Tuesday, May 27, 2014

Volatility - Update All The Things

The Art of Memory Forensics

Our book is cleared for release at the Black Hat USA conference this August. You can preorder hard copies and Kindle editions on Amazon now. Huge thanks to our publisher, Wiley, for allowing us to exceed 900 pages after we initially estimated 650...without raising the price of the book.

Malware and Memory Forensics Training

Corey Harrell (@corey_harrell) shared a few words about his recent experience in our training class on his blog (not to mention a really nice analysis of using timelines to analyze malware infections). 
The training is not just about a single memory forensics tool named Volatility. The training goes in-depth in numerous topics including Windows internals, malware reversing, Windows data structures, how those structures are parsed, and bypassing encryption. I was looking for an in-depth course and I found it with Volatility. It walks you through exploring the Windows internals, the structures, how they can be parsed, and then actually doing it in labs. This layout results in knowing not just how to use tools for memory forensics but understanding what they are doing and what they are supposed to be doing. To top it off, the content is put into context as it relates to Digital Forensics and Incident Response (DFIR). All in all, it was a great training and I highly recommend it to anyone looking to get more memory forensics knowledge and skills.
To see what other people think about the class, see our testimonial page. Upcoming training events include:
Contact us at voltraining [at] memoryanalysis.net or leave a note on the web form for information on how to register.

KnTTools / KnTDD Memory Acquisition

We've partnered with GMG Systems, Inc. to promote what we believe is the most reliable, robust, and full featured memory acquisition software available. A few important notes accompany this announcement:

  • This offer applies to those who participate in our training course. If you are not an alumnus of, or currently registered for, one of our classes, please contact GMG Systems, Inc. directly.
  • You must supply either an X.509 certificate or PGP key for encrypted delivery of the software. 
  • GMG Systems, Inc. reserves the right to refuse orders. 
Once we get KnTTools into the hands of more investigators, we're confident the number of "HELP, my memory dump is corrupt!" situations will decrease. If you know what we mean, it's probably time you start using KnTTools.

The Volatility Foundation 

We've launched a new website for The Volatility Foundation, an independent 501(c)(3) (pending) non-profit organization that maintains and promotes open source memory forensics with The Volatility Framework.

2014 Volatility Plugin Contest 

The contest has begun! You can find official rules and documentation on the contest's homepage. This is the 2nd annual contest where you get to show off your creativity and design skills, win cash prizes, and contribute to open source memory forensics software (while retaining all rights to your code). Submissions are due no later than September 1, 2014.

Volatility 2.4 Release Coming Up

If you've been looking forward to the next Volatility release, you're not alone! We've been working on the 2.4 code base and we expect it to be available on or before the date our book starts shipping. There are 30-40 (lost count at this point) new plugins just for Linux and Mac, not to mention some really awesome new capabilities for Windows. In fact, just yesterday we added the ability to extract cached TrueCrypt passphrases from Linux memory dumps.

$ python vol.py --profile=LinuxUbuntux86 \
        -f memory.lime
Volatility Foundation Volatility Framework 2.4 (Beta)
Process          Pid      Address    Password
---------------- -------- ---------- --------
truecrypt            5724 0x09277a24 password123
truecrypt            5724 0x092c4b4c password456
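
To make concrete what "cached passphrase" means in memory, here is an added example (not part of the original post and not the Volatility plugin's own code) that scans a block of process memory for candidates matching the layout of TrueCrypt's `Password` struct from Common/Password.h: a 32-bit little-endian `Length`, then `Text[MAX_PASSWORD + 1]` holding `Length` printable bytes followed by a NUL, then three pad bytes. The sample heap bytes are constructed inline; the 4-byte scan step, the requirement that the unused remainder of `Text` be zero, and the base address 0x09277000 are assumptions made for this illustration, not facts stated on the page.

```python
import struct
import string

# TrueCrypt Common/Password.h (assumed layout, x86 little-endian):
#   unsigned __int32 Length;
#   unsigned char Text[MAX_PASSWORD + 1];   // NUL-terminated
#   char Pad[3];
MAX_PASSWORD = 64
TEXT_SIZE = MAX_PASSWORD + 1
PASSWORD_STRUCT_SIZE = 4 + TEXT_SIZE + 3      # 72 bytes

# Printable ASCII minus whitespace control characters (a space is allowed).
_PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def find_truecrypt_passwords(mem, base=0, step=4):
    """Return [(address, passphrase), ...] for every offset in `mem` that
    looks like a populated TrueCrypt Password struct.

    Heuristic: Length in 1..MAX_PASSWORD, exactly Length printable bytes in
    Text, a NUL right after them, and the rest of Text zero (assumed for a
    freshly filled struct; this drops most random false positives).
    `step` of 4 assumes the struct sits 4-byte aligned on the heap.
    """
    hits = []
    last = len(mem) - PASSWORD_STRUCT_SIZE
    for off in range(0, last + 1, step):
        (length,) = struct.unpack_from("<I", mem, off)
        if not 1 <= length <= MAX_PASSWORD:
            continue
        text_start = off + 4
        text = mem[text_start:text_start + length]
        if mem[text_start + length] != 0:          # must be NUL-terminated
            continue
        if any(b not in _PRINTABLE for b in text):
            continue
        tail = mem[text_start + length + 1:text_start + TEXT_SIZE]
        if any(tail):                               # unused buffer bytes should be zero
            continue
        hits.append((base + off, text.decode("ascii")))
    return hits


def build_sample_heap():
    """Constructed sample heap region (not from a real dump): two valid
    Password structs separated by filler, plus one decoy containing a
    control byte that must be rejected."""
    def password_struct(text):
        return (struct.pack("<I", len(text))
                + text + b"\x00" * (TEXT_SIZE - len(text))
                + b"\x00" * 3)

    heap = b"\x00" * 16
    heap += password_struct(b"password123")
    heap += b"A" * 20                               # reads as Length 0x41414141: rejected
    heap += struct.pack("<I", 5) + b"ab\x01cd\x00" + b"\x00" * (TEXT_SIZE - 6 + 3)
    heap += password_struct(b"password456")
    return heap


if __name__ == "__main__":
    for addr, passphrase in find_truecrypt_passwords(build_sample_heap(), base=0x09277000):
        print("0x%08x %s" % (addr, passphrase))
```

On a real dump the same scan would run over the heap VMAs of the `truecrypt` process rather than a constructed buffer, and the address column in the plugin output above is the kind of value `base + off` reproduces here.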