
News

Posted about 13 years ago
Memory Analysis with Volatility at CTIN: If you happen to be in the Seattle area in March, Russ McRee, a member of Microsoft’s Online Services Security & Compliance team, will be giving a presentation on Volatility at the CTIN Digital Forensics Conference. This discussion will cover the complete life cycle of memory acquisition and analysis for forensics and incident response, using Volatility. Volatility has been referred to as the Python version of the Windows Internals book, given how much can be learned about Windows by reviewing how Volatility enumerates evidence. We’ll conduct real-time analysis and examine Volatility’s plug-in capabilities. The Volatility project shortens the amount of time it takes to put cutting-edge research into the hands of practitioners, while encouraging and pushing the technical advancement of the digital forensics field. Join us and learn more about this outstanding tool. Shoutz to Russ!
Posted about 13 years ago
Using Volatility to Detect the 0-day Blacksheep with no Signatures: A team of researchers from the University of California at Santa Barbara demonstrated how Volatility could be used to monitor for indicators of compromise across an enterprise without signatures: “Blacksheep functions by detecting anomalous memory dumps collected from a group of machines instead of looking for specific signatures of infection; it does not require the use of signatures. As such, it is well-built to handle previously-unseen malware threats.” It’s great to see that Volatility continues to be the basis of research published at the nation’s top information security conferences. It’s exciting to think that the same industry-leading framework that is used daily by digital forensics practitioners is also being used for cutting-edge research by some of the nation’s top security academics. Shoutz to the UCSB team!
Posted about 13 years ago
Windows Memory Forensics Training for Analysts by Volatility Developers: We are pleased to announce the first public offering of the Windows Memory Forensics for Analysts training course. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework’s extensive set of plugins. Now you can reap these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool.
Dates: Monday, December 3rd through Friday, December 7th 2012
Location: Reston, Virginia (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda). Please see the VolatilityTeam wiki page for brief bios.
Posted about 13 years ago
"Virtual Machine Introspection in a Hybrid Honeypot Architecture" with Volatility: In this paper, recently published at the 5th Workshop on Cyber Security Experimentation and Test, the researchers describe how they used Volatility in conjunction with LibVMI to create a hybrid honeypot architecture based on virtual machine introspection. They leverage Volatility’s powerful plugins to analyze the run-time state of the systems and detect any changes that may arise. It’s great to see that researchers from top universities continue to publish research that builds upon The Volatility Framework (TVF). Shoutz to BDP and the rest of the research team!
Posted about 13 years ago
If you are one of those people who likes to stay up to date on the latest happenings in the world of memory forensics and Volatility, there are some new resources you should definitely check out:
Volatility Labs: This blog will now be the official blog of The Volatility Project. To kickstart the new blog and celebrate the upcoming OMFW, we are currently hosting the Month of Volatility Plugins (MoVP).
@Volatility: For those who want to follow the Volatility Development Team and get the inside track on upcoming events (i.e. the exciting new training courses), you should check us out on Twitter. Those who follow @Volatility will also be eligible for training discounts and receive priority registration for Volatility events.
Volatility Wiki: Thanks to MHL, the Volatility Wiki page is receiving a much needed facelift. Check it out and let us know what you think!
Posted over 13 years ago
If you were considering reserving a seat at the Open Memory Forensics Workshop (OMFW) 2012, we suggest you don’t wait too long. We only have a couple of seats still available. Once those seats are filled, we will have to wait-list requests until someone cancels. For those who already have a confirmed reservation, we will be sending out the logistics details this weekend. It’s exciting to see all the new analysts wanting to unleash the power of the real memory forensics framework. Who takes pride in being a misguided tool user? Don’t be left out!
Posted over 13 years ago
Recovering Tmpfs from Linux Memory Samples with Volatility: Andrew Case recently wrote another interesting blog post describing his new tmpfs plugin for Volatility. This plugin has a number of exciting and unexpected forensic applications, especially when you start analyzing Android samples. (Rumor has it this year’s DFRWS Rodeo involved analyzing Android memory samples with Volatility.) Shoutz to Andrew! You will not want to miss his OMFW presentation!
Posted over 13 years ago
Identifying TrueCrypt Artifacts in RAM with Volatility 2.1: If you are not a member of the Volatility Users mailing list, you probably missed a recent thread discussing how to identify TrueCrypt artifacts in physical memory with Volatility 2.1. Lucky for you, “Bridgey the Geek” created a document that summarized the thread and his observations. If you are interested in TrueCrypt, you may also want to check out the research we did in 2007 to extract the TrueCrypt master key.
Posted over 13 years ago
Volatility 2.1 Released! (Official x64 Support): We are very excited to announce the official release of Volatility 2.1! While the main goal of this release was to get x64 support into an official release, we also sneaked in a number of interesting new capabilities! Highlights of this release include:
- New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64)
- Majority of Existing Plugins Updated with x64 Support
- Merged Malware Plugins into Volatility Core with Preliminary x64 Support (see FeaturesByPlugin21)
- WindowsHiberFileSpace32 Overhaul (also includes x64 Support)
- Expanded Operating System Profiles:
  - Windows XP SP1, SP2 and SP3 x86
  - Windows XP SP1 and SP2 x64 (there is no SP3 x64)
  - Windows Server 2003 SP0, SP1, and SP2 x86
  - Windows Server 2003 SP1 and SP2 x64 (there is no SP0 x64)
  - Windows Vista SP0, SP1, and SP2 x86
  - Windows Vista SP0, SP1, and SP2 x64
  - Windows Server 2008 SP1 and SP2 x86 (there is no SP0)
  - Windows Server 2008 SP1 and SP2 x64 (there is no SP0)
  - Windows Server 2008 R2 SP0 and SP1 x64
  - Windows 7 SP0 and SP1 x86
  - Windows 7 SP0 and SP1 x64
- Plugin Additions (Now Over 70 Analysis Plugins!):
  - Printing Process Environment Variables (envvars)
  - Inspecting the Shim Cache (shimcache)
  - Profiling Command History and Console Usage (cmdscan, consoles)
  - Converting x86 and x64 Raw Dumps to MS CrashDump (raw2dmp)
- Plugin Enhancements:
  - Verbose details for kdbgscan and kpcrscan
  - idt/gdt/timers plugins cycle automatically for each CPU
  - apihooks detects LSP/winsock procedure tables
- New Output Formatting Support (Table Rendering)
- New Mechanism for Profile Modifications
- New Registry API Support
- New Volshell Commands
- Updated Documentation and Command Reference
In particular, I also wanted to take this opportunity to recognize those on the development team who helped push to make this release possible: Mike Auty, Andrew Case, Michael Cohen, Michael Hale Ligh, and Jamie Levy. These are the people who make a number of sacrifices in their own personal lives to continue to bring you the most advanced memory forensics framework in the world! If you appreciate the hard work they put into Volatility, I encourage you to Support Open Source Forensics Developers (SOSFD). Finally, shoutz to the Volatility Community for their continued support and feedback! As an added bonus, we will also be releasing Volatility 2.2 at the Open Memory Forensics Workshop 2012 on October 2. This will be your only opportunity to learn about all the new features in 2.1 and 2.2 from the actual Volatility development team. Please register early. Seats are filling up fast.
Posted over 13 years ago
We are excited to announce that over half the seats for the Open Memory Forensics Workshop (OMFW) have already been reserved. It’s also great to see a large number of first-time attendees from across government, academic, and commercial institutions. This is your one chance a year to hear about the latest research in memory forensics from the people who are pioneering the field. Having insider information about the presentations, I guarantee this will be one of the best workshops we have ever held and you will be amazed! If you are still planning to attend, we suggest you register as soon as possible to make sure you have a seat. We will be confirming the venue seating capacity this week. We also wanted to take this opportunity to address some of the questions we have received: OMFW participants are not required to register for OSDFC. In fact, these are actually two separate events that just “happen” to be occurring around the same time. OMFW will be held at a different, but nearby, location, so on-site registration at OSDFC will not be possible. The only way to register for OMFW is to email: [email protected]. Once you email this address, a seat will be reserved for you, assuming one is available, and you will receive details about completing registration.