Tuesday, November 21, 2017

Results from the (5th Annual) 2017 Volatility Plugin Contest are in!

Congratulations to all the participants! This year's contest resulted in a ton of new and exciting functionality available to law enforcement agents, DF/IR practitioners, malware analysts, and researchers around the globe, which can immediately be transitioned into their workflows. That's the whole spirit of open source memory forensics with Volatility, and we're once again very proud to sponsor a contest with such impressive results.

After over 10 years of development with the Volatility Framework and 4 years of previous plugin contests, you might think that there's nothing left to do, but the community continuously proves otherwise. This year, in particular, we were super impressed not only with the creativity and quality of the submissions, but the fact that several works were influenced by or in support of submissions from previous contests.   

Everyone is a winner in this contest. Although a few developers will walk away with prizes, they all solved a problem that they (and inevitably others) faced, gained experience writing Python plugins, and learned some intricacies of memory analysis internals. The capability to program around technical issues and design/implement solutions is a gift. You can applaud by following the authors on Twitter/GitHub/LinkedIn, providing feedback on their ideas, and helping to improve their code with testing, documentation, or contributing patches.


Here is a break down of the placements and prizes


1st place and $1500 USD cash or a Free Seat at Malware and Memory Forensics Training by the Volatility Project goes to:
Xabier Ugarte-Pedrero from Cisco Talos for PyREBox
2nd place and $500 USD cash goes to:
KSL Group (Kyle Ness, Shachaf Atun, and Liam Stein) for Threadmap
3rd place and $250 USD cash goes to:
Peter Kálnai and Michel Poslušný from ESET for Browserhooks
4th place and Volatility Swag goes to:
(tie) Michael Brown for SQLite Artifacts and Adam Bridge for Linux (X) Windows
5th place and Volatility Swag goes to:
Frank Block for Linux Glibc Heap Analysis

Here is a detailed summary of the submissions. If you have feedback for the authors, we're sure they'd love to hear your thoughts.


1st: Xabier Ugarte-Pedrero (Cisco Talos): PyREBox

PyREBox provides an extensible reverse engineering sandbox that combines debugging capabilities with introspection. The analyst can interact with the whole system emulator, QEMU, guest either manually, using IPython, or by creating Python scripts. Unlike previous reverse engineering platforms, PyREBox, is explicitly designed for modern threat analysts and the tasks they commonly perform. PyREBox also leverages Volatility to help bridge the semantic gap challenges typically associated with virtual machine introspection.

2nd: Liam, Shachaf and Kyle (KSL Group): Threadmap

The KSL Group (Kyle Ness, Shachaf Atun, Liam Stein) submitted the threadmap plugin, which is the result of their extensive research comparing and contrasting weaknesses in existing tools for identifying code injection based on process hollowing. The authors found an obvious gap between the prevalence of attacks in the wild that leverage process hollowing and the strength of tools that can perform detection reliably. Based on the documentation provided alongside the Volatility plugin, the authors not only analyzed existing malware samples (i.e. a reactive approach) but also developed their own variations of process hollowing that are likely to be seen in the near future - and included coverage for those types of attacks as well.

https://github.com/kslgroup/threadmap

3rd: Peter Kalnai and Michal Poslusny (ESET): Browserhooks

Something magical happens when reverse engineers write Volatility plugins. Peter and Michal from ESET have been tracking banking trojans and MITB malware for a while now, documenting the methods that malicious authors take to subvert victim systems - in particular, how they find and hook the SSL VMT (virtual method table) even in browsers such as Chromium-based browsers that static link with the SSL libraries, change regularly, and don't export the table locations. Studying the pros/cons of attacker methodologies, learning from them in order to create a more robust detection platform, and immediately transitioning that knowledge into a capability analysts can use (via Volatility) requires a unique skill set. In addition to exploring these previously undetected API hooks, the authors also extended Volatility's apihooks plugin to work on WOW64 processes (32-bit processes on a 64-bit architecture) and integrated their work into VolUtility - a submission to last year's plugin contest.

https://github.com/eset/volatility-browserhooks
https://www.virusbulletin.com/conference/vb2017/abstracts/browser-attack-points-still-abused-banking-trojans
https://www.virusbulletin.com/uploads/pdf/conference_slides/2017/Kalnai-VB2017-browser-attack-points-trojans.pdf

4th (tie): Michael Brown: SQLite Artifacts

Michael Brown wrote a seriously cool set of Volatility plugins to interrogate SQL artifacts in RAM. Influenced by Dave Lassalle's previous work for the 2014 Volatility Plugin Contest, Michael wrote a more generalized version of the SQL tools that can search for any table schema. In his own words, "You can enter your own schema, but Sqlitefind can also automatically find table definitions in the sqlite_master table, so the user doesn't need to know the schema beforehand! You can even discover tables that you didn't know were in memory." Given the number of applications that rely on sqlite3 under the hood, this opens doors to an unexplored world of application artifacts.

https://github.com/mbrown1413/SqliteFind

4th (tie): Adam Bridge: Linux (X) Windows & Atoms

Adam's contribution to this year's contest is the first of its kind - a set of plugins to analyze forensic artifacts of the X Window System environment on Linux. The data structures recovered by the plugins are tied to the X server itself, thus they work independently of the Linux distribution or window manager. Captured information includes details about each window, such as X and Y co-ordinates, width and height dimensions, parent window objects, window IDs, color schemes, and atom associations. Natively, the plugins can be used to determine titles of browser windows (URLs visited), titles of LibreOffice applications (opened documents), and in the future - potentially even a screen shots plugin for Linux!

https://twitter.com/bridgeythegeek
https://github.com/bridgeythegeek

5th: Frank Block: Linux Glibc Heap Analysis

Frank's submission to this year's contest introduces a library to parse the user mode heap of a process using Glibc (currently supports x86/x64 and Glibc versions 2.20 - 2.25), an API for developers to create their own plugins, and two example plugins that demonstrate the forensic value - command shell history (zsh) and password management (keepassx). We are super impressed with the level of effort Frank put into this suite of tools. Not only did he implement a model of multiple Glibc versions, but he documented the library's internals, produced a 60+ page academic technical report and published a condensed 10-page DFRWS paper.

https://authors.elsevier.com/sd/article/S1742287617301895 (DFRWS Paper)
https://opus4.kobv.de/opus4-fau/frontdoor/index/index/docId/8340
https://insinuator.net/author/fblock/


The following submissions appear in the order they were received. As previously mentioned, these developers deserve huge props. We look forward to seeing future work by these authors!


Mark McKinnon: Volatility Autopsy Modules

Mark's work on integrating Volatility output into the Autopsy GUI will undoubtedly make life easier for many investigators. Whether they're not familiar with using command line tools, they're uncomfortable in a Linux environment, or if they just want to save time and visualize memory artifacts across various different cases in the same interface, this is a huge advantage for Autopsy users. The module includes a generic interface that allows running any Volatility plugin that supports SQLite rendering. It also contains more specialized modules that take the output of Volatility's dumpfiles (extract files from RAM) and imagecopy (convert hiber/crash to raw) plugins and make their results available in Autopsy as well, creating a near full circle of analysis between disk and memory, all captured in the same GUI.

https://twitter.com/markmckinnon
https://github.com/markmckinnon
https://www.linkedin.com/in/mark-mckinnon-9b08715
https://medium.com/@markmckinnon_80619
https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Volatility
https://medium.com/@markmckinnon_80619/volatility-autopsy-plugin-module-8beecea6396

Javier Vicente Vallejo: Symbolizemod

As a malware analyst, Javier starts most of his work with Windbg or Volatility and then pivots to IDA Pro to gain a detailed understanding of the malicious code. In this line of work, having access to symbols for the malware being disassembled or debugged is practically a requirement if you want to be efficient. The symbolizemod plugin lets you extract variables and symbols from a particular memory region and exports them as a DBG file, which is a common format understood by IDA Pro and Windbg. The end goal is similar to Volatility's existing impscan plugin, except impscan only exports in text and IDC formats. In fact, symbolizemod also includes a command line switch to leverage impscan's engine for enumerating symbols. By default, however, symbolizemod uses its own engine (called "raw mode") which in some cases can produce different results.

https://vallejo.cc/
https://github.com/vallejocc
https://twitter.com/vallejocc

Alessandro De Vito: Chrome Ragamuffin

Chrome Ragamuffin is part of a larger research project started by Alessandro over a year ago. Although the research is ongoing, Alessandro's Volatility plugin is already full of features and it's one of the most compelling examples of recovering application level artifacts that we've seen. Overcoming challenges such as incognito mode and the fact that Chrome updates automatically nearly every time you launch it, Alessandro managed to dissect critical in-memory data structures related to the browser's DOM and the user's navigation. Alessandro has presented his work at OSDFC and Bsides Zurich, showing how to analyze memory to detect CSRF, clickjacking, phishing, and malicious redirects.



Here are a few additional resources regarding previous contests and community-driven plugins:


Volatility Foundation Contest Home Page: http://www.volatilityfoundation.org/contest

Volatility 2016 Plugin Contest Results: http://www.volatilityfoundation.org/2016
Volatility 2015 Plugin Contest Results: http://www.volatilityfoundation.org/2015
Volatility 2014 Plugin Contest Results: http://www.volatilityfoundation.org/2014-cjpn
Volatility 2013 Plugin Contest Results: http://www.volatilityfoundation.org/2013-c19yz

Volatility Community GitHub Repository: https://github.com/volatilityfoundation/community

Tuesday, June 6, 2017

Our Newly Updated Memory Forensics and Malware Analysis Course is Headed to Herndon and London!

As we head into summer, we wanted to let everyone know that for 2017 we only have two remaining public offerings of our highly popular and newly updated Malware and Memory Forensics training course. If you would like to join us, our international course will be in London during the week of September 18th - 22nd, and our US course will be back in Herndon during the week of October 16th - 20th.

Our cutting edge materials are one of the main reasons students value our course. We don't teach the same concepts year after year. Instead, we update our class regularly, to stay in sync with (and in some cases, ahead of) the rapidly changing attack surfaces, advances in defense technologies, malware hiding tricks, and operating system forensics artifacts. A few recent additions include:

  • Windows 10 security features, such as Device Guard, Credential Guard, Isolated User Mode, Protected Processes, etc.
  • Challenges of recent hibernation file analysis, the impact of new sleep modes, and hybrid style hibernations 
  • How to analyze RAM backed page files on Windows 10 & memory compression 
  • The Linux subsystem of Windows 10 and the associated memory artifacts
  • Memory-only Powershell and .NET based attacks
  • New event log sources that compliment memory forensics

Not only only will you be learning these memory forensics topics directly from the authors of the Volatility Framework and the Art of Memory Forensics, but you will also receive Volatility stickers, a branded USB drive, a copy of the Art of Memory Forensics (digital or print), and various opportunities to win SyncStops - all nicely documented by a former student:
One of the most popular class contests is our CTF that pits individuals (or teams of two) against the rest of the class, in a challenge that involves analyzing Windows and Linux memory samples in a scenario resembling events that unfolded during the 2016 U.S. Presidential Election.
To continue providing the most up-to-date memory forensics training available anywhere in the world, our instructors constantly perform high impact, real-world DFIR  (1, 2, 3, 4, 5). The knowledge gained during these investigation is immediately transitioned into content and labs for our training courses:

Besides the core knowledge needed to perform effective memory forensics, we also teach the latest tools and techniques for reliable memory acquisition. Students will gain experience using Volexity Surge Collect Pro for robust, fast, and secure collection of Windows memory to local and remote/network-based destinations. Students can purchase Surge licenses at a discounted price during course registration (see Memory Forensics Training FAQ) or separately after the class.

In closing this update, we would again like to thank the DFIR community for its continued support of the Volatility project and our associated training course. In particular, all the newcomers who are just starting to explore memory analysis, as well as our alumni and numerous repeat students who just can't get enough!

On a side note, if you are going to be at DFRWS or Black Hat this summer then be sure to come introduce yourself!

-- The Volatility Team

Thursday, April 20, 2017

The (5th Annual) 2017 Volatility Plugin Contest is Live!

Its that time again, folks! The 2017 Volatility Plugin contest is now live and accepting submissions until October 1st, 2017. Winners of this year's contest will be receiving over $2,250 in cash prizes as well as plenty of Volatility swag (t-shirts, stickers, mugs, sync stops, etc).

The purpose of the contest is to encourage open memory forensics research and development. It is a great opportunity for students to become familiar with memory forensics, develop a master's thesis or PhD project, as well as gain experience that will be very desirable by future employers. For those already in the field, submitting to the contest is a great way to gain experience and visibility in the memory forensics community. After the contest is over we promote the work in our conference presentations, blogs, and social media.

If you are looking for inspiration or to see the past winners, please check out the pages from 201320142015, and 2016. You will find projects that allow for inspection of virtual machines guests from the view of the host, recovery of in-memory browser artifacts, methods to detect stealthy rootkits, and much more.

If you have any questions please feel free to reach out to us. 

We are looking forward to another year of innovative open source research!

Friday, December 30, 2016

The Release of Volatility 2.6

This release improves support for Windows 10 and adds support for Windows Server 2016, Mac OS Sierra 10.12, and Linux with KASLR kernels. A lot of bug fixes went into this release as well as performance enhancements (especially related to page table parsing and virtual address space scanning).

Here's the TL;DR:

The release page, with standalone binary downloads for 64-bit Windows, Linux, and Mac:
http://www.volatilityfoundation.org/26

Information on new Volatility 2.6 profiles:
https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles

Python source code packages:
https://github.com/volatilityfoundation/volatility/releases

We look forward to working with you all in the new year!
The Volatility Team

Monday, December 5, 2016

Results from the 2016 Volatility Plugin Contest are in!

Congratulations to all the participants! This year we received more submissions than ever before (21 to be exact, from 16 different authors), so judging took longer than we expected. Sorry about that! The good news is...there's a LOT of new and exciting functionality available to law enforcement agents, DF/IR practitioners, malware analysts, and researchers around the globe, which can immediately be transitioned into their workflows. That's the whole spirit of open source memory forensics with Volatility, and we're once again very proud to sponsor a contest with such impressive results.

It may sound cheesy, but everyone is a winner in this contest. Although a few developers will walk away with prizes, they all solved a problem that they (and inevitably others) faced, gained experience writing Python plugins, and learned some intricacies of memory analysis internals. The capability to program around technical issues and design/implement solutions is a gift. You can applaud by following the authors on Twitter/GitHub/LinkedIn, providing feedback on their ideas, and helping to improve their code with testing, documentation, or contributing patches.

We also want to thank Airbnb for donating $999 to the cash prizes! When looking for a new job, we definitely recommend considering employers that support open source forensics and value the importance of memory analysis. Maybe you can be their next Security CSIRT Engineer!


Here is a break down of the placements and prizes


1st place and $1800 USD cash or a Free Seat at Malware and Memory Forensics Training by the Volatility Project goes to:
Monnappa for Hollow Process Detection and Analysis. Monnappa also participated in the 2015, so this is his second consecutive contest. Aside from the code itself, Monnappa's corresponding documentation was very impressive. Given Monnappa has already taken our training class, he'll likely take the cash prize!
2nd place and $800 USD cash goes to:
Kevin Breen for VolUtility and LastPass Credential Recovery. Although we've seen web interfaces in the past, Kevin's take on it has a lot of unique and helpful features. He's already integrated quite a number of new capabilities since the contest closed in October and he's showing no signs of slowing down. He's got Volatility plugin fever! 
3rd place and $450 USD cash goes to:
Dima Pshoul for Advanced Malware Hunter's Kit. Dima designed several creative ways to detect memory-only injected code, which is one of the major reasons why analysts rely on memory forensics. Say hello to malfind's two new best friends! 
4th place and $100 USD cash and Volatility Swag goes to:
Mariano Graziano for ROP Payload Analysis and Linux Kernel Symbol Finder. This is Mariano's second plugin contest - he previously won first place for Actaeon. Its great to see Mariano continuing to implement powerful capabilities like ROPMEMU. Likewise, the Linux kernel symbol finder preemptively solves issues that analysts will face in the absence of Linux profiles.
5th place and $100 USD cash and Volatility Swag goes to:
Bart Inglot for RDP Key Extraction and Replay. This is Bart's second plugin contest, but the first time he's made it to the top 5. We met Bart a few years ago when he attended one of our training classes in Amsterdam, and since then, he's been rapidly improving his memory forensics skills. Bart's submission highlights some really cool capabilities related to offline DPAPI data decryption and extraction of key data from RAM. 
Thomas White for Mac FileVault2 and Microsoft Bitlocker Key Extraction. Together with Volatility's existing plugins for Truecrypt and dm-crypt on Linux, investigators not only have quite thorough support for pulling FDE keys from RAM, but they can understand where and how the keys are stored in virtual memory. 

Here is a detailed summary of the submissions. If you have feedback for the authors, we're sure they'd love to hear your thoughts.


1st: Monnappa: Hollow Process Detection and Analysis

Monnappa's hollowfind is a Volatility plugin to detect different types of process hollowing techniques used in the wild to bypass, confuse, deflect and divert forensic analysis techniques. The plugin detects such attacks by finding discrepancies in the VAD, PEB, and other OS meta-data structures. The plugin also disassembles the address of entry point to detect any redirection attempts and also reports any suspicious memory regions which should help in detecting the injected code.

Monnappa's research on the process hollowing technique in general is very impressive. To design the plugins, he needed to reverse engineer various real-world malware samples that performed process hollowing, intimately study their subtle differences, and write code to handle each case. His blog below is complete with commented IDA screen shots and Volatility plugin output produced after executing the described malware.

Monnappa's Blog on Process Hollowing: detecting-deceptive-hollowing-techniques
Monnappa's GitHub: https://github.com/monnappa22
Monnappa's Twitter: @monnappa22

2nd: Kevin Breen: VolUtility Web Interface

VolUtility is a web interface (written in Django) for Volatility. It runs plugins and stores the output, derived directly from the plugin's JSON rendering APIs, in a Mongo database. It extracts files from plugins (that support --dump-dir) and stores the binary content in the database as well, allowing searches across all plugins and file content with string search and Yara rules. In comparison with other web interfaces that we've seen in the past, VolUtility stands out due to its extensions, which allow integration with Cuckoo Sandbox, Exif, Floss, and VirusTotal. It also features a hex viewer, PST and SQLite viewers, registry hive browser, volshell-like input controls, etc. We found the documentation very thorough and installation/configuration on Linux was a breeze.

Kevin's Twitter: @kevthehermit
Kevin's Website: https://techanarchy.net

2nd: Kevin Breen: LastPass Credential Recovery

LastPass is a highly popular and widely used password manager. Its ease of use and direct integration into major browsers allows for even non-technical users to maintain unique, strong passwords across a variety of websites and services. Since many users trust all of their passwords to LastPass, cleartext credentials from its database are highly valuable forensic targets. This newly submitted plugin, named lastpass, allows for targeting of LastPass user credentials that were stored in memory at the time of acquisition, allowing for rapid exploitation by forensic analysts.

Kevin leveraged the process VAD scanner API in Volatility along with custom Yara rules to locate signatures related to the cached LastPass credentials. Currently the plugin focuses on IE, Chrome, and FireFox, however Kevin plans to test additional browsers, extend support to additional password managers, and implement unified output so the data can be consumed/post-processed by other applications easily.

Kevin's Twitter: @kevthehermit
Kevin's Website: https://techanarchy.net

3rd: Dima Pshoul: Advanced Malware Hunter's Kit

In Dima's own words, he is a "long time Volatility user who wanted to contribute to the framework and also improve it by writing unique and powerful plugins." Mission accomplished! The "Advanced Malware Hunter's Kit" includes plugins for reconstructing call stacks, detecting hollowed processes, finding malicious threads via code executed from dynamically allocated addresses, and locating injected code regions by analyzing return addresses on the stack.

Dima did a great job analyzing the current plugins in the Volatility Framework (namely malfind) and the associated weaknesses that malware can exploit to trick investigators. Conceptually, the techniques Dima introduced in his plugins will be invaluable supplements for detection of malware hiding in memory.

Dima's GitHub: https://github.com/papadp

4th: Mariano Graziano: ROPEMU (ROP Payload Analysis)

ROPMEMU is a framework for analyzing return-oriented programming (ROP) payloads. It includes two Volatility plugins. The first plugin, ropemu, emulates a ROP payload gadget-by-gadget and produces a JSON trace of the affected machine state. The second plugin, unchain, transforms ROP gadget sequences into simplified non-ROP code for easier analysis and understanding. The plugins leverage the Unicorn emulator and the Capstone disassembler. In addition to the Volatility plugins, several interesting "helper" utilities are also included.

In addition to the Volatility plugins, Mariano also published an academic paper on his work and has presented it at conferences, undoubtedly inspiring countless other researches.

Mariano's AsiaCCS Slides: ROPMEMU_final.pdf
Mariano's Twitter: @emd3l
Mariano's Blog Post at Cisco Talos: http://blog.talosintel.com/2016/06/ropmemu.html
The Project's GitHub: https://github.com/vrtadmin/ROPMEMU
Mariano's GitHub: https://github.com/emdel

4th: Mariano Graziano: Linux Kernel Symbol Finder

Mariano's ksfinder is a standalone Python script to retrieve exported kernel symbols from Linux physical memory dumps. The script is useful in a scenario in which the analyst does not have a Linux profile and cannot create it (for example, the suspect system was reformatted after memory collection, you simply no longer have access to it, you couldn't obtain the kernel headers, etc). In those cases, ksfinder recreates (or partially recreates) the System.map file by parsing the __ksymtab_strings and __ksymtab of the Linux kernel image (aka vmlinux) solely from the memory sample.

Although the script is not technically a Volatility plugin, it can easily be imported or integrated with Volatility plugins to alleviate one of the biggest issues analysts face with regards to memory forensics of Linux systems.

Mariano's Twitter: @emd3l

5th (tie): Bart Inglot: RDP Key Extraction and Replay

The rdpkeys plugin extracts RC4 and SSL keys from a memory image that can be used for RDP replay. The keys are automatically converted into PEM format, but can be also saved in the native format (referred to as PVK). Bart also included instructions to decode an RDP session with WireShark using the SSL key extracted by the plugin, and examples of when the extraction works and when it can fail.

Bart's plugin makes excellent use of Volatility's APIs. For example, he leveraged the Registry API to recover LSA Secrets, and on platforms that require it - he used the Cached File APIs to recover the DPAPI Master Keys and SSL Private Keys. We also found it very valuable to see examples of using the Python DPAPI module to perform decryption based on resources found in memory - this will undoubtedly serve as a template for various other plugins in the future.

Bart's Writeup: BartInglot_RdpKeys.pdf
Bart's submission: rdpkeys.py
Bart's Twitter: @BartInglot

5th (tie): Thomas White: FileVault2 & Bitlocker Key Recovery

Thomas White's two FVE plugins are aimed at helping investigators recover the necessary keying information for decrypting/unlocking disks. In particular, the Bitlocker plugin targets recent versions of Microsoft Windows and recovers the FVEK, cipher information, and TWEAK key. One of the most impressive aspects of this plugin is the research and documentation that goes along with it. Thomas recorded the steps he took when live debugging the Windows kernel to identify differences in key storage locations starting with Windows 8. This is an extremely valuable tutorial on how Volatility plugins come to life, especially those that access undocumented structures and memory regions.

Likewise, the FileVault2 plugin targets Mac OSX and has even been tested on Sierra (10.12). The write up below includes a short tutorial on mounting the evidence with extracted master keys using fvdemount.

Thomas' Post on FileVault: extracting-filevault-2-keys-with-volatility
Thomas' Twitter: @triblchkn


The following submissions appear in the order they were received. As previously mentioned, these developers deserve huge props. We look forward to seeing future work by these authors!


Aim4r: VolDiff Memory Diffing and Malware Identification

VolDiff is a python script that leverages Volatility to identify malware artifacts in Windows 7 memory samples. It not only helps automate Volatility plugin execution but it also provides numerous built-in checks for suspicious artifacts typically associated with malware. Examples include child/parent process relationships, process sessions, execution paths, interesting imported APIs, suspicious strings, etc. Most of the checks are based on the output of Volatility plugins such as pslist, psscan, dlllist, impscan, and malfind. Analysts can easily extend the heuristics by editing regular expressions in the configuration area of the tool.

VolDiff also provides the ability to highlight the differences between a sample taken before and after malware execution. This can help an analyst rapidly triage the types of changes the malware may have made to the system. VolDiff helps automate common analysis techniques used by malware investigators.

Aim4r's Twitter: @aim4r
Aim4r's GitHub: https://github.com/aim4r
Example analysis: Memory-Analysis-of-DarkComet-using-VolDiff

Marcin Ulikowski: Bitlocker Key Recovery

This plugin finds and extracts Full Volume Encryption Key (FVEK) from memory dumps and/or hibernation files. This allows rapid unlocking of systems that had BitLocker encrypted volumes mounted at the time of acquisition. Architecturally, the plugin scans for BitLocker cryptographic allocations (memory pools) in virtual memory, covering both 32- and 64-bit systems running Windows Vista through Windows 8.1 (support for Windows 10 is in progress). Marcin notes that Windows 8 and newer use the Cryptography API: Next Generation (CNG), so the pool tags are different than previous versions. We found Marcin's AES key schedule validation routines particularly useful (to avoid false positives) in addition to his documentation on how to use bdemount to decrypt protected resources.

Marcin's Twitter: @elceef

Hemant Kumar and Sajeev Nair: Windows MemDiff Forensic Tool (WMDF)

This Windows GUI tool provides a front end to extracting memory related artifacts with Volatility. Additionally, analysts can compare those collected artifacts with a whitelisted artifacts database (generated by running the tool against a baseline system) of their choice. This comparison points out the changes made by malware on the system, helps provide analysts with crisp and low level information, and decreases the area of investigation an analyst needs to manually review.

WMDF Submission: https://goo.gl/XC177B
WMDF Documentation: WMDF.pdf
Hemant's Twitter: @hemantxcode
Sajeev's Twitter: @nairsaj

Nichlas Holm: Network Packets, IP/MAC, ARP

This submission, networkpackets, is a Volatility plugin for extracting network packets (IPv4 and ARP) out of memory samples. The plugin provides the ability to quickly identify memory-resident network packets, and based on those packets provides an analyst with context about the network environment. This context includes information about the IP/MAC address of the system, the network gateway, and an overview of other systems in the same network. Extracted packets are exported into PCAP format, which enables analysis with traditional network analysis tools.


Stanislas 'P1kachu' Lejay: Auto-Profile Detection

P1kachu addresses a real problem (OS and profile detection) that Volatility users frequently face with his profilescan plugin. This plugin uses a pattern-matching approach to infer the operating system of a target memory image. It then calls the corresponding OS-specific profile detection plugin. Since Volatility does not provide such a plugin for Linux images, the authors also developed a helpful a uname scanner plugin, linuxgetprofile, which also outputs details on the kernel and compiler versions.

We're confident that P1kachu's plugin and associated methodologies can become a critical piece in many investigators initial workflows, saving them valuable time and avoiding a lot of the typical "guess work" that has traditionally been done.

P1kachu's GitHub: https://github.com/P1kachu
P1kachu's Website: http://p1kachu.pluggi.fr
Post on ProfileScan: volatility-profile-finder

Martin Korman: VolatilityBot Malware Detonation Framework

VolatilityBot provides a modular malware "detonation" architecture that helps automate many of the manual and repetitive tasks associated with malware analysis. This includes the extraction of malicious binaries and any associated code injections or related artifacts (strings, IP address, etc.) that may be created during execution. Once the suspicious code has been extracted, it also provides numerous post-processing modules to help identify behavior patterns in the code and prepare the extracted code for in-depth static analysis. Finally, VolatilityBot also provides a number of capabilities for automated heuristic analysis and triaging memory samples at scale.

Martin's Twitter: @MartinKorman
Martin's VB 2015 Slides: Korman-VB2015.pdf
Martin's Code Repository: https://github.com/mkorman90/VolatilityBot

James Hall and Kevin Breen: USBStor

The USBStor plugin scans registries for values relating to USB devices plugged into the system under investigation. Instead of the analyst needing to manually analyze each registry hive (USBSTOR, USB, MountedDevices etc.) the plugin will return all available information about previously connected USB devices in an easy to digest, collated format. This greatly decreases analysis time and ensures no mistakes are made and no information is overlooked. The plugin's output contains details such as USB serial number, vendor and product info, container ID, mounted volume name, drive letter, USB friendly name, the last connection timestamp, and more.

James' Website: https://ducktoolkit.com
James' Twitter: @411hall

Tyler Halfpop: FindEvil Malware Analysis Automation 

The FindEvil project, along with its two new Volatility plugins, findevilproc and findevilmem, provide for automated extraction of executables (applications, DLLs, and kernel drivers) from memory as well as calculation of several attributes of interest to investigators – Virus Total scores, entropy calculations, Yara-based detections, and whether the executable is digitally signed or not. Leveraging these plugins, investigators can quickly find the "evil" executables that are active on a system being investigated and immediately focus their analysis on them.

Tyler's Twitter: @tylerph3

Tran Vien Ha: Open Source Intelligence & MISP Integration

The osint plugin submits URLs or IP addresses found in a memory sample to open source intelligence platforms. Data is submitted using a SOCKS proxy, generally Tor, to provide a degree of anonymity. osint currently supports Blue Coat, Virus Total, and MISP. Your data sources and respective API tokens are stored in a configuration file, and a text file allows you to whitelist commonly seen domains.

The author also contributed an HTML plugin using JQuery for rendering tree views (such as pstree), which is quite handy.

Tran's GitHub: https://github.com/tranvienha


Here are a few additional resources regarding previous contests and community-driven plugins:


Volatility Foundation Contest Home Page: http://www.volatilityfoundation.org/contest

Volatility 2015 Plugin Contest Results: http://www.volatilityfoundation.org/2015
Volatility 2014 Plugin Contest Results: http://www.volatilityfoundation.org/2014-cjpn
Volatility 2013 Plugin Contest Results: http://www.volatilityfoundation.org/2013-c19yz

Volatility Community GitHub Repository: https://github.com/volatilityfoundation/community

Thursday, September 29, 2016

Volatility Update: Core team is growing!


Next year marks the 10-year anniversary of the first public release of Volatility! This would not have been possible without the friendship and support of the amazing Volatility Community.  One of the original goals of Volatility was to create a project that would help bring together technical talent in the forensics and incident response communities. We also wanted to create a unifying framework that would bring together academics, practitioners, government, and law enforcement from around the world. A platform where the latest cutting edge research being presented at the top academic security conferences could be immediately transitioned into the hands of digital investigators.  In celebration of the past 10 years, we have a number of exciting things planned for 2017.  Along those lines, you may have noticed on the mailing list or on github that the Volatility Core development team is continuing to expand.

For those who have been part of the Volatility Community since the beginning, I’m excited to say that Dr. Nick Petroni has rejoined the team. Nick’s pioneering academic research laid the groundwork for much of the modern work in memory analysis.  He was also one of the original developers of Volatility and his design decisions continue to provide the foundation upon which most modern tools are based.  Similarly, I’m also excited to introduce Anthony Colatrella.  Anthony is one of the best computer scientists I’ve had the pleasure to work with.  During his career, he has focused his time on operating system and security development, including contributions to SELinux.  Both Nick and Anthony are working on a number of impressive projects and I’m sure you will see more of them in the coming months.

Wednesday, August 10, 2016

Malware and Memory Forensics 2017 Schedule (Now with Linux, Mac, and Surge Collect Pro)

Our most popular training course just got even better! We're happy to announce the curriculum for Malware and Memory Forensics by The Volatility Project now includes the following:
  • Linux and Mac OS X memory analysis
  • Windows memory acquisition with Volexity Surge Collect Pro
  • Several new and challenging hands-on labs based on high profile, real world incidents
We currently have 5 MMF courses open for registration, including our first wave of events in 2017. Registrants of all classes will receive a free copy of The Art of Memory Forensics in hard/paper or electronic (eBook, Mobi, or PDF) format.

2016

August 29th - September 2nd, 2016 in Amsterdam (**nearly sold out)
October 3rd - 7th, 2016 in Herndon, VA (**nearly sold out)

2017

April 3rd - 7th, 2017 in Herndon, VA
September 18th - 22nd, 2017 in London, UK (**our first UK class in 3 years)
October 16th - 20th, 2017 in Herndon, VA

Starting with the 2017 courses, we're offering discounts on Volexity Surge Collect Pro (for Windows) at the time of registration. For more information on this package deal, see our Memory Forensics Training FAQ.

If you're interested in attending, contact us. We look forward to meeting and training with everyone!