Thursday, October 31, 2013

2014 Malware and Memory Forensics Training Schedule Part 2

The Volatility Team would like to announce that our first public training on the East Coast for 2014 will take place in New York City on May 5th - 9th, 2014.

Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda)

To request a link to the online registration site or to receive a detailed course agenda/outline, please send an email voltraining [[ at ]]

We have some more feedback from our Amsterdam class to share with you:

"An excellent technical malware course, highly recommended!" - Tom (Price Waterhouse Cooper)
"I find I have much more ways of success in my work with malware analysis.  Volatility is a great tool, keep up the good work!!!" - Goran (CERT-SE)
 "Great contents, expert teachers, hands on examples" - Boudewijn (NCSC-nl) 
 "It was great experience and mind blowing info.  The thing I appreciated the most were the graphics to help with visualisation and putting the Windows internals info in a goal and purpose view." - Anonymous 
"I think this is a really nice course and the best course I have had so far" -  Monnappa (Cisco)

As always, we constantly update our course materials and this course will include new modules on Windows 8 and structured memory analysis of TrueCrypt.These represent some of the latest advances in memory forensics, and by taking the class you can be among the first to learn the new skills firsthand.

This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework's extensive set of plugins. Now you can learn about these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool.

If studying in the "Big Apple" doesn't suit you remember that we also have offerings in San Diego, CA (January 20th - 24th) and London, UK (June 9th - 13th) in 2014!

Friday, October 25, 2013

Volatility 2.3 Released! (Official Mac OS X and Android Support)

The Volatility Foundation is thrilled to announce the official release of Volatility 2.3! While the main goal of this release was Mac OS X (x86, x64) and Android Arm support, we also included a number of other exciting new capabilities! Highlights of this release include:

Mac OS X:
    * New MachO address space for 32-bit and 64-bit Mac memory samples
    * Over 30+ plugins for Mac memory forensics

    * New ARM address space to support memory dumps from Linux and Android devices on ARM hardware
    * Plugins to scan Linux process and kernel memory with yara signatures, dump LKMs to disk, and check TTY devices for rootkit hooks
    * Plugins to check the ARM system call and exception vector tables for hooks

    * New plugins:
        - Parse IE history/index.dat URLs
        - Recover shellbags data
        - Dump cached files (exe/pdf/doc/etc)
        - Extract the MBR and MFT records
        - Explore recently unloaded kernel modules
        - Dump SSL private and public keys/certs
        - Display details on process privileges
        - Detect poison ivy infections
        - Find and decrypt configurations in memory for poison ivy, zeus v1, zeus v2 and citadelscan

    * Plugin Enhancements:
         - Apihooks detects duqu style instruction modifications
         - Crashinfo displays uptime, systemtime, and dump type
         - Psxview plugin adds two new sources of process listings from the GUI APIs
         - Screenshots plugin shows text for window titles
         - Svcscan automatically queries the cached registry for service dlls
         - Dlllist shows load count to distinguish between static and dynamic loaded dlls

New Address Spaces
    * VirtualBox ELF64 core dumps
    * VMware saved state (vmss)
    * VMware snapshot (vmsn) files
    * FDPro's non-standard HPAK format
    * New plugins: vboxinfo, vmwareinfo, hpakinfo, hpakextract

We also wanted to take this opportunity to recognize those on the development team who's continued dedication to open source forensics and the Volatility community has made this release possible: Mike Auty, Andrew Case, Michael Hale Ligh, Jamie Levy, and AAron Walters. These people volunteer their time and skills to bring you the most advanced and innovative memory forensics framework in the world! If you appreciate the hard work they put into Volatility, I encourage you help defend the rights of open source developers and support developer endorsed events! Finally, shoutz to the Volatility Community for their continued support and feedback! In particular, the following members of the Volatility Community made significant contributions to this release:

    - Cem Gurkok for his work on the privileges plugin for Windows
    - Nir Izraeli for his work on the VMware snapshot address space (see also the vmsnparser project)
    - @osxmem of the volafox project (Mac OS X & BSD Memory Analysis Toolkit)
    - @osxreverser of for his help with OSX memory analysis
    - Carl Pulley for numerous bug reports, example patches, and plugin testing
    - Andreas Schuster for his work on poison ivy plugins for Windows
    - Joe Sylve for his work on the ARM address space and significant contributions to linux and mac capabilities
    - Philippe Teuwen for his work on the virtual box address space
    - Santiago Vicente for his work on the citadel plugins for Windows

If you want to learn more about Volatility 2.3 or just hang out with the Volatility development team, I encourage you to register for the Open Memory Forensics Workshop 2013.  Please register quickly, we will be ending registration by COB Friday, October 25 (Today). There have been a couple last minute cancellations, so you may still have a chance to reserve a seat!

Thursday, October 10, 2013

Sampling RAM Across the (EnCase) Enterprise

One thing that people may or may not realize is that you can mount memory with EnCase and use Volatility directly against the mounted memory "file". This can be especially useful for checking your enterprise for infected machines in order to narrow your focus. This is a quick post on how to accomplish this.

NOTE: One of the most common questions we receive is how to process memory that has been acquired with EnCase (EWF format). Volatility has an address space to work with EWF format, however it requires the installation of libewf, which some people have trouble installing on Windows. It is worth noting that everything in this blog can be used in order to process memory samples that were acquired or saved in EWF format. These samples must have been saved as "RAM" and not as a disk image, otherwise EnCase will not mount it correctly. (This can happen if a raw sample was reacquired with the incorrect type.)

Accessing RAM

First you need to connect to the machines of interest, either using EnCase Enterprise (EE) or some kind of hybrid approach (OK, if you're using the hybrid approach, you probably don't even need EnCase, unless you are using EnScripts or keyword searching etc). For EE, make sure that you click the "Physical Memory" checkbox before connecting to each of the machines.

At this point, you should have a list of all the items available from those machines that you can pull back (RAM and Disks). You can choose the items that you want to preview. Below you can see that I have selected one machine's RAM:

After you have pulled back all devices, you will see them in the pane on the left. Below you can see a disk image and two RAM samples, in this case one from a live machine and one acquired sample. You can, however, pull back several RAM and disk previews with EE. (I'm just giving you an example, since I don't currently have EE with which to create nice screenshots).

Mounting Memory Using VFS

EE or EnCase Forensic (EF) with the VFS/PDE modules (or EF v7) all have the ability to mount disk and RAM in a way that can be accessed by the local machine. This is accomplished through EnCase's Virtual File System (VFS) module. You can mount all RAM samples and disk images from live machines or evidence files as a network share. In order to do so, you have to mount at the case level and not one piece of evidence at a time. To do so, right-click on "Entries" in the left pane and choose "Mount as Network Share..." from the menu:

At this point, you will be presented with options for mounting the share. Pick the options most appropriate for you:

Once you hit "OK" you will see a message box that states where the evidence was mounted:

You may or may not receive a warning from Windows firewall, if so, allow EnCase access

At this point you can explore to the share and process as desired. You can even share out and process with a linux machine if you so wish. If you have mounted several items, they will be contained inside their own separate folder. Disk images will look as you would expect on a Windows system and RAM is exposed as a "file" called "PhysicalMemory".

You can run Volatility over this exposed PhysicalMemory file as you would any other memory sample. This can be useful for triage or "sampling" of a machine without having to pull back the entire memory, which can be quite large. Plus you can script out Volatility to run over every memory sample that is mounted at once. The caveat of course is that you are interacting with the machine and therefore changing its state. You might overwrite evidence as you process the memory live. This is something that you have to consider in your IR plan and outside the scope of this tutorial.

To unmount, simply double-click "Virtual File System" in the bottom right-hand corner and choose "Yes" and "OK".

I hope you have enjoyed this brief tutorial. If you have any questions, feel free to send me an email or find me on twitter (@gleeda).