MoVP for Volatility 2.2 and OMFW 2012 Wrap-Up

The Month of Volatility Plugins and Open Memory Forensics Workshop 2012 have now come to an end. Volatility 2.2 has been released. We hope you enjoyed spending time with us learning about the new features and innovative research that's being built into the framework. At the same time, we'd like to thank everyone who *contributes to the framework in one way or another; especially those who write code (see CREDITS.txt in the source package) and share their analyses.

* this excludes people who write plugins that implement a subset of the functionality of existing plugins and then charge excessive fees to teach you about it. You know who you are!

In the meantime, we've already started development on Volatility 2.3 and expect an RC1 date in December 2012. Will there be enough new features in 2.3 for another Month of Volatility Plugins? Action packed is how we like it, so you'll have to wait and see!

Open Memory Forensics Workshop 

• Datalore: Android Memory Analysis by Joe Sylve (@jtsylve)
• Malware in the Windows GUI Subsystem by Michael Ligh (@iMHLv2)
• Reconstructing the MBR and MFT from Memory by Jamie Levy (@gleeda)
• Analyzing Linux Rootkits with Volatility by Andrew Case (@attrc)
• More online slides are expected soon

Month of Volatility Plugins 

Week One:

• MoVP 1.1 Logon Sessions, Processes, and Images
• MoVP 1.2 Window Stations and Clipboard Malware
• MoVP 1.3 Desktops, Heaps, and Ransomware
• MoVP 1.4 Average Coder Rootkit, Bash History, and Elevated Processes
• MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs 

Week Two:

• MoVP 2.1 Atoms (The New Mutex), Classes, and DLL Injection 
• MoVP 2.2 Malware In Your Windows
• MoVP 2.3 Event Logs and Service SIDs
• MoVP 2.4 Analyzing the Jynx Rootkit and LD_PRELOAD
• MoVP 2.5 Investigating In-Memory Network Data with Volatility 

Week Three:

• MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem
• MoVP 3.2 Shellbags in Memory, SetRegTime and TrueCrypt Volumes
• MoVP 3.3 Analyzing USER Handles and the Win32k.sys Gahti 
• MoVP 3.4 Recovering tagCLIPDATA: What's In Your Clipboard?
• MoVP 3.5 Analyzing the 2008 DFRWS Challenge with Volatility

Week Four:

• MoVP 4.1 Detecting Malware with GDI Timers and Callbacks
• MoVP 4.2 Taking Screenshots From Memory Dumps
• MoVP 4.3 Recovering Master Boot Records (MBRs) from Memory
• MoVP 4.4 Cache Rules Everything Around Me(mory)
• MoVP 4.5 Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit