Sunday, October 19, 2014

Memory Forensics Training in Amsterdam

We are excited to announce that the next Europe-based Malware and Memory Forensics Training by The Volatility Project will take place in Amsterdam (August 31st - September 4th, 2015). Our last class in Amsterdam sold out, so sign up early to reserve your seat. You can register by sending an email to voltraining [at] memoryanalysis [dot] net or by requesting an invite here.

Here's what some of our students from the Reston 2014 class said about the training:
"The deepest, most thorough technical course I have ever taken - not only did I learn how to use one of the best memory analysis tools available, I learned an incredible amount of Windows internals. Most important, I understand both enough to extend the functionality to meet any future requirements. Highly recommended - immediately useful and practical information to use in any incident response and malware analysis work!" - James P. 

"The Volatility course is absolutely excellent and should be taken by any individuals performing IR services and forensics. The course covers not only the Volatility Framework, but the inner workings of malware and how it interacts with the Windows OS." - Kyle P (Sr. Digital Forensic Examiner)

"Amazingly useful information. If you do forensic work, you need to understand and use memory forensics. This course is the best one I've seen so far." - Anonymous 

"Excellent course. Instructors are knowledgeable, technical, and present the material very well. This course will expand your skills and help you see all the valuable data that you can gather. One of the best courses I've been to." - Chad W. (SOC Analyst)

Friday, October 3, 2014

Windows Malware and Memory Forensics Training in April and May 2015

We're excited to announce the dates and locations for two new public offerings of Windows Malware and Memory Forensics Training by The Volatility Project.

The following courses are now open for registration:
  • December 8th - 12th, 2014 in Austin, TX
  • January 12th - 16th, 2015 in San Francisco, CA
  • February 2nd - 6th, 2015 in São Paulo, Brazil
  • April 13th - 17th, 2015 in Reston, VA (NEW)
  • May 11th - 15th, 2015 in New York, NY (NEW)
You can request an invite through our web form or contact us via voltraining @ memoryanalysis [dot] net. Stay tuned for the next Europe-based training event.

Also, students in our Australia class wanted to share some of their feedback with you:
Very technical and in-depth course covering windows internals from memory. The best course I've taken so far in my entire career.
Fernando (DFIR/Malware Analyst)

Be ready to have your mind blown!
Dion W. (Incident Responder)

Invaluable for law enforcement and cyber crime investigators.
Jon C. (Australian Federal Police)
We look forward to meeting all the talented analysts and investigators that attend our classes!

Tuesday, September 30, 2014

The Volatility Foundation: Fighting for Open Source Forensics

We are excited to announce that the Volatility Foundation was officially granted 501(c)(3) status by the IRS and the application was approved in less than a year. This comes as great news when you consider the recent “BOLO” list controversies and the Yorba situation. We believe this is an encouraging sign for the future of free and open source software.

As an added benefit of the Volatility Foundation’s new status, supporters can now make tax-exempt donations to the foundation! Based on your generosity and the hard work of our developers, Volatility will continue to develop innovative software and fight against those who exploit open source forensics developers!

Shouts to Patrick and the Volatility legal team! We would also like to thank the IRS for their swift response.

Wednesday, September 17, 2014

Detective Michael Chaves Shares A Memory Forensics Success Story

Detective Michael Chaves from the Monroe CT Police Department shares the following story regarding his experiences with Memory Forensics, Volatility Training, KnTTools, and POS breaches. Michael was also recently quoted in Brian Krebs' article Card Wash: Card Breaches at Car Washes for the key role that he played in that investigation.

Shouts to Michael - keep up the great work!
Before attending this class I had a strong digital forensic background, but lacked an understanding of the "under the hood" workings of RAM and the stuff running in RAM.  I knew I was in for a challenge and boy did I get one.  I always had a desire to learn about memory analysis and I had some knowledge of what it contained, but it was the significant increase in POS breaches that I was investigating that I realized I needed this class sooner than later.

After taking this class in May of 2014 I began investigating a POS breach involving a local business chain.  The chain was a Common Point of Purchase for thousands of credit/debit cards that were compromised, which led to more than $100,000 in losses from fraudulent use. From the class, I learned of a new memory acquisition tool from GMG Systems, Inc. called "KnTTools".  I tested it out and found it to be an extremely reliable, fast and efficient program that has a very small footprint.  I used KnTTools to acquire numerous RAM dumps from several locations.

Now came the time to figure out what I had.  Going in blind, not knowing where to look or even what I was looking for, was a daunting task.  Referring to my notes and the student handbook, I began to use Volatility to try and understand what I had.  I began to use plugins such as pslist, psxview, malfind, apihooks and connections, and I started to get some information to look more into.  Understanding the PID/PPID relationship and what process should call another was very helpful.  Working with the business, I learned what programs were legit and whitelisted them.  This was important to me since I did not know what programs and applications were supposed to be running on those computers.  I located three running processes that turned out to be malware.  I used dlllist, dlldump, procdump and dumpfiles to extract the processes, files and DLLs, and ran strings on them.  From there I located great information including the POST/GET commands that show where the cards were going to... BINGO!

I located the same malware on ALL other RAM acquisitions.  Although I do not know exactly how the malware got onto the system or fully how it works, I located the necessary information I needed to proceed with my investigation. Without this class or the Volatility tool, I would never have been able to further my investigation.  Volatility is a game changer in memory forensics.  With more and more POS breaches being reported every day both on a local and national scale, responders need the ability to efficiently and effectively analyze the RAM where the malware attempts to run.... and hide.  But you can't hide from Volatility!
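One way to apply the PID/PPID checks and the whitelisting described above to `pslist` output, as an added example that is not part of Michael's post or of Volatility itself; the sample output, the expected-parent table and the whitelist are constructed assumptions:

```python
# Constructed, trimmed sample of `vol.py pslist` output (PIDs and names invented).
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------
0x8a3f1020 System                    4      0     55      300 ------      0 2014-05-01 08:00:00
0x8a2f1a40 smss.exe                356      4      3       19 ------      0 2014-05-01 08:00:02
0x8a1c3d80 wininit.exe             632    356      3       75      0      0 2014-05-01 08:00:05
0x8a1d4e90 services.exe            680    632      9      220      0      0 2014-05-01 08:00:06
0x8a2f60b0 svchost.exe             848    680     20      500      0      0 2014-05-01 08:00:08
0x8a3071c0 explorer.exe           1400   1320     25      900      1      0 2014-05-01 08:01:00
0x8a3182d0 pos.exe                1804   1400     12      300      1      0 2014-05-01 08:01:30
0x8a3293e0 svchost.exe            2244   1804      4       60      1      0 2014-05-01 09:15:00
0x8a33a4f0 update.exe             2380   2244      2       40      1      0 2014-05-01 09:15:03
"""

# Parent each core Windows process should have (Windows 7/8 layout). On Vista+ the
# smss.exe that spawns wininit.exe exits, so an unresolvable PPID is not an anomaly.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# Names the business confirmed as legitimate on its terminals (constructed).
WHITELIST = set(EXPECTED_PARENT) | {"System", "explorer.exe", "pos.exe"}

def parse_pslist(text):
    """Return [{'name', 'pid', 'ppid'}] from pslist text; header rows are skipped."""
    procs = []
    for line in text.splitlines():
        if line.startswith("0x"):          # data rows begin with the EPROCESS offset
            f = line.split()
            procs.append({"name": f[1], "pid": int(f[2]), "ppid": int(f[3])})
    return procs

def find_suspicious(procs, whitelist):
    """Return [(pid, name, reason)] for processes that are off the whitelist or
    whose parent breaks the expected PID/PPID relationship."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        if p["name"] not in whitelist:
            findings.append((p["pid"], p["name"], "not in whitelist"))
            continue
        parent = by_pid.get(p["ppid"])
        expected = EXPECTED_PARENT.get(p["name"])
        if expected and parent and parent["name"] != expected:
            findings.append((p["pid"], p["name"],
                             "unexpected parent %s (PID %d)" % (parent["name"], parent["pid"])))
    return findings
```

On the sample this flags the svchost.exe spawned by pos.exe and the unlisted update.exe, which are the two processes an analyst would then dump with procdump/dlldump and run strings against.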

Thursday, September 4, 2014

Volatility 2.4 at Blackhat Arsenal - Defeating Truecrypt Disk Encryption

This video shows how to use Volatility’s new Truecrypt plugins to defeat disk encryption on suspect computers running 64-bit Windows 8 and Server 2012.

The video is narrated by Apple's text-to-speech engine, and you can find the actual text on the YouTube page. The live/in-person demo was given at the @Toolswatch Blackhat Arsenal.

Wednesday, September 3, 2014

Facebook Donation Doubles the Volatility Plugin Contest Prizes

As mentioned earlier this week, we have a very exciting announcement to share. One of the primary reasons we extended the deadline for the 2014 Volatility Plugin Contest to October 1st is due to an extremely generous donation from Facebook. Facebook's sponsorship doubles the total cash prizes from $2250 USD to $4500 USD!

As mentioned on the Volatility Tumblr: If you have already submitted to the contest, you can use this extra time to fine-tune your submission. If you were considering submitting, you now have an extra month to demonstrate your creativity and implement an innovative, interesting, and useful Volatility extension!

It’s great to see some of the largest companies in the world showing their support for and giving back to the memory forensics community! Thank you, Facebook, and good luck to all participants in the contest - the stakes have literally just doubled!

Monday, September 1, 2014

Heads Up! 2014 Volatility Plugin Contest Deadline Extended!

Good news folks. Due to a very exciting and unexpected development, we're extending the deadline for the 2014 Volatility Plugin Contest to October 1st, 2014.

This not only gives you an extra month to work on your plugins, but the reason for the extension (to be announced later this week) will directly impact the contest winners.