Tuesday, September 30, 2014

The Volatility Foundation: Fighting for Open Source Forensics

We are excited to announce that the Volatility Foundation was officially granted 501(c)(3) status by the IRS and the application was approved in less than a year.  This comes as great news when you consider the recent “BOLO” list controversies and the Yorba situation.  We believe this is an encouraging sign for the future of free and open source software. 

As an added benefit of the Volatility Foundation’s new status, supporters can now make tax-exempt donations to the foundation! Based on your generosity and the hard work of our developers, Volatility will continue to develop innovative software and fight against those who exploit open source forensics developers!

Shouts to Patrick and the Volatility legal team! We would also like to thank the IRS for their swift response.

Wednesday, September 17, 2014

Detective Michael Chaves Shares A Memory Forensics Success Story

Detective Michael Chaves from the Monroe CT Police Department shares the following story regarding his experiences with Memory Forensics, Volatility Training, KnTTools, and POS breaches. Michael was also recently quoted in Brian Krebs' article Card Wash: Card Breaches at Car Washes for the key role that he played in that investigation.

Shouts to Michael - keep up the great work!
Before attending this class I had a strong digital forensic background, but lacked an understanding of the "under the hood" workings of RAM and the stuff running in RAM.  I knew I was in for a challenge and boy did I get one.  I always had a desire to learn about memory analysis and I had some knowledge of what it contained, but it was the significant increase in POS breaches that I was investigating that I realized I needed this class sooner than later.

After taking this class in May of 2014 I began investigating a POS breach involving a local business chain.  The chain was a Common Point of Purchase for thousands of credit/debit that were compromised that lead to more than $100,000 in losses from fraudulent use. From the class, I learned of a new memory acquisition tool from GMG Systems, Inc. called " KnTTools".  I tested it out and found it to be an extremely reliable, fast and efficient program that has a very small footprint.  I used KnTTools to acquire numerous RAM dumps from several locations.

Now came the time to figure out what I had.  Going in blind, not knowing where to look or even what I was looking for was a daunting task.  Referring to my notes and the student handbook, I began to use Volatility to try and understand what I had.  I began to use plugins such as pslist, psxview, malfind, apihooks and connections and I started to get some information to look more into.  Understanding the PID/PPID relationship and what process should call another was very helpful.  Working with the business I learned what programs were legit and white listed them.  This was important to me since I did not know what programs and applications were supposed to be running on those computers.  I located three running processes that turned out to be malware.  I used dlllist, dlldump, procdump and dumpfiles to extract out the processes, files and dll's and ran strings on them.  From there I located great information including the POST/GET commands that show where the cards were going to... BINGO!

I located the same malware on ALL other RAM acquisitions.  Although I do not know exactly how the malware got onto the system or fully how it works, I located the necessary information I needed to proceed with my investigation. Without this class or the Volatility tool, I would never have been able to further my investigation.  Volatility is a game changer in memory forensics.  With more and more POS breaches being reported every day both on a local and national scale, responders need the ability to efficiently and effectively analyze the RAM where the malware attempts to run.... and hide.  But you can't hide from Volatility!

Thursday, September 4, 2014

Volatility 2.4 at Blackhat Arsenal - Defeating Truecrypt Disk Encryption

This video shows how to use Volatility’s new Truecrypt plugins to defeat disk encryption on suspect computers running 64-bit Windows 8 and server 2012.

The video is narrated by Apple's text to speech and you can find the actual text on the Youtube page. The live/in-person demo was given at the @Toolswatch Blackhat Arsenal.

Wednesday, September 3, 2014

Facebook Donation Doubles the Volatility Plugin Contest Prizes

As mentioned earlier this week, we have a very exciting announcement to share. One of the primary reasons we extended the deadline for the 2014 Volatility Plugin Contest to October 1st is due to an extremely generous donation from Facebook. Facebook's sponsorship doubles the total cash prizes from $2250 USD to $4500 USD!

As mentioned on the Volatility Tumblr: If you have already submitted to the contest, you can use this extra time to fine-tune your submission. If you were considering submitting, you now have an extra month to demonstrate your creativity and implement an innovative, interesting, and useful Volatility extension!

It’s great to see some of the largest companies in the world showing their support for and giving back to the memory forensics community! Thank you, Facebook, and good luck to all participants in the contest - the stakes have literally just doubled!

Monday, September 1, 2014

Heads Up! 2014 Volatility Plugin Contest Deadline Extended!

Good news folks. Due to a very exciting and unexpected development, we're extending the deadline for the 2014 Volatility Plugin Contest to October 1st, 2014.

This not only gives you an extra month to work on your plugins, but the reason for the extension (to be announced later this week) will directly impact the contest winners.

Wednesday, August 27, 2014

Volatility 2.4 at Blackhat Arsenal - Reverse Engineering Rootkits

This video demonstrates how you can leverage Volatility and memory forensics to detect kernel rootkits, assist with reverse engineering, and use the results for developing additional indicators.

The video is narrated by Apple's text to speech and you can find the actual text on the Youtube page. The live/in-person demo was given at the @Toolswatch Blackhat Arsenal.

Thursday, August 21, 2014

Volatility 2.4 at Blackhat Arsenal - Tracking Mac OS X User Activity

This demo shows how to track Mac OS X user activity by examining artifacts in physical memory with Volatility. 

The video is narrated by Apple's text to speech and you can find the actual text on the Youtube page. The live/in-person demo was given at the @Toolswatch Blackhat Arsenal.