Tuesday, August 25, 2015

Volatility Updates Summer 2015

Summer 2015 has been quite a busy time for the memory forensics community. We wanted to write a quick update to talk about some recent events and research as well as upcoming news.


Black Hat Vegas 2015

We wanted to again thank everyone who came out and supported us during Black Hat. Between our Arsenal demo, book signing, and party, we met hundreds of Volatility users and fans. Your support and enthusiasm is greatly appreciated. Come back next year for twice the champagne, twice the suite size, and twice the fun!

HTCIA International Conference (Orlando) 

We're putting on a lab session at HTCIA's International Conference in Orlando next week. You can also stop by the Volexity booth for a chance to win a free seat at any upcoming Windows Malware and Memory Forensics Training course.

Open Source Digital Forensics Conference (OSDFC) 2015

The Volatility team will once again be presenting the latest in memory forensic research at OSDFC 2015. This year we will be focusing on the anti-forensic capabilities of PlugX as well as new Volatility capabilities that can auto-detect them. We will also be discussing the results of the 2015 Volatility Plugin contest. 

OSDFC has a great lineup this year so you should try and attend. We hope to see many Volatility users while we are out there.


A New Paper on OS X Memory Forensics

At DFRWS 2015, Dr. Golden Richard and I published a paper on OS X memory forensics entitled: Advancing OS X Rootkit Detection. The purpose of this paper was to document gaps in existing OS X rootkit detection techniques and then develop new methods, in the form of Volatility plugins, to close these gaps. The plugins introduced in the paper will be committed to GitHub in the coming weeks.

DFRWS had a number of good submissions this year, and we recommend browsing the program for other interesting forensics research.

Volatility vs Hacking Team

The malware used by Hacking Team to control victim's computers is known as Galileo RCS, and in a well done blog post, Joe Greenwood shows how to use Volatility to detect RCS in a number of ways.

RCS now joins a long list (Stuxnet, Careto, Flame, and more) of 'advanced', 'stealthy' malware that immediately falls to inspection by memory forensics.

Volatility at PyCon

At PyCon 2015, Ying Li showed how to use newly developed Volatility capabilities in order to find artifacts of Python scripts that were executing on the system. This was very interesting work, and we suggest watching the video of her talk.

Projects Building on Volatility


VolDiff is a project that compares the results of a number of Volatility plugins against two memory samples and automatically the reports the differences. Compared to manually running and comparing the plugins, this can save a substantial amount of time.

The purpose of VolDiff is to compare in-memory artifacts both before (clean state) and after (post-install state) an application, such as a malware sample, has executed. The new artifacts that appear post-installation can be immediately isolated for further analysis and/or for the creation of highly-effective IOCs.

If you wanted to get started with VolDiff then you should read the author's post on analyzing DarkComet with VolDiff.


Evolve is an open source web interface to Volatility. It is under very active development and is constantly having new features added. Consult the README on GitHub for the latest features, and be sure to follow the tool's author on Twitter.

To see Evolve in action, check out a video showing the basic features here and advanced features here.

As much as we love the command line, it is sometimes nice to have a GUI visualize and shuffle data for you!

Plugin Contest

The 2015 Volatility Plugin Contest is underway and accepting submissions until October. The contest is a great way to win cash and other prizes, gain recognition in the community and become more familiar with Volatility and Python. We feature the research submitted to the contest on this blog, during conferences, presentations, and all throughout social media and our mailing lists.

New Volatility Capabilities

Windows 10 Support

While not merged in the official Volatility branch (yet), the Windows 10 branch is currently under active development. Nearly all of the plugins are working at the current time, and we would be very appreciative of any bug reports you may have when testing the branch. Please post any bugs to the GitHub issue tracker. Currently supported functionality includes process and kernel module listing, all pool scanning plugins (files, mutexes, processes, drivers, etc.), handles, DLLs, PE file extraction, process memory (VAD) parsing, service enumeration, cached file extraction, and memory signature scanning with Yara.

OS X 10.10.x Support and New Plugins

Volatility now has official support for OS X 10.10.4 and 10.10.5, which are the latest two versions. We have also tested Volatility on a preview release of 10.11, and it appears that all of the plugins work as expected. We will release an official profile for 10.11 once Apple releases debug kits (we are currently using special custom built profiles).

Volatility also has a new plugin named mac_get_profile. This plugin allows Volatility to auto-detect which profile (OS version) matches the given memory sample. To use this plugin you do NOT need any OS X profiles installed. Instead, you can run a fresh checkout of Volatility, determine the profile by using mac_get_profile, and then download the correct profile from our profiles repository.

To use mac_get_profile, simply pass the path to your memory sample as the -f option and then put mac_get_profile after it:
$ python vol.py -f <path to memory sample> mac_get_profile


Volatility Linux support has now been tested through kernel version 3.19. As many of the data structures do not change between versions, we expect that most or all of the plugins will work with bleeding edge developments kernels as well. Please file an issue if you encounter any bugs.

Memory Forensic Trainings

Our memory forensics training class in Amsterdam is now SOLD OUT.  We appreciate the support and word of mouth praise from past attendees as well as fans of the project.

Our current course is 5 days of memory forensics and malware analysis training against Windows systems. Full information on the course, as well as upcoming dates and locations, can be found here. If our current set of public offerings does not work for your company then please contact us about conducting a private training at one of your facilities.

Saturday, August 1, 2015

Recovering TeamViewer (and other) Credentials from RAM with EditBox

I recently stumbled upon the TeamViewer-dumper-in-CPP project, which shows just how easy it is to recover TeamViewer IDs, passwords, and account information from a running TV instance by enumerating child windows (on a live machine). The method is based on sending a WM_GETTEXT message to the TV GUI controls that contain the credentials. In particular, we're looking for the two fields under the "Allow Remote Control" heading (Your ID: 567 744 114 and Password q16jp7).

The equivalent of TeamViewer-dumper for memory forensics analysts is Adam Bridge's EditBox plugin for Volatility. Adam's submission won 3rd place in last years Volatility Plugin Contest, but I still feel like many people don't realize the full potential of this plugin. While TeamViewer-dumper is specific to TV, the EditBox plugin recovers text from editbox controls for all applications (that depend on Microsoft Common Controls) across all user sessions (local or remote via RDP/VNC), even for "special" editboxes that contain passwords and show up as asterisks on the screen.

Here's an example of the editbox plugin's output when TV is running:

$ python vol.py -f memory.dmp --profile=Win7SP1x64 editbox Volatility Foundation Volatility Framework 2.4 41 processes to check. ******************************************************* Wnd context : 1\WinSta0\Default Window title : - pointer-to tagWND : 0xfffff900c062b510 [0x67dc6510] pid : 2524 imageFileName : TeamViewer.exe wow64 : Yes atom_class : 6.0.7601.17514!Edit address-of cbwndExtra: 0xfffff900c062b5f8 [0x67dc65f8] value-of cbwndExtra : 4 (0x4) address-of WndExtra : 0xfffff900c062b638 [0x67dc6638] value-of WndExtra : 0x46e0480 [0x67302480] pointer-to hBuf : 0x46af000 [0x67e28000] hWnd : 0x10228 parenthWnd : 0x1020a nChars : 6 (0x6) selStart : 0 (0x0) selEnd : 0 (0x0) text_md5 : 7a62c5fa901ff86a1562b9c7075674f8 isPwdControl : No q16jp7 ******************************************************* Wnd context : 1\WinSta0\Default Window title : - pointer-to tagWND : 0xfffff900c062b150 [0x67dc6150] pid : 2524 imageFileName : TeamViewer.exe wow64 : Yes atom_class : 6.0.7601.17514!Edit address-of cbwndExtra: 0xfffff900c062b238 [0x67dc6238] value-of cbwndExtra : 4 (0x4) address-of WndExtra : 0xfffff900c062b278 [0x67dc6278] value-of WndExtra : 0x46a0f98 [0x689d7f98] pointer-to hBuf : 0x46bf390 [0x6769d390] hWnd : 0x10224 parenthWnd : 0x1020a nChars : 11 (0xb) selStart : 0 (0x0) selEnd : 0 (0x0) text_md5 : b45dfe635940d5490276a5ae41e1422f isPwdControl : No 567 744 114 ******************************************************* Wnd context : 1\WinSta0\Default Window title : - pointer-to tagWND : 0xfffff900c0631a50 [0x552cea50] pid : 2524 imageFileName : TeamViewer.exe wow64 : Yes atom_class : 6.0.7601.17514!Edit address-of cbwndExtra: 0xfffff900c0631b38 [0x552ceb38] value-of cbwndExtra : 4 (0x4) address-of WndExtra : 0xfffff900c0631b78 [0x552ceb78] value-of WndExtra : 0x4781678 [0x6648b678] pointer-to hBuf : 0x46fac80 [0x68493c80] hWnd : 0x801aa parenthWnd : 0x70186 nChars : 15 (0xf) selStart : 0 (0x0) selEnd : 0 (0x0) text_md5 : 2cbe388f82d11af92a8d4950e24db799 isPwdControl : No WIN-948O8I1DO91 [snip]
As you can see, the ID, password, computer name, and various other fields are recovered. This is a powerful way to reconstruct the state of the user interface from memory. Although technically you could also find the values by brute force string scanning in process memory, but there's no need to brute force when you can use a structured, focused approach. Kudos to Adam for creating such a useful extension to last year's plugin contest.