Volatility

ACM CCS 2009: Robust Signatures for Kernel Data Structures

Wed, 04 Nov 2009 00:09:00 -0500

ACM CCS 2009: Robust Signatures for Kernel Data Structures:

I would like to take a moment to congratulate Brendan Dolan-Gavitt and his contributing authors (Abhinav Srivastava, Patrick Traynor and Jonathon Giffin) for getting their peer reviewed research paper accepted to CCS 2009, “Robust Signatures for Kernel Data Structures”. If you happen to be in Chicago next week, I highly recommend checking out his presentation. You will learn about some of the exciting new things Brendan is doing with Volatility and about the limitations of memory forensics tools. The outstanding research being performed by Brendan and the other members of the Order of Volatility is the reason that The Volatility Framework keeps pushing the state of the art in memory forensics! Shouts to Moyix!!!

Windd 1.3 Final! (x86 and x64)

Sat, 17 Oct 2009 00:36:23 -0400

Windd 1.3 Final! (x86 and x64):

In case you may have missed it, Matthieu Suiche has released a new version of windd. This release has a number of exciting new features including x64 support! Personally, I’m glad that there were no “finals” neglected to get this release out the door. Shouts to Matthieu from the Volatility Team! Keep up the great work!

Training: Tools and techniques for Windows Memory Analysis

Sat, 17 Oct 2009 00:25:54 -0400

Training: Tools and techniques for Windows Memory Analysis:

Andreas Schuster will be teaching a two-day class on Windows memory analysis at the upcoming Hoffmann’s Advanced Forensic Sessions. In this class, Andreas will discuss how the Volatility Framework can be leveraged to help elucidate the “fascinating and complex world of Windows objects from a forensic perspective”. As we have previously mentioned, Andreas has been a substantial contributor to the Volatility project and the training he delivered earlier this year, at the first Hoffman Session, received outstanding reviews. This is your opportunity to learn from one of the pioneers in the memory analysis field.

ForensicZone: Volatility Batch File Maker

Sat, 17 Oct 2009 00:08:34 -0400

ForensicZone: Volatility Batch File Maker:

Richard McQuown, from ForensicZone, recently released the “Volatility Batch File Maker”. This utility allows an investigator to automatically generate scripts for running Volatility plugins (procdump, memdmp, vaddump) against a memory sample. These scripts are built by leveraging information extracted by various process enumeration tools (ie. psscan2, Ptfinder, and PtFinderFE). Shouts to Richard!

iDefense Malware Training in NYC and London

Thu, 08 Oct 2009 01:01:00 -0400

iDefense Malware Training in NYC and London:

While we don’t endorse a lot of the training offerings that attempt to include Volatility (since most of these organizations are not contributors to the project) , I want to highly recommend the iDefense Malware Training being offered by Michael Hale Ligh and Greg Sinclair. MHL is extremely talented and he has been a substantial contributor to the Volatility Framework.

Open Memory Forensics Workshop (OMFW) 2010

Thu, 08 Oct 2009 00:40:47 -0400

After the amazing success of OMFW 2008 and a little hiatus in 2009, we are currently in the process of planning OMFW 2010. If you are interested in getting involved or have an exciting topic you would like to present, please let the team know. For those who want to attend, please be sure to check back frequently for registration details. Due to the overwhelming response in 2008, we were not able to fulfill all the registration requests, so please be sure to register early! There will be a number of surprises and I guarantee it will be an event you won’t want to miss! Check out what previous attendees of OMFW have said: Jim Clausing, Richard Bejtlich.

VDP Update: "New" Contributions

Thu, 08 Oct 2009 00:09:24 -0400

VDP Update: "New" Contributions:

In case you may have missed it, there have been some new contributions to the Volatility Documentation Project. SAL contributed a batch script and documentation for aggregating Volatility output. SAL also submitted a document describing how to create “Pretty Process Mapping”. Special shouts to Gleeda for all your efforts and SAL for the contributions!

VDP Update: Volatility Linux Install Guide

Sun, 09 Aug 2009 13:16:09 -0400

VDP Update: Volatility Linux Install Guide:

As a contribution to the Volatility Documentation Project (VDP), Jon Evans recently posted a “Volatility Linux Install Guide”. In this document, Jon describes how to install Volatility and plugins within a Linux environment. Please take some time to review the document and let Jon know if you have any comments or suggestions. Shouts to Jon and thanks for your contributions to the Volatility Project!

VDP Update: Volatility SVN Guide

Mon, 03 Aug 2009 22:32:00 -0400

VDP Update: Volatility SVN Guide:

Gleeda, the undisputed “Volatility Queen of Documentation” and leader of the Volatility Documentation Project (VDP), wrote another document describing how to access the latest version of Volatility using SVN. This may be especially useful for those Windows users among you who were wondering how to get access to the latest version of the code. Shouts to Gleeda!

If you have some extra cycles to spare, the VDP is still searching for more volunteers and contributions. In particular, I’m hoping some of the organizations who are leveraging Volatility in their training classes would consider giving something back to the community!

Making Fun of Your Malware

Mon, 03 Aug 2009 00:12:43 -0400

Making Fun of Your Malware:

If you weren’t able to make it to Defcon this year, MHL was gracious enough to post the slides to the “Making Fun of Your Malware” presentation he gave with Matt Richard. As an added bonus, you should check out the videos for his upcoming Volatility plugins. With these plugins, MHL demonstrates powerful malware analysis capabilities. The first video demonstrates a plugin with the ability to rebuild both the IAT and a missing PE header. The second video demonstrates how a malware analyst can leverage Volatility to create IDB files for IDA Pro. I continue to be impressed how Volatility developers are shaping the future of memory analysis! Shouts to MHL!!!

Automating Malware Analysis

Thu, 30 Jul 2009 23:18:07 -0400

Automating Malware Analysis:

The latest issue of Hakin9 magazine contains an interesting article by
Tyler Hudak describing an automated analysis script. In this article, Tyler also describes how he leverages Volatility to augment this malware analysis process. Shouts to Tyler!

Last Call: Volatility 1.3 Bugs

Tue, 28 Jul 2009 18:46:37 -0400

If you have a bug you would like to see fixed in the next release of Volatility, please send the details to the Volatility developers mailing list by the end of the week. A special thanks to all of you who have already sent in reports.

Volatility Documentation Project

Fri, 24 Jul 2009 01:53:15 -0400

Volatility Documentation Project:

I’m pleased to announce the start of the Volatility Documentation Project (VDP). As an initial contribution, Gleeda has created a guide for the “Installation of Volatility on Windows XP”. This was written to help people who are just getting started using Volatility. If you are a Volatility user and would like to give something back to the community, helping with documentation would be a significant contribution and greatly appreciated. Regardless of whether it is content for the Volatility Wiki or another HOW-TO guide, there are many in the community who will benefit from your shared knowledge. Shouts to Gleeda and thanks for the post on “Volatility News”! Until futher notice, Gleeda is the “Volatility Queen of Documentation”. (yes that is an official title ;).

New and Updated Volatility Plug-ins

Wed, 22 Jul 2009 01:27:48 -0400

New and Updated Volatility Plug-ins:

Volatility contributor Michael Hale Ligh has recently released a number of new and updated plugins.

idt.py: printing the Interrupt Descriptor Table (IDT) addresses
driverirp.py: printing driver IRP function addresses
usermode_hooks2.py: updated usermode hook detection plug-in
kernel_hooks.py: detects IAT, EAT, and in-line hooks in kernel drivers
orphan_threads.py: detects hidden system/kernel threads
malfind2.py: updated plugin for detecting hidden/injected code in usermode processes

His blog post also demonstrates how each plugin can be useful for detecting different types of malware. Please take some time to test these plugins and send Michael any feedback you may have. Shouts to MHL for his contributions to the Volatility community!

What's in your RAM?

Thu, 16 Jul 2009 23:28:54 -0400

What's in your RAM?:

The latest episode of Hak5 discusses memory forensics. In this episode, they mention a number of tools/plugins created by members of the Volatility community (ie win32dd, hashdump, and Volatility). In the show notes, they also provide a link to another blog post describing how SAM hashes can be extracted from physical memory. Shouts to Hak5 crew! Thanks to sck for sending me the link.

Volatility Call for Bugs

Mon, 06 Jul 2009 00:27:47 -0400

Volatility Call for Bugs:

Jesse Kornblum, our favorite geek raised by wolves, has graciously agreed to help prepare the next release of Volatility. Please take some time and report any bugs you may have encountered. It’s great to see people willing to step up and contribute back to the community! Remember, Volatility is powered by the people! Shouts to Jesse!

Windows Memory Forensics with Volatility

Wed, 01 Jul 2009 23:27:50 -0400

Windows Memory Forensics with Volatility:

Andreas Schuster recently posted his slides from the training he gave at FIRST 2009. If you want to learn more about Windows memory forensics, especially the internals of Volatility, you should definitely check them out. These slides will even teach you how to write your first plugin. Shouts to Andreas for his continued contributions to the Volatility community! Thanks to moyix for sending me the link!

Got Memory Forensics and Malware Analysis skillz?

Wed, 24 Jun 2009 23:12:44 -0400

We are currently seeking passionate and talented individuals with skills in the areas of memory forensics, malware analysis, and reverse engineering. If you are looking for a position in a rapidly growing company that is building solutions to address the hardest and most exciting challenges currently facing the digital forensics community, we want to talk to you! This is your opportunity to work alongside industry pioneers to help shape the future of digital forensics. Join the digital forensics revolution! Please contact us at (info at volatilesystems dot com)(https://www.volatilesystems.com).

SANSFIRE 2009: Building an Automated Malware Behavioral Analysis Environment using Free and Open-source Tools.

Wed, 17 Jun 2009 10:19:00 -0400

SANSFIRE 2009: Building an Automated Malware Behavioral Analysis Environment using Free and Open-source Tools.:

On Thursday, June 18 at 8:00 PM EDT, Jim Clausing, SANS ISC Handler and Volatility contributor, will be presenting a Webcast discussing how to build automated malware analysis environments. This is a great opportunity to learn how people are leveraging the power of Volatility for malware analysis. Shouts to Jim! Thanks to MHL for sending me the link!

UPDATE: Jim just sent me the link to the associated paper.

VolReg 0.6, now with BIG_DATA

Mon, 08 Jun 2009 20:15:20 -0400

VolReg 0.6, now with BIG_DATA:

Moyix has released a new version of VolReg with experimental support for BIG_DATA values. This version also fixes some bugs that came up during testing. While you are exploring his Volatility plugins page, you may also want to check out the updated version of VolShell. Please take some time to provide feedback and testing. Shouts to Moyix!