Wednesday, December 31, 2014

Acquiring Memor(ies) from 2014

2014 is extremely volatile. Any minute now, it will be gone. Thus, we wanted to take a minute and preserve some of the more exciting memories. Specifically, we wanted to summarize how the memory forensics field and Volatility community has progressed this year.
  • Volatility 2.4 was released - our most stable and fully featured code base, supporting all of the major versions of Windows, Linux, and Mac. The release includes Windows 8 and Server 2012 support, despite the encrypted debugging structures. Windows 10 beta support is also available.
  • We also moved to Github, which makes it easier for other developers to submit patches and pull requests. A separate repository stores Linux and Mac profiles. The 2.5 release is also under way. 
  • Extraction of TrueCrypt cached passwords and master keys became even easier than before, with new plugins that take a structured approach to locating and recovering the data. The capability was also ported to Linux, and a member of the community completed a similar plugin for dm-crypt.
  • Our 5-day hands-on Malware and Memory Forensics training course proliferated to over 10 events (public and private) across the United States, Europe, and Australia. Testimonials from attendees are available here and registration is open for classes in 2015.
  • The Volatility Foundation was established as a 501(c)(3) non-profit organization. A new website was created to aggregate the foundation's resources. Among other things, the site describes the various ways to get involved with the community. The Volatility(R) name also became a registered trademark of the Volatility Foundation.
  • Volexity, LLC became a corporate sponsor of the Volatility Foundation and named core developer Michael Hale Ligh as its CTO. Volexity is a security firm based out of the Washington, D.C. area that specializes in assisting organizations with threat intelligence, incident response, forensics, and trusted security advisory.
  • The Volatility Plugin Contest received an extremely generous donation from Facebook and generated an enormous amount of new capabilities from various talented developers and researchers. 
  • The Volatility Team partnered with GMG Systems, Inc. to offer KnTTools (incl. KnTDD) at a discounted rate to students in our training course. KnTTools is the most reliable, robust, and fully featured memory acquisition suite for Windows. 
  • Volatility and memory forensics were represented at almost all security and technology related conferences, including (but not limited to) Blackhat USA, Defcon, OMFW, OSDFC, API Cybersecurity, SecTor, Archc0n, Alabama Cyber Security Summit, National Cyber Crime Conference, RSA USA, BSides, and Recon.
  • Volatility was used by Det. Michael Chaves to track down high profile ATM skimmers. It was used by European law enforcement to produce the primary source of evidence that put away a child sex offender for over 10 years. It was used by the United States Government on various occasions to investigate cases involving espionage, cyber terrorism, and major botnet rings.
  • Volatility developer Andrew Case and Golden G. Richard III won best paper at DFRWS 2014 for In lieu of swap: Analyzing compressed RAM in Mac OS X and Linux.
  • We enjoyed a record-breaking number of attendees at the Open Memory Forensics Workshop (OMFW) 2014 and a serious group of awesome talks. Later that week, Next Generation Memory Forensics was presented at OSDFC.
  • The Art of Memory Forensics was published in August, a 900-page book that covers Windows, Linux, and Mac topics in depth. To date, it's the most thorough and illustrative written source of memory forensics knowledge. Please remember to check the errata page and also the sample memory images that come with lab questions and answers (free online download).
  • A Reddit Ask Me Anything (AMA) was conducted on Art of Memory Forensics. We appreciate all the great questions!  
  • An entire chapter of Black Hat Python was devoted to using Volatility for offensive purposes during pentests (extracting password hashes, injecting code, etc). 
  • We presented some Volatility capabilities at Blackhat Arsenal and later created a YouTube channel with recordings of the demos. There was also a book signing in the Blackhat bookstore, which was an exciting way for us to meet new Volatility users in person.
Thanks to all who played a part! We look forward to an even more productive 2015!

Wednesday, October 29, 2014

Announcing the 2014 Volatility Plugin Contest Results!

The competition this year was fierce! We received a total of nearly 30 plugins to the contest. Ranking the submissions was one of the hardest things we’ve had to do. Each plugin is unique in its own way and introduces a capability to open source memory forensics that didn’t previously exist. Although a few people will receive prizes for their work, the real winners in this contest are the practitioners and investigators in the community that perform memory forensics. We’re talking about the federal government who used Volatility on some of the nation’s most prominent cases and the law enforcement groups that used it as the primary tool to force a child pornographer into a guilty plea (see you in about 10 years, wish it were more!). We’re talking about Det. Michael Chaves who used memory forensics to help crack a case involving POS breaches that led to losses of over $100K. We’re talking about all the analysts who rely on open source forensics to identify and track malicious code and threat actors in their networks and those of their clients.

Needless to say, we're very proud of everyone who submitted to the contest. Also a huge thanks goes out to Facebook for doubling the contest's cash prizes and supporting the research and development of open source memory forensics.

Here are this year’s rankings:
  1. Dave Lasalle wins first place and his choice of $2500 or free training. Dave submitted 14 plugins for recovering Firefox and Chrome activity (history, search terms, cookies, downloads) from memory, carving Java IDX files, and using fuzzy hashing to whitelist injected code and API hooks. 
  2. Curtis Carmony wins second place and $1250 for his plugin to extract dm-crypt disk encryption keys from Linux (and potentially Android) memory dumps.
  3. Adam Bridge wins third place and $750 with editbox – a plugin to recover the text within edit controls of GUI applications on Windows (including but not limited to notepad contents, username and password fields, browser URL and search forms, etc). 
  4. Thomas Chopitea wins fourth place for his autoruns plugin that enumerates automatically starting applications on Windows systems – a common first step in many different types of investigations.
  5. Takahiro Haruyama wins fifth place with openioc_scan, a plugin that combines the flexibility of the IOC language with the power of Volatility to give analysts quick and easy malware triage capabilities.

Here is a detailed summary of the submissions. We've included a link to the respective submissions on the Volatility Foundation website for archive purposes, however we recommend getting the code from the author's own GitHub repositories if that option exists. If you have feedback for the authors, we're sure they'd love to hear your thoughts.

(1st) Dave Lasalle: Forensic Suite

Dave’s 14 plugins are immediately useful for various different scenarios, from tracking user activity to parsing special file formats and whitelisting injected code and API hooks.

Previously, if you needed to inspect a suspect or victim’s browsing activity from memory in a structured manner (i.e. not brute forcing with regular expressions), you were limited to the iehistory (Internet Explorer) plugin. Now you can do the same, and more, for Firefox and Chrome. The two browsers use sqlite3 databases, but due to several reasons (including paging), you’re not likely to succeed in carving complete sqlite3 files from memory. Dave’s plugins leverage his sqlite3 memory API, which handles missing chunks of database files gracefully.

Dave’s Twitter: @superponible
Dave’s GitHub:
Dave's Blog:
Dave’s Submission:

Most wanted follow up(s): A plugin to extract the most recent Internet Explorer history records. Porting Firefox and Chrome plugins to Linux and Mac memory dumps.

(2nd) Curtis Carmony: Dmcrypt

The dm_dump plugin brings an exciting new capability to open source memory forensics. In his own words, “given a memory dump from a Linux system using full disk encryption and access to the disk, the output of this plugin gives you the arguments to pass to the dmsetup command to remount the original unencrypted file system on a different machine.” In addition, Curtis provided support for Linux kernels 3.0 to 3.14 and instructions on how to extend Volatility’s profile generation mechanism for future systems.

A unique aspect of this plugin is that the data it recovers can only be found in RAM. As such, it accomplishes something that no form of disk or network forensics can do and it really showcases the power of memory forensics. Similar to the existing truecrypt plugins, the dm_dump plugin works by traversing the internal data structures used by device-mapper to keep track of its devices. Thus it pinpoints the data in memory without scanning for constants or patterns in key schedules.

Curtis’ GitHub:
Curtis’ Submission:

Most wanted follow up(s): Testing the methodology on Android disk encryption. 

(3rd) Adam Bridge: Editbox

Adam’s submission provides powerful new capabilities for tracking suspect user activity. It recovers text from EditBox controls in the GUI subsystem, with experimental support of ComboBox and ListBox. As a result, it can extract the following data types:
  • Notepad window.
  • Run dialog.
  • Username and server name fields of Remote Desktop Connection.
  • Address bar and search bar of Internet Explorer.
  • Search bar of Windows Media Player.
  • Username field of Create New Account wizard.
  • Password of Change Password dialog.
In general, it is effective on any application that leverages Microsoft's Common Control APIs. This plugin is particularly interesting because the data it recovers is not available anywhere besides RAM. On a multi-user system, there would be no way to collect the data this plugin enumerates without logging into each account and taking a screenshot.

Adam’s Twitter: @bridgeythegeek
Adam’s Submission:

Most wanted follow up(s): Integration of edit box labels into the screenshot plugin.

(4th) Thomas Chopitea: Autoruns

In Thomas' own words, "Finding persistence points (also called "Auto-Start Extensibility Points", or ASEPs) is a recurring task of any investigation potentially involving malware." The plugin currently covers several of the most common registry locations, including services, AppInit DLLs, Winlogon notification packages, and scheduled tasks. After finding ASEPs, the plugin matches them with running processes in memory.

Thomas’ Twitter: @tomchop
Thomas’ GitHub:
Thomas’ Blog:
Thomas’ Submission:

Most wanted follow up(s): Adding Linux and Mac support.

(5th) Takahiro Haruyama: OpenIOC Scan

This plugin combines the flexibility of the IOC language with the power of Volatility to give analysts quick and easy malware triage capabilities. Takahiro solved several problems that he (and most certainly other analysts) faced when using the existing tools, such as the ability to automate the tasks outside of a GUI and to scan for terms with regular expressions and case sensitivity. Takahiro’s blog (below) shows several practical examples of quickly finding malicious code in memory. We’re really excited for investigators to start taking advantage of Takahiro’s work.

Takahiro’s Twitter: @cci_forensics
Takahiro’s Blog:
Takahiro’s Submission:

Most wanted follow up(s): A repository of memory related indicators. Also for performance reasons, using the Registry API to scan for keys, values, etc.

The following submissions appear in the order they were received. As previously mentioned, everyone succeeded in solving a specific problem that they (and undoubtedly others) faced. For this, they deserve huge props. We look forward to seeing future work by these authors!

Monnappa KA: Gh0stRat Decryption  

Monnappa’s plugin focuses on detecting and analyzing Gh0stRat in memory. In his own words, “Gh0stRat is a RAT (Remote Access Trojan) used in many APT/targeted attacks. This plugin detects the encrypted Gh0stRat communication, decrypts it and also automatically identifies the malicious Gh0stRat process, its associated network connections and the loaded DLL's. This can help the digital forensic investigators and incident responders to quickly narrow down on the Gh0stRat artifacts without having to spend time on the manual investigation.”

Although a chopshop module exists for decrypting Gh0stRat communications in packet captures, Monnappa’s Volatility plugin aims to solve several specific problems that analysts may regularly face, including the absence of a full packet capture from the victim machine and needing to trace connections in the pcap back to the suspect process or DLL.

Monnappa’s Twitter: @monnappa22
Monnappa’s Submission:

Most wanted follow up(s): Continued research into other malware families.

Jamaal Speights: MsDecompress

The msdecompress plugin by Jamaal Speights has high potential. It allows investigators to find and extract data compressed with the LZNT1 algorithm (Xpress and XpressH coming soon) from memory dumps and it reports the process in which the data was found. The RtlDecompressBuffer API is heavily used by malware authors to pack their code and minimize the size of command and control traffic before sending it across the network. Many kernel components and popular applications also use this compression algorithm, and we look forward to hearing about all the types of forensic evidence that can be uncovered using this plugin.
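As an added illustration of the technique msdecompress relies on (this is not Jamaal's code or Volatility's), the block below decodes the LZNT1 format that RtlDecompressBuffer produces and then carves compressed chunks out of an arbitrary byte buffer, the way a plugin would sweep a process memory region. The chunk header layout, the variable offset/length split and the sample data are all from the format as documented; the buffer is constructed here for the example.

```python
import struct

CHUNK_MAX = 4096  # an LZNT1 chunk never decompresses to more than one 4 KiB block


def _decompress_chunk(chunk: bytes) -> bytes:
    """Decode one compressed LZNT1 chunk body (2-byte header already stripped).

    Raises ValueError on anything a genuine chunk never contains, so a scanner
    can use the exception to reject bytes that merely look like a header.
    """
    out = bytearray()
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]          # one flag byte governs the next 8 tokens
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not flags & (1 << bit):
                out.append(chunk[pos])  # clear bit: literal byte
                pos += 1
                continue
            if pos + 2 > len(chunk):
                raise ValueError("truncated back-reference")
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            if not out:
                raise ValueError("back-reference with no history")
            # Offset/length split: 4 offset bits for the first 16 output bytes,
            # then one more bit each time the output size doubles.
            p = len(out) - 1
            len_bits = 12
            while p >= 0x10:
                p >>= 1
                len_bits -= 1
            length = (token & ((1 << len_bits) - 1)) + 3
            offset = (token >> len_bits) + 1
            if offset > len(out):
                raise ValueError("back-reference before start of chunk")
            if len(out) + length > CHUNK_MAX:
                raise ValueError("chunk exceeds 4096 bytes")
            for _ in range(length):      # byte-wise copy handles overlap
                out.append(out[-offset])
    return bytes(out)


def lznt1_decompress(stream: bytes) -> bytes:
    """Decompress a whole stream of chunks. Header: bit 15 = compressed,
    bits 12-14 = signature (always 3), bits 0-11 = body size - 1."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(stream):
        header = struct.unpack_from("<H", stream, pos)[0]
        pos += 2
        if header == 0:                      # end-of-stream marker
            break
        if (header >> 12) & 7 != 3:
            raise ValueError("bad chunk signature at offset %d" % (pos - 2))
        size = (header & 0xFFF) + 1
        body = stream[pos:pos + size]
        if len(body) != size:
            raise ValueError("truncated chunk body")
        pos += size
        out += _decompress_chunk(body) if header & 0x8000 else body
    return bytes(out)


def carve_lznt1_chunks(buf: bytes, min_out: int = 16):
    """Find compressed LZNT1 chunks anywhere in buf; returns a list of
    (offset, compressed_size, decompressed_bytes). A hit must carry a 0xB???
    header, decode cleanly and actually expand, which filters most of the
    random 16-bit patterns that happen to look like a header."""
    hits = []
    for i in range(len(buf) - 1):
        header = buf[i] | (buf[i + 1] << 8)
        if header & 0xF000 != 0xB000:
            continue
        size = (header & 0xFFF) + 1
        body = buf[i + 2:i + 2 + size]
        if len(body) != size:
            continue
        try:
            out = _decompress_chunk(body)
        except ValueError:
            continue
        if len(out) >= min_out and len(out) > size:
            hits.append((i, size, out))
    return hits


# Constructed sample: a 13-byte chunk encoding b"hello hello hello hello !hello h"
# (32 bytes), surrounded by filler so it sits inside a larger "memory region".
SAMPLE_STREAM = bytes([
    0x0C, 0xB0,                                # header: compressed, sig 3, size 13
    0x40, 0x68, 0x65, 0x6C, 0x6C, 0x6F, 0x20,  # flags 0x40; literals "hello "
    0x0F, 0x50,                                # back-reference offset 6, length 18
    0x21,                                      # literal "!"
    0x01, 0x04, 0xC0,                          # flags 0x01; offset 25, length 7
    0x00, 0x00,                                # end-of-stream marker
])
SAMPLE_REGION = b"\x00" * 32 + SAMPLE_STREAM + b"\xff" * 32

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE_STREAM))
    for off, size, data in carve_lznt1_chunks(SAMPLE_REGION):
        print("chunk at 0x%x (%d bytes) -> %r" % (off, size, data))
```

On a real dump the carver would be pointed at each process's readable regions and its hits attributed to the owning process, which is the report msdecompress produces.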

Jamaal’s Twitter: @jamaalspeights
Jamaal’s Blog:
Jamaal’s Code: 
Jamaal’s Submission:

Most wanted follow up(s): An analysis of the different types of compressed data frequently found in memory.

Cem Gurkok: Mac Rootkit and Bitcoin

Cem submitted a total of four plugins: two for detection of rootkit hooks in Mac OSX memory, one for in-depth investigation of Mac OSX threads, and one for finding bitcoin private keys and addresses.
  • mac_bitcoin allows for recovery of bitcoin keys and addresses. This can greatly help investigators that need to determine which transactions and activity a particular user was involved with. Due to the nature of bitcoin, this activity can be very well hidden within the network, and only examination of a user’s system can put the pieces back together.
  • The mac_check_call_reference plugin is used to check for modified call instructions in the kernel. This can catch a wide array of rootkits that directly modify control flow in order to manipulate the system.
  • The mac_threads plugin is able to enumerate threads of each running Mac task. The examination of thread state can lead to determination of which portions of code a thread was using and which operations it performed. This capability had been missing from Volatility’s Mac support while being supported by the Windows and Linux side in the last two releases.
  • mac_check_shadow_trustedbsd enables the detection of rootkits that modify a reference to the TrustedBSD policy list. Such a modification can allow a rootkit to add, modify, and delete system activity returned to other kernel components and user land tools that rely on TrustedBSD for a set of system state.
Cem’s Twitter: @CGurkok
Cem’s GitHub:
Cem’s Blog:
Cem’s Submission: and

Most wanted follow up(s): Support for bitcoin addresses found in any process (not just Multibit) on any memory dump (Windows, Linux, Mac) and also in free/deallocated memory.

Csaba Barta: Malware Analysis 

The plugins in this submission are focused on helping analysts perform malware investigations and malware research. The first set of plugins highlight the differences between an infected memory sample and its baseline image. This can help an analyst quickly determine the types of changes the malware has made to the system. The current plugins focus on four important components of the operating system: processes, DLLs, services, and drivers. The final plugin, malprocfind, attempts to codify the rules an investigator may use to look for suspicious artifacts on a system. The plugins help automate common analysis techniques used by analysts during malware investigations.

Csaba’s GitHub:
Csaba’s Submission:

Most wanted follow up(s): Further extension of the baseline artifacts and malprocfind rules.

Philip Huppert: OpenVPN 

Philip’s submission is the result of his University paper “Extracting private information of virtual machines using VM introspection.” In the paper, Philip described how to recover openvpn 2.x.x usernames and passwords entered by the user in addition to the password required for unlocking the private key. The submission also includes a plugin to extract base64/PEM encoded RSA private keys from memory.

The openvpn plugin is effective against any memory dump format (not just live VM memory using libvmi). Philip also did a really nice job of narrowing the search space for finding the usernames and passwords. He isolates the .data and .bss segments of openvpn.exe and looks for signs of a specific data structure (named “user_pass”).

Philip’s GitHub:
Philip’s Submission:

Most wanted follow up(s): A summary of the steps for decrypting an openvpn session from a packet capture, given the private key. Also the ability to scan for the data structures in physical space (for example if the openvpn.exe process is no longer running).

Wyatt Roersma: Hyper-V Tools

Wyatt’s plugins will extract Hyper-V artifacts from a host system’s memory. The first plugin, hpv_vmconnect, is used to extract information about which users were accessing virtual machines using the virtual connect console. The second plugin, hpv_vmwp, is used to map each virtual machine to its associated process on the host and extract temporal information about when the machine was last started. The final plugin, hpv_clipboard, is used to extract memory-resident Hyper-V clipboard and hotkey artifacts. The plugins provide some insights into the types of artifacts that can be extracted from Hyper-V host memory and set the stage for future research.

Wyatt’s Twitter: @WyattRoersma
Wyatt’s Blog:
Wyatt’s GitHub:
Wyatt’s Submission:

Most wanted follow up(s): Further research into other Hyper-V artifacts and conversion tools.

Sunday, October 19, 2014

Memory Forensics Training in Amsterdam

We are excited to announce that the next Europe-based Malware and Memory Forensics Training by The Volatility Project will take place in Amsterdam (August 31st - September 4th, 2015). Our last class in Amsterdam sold out, so sign up early to reserve your seat. You can register by sending an email to voltraining [at] memoryanalysis [dot] net or by requesting an invite here.

Here's what some of our students from the Reston 2014 class said about the training:
"The deepest, most thorough technical course I have ever taken - not only did I learn how to use one of the best memory analysis tools available, I learned an incredible amount of Windows internals. Most important, I understand both enough to extend the functionality to meet any future requirements. Highly recommended - immediately useful and practical information to use in any incident response and malware analysis work!" - James P. 

"The Volatility course is absolutely excellent and should be taken by any individuals performing IR services and forensics. The course covers  not only the Volatility Framework, but the inner workings of malware and how it interacts with the Windows OS." - Kyle P (Sr. Digital Forensic Examiner)

"Amazingly useful information. If you do forensic work, you need to understand and use memory forensics. This course is the best one I've seen so far." - Anonymous 

"Excellent course. Instructors are knowledgeable, technical, and present the material very well. This course will expand your skills and help you see all the valuable data that you can gather. One of the best courses I've been to." - Chad W. (SOC Analyst)

Friday, October 3, 2014

Windows Malware and Memory Forensics Training in April and May 2015

We're excited to announce the dates and locations for two new public offerings of Windows Malware and Memory Forensics Training by The Volatility Project.

The following courses are now open for registration:
  • December 8th - 12th, 2014 in Austin, TX 
  • January 12th - 16th, 2015 in San Francisco, CA
  • February 2nd - 6th, 2015 in São Paulo, Brazil 
  • April 13th - 17th, 2015 in Reston, VA (NEW)
  • May 11th - 15th, 2015 in New York, NY(NEW)
You can request an invite through our web form or contact us via voltraining @ memoryanalysis [dot] net. Stay tuned for the next Europe-based training event.

Also, students in our Australia class wanted to share some of their feedback with you:
Very technical and in-depth course covering windows internals from memory. The best course I've taken so far in my entire career.
Fernando (DFIR/Malware Analyst)

Be ready to have your mind blown!
Dion W. (Incident Responder)

Invaluable for law enforcement and cyber crime investigators.
Jon C. (Australian Federal Police)
We look forward to meeting all the talented analysts and investigators that attend our classes!

Tuesday, September 30, 2014

The Volatility Foundation: Fighting for Open Source Forensics

We are excited to announce that the Volatility Foundation was officially granted 501(c)(3) status by the IRS and the application was approved in less than a year. This comes as great news when you consider the recent “BOLO” list controversies and the Yorba situation. We believe this is an encouraging sign for the future of free and open source software.

As an added benefit of the Volatility Foundation’s new status, supporters can now make tax-exempt donations to the foundation! Based on your generosity and the hard work of our developers, Volatility will continue to develop innovative software and fight against those who exploit open source forensics developers!

Shouts to Patrick and the Volatility legal team! We would also like to thank the IRS for their swift response.

Wednesday, September 17, 2014

Detective Michael Chaves Shares A Memory Forensics Success Story

Detective Michael Chaves from the Monroe CT Police Department shares the following story regarding his experiences with Memory Forensics, Volatility Training, KnTTools, and POS breaches. Michael was also recently quoted in Brian Krebs' article Card Wash: Card Breaches at Car Washes for the key role that he played in that investigation.

Shouts to Michael - keep up the great work!
Before attending this class I had a strong digital forensic background, but lacked an understanding of the "under the hood" workings of RAM and the stuff running in RAM. I knew I was in for a challenge and boy did I get one. I always had a desire to learn about memory analysis and I had some knowledge of what it contained, but it was the significant increase in POS breaches that I was investigating that I realized I needed this class sooner than later.

After taking this class in May of 2014 I began investigating a POS breach involving a local business chain. The chain was a Common Point of Purchase for thousands of credit/debit cards that were compromised, which led to more than $100,000 in losses from fraudulent use. From the class, I learned of a new memory acquisition tool from GMG Systems, Inc. called "KnTTools". I tested it out and found it to be an extremely reliable, fast and efficient program that has a very small footprint. I used KnTTools to acquire numerous RAM dumps from several locations.

Now came the time to figure out what I had. Going in blind, not knowing where to look or even what I was looking for was a daunting task. Referring to my notes and the student handbook, I began to use Volatility to try and understand what I had. I began to use plugins such as pslist, psxview, malfind, apihooks and connections and I started to get some information to look more into. Understanding the PID/PPID relationship and what process should call another was very helpful. Working with the business I learned what programs were legit and white listed them. This was important to me since I did not know what programs and applications were supposed to be running on those computers. I located three running processes that turned out to be malware. I used dlllist, dlldump, procdump and dumpfiles to extract out the processes, files and dll's and ran strings on them. From there I located great information including the POST/GET commands that show where the cards were going to... BINGO!

I located the same malware on ALL other RAM acquisitions. Although I do not know exactly how the malware got onto the system or fully how it works, I located the necessary information I needed to proceed with my investigation. Without this class or the Volatility tool, I would never have been able to further my investigation. Volatility is a game changer in memory forensics. With more and more POS breaches being reported every day both on a local and national scale, responders need the ability to efficiently and effectively analyze the RAM where the malware attempts to run.... and hide. But you can't hide from Volatility!

Thursday, September 4, 2014

Volatility 2.4 at Blackhat Arsenal - Defeating Truecrypt Disk Encryption

This video shows how to use Volatility’s new TrueCrypt plugins to defeat disk encryption on suspect computers running 64-bit Windows 8 and Server 2012.

The video is narrated by Apple's text-to-speech and you can find the actual text on the YouTube page. The live/in-person demo was given at the @Toolswatch Blackhat Arsenal.