Thursday, September 4, 2014

Volatility 2.4 at Blackhat Arsenal - Defeating Truecrypt Disk Encryption

This video shows how to use Volatility’s new Truecrypt plugins to defeat disk encryption on suspect computers running 64-bit Windows 8 and server 2012.

The video is narrated by Apple's text to speech and you can find the actual text on the Youtube page. The live/in-person demo was given at the @Toolswatch Blackhat Arsenal.

Wednesday, September 3, 2014

Facebook Donation Doubles the Volatility Plugin Contest Prizes

As mentioned earlier this week, we have a very exciting announcement to share. One of the primary reasons we extended the deadline for the 2014 Volatility Plugin Contest to October 1st is due to an extremely generous donation from Facebook. Facebook's sponsorship doubles the total cash prizes from $2250 USD to $4500 USD!

As mentioned on the Volatility Tumblr: If you have already submitted to the contest, you can use this extra time to fine-tune your submission. If you were considering submitting, you now have an extra month to demonstrate your creativity and implement an innovative, interesting, and useful Volatility extension!

It’s great to see some of the largest companies in the world showing their support for and giving back to the memory forensics community! Thank you, Facebook, and good luck to all participants in the contest - the stakes have literally just doubled!

Monday, September 1, 2014

Heads Up! 2014 Volatility Plugin Contest Deadline Extended!

Good news folks. Due to a very exciting and unexpected development, we're extending the deadline for the 2014 Volatility Plugin Contest to October 1st, 2014.

This not only gives you an extra month to work on your plugins, but the reason for the extension (to be announced later this week) will directly impact the contest winners.

Wednesday, August 27, 2014

Volatility 2.4 at Blackhat Arsenal - Reverse Engineering Rootkits

This video demonstrates how you can leverage Volatility and memory forensics to detect kernel rootkits, assist with reverse engineering, and use the results for developing additional indicators.

The video is narrated by Apple's text to speech and you can find the actual text on the Youtube page. The live/in-person demo was given at the @Toolswatch Blackhat Arsenal.

Thursday, August 21, 2014

Volatility 2.4 at Blackhat Arsenal - Tracking Mac OS X User Activity

This demo shows how to track Mac OS X user activity by examining artifacts in physical memory with Volatility. 

The video is narrated by Apple's text to speech and you can find the actual text on the Youtube page. The live/in-person demo was given at the @Toolswatch Blackhat Arsenal.

Monday, August 18, 2014

New Volatility 2.4 Cheet Sheet with Linux, Mac, and RTFM

Our Windows Malware and Memory Forensics Training class is intense and rigorous, because its designed to reflect real world investigations. When you have a limited amount of time and you're being pressured for reliable answers - every minute counts. Sometimes you just gotta cheat...and when you do, you might as well use an Official Volatility Memory Analysis Cheat Sheet!

The 2.4 Edition features an updated Windows page, all new Linux and Mac OS X pages, and an extremely handy RTFM-style insert for Windows memory forensics.


For in-depth examples and walk-throughs of using the commands in this cheat sheet, make sure to get your copy of The Art of Memory Forensics!

Thursday, August 14, 2014

New Paper: In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux

A research paper (slides here) that I worked on with Golden G. Richard was recently published at DFRWS 2014 and received the Best Paper award! The paper, In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux, analyzed the in-memory, compressed swapped stores on recent Mac and Linux versions.

As you are likely aware, operating systems will traditionally swap unneeded pages out to disk in order to free the pages for currently running applications to use. This swapping process has historically presented issues for forensics analysis as attempting to acquire both physical memory and the swap file(s) in a consistent state can be a daunting task outside of virtual machine environments. Furthermore, Mac has provided encrypted swap (Secure virtual memory) since Mountain Lion and Linux users could optionally utilize encrypted swap for years. Similarly, Windows has the EncryptPagingFile option that can be turned on by administrative users. Recovering the keying materials for these encrypted stores can require modification to existing acquisition tools as well as specialized research.

A new advancement in operating system design, the creation of memory-only, compressed swap stores, presents both challenges and opportunities for memory forensics practitioners. When enabled, these stores attempt to avoid writing swapped pages to disk for performance reasons and instead compresses and stores them into a reserved pool of memory. When a page is later recalled from the pool, a simple decompression operation is all that is needed to be performed. This is much quicker than reading from even the fastest PCI-E storage provided by Apple devices.

At first, this store can be challenging to investigators as simple methods of investigation, such as strings analysis or file carving, will fail since the data is in its compressed state. This store can be helpful though as normal physical memory capture techniques will completely collect the store. This is opposed to traditional swap collection that required timing memory acquisition with disk acquisition to avoid smearing.

The paper presents the algorithms used by both Mac and Linux to implement the compressed stores. We also describe our Volatility plugins that can fully locate and decompress all pages kept within the stores. Finally, we present data sets from sample machines that we tested the plugins and analysis on.

If you have any questions on the paper feel free to reach out to either myself or Golden.