Given the number of deserving submissions we received, the judging took a little longer than we originally anticipated. We wanted to make sure that we were able to thoroughly test and verify each submission. We would like to thank all the participants for their submissions. A number of these submissions will be highlighted in upcoming blog posts and at OMFW 2013!
The winners of the 1st Annual Volatility Framework Plugin Contest are:
- Mariano Graziano from EURECOM with Actaeon, Intel VT-x introspection.
- Cem Gurkok with OS X rootkit detection and Windows security auditing plugins.
- Jeff Bryner with the Facebook and Twitter artifact extraction.
- Carl Pulley with a plugin to find the nearest function/method within a symbol table & Edwin Smulders with his Linux process information, stack analysis, and syscall register plugins [Note: Carl and Edwin tied for 4th place, this is not a joint submission]
- Jamaal Speights with extracting networking packets from memory samples.
1st Place
Mariano Graziano from EURECOM with Actaeon, Intel VT-x introspection.
Description:
This submission enables memory forensics of guest operating systems in virtualization environments using Intel VT-x technology. This includes the ability to locate memory-resident hypervisors and nested virtualization. Its current implementation enables virtual machine introspection of 32-bit Windows guests. It was tested with KVM, Xen, VMware Workstation, VirtualBox and HyperDbg.
Download Link:
downloads.volatilityfoundation.org/contest/2013/MarianoGraziano_Actaeon.zip
Related Links:
http://www.s3.eurecom.fr/tools/actaeon/
https://github.com/eurecom-s3/actaeon
http://www.s3.eurecom.fr/docs/raid13_graziano.pdf
Author's Twitter: @emd3l
2nd Place
Cem Gurkok with the Windows security permission plugin
Description:
This plugin displays the security permission information for files, processes, services, tokens, threads, devices, and registry keys. The information includes DACLs, SACLs (Discretionary/System access control lists), object integrity level, and object ownership. Security permission information is obtained from the object’s security descriptor. This plugin can help administrators proactively assess the security of their systems and can also help determine possible "holes" that led to successful privilege escalation attacks. This plugin dumps verbose information that you can categorize and filter for your needs, and it also supports all major 32-bit and 64-bit Windows operating systems.
Download Link:
downloads.volatilityfoundation.org/contest/2013/CemGurkok_WindowsSecurity.zip
Author's Twitter: @CGurkok
Cem Gurkok with the OS X rootkit detection plugins
Description:
This submission provides detection capabilities for a number of rootkit hooking techniques within 64-bit OS X:
- Direct syscall table modification
- Syscall function inlining (i.e. DTrace hooks)
- Patching the syscall handler (i.e. a shadow syscall table)
- Hooked functions in kernel/kext symbol tables
- Modified IDT descriptors
- Modified IDT handlers
Download Link:
downloads.volatilityfoundation.org/contest/2013/CemGurkok_OSXDetect.zip
Related Links:
http://siliconblade.blogspot.com/2013/07/idt-hooks-and-detecting-them-in-osx.html
http://siliconblade.blogspot.com/2013/07/back-to-defense-finding-hooks-in-os-x.html
http://siliconblade.blogspot.com/2013/07/offensive-volatility-messing-with-os-x.html
http://siliconblade.blogspot.com/2013/05/checkdtrace-volatility-plugin-arises.html
3rd Place
Jeff Bryner with the Facebook and Twitter artifact extraction
Description:
This submission provides plugins for carving Twitter and Facebook artifacts from a process' address space. This is accomplished by scanning the address space for the JSON/HTML structures that are used by the social media applications. Examples of information extracted include Twitter direct messages, identifying user information, Facebook direct messages, etc.
Download Link:
downloads.volatilityfoundation.org/contest/2013/JeffBryner_FacebookTwitter.zip
Related Links:
https://github.com/jeffbryner/volatilityPlugins
http://www.youtube.com/watch?v=K_gBpdK936o
Author's Twitter: @0x7eff
4th Place (tie)
Carl Pulley with a plugin to find the nearest function/method within a symbol table.
Description:
This submission demonstrates the usefulness of being able to dynamically extract Windows symbol information. It includes a plugin that will automatically extract symbol information from PDB files associated with memory-resident modules. The submission also includes a "profile modification" that creates a new member of the _EPROCESS object, which facilitates "nearest symbol" lookups of addresses. This can be very useful when investigating unknown pointers or the control flow history of a corrupted execution stack.
Download Link:
downloads.volatilityfoundation.org/contest/2013/CarlPulley_Symbols.zip
Related Links:
https://github.com/carlpulley/volatility/blob/master/symbols.py
https://code.google.com/p/pdbparse/issues/detail?id=13
Author's Github: https://github.com/carlpulley
Edwin Smulders with his Linux process information, stack analysis, and syscall register plugins
Description:
This submission provides plugins for extracting information from x86_64 Linux memory samples. They provide extensive insight into the state of the system at the time of the memory samples. Examples of the extracted information include:
- Detailed process information
- Networking data structures
- Detailed analysis and annotation of the execution stacks
- System call context
Download Link:
downloads.volatilityfoundation.org/contest/2013/EdwinSmulders_Symbols.zip
Related Links:
https://github.com/Dutchy-/volatility-plugins
5th Place
Jamaal Speights with a plugin that extracts networking packets from memory samples.
Description:
The ethscan plugin provides the ability to recover Ethernet frames from memory samples. It provides extraction support for both IPv4 and IPv6. It also provides the option to extract the frame data to either binary files or to a pcap file. It should work against any binary file (not just memory dumps).
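As an added illustration of the carving approach that the ethscan description outlines (this is example code written for this page, not the contest plugin's own code), the following Python scans an arbitrary byte buffer for Ethernet frames whose EtherType announces IPv4 or IPv6, validates the IP header (including the IPv4 header checksum) before accepting a hit, and resumes after each carved frame. The input buffer is constructed inline; the MAC and IP addresses in it are made up.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETH_HLEN = 0x0800, 0x86DD, 14


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; over a header with its checksum in place it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_len(buf: bytes, off: int, ethertype: int):
    """Length of a plausible IP packet starting at off, or None if the header does not validate."""
    if ethertype == ETHERTYPE_IPV4 and off + 20 <= len(buf) and buf[off] >> 4 == 4:
        ihl = (buf[off] & 0x0F) * 4
        total = struct.unpack_from("!H", buf, off + 2)[0]
        if 20 <= ihl <= total and off + total <= len(buf) and ipv4_checksum(buf[off:off + ihl]) == 0:
            return total
    if ethertype == ETHERTYPE_IPV6 and off + 40 <= len(buf) and buf[off] >> 4 == 6:
        total = 40 + struct.unpack_from("!H", buf, off + 4)[0]  # fixed header + payload length
        if off + total <= len(buf):
            return total
    return None


def carve_frames(buf: bytes):
    """Return [(offset, frame_bytes)] for every Ethernet+IP frame found by a byte-wise scan."""
    frames, off = [], 0
    while off + ETH_HLEN <= len(buf):
        ethertype = struct.unpack_from("!H", buf, off + 12)[0]
        ip_len = _ip_len(buf, off + ETH_HLEN, ethertype)
        if ip_len is None:
            off += 1              # no valid header here: slide one byte and retry
            continue
        frames.append((off, buf[off:off + ETH_HLEN + ip_len]))
        off += ETH_HLEN + ip_len  # resume after the carved frame
    return frames


def build_sample() -> bytes:
    """Constructed input: 7 junk bytes, one UDP/IPv4 frame with a 4-byte payload, 5 junk bytes."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 1, 0, 64, 17, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))  # fill in a valid checksum
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(hdr) + b"ABCD"
    return b"\xff" * 7 + frame + b"\x00" * 5
```

A frame whose IPv4 header checksum does not verify is skipped, which keeps random data that happens to contain 0x0800 out of the results.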
Download Link:
downloads.volatilityfoundation.org/contest/2013/JamaalSpeights_Network.zip
Related Links:
https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/ethscan.py
Author's Twitter: @jamaalspeights
Honorable Mention
Jeremy Jones from Delphix with a plugin to convert VMware suspended state to Illumos debug format
Description:
This submission includes a plugin that converts a VMware suspended state file (.vmss) into a format supported by Illumos debugging tools (mdb, adb, etc.). It was tested on an OpenIndiana VM, which it converted successfully and whose files worked well when analyzed with mdb. This plugin was created to solve a real-world system administration challenge of collecting a crash dump from a system that was hanging during the boot process. It demonstrates the power of memory analysis beyond just forensics and security.
Download Link:
downloads.volatilityfoundation.org/contest/2013/JeremyJones_Illumos.zip
The Volatility Foundation would like to thank everyone who participated in this year's contest. Memory analysis is one of the most exciting and important fields in information security and digital forensics. It requires a deep technical skill set and an investigative mindset that are often rare to find. The participants in the plugin contest were not only competing for prizes but they were also contributing pioneering research that will help shape the future of the field. While this page highlighted research that was officially submitted to the contest, there were also a few other efforts worth mentioning: a new Xen address space written by Nehal Bandi from Citrix Systems and patches to mftparser and timeliner that facilitate including memory artifacts into Plaso and log2timeline by David Nides and Kristinn Gudjonsson.
If you have any questions about a particular submission, please contact the participant directly.