Newsfeeds

Volatility
  • Volatility Plugins: Taking Screenshots from Memory

    Many of you may have seen Moyix’s video demonstrating how you can use Volatility to reconstruct a Windows desktop from a sample of physical memory. He has finally decided to release his plugins for extracting information about on-screen windows. He also shows “screenshots” from two public memory samples. Shoutz to Moyix!

    I’m privileged to work with such an amazing team of innovators…not imitators (new T-shirt? ;). Doesn’t there seem to be a lot of activity related to Volatility development recently? I wonder……



  • REMnux: A Linux Distribution for Reverse-Engineering Malware

    Lenny Zeltser recently released REMnux, a lightweight Linux distribution based on Ubuntu, which provides a platform to assist in reverse-engineering malicious code. The memory forensics capabilities of the platform are built on The Volatility Framework.  Shoutz to Gleeda for sending the link!



  • New Volatility Plugin: Robust Process Scanner

    For those who may have missed it, moyix recently decided to release a robust process scanner, psscan3. This plugin was originally developed in conjunction with a research project focused on building “Robust Signatures for Kernel Data Structures”, which he presented at CCS 2009. Similar to its predecessors, the psscan3 plugin scans the physical address space looking for memory-resident data structures associated with processes. In this project, moyix leveraged a novel operating system fuzzing infrastructure, built with Volatility, to develop signatures for kernel data structures that rely on “essential” or “robust” members. Unlike the members used by previous signatures, these “essential” members cannot be modified without causing the system to enter an unstable state, so they are harder for an attacker to systematically manipulate.

    It’s pretty amazing that most of Volatility’s plugins and architecture are supported by peer-reviewed and published research. As others have found, this can be extremely useful if you are ever called upon to present scientific evidence in court. Shoutz to moyix!



  • A Volatile Challenge: Finding THE APT (Advanced Persistent Threat) at the 2010 Digital Forensics and Incident Response Summit

    If you happen to be one of the few people who does not get inundated by SANS spam, you are probably blissfully unaware that next week is the 2010 Digital Forensics and Incident Response Summit. You will also be disappointed to learn that this year the Order of Volatility (OOV) has respectfully declined all invitations to participate. While we believe that the Digital Forensics and Incident Response Summit has the potential to be a great forum, there are a number of disturbing trends which we hope SANS will eventually address. Until that happens, it will continue to be just another forensics venue for furthering the agenda of a particular company (look at which vendor has been disproportionately represented each year). If you are interested in a vendor-neutral forum, we recommend you consider attending Richard Bejtlich’s Incident Detection Summit.

    It should come as no surprise, given the vendor involved, that a major theme of this year’s Summit is the Advanced Persistent Threat (APT). While the underlying threats (Persistent External Targeted Threats (PETTs)) are real and have been plaguing organizations for a long time, they have recently garnered a lot of attention, in part because of aggressive marketing campaigns by companies who want to sell you “the APT solution”. Unfortunately, the way that certain vendors are characterizing the threat is creating a mentality of paralysis. This paralysis is a serious threat to the Digital Forensics and Incident Response communities. Increasingly, companies feel they don’t have the capabilities or expertise to deal with the “Advanced” nature of the threat. As anyone who has actually been fighting this threat knows, the real solution involves taking basic steps to improve your information security posture, taking the time to actually develop an incident response plan/capability, and investing resources in the internal security staff who actually understand your business. Before you invest money in Another Propaganda Term (APT), take a stroll in the graveyard of threat-specific security solutions (Rootkits, BotNets, Worms). In this challenge, it is up to you to help the community fight THE Advanced Persistent Sale (TAPS).

    This Volatile Challenge involves finding the Advanced Persistent Sales Threat (APST) at the 2010 Digital Forensics and Incident Response Summit.  Your mission, if you choose to accept it, is to find the presenters or panelists who pose the biggest threats to the digital forensics and incident response community (DFIRT). The title of “Biggest Threat” will be awarded to both the speaker who uses “the APT” acronym most frequently and the speaker who makes the most sensationalist, ridiculous, or uninformed claims about “the APT”. Submissions need to include:

    1.  The number of times each speaker at the summit used the APT acronym.
    2.  The most disturbing/hilarious quote about the APT (quote attribution required).

    These submissions will be accepted in real time via Twitter, or they can be emailed anonymously to the Order of Volatility at the conclusion of the Summit. Submissions will be judged based on accuracy and thoroughness ;). Additional consideration will be given to those submissions that include charts, caricatures, or cartoons. Winning submissions will be given their choice of the highly coveted limited edition Volatility t-shirts:

    1. “emPOWERing investigators”
    2. “integrity matters”
    3. “no BS”
    4. “Beware the MANHole”

    DISCLAIMER: The idea for this challenge came from the “Usual Suspects” who are the creators of the original “THE APT Drinking Game”. This game is not recommended for Summit attendees.



  • At FIRST, there was Volatility..

    If you are a supporter of The Volatility Project and plan to be at FIRST next week, please send us a note. We have a couple of special events planned for supporters and members of the Volatility family!! See you in the MIA!



  • The Sleuth Kit and Open Source Digital Forensics Conference

    If you happen to be attending the Sleuth Kit and Open Source Digital Forensics Conference (or happen to be in the DC area) on June 9, 2010 and have some time to meet up, please send us a note. While The Volatility Project was unfortunately unable to accept the invitation to present, we have been able to free up some time and have accepted Brian’s gracious invitation to attend. In particular, we’re hoping this will prove a good venue to discuss a disturbing trend, “Companies that are exploiting open source forensics communities/projects”. See you on the 9th!



  • A Volatile Challenge: Analyzing Physical Memory of an Arms Dealer's Mobile Device

    As we saw with the 2010 SSTIC Challenge, there is a growing interest in performing memory analysis of mobile devices.  The latest DFRWS Forensic Challenge involves the development of tools and techniques for analyzing physical memory of mobile devices. In particular, the DFRWS challenge scenario involves analyzing memory samples taken from a Sony Ericsson K800i Cybershot, which belonged to a suspected arms dealer.

    While we are aware of a number of groups who have been attempting to extend Volatility to support mobile devices, none of these projects have been made available to the forensics community. In order to encourage research and development in the area of memory forensics, The Order of Volatility plans to augment the prizes awarded to those submissions in the top three, as determined by the Challenge organizers, which leverage The Volatility Framework. We will also recognize the submission that extends The Volatility Framework in the most unique or creative way (e.g., plugins, visualizations, etc.). As always, feel free to reach out to the OOV if you need guidance on getting started (#volatility on freenode). Submissions are due by July 25, 2010.



  • May ISSA Journal Toolsmith: Memory forensics with SIFT 2.0, Volatility, and PTK

    May’s toolsmith article in the ISSA Journal discusses using Volatility and PTK to analyze a memory sample infected with “Banload”. In the article, Russ McRee discusses how running even the basic Volatility commands can help an investigator “get right to the bottom of an incident”. He then goes on to discuss how the results of Volatility can be combined with the capabilities of PTK (should we let him know that PTK’s memory analysis capabilities are built on Volatility as well?). It’s also great to see that other projects are benefiting from the hard work of the OOV. Shoutz to Russ, and thanks for the following quote:

    “Have I mentioned how much I love Volatility?”



  • The Honeynet Project's Banking Troubles Solved with Volatility

    In case you may have missed it, the results for the Honeynet Forensic Challenge (Challenge 3 - Banking Troubles) have recently been posted. It is exciting to report that ALL three winning submissions and the Sample Solution leveraged The Volatility Framework! We would like to take this opportunity to recognize Mario Pascucci (Italy), Tyler Hudak (USA), and Carl Pulley (UK). We would also like to thank The Honeynet Project for putting the challenge together and encouraging research and development in the area of memory forensics. As promised, we will augment the prizes awarded to the winning individuals for helping demonstrate the power of Volatility. We also encourage those who may have submitted, but did not win, to send us their submissions so that we can recognize the submission that extended Volatility in the most unique or creative way.

    PS to a certain company (you know who you are): Despite the fact that you stooped so low as to steal our blog post (besides everything else you have stolen in the past), you can’t steal our community!

    The OOV is emPOWERing investigators.  



  • A Volatile Challenge: The French Government is Concerned with Androids

    The 2010 SSTIC Challenge involves analyzing a sample of physical memory acquired from an Android. To once again encourage research and development in the area of memory forensics, The Order of Volatility (OOV) plans to augment the prizes awarded to those submissions in the top three for quality of response, as determined by the Challenge organizers, which:

    • Leverage The Volatility Framework.
    • Translate their response into English.
    • Submit a copy of the English version of their response to the OOV before the deadline.

    We will also recognize the submission that extends The Volatility Framework in the most unique or creative way (e.g., plugins, visualizations, etc.). As always, feel free to reach out to the OOV if you need guidance on getting started (#volatility on freenode). Shoutz to Matthieu and Nicolas for forwarding the link!




  • CyberSpeak: Nick Furneaux discusses RAM Forensics

    The latest installment of CyberSpeak interviews Nick Furneaux. Nick discusses the advantages of leveraging physical memory analysis during investigations and his new tool, Skypeex. Shoutz to Nick and thanks for the Volatility references!



  • Skypeex: Skype Chat Carver from RAM

    Nick Furneaux, a Volatility supporter from the UK, has recently released Skypeex. Skypeex allows you to extract Skype chat lines with their associated meta-data. It’s great to see training organizations who are benefitting from open source software actually giving back to the open source community. Other organizations (please don’t send me an email asking if we are talking about you; you know who you are) should take note! Shoutz to Nick!  We look forward to your continued involvement in the Volatility project!



  • A Volatile Challenge: The Honeynet Project has Banking Troubles

    The latest forensics challenge for The Honeynet Project involves investigating a memory sample of an infected virtual machine. In order to encourage research and development in the area of memory forensics, The Order of Volatility plans to augment the prizes awarded to those submissions in the top three which leverage The Volatility Framework. Even if you are a Volatility power-user who doesn’t find the questions particularly interesting, we still encourage you to participate. To that end, we are also planning to recognize the submission that extends the Volatility Framework in the most unique or creative way (e.g., plugins, visualizations, etc.). Submissions are due by 17:00 EST, Sunday, April 18th 2010.

    Shoutz to Josh Smith, a Volatility supporter, for helping to encourage research in the area of memory forensics!



  • Interested in a Sleuth Kit and Open Source Forensics Users Conference?

    A message from Order of Volatility (OOV) colleague and friend Brian Carrier:

    “We are thinking about hosting the first ever Sleuth Kit and Open Source Forensics Users Conference this year on June 9 in Chantilly, VA (USA). It would be held in conjunction with the Basis Technology Government Users Conference (but it will be open to non-Government users). The goal of the conference would be to announce some new Sleuth Kit features, learn about how Sleuth Kit is integrated into other tools, learn about other open source forensics tools, and get some ideas on future directions of the tools.

    We have commitments from some companies who are willing to talk about how they are using TSK and I next wanted to get an idea about who was interested in attending or giving a presentation. Can you send me an e-mail (off list) if you would be interested in attending or presenting? If there is enough interest, then we’ll see you in June!

    For those who want more location details, here is a link to the Basis conference site: http://www.basistech.com/conference/2010/directions.html”



  • EnCase Enscripts + Volatility = Takahiro Haruyama's Memory Forensics Toolkit

    While the majority of the Volatility developers are not EnCase users, we are cognizant of the fact that there are some within the Forensics community who are. We firmly believe that these members of our community should also benefit from the power of Volatility. We are pleased to announce the “Memory Forensics Toolkit”. This is a collection of EnScripts, written by Takahiro Haruyama, which are derived from the Volatility Framework. Now it is possible to leverage the power of Volatility directly within EnCase. As an added bonus, Takahiro has also extended these EnScripts to support Windows 7. We are excited to welcome Takahiro Haruyama to the Order of Volatility (OOV) and look forward to his continued contributions to the project. Shouts to Takahiro for emPOWERing our EnCase brethren!! Please contact Takahiro with any feedback you may have.

    It’s great to see the growing number of projects building on top of Volatility and the impact Volatility has had on the forensics community!



  • BlackHat DC 2010 – Mac OS X Physical Memory Analysis

    In case you may have missed it, Matthieu Suiche gave an interesting presentation about performing Mac OS X memory forensics.  Both his presentation slides and the associated white paper are available for download from the BlackHat website. Shoutz to msuiche!  You should expect to see a lot of exciting stuff from Matthieu in the upcoming months….



  • DC3: Open Source Forensics Tools Training

    Jesse Varsalone and Steven Bolt, from the Defense Cyber Investigations Training Academy (DCITA), are teaching a training course at the DoD Cyber Crime Conference about open source forensics tools, which includes The Volatility Framework. It’s encouraging to see that the defense community has come to appreciate the power of memory forensics!



  • St. Louis in January?

    Who schedules a conference in St. Louis during the month of January? After a little coaxing from the Order of Volatility, I’m considering making the trip out to the Cyber Crime Conference next week. If you are planning to be in St. Louis between January 25 and 29 and you want to catch up, send me a note!! Should be entertaining if not interesting…..



  • BackTrack 4 + Volatility

    Volatility has been added to BackTrack 4. Shouts to Sean for sending the link!



  • Volatility's Output Rendering Functions

    In case you may have missed it, I wanted to draw your attention to some exciting work being done by Gleeda. In her blog post, Gleeda demonstrates how an investigator can leverage the powerful output rendering capabilities found within Volatility. In particular, she shows how Volatility plugins can be modified to store their output within a database (i.e., SQLite). Just imagine the interesting queries you can make. Shouts to scudette for the work put into Volatility’s output modularity, and shouts to Gleeda for the great write-up!


