rewarded for their hard work! Stay tuned for more exciting DFRWS announcements!

Linux Memory Forensics

Sun, 04 May 2008 08:52:43 -0400

Linux Memory Forensics

"But it’s just about impossible to prevent secrets from being written to..."

Thu, 01 May 2008 13:25:00 -0400

“But it’s just about impossible to prevent secrets from being written to memory—presumably, your program needs access to the data at some point.”

- Chess, Brian and Jacob West. “Secure Programming with Static Analysis”. Addison-Wesley. 2007.

PTK Includes Volatility

Wed, 30 Apr 2008 18:05:49 -0400

PTK Includes Volatility: For any of our Italian readers, PTK now includes support for Volatility. Once PTK is released, Volatility users will have the option of using PTK or PyFlag. Thanks for the email Michele!

Software Forensics: Software fingerprints

Wed, 30 Apr 2008 14:25:42 -0400

Software Forensics: Software fingerprints: You would hope that those same forensics companies claiming to help people enforce the law would at least respect the legal system. There is truly an amazing story going on behind the scenes. I want to give my respect to all those people that are attempting to “empower the community” as opposed to “exploit the community”!

The 3 Vendors: Software Forensics

Mon, 28 Apr 2008 11:06:38 -0400

The 3 Vendors: Software Forensics: This is a very interesting post by Andreas Schuster. You should definitely take some time to check it out! I’m sure we will see a lot more of this activity with respect to volatile memory forensics software. Especially, as vendors are desperately trying to catch up to the research community! Nice work Andreas and others ;)!