Thursday, August 21, 2014

Volatility 2.4 at Blackhat Arsenal - Tracking Mac OS X User Activity

This demo shows how to track Mac OS X user activity by examining artifacts in physical memory with Volatility. 

The video is narrated by Apple's text to speech and you can find the actual text on the Youtube page. The live/in-person demo was given at the @Toolswatch Blackhat Arsenal.

Monday, August 18, 2014

New Volatility 2.4 Cheet Sheet with Linux, Mac, and RTFM

Our Windows Malware and Memory Forensics Training class is intense and rigorous, because its designed to reflect real world investigations. When you have a limited amount of time and you're being pressured for reliable answers - every minute counts. Sometimes you just gotta cheat...and when you do, you might as well use an Official Volatility Memory Analysis Cheat Sheet!

The 2.4 Edition features an updated Windows page, all new Linux and Mac OS X pages, and an extremely handy RTFM-style insert for Windows memory forensics.

For in-depth examples and walk-throughs of using the commands in this cheat sheet, make sure to get your copy of The Art of Memory Forensics!

Thursday, August 14, 2014

New Paper: In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux

A research paper (slides here) that I worked on with Golden G. Richard was recently published at DFRWS 2014 and received the Best Paper award! The paper, In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux, analyzed the in-memory, compressed swapped stores on recent Mac and Linux versions.

As you are likely aware, operating systems will traditionally swap unneeded pages out to disk in order to free the pages for currently running applications to use. This swapping process has historically presented issues for forensics analysis as attempting to acquire both physical memory and the swap file(s) in a consistent state can be a daunting task outside of virtual machine environments. Furthermore, Mac has provided encrypted swap (Secure virtual memory) since Mountain Lion and Linux users could optionally utilize encrypted swap for years. Similarly, Windows has the EncryptPagingFile option that can be turned on by administrative users. Recovering the keying materials for these encrypted stores can require modification to existing acquisition tools as well as specialized research.

A new advancement in operating system design, the creation of memory-only, compressed swap stores, presents both challenges and opportunities for memory forensics practitioners. When enabled, these stores attempt to avoid writing swapped pages to disk for performance reasons and instead compresses and stores them into a reserved pool of memory. When a page is later recalled from the pool, a simple decompression operation is all that is needed to be performed. This is much quicker than reading from even the fastest PCI-E storage provided by Apple devices.

At first, this store can be challenging to investigators as simple methods of investigation, such as strings analysis or file carving, will fail since the data is in its compressed state. This store can be helpful though as normal physical memory capture techniques will completely collect the store. This is opposed to traditional swap collection that required timing memory acquisition with disk acquisition to avoid smearing.

The paper presents the algorithms used by both Mac and Linux to implement the compressed stores. We also describe our Volatility plugins that can fully locate and decompress all pages kept within the stores. Finally, we present data sets from sample machines that we tested the plugins and analysis on.

If you have any questions on the paper feel free to reach out to either myself or Golden.

Wednesday, August 13, 2014

Presenting Volatility Foundation Volatility Framework 2.4

The release of this new Volatility version coincides with the publication of The Art of Memory Forensics. It adds support for Windows 8, 8.1, 2012, and 2012 R2 memory dumps, Mac OS X Mavericks (up to 10.9.4), and Linux kernels up to 3.16. New plugins include the ability to extract cached Truecrypt passphrases and master keys from Windows and Linux memory dumps, investigate Mac user activity (such as pulling their contact database, calendar items, PGP encrypted mails, OTR Adium chat messages, etc), and analyze advanced Linux rootkits. See below for a detailed change log.

Binary releases, including pre-built executables for Windows and Mac OS X can be found on the Volatility Foundation website: We've also now moved our source code repository to Github: Note that there's a separate repository containing over 160 Linux profiles for 32- and 64-bit OpenSuSE, Redhat, Debain, Ubuntu, Fedora, and CentOS (thanks Kevin!); and all Mac OS X profiles from 10.5 to 10.9.4. 

The detailed change log is below:

Windows Memory Forensics 
  • Truecrypt plugins (summary, cached passphrases, master keys)
  • Apihooks support for 64-bit memory images 
  • Apihooks plugin detects JMP FAR hook instructions 
  • Hashdump, Cachedump, and Lsadump plugins updated for x64 and Win8/2012
  • Callbacks and timers plugins work on 64-bit memory images 
  • Mftparser identifies NTFS alternate data streams 
  • Mftparser -D option extracts MFT-resident files to disk
  • Ability to scan for multiple executive object types concurrently with a single pass through the memory dump 
  • Procmemdump and procexedump condensed into "procdump" (and --memory option available)
  • Envars plugin has a --silent flag to ignore common/default environment variables 
  • Vadtree plugin in graphviz output mode (--output=dot) color codes nodes per heap, stack, mapped file, DLL, etc.
  • Getsids plugin automatically resolves user and service SIDs 
  • Timeliner plugin supports --machine to identify the source in multi-source timelines 
  • Verinfo (PE version info) plugin updated and moved into core framework 
  • Strings translator prints "FREE MEMORY" for data found in deallocated regions (used to skip them)
  • Vadinfo plugin allows --addr to specify one region rather than printing them all 
  • Yarascan plugin allows you to control --size (bytes in preview) and --reverse (show data *before* a hit)
  • Volshell plugin has new APIs proc(), addrspace(), getprocs(), and getmods() for easy access
  • All process based plugins accept --name (process name regular expression filter)
  • Added the auditpol plugin to check audit policies 
  • Added the cmdline plugin to show process command line arguments 
  • Volshell plugin can recursively print structure members (similar to windbg's dt /r)
  • New pooltracker plugin allows analysis of kernel pool tag statistics 
  • New bigpools plugin allows finding big page pool allocations 
  • Svcscan plugin prints service start type (manual, automatic, disabled, etc)
  • Added a plugin to find and print text on the Notepad application's heap
  • PE dumping plugins (procdump, dlldump, moddump) support --fix to fix the image base value 
  • Joblinks plugin for getting information for job objects
Address Spaces / File Formats
  • Support for QEMU virtual machine memory images 
  • Support for "split" VMware files (memory in .vmem and metadata in .vmss/.vmsn)
  • Support for Windows BitMap crash dumps (created by Windows 8 / 2012 on BSOD)
Mac Memory Forensics 
  • Support for Mavericks through 10.9.4
  • Mac string translation added 
  • Recover sent and received Adium messages, including those protected by OTR 
  • Enumerate contacts from the Contact application's database
  • Extract the HTML content of notes from the Notes application 
  • Ability to reveal clear-text PGP emails sent or received with the Mail application 
  • Locate Apple Keychain encryption keys in memory (for cracking with Chainbreaker)
  • Find API hooks in both the kernel and process memory
  • List IP and socket filters
  • Extract loaded kernel extension to disk
  • Find suspicious process mappings (i.e. injected code) 
  • Find hidden kernel extensions
  • Recovered files cached in memory
Linux Memory Forensics 
  • Support for Linux kernels through 3.16
  • Linux string translation added
  • Detect API hooks in both userland processes and the kernel
  • Detect GOT/PLT overwrites
  • Find hollowed executables
  • Find suspicious process mappings
  • Library listing using the loader’s data structures
  • Extract process ELF executables and libraries to disk
  • List network interfaces in promiscuous mode
  • List processes that are using raw sockets
  • Find hidden kernel modules
  • List Netfilter hooks
  • Extract cached Truecrypt passphrases 

Tuesday, August 12, 2014

Art of Memory Forensics Picture Contest Winners!

If we were running a book picture contest, these would be the winners. Keep in mind, we actually do have a contest brewing where you can win large cash prizes and/or free training, Volatility swag, etc.

The following "retro cover" was submitted by Didier Stevens (@DidierStevens).

The following "I'm too sexy for my book" was submitted by Jonathan Zdziarski (@JZdziarski).

The following "white sangria and object headers" was submitted by Erika Noerenberg (@gutterchurl).

The following was submitted from The Disassembler (@Disassembler).

The following "don't leave home without it on ALL your devices" was submitted by Dennis York (@LDRydr). 

The following "third eye wide open" was submitted by Golden G. Richard (@nolaforensix).

The following "back from defcon" was submitted by Mariano Graziano (@emd3l). 

The following was submitted by Bob Dobalina (@northTtown) - not sure what this is, but it looks interesting. 

The following "part of the cannon" was submitted by Troy Larson. 

The following was submitted by Brian Moran (@brianjmoran).

The following "twins, almost" was submitted by by Andy Magnusson.

The following "Volatility, on the job" was submitted by Ken Pryor (@KDPryor). I thought I'd only see AMF in an officer's car if I got arrested while holding it!

The following "Vanity, thy name is @moyix" was submitted by Brendan Dolan-Gavitt (@moyix).

The following was submitted by Frankie Li (@Espionageware).

We'd love to see other readers in action with the book! Tweet them to @volatility to enter the contest (be aware, there are no prizes, except smiles).

Thursday, July 31, 2014

Announcing Windows Malware and Memory Forensics in Austin, San Francisco, and Brazil!

Along with the release of The Art of Memory Forensics, we are very happy to announce that we now have the following new Malware and Memory Forensics trainings scheduled:
This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework's extensive set of plugins. Now you can learn about these benefits first hand from the researchers and developers of the most powerful, flexible, and innovative memory forensics tool.

Michael Ligh (@iMHLv2), Andrew Case (@attrc), and Jamie Levy (@gleeda)
Information on each instructor can be found here.

Registration Process
To request a link to the online registration site or to receive a detailed course agenda/outline, please send an email voltraining [[ at ]] or contact us through our web form.

Past Reviews
Many past reviews of the course can be found on our website here as well as a previous blog post here. We also have some additional feedback from our recent courses:

"Wonderful and mind blowing course" - Lakshmi R., Incident Response 

"that was the best training week that I have spent in my entire career" - Sean M. 

"As relevant (if not more) than any disk based forensics course. Should be required for incident responders / digital forensics investigators" - Christian R., Senior Member of Technical Staff

"A top-notch and highly skilled team presents students with more vaulable information and insight than any other source of info - effectively using the premier memory analysis tool" - Matthew G. 

"This was the most in-depth forensic course I've ever taken. The instructors are top notch and really know the material and concepts behind it. If you're serious about protecting your network, you need to take this course." - Ryan G.

"This is the best forensics training I have ever participated in. You don't just learn what commands to blindly punch in; you gain deep insight into Windows internals, understand how malware can subvert the OS, and how to detect these abuses. Also tons of stuff I can bring home to continue training and apply to my work." - Christian B.

"I've done my share of courses; yours has it all: "wow" factor in class, great expectations, great labs." - Jorge C., IT Security Expert

Monday, July 7, 2014

Volatility at Black Hat USA & DFRWS 2014

Due to another year of open research and giving back to the open source community, Volatility will have a strong presence at both Black Hat USA and DFRWS 2014. This includes presentations, a book signing, and even a party!

At Black Hat, the core Volatility Developers (@4tphi, @attrc, @gleeda, @iMHLv2, and Mike Auty) will be partaking in a number of events including:
  • Releasing Volatility 2.4 at Black Hat Arsenal: This release includes full support for Windows 8, 8.1, Server 2012, and Server 2012 R2, TrueCrypt key and password recovery modules, a switch to GitHub hosting, as well as over 30 new Mac and Linux plugins for investigating malicious code, rootkits, and user activity. 
  • Releasing The Art of Memory Forensics: AMF is over 900 pages of memory forensics and malware analysis across Windows, Mac, and Linux. It will be available for the first time in the bookstore during the pre-conference trainings and briefings.
  • Book Signing for AMF: On Wednesday, August 6th at 3:15PM, in the Black Hat book store, we will be on site for signing books. 
  • Volatility Happy Hour sponsored by The Hacker Academy: This will be an open bar party where you can meet our team, bring books to be signed, and get stickers, t-shirts, and other Volatility swag all while enjoying tasty beverages. You must register (free) if you wish to attend!

Friends of Volatility will also be leading a number of events at Black Hat including Briefing presentations from Silvio Cesare and Andrew Hay and Arsenal demos from Joe Grand, Vico Marziale, Joe Sylve, David Cowen, and Jeff Bryner

At DFRWS, Dr. Golden Richard (@nolaforensix) will be presenting a paper that he and I wrote: In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux. In this paper, we discuss the in-memory, compressed swap facilities of Mac OS X and Linux, their impact on memory forensics investigations, and how we developed Volatility plugins to decompress the caches transparently during the operation of Mac & Linux analysis plugins. 

We hope to see everyone at these events, and we are looking forward to an exciting August!