Wednesday, April 24, 2013

Memory Forensics Training - The Netherlands - September 2013

If you've never been to the Netherlands, now there's one more awesome reason to plan a trip. We are pleased to announce the 4th public offering of the Windows Malware and Memory Forensics Training by The Volatility Project. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. Its also our only training session held outside of the US this year. The Netherlands is home to a large forensics community and its pleasantly situated near the U.K., Germany, and France. 

One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework's extensive set of plugins. Now you can learn about these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool

Dates: Monday, September 9th through Friday, September 13th 2013
Location: The Netherlands (exact location will be shared upon request)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda)

Curious what our past attendees have been saying about the class? See the testimonials in our previous announcements for training in Reston and training in Chicago. There's also a new review online by one of our Chicago attendees saying: 
"I really can't say enough about the quality of the training. Michael, Andrew, and Jamie were able to masterfully explain core Windows functionality and how it applies to memory forensics. Each day I left training with an immense amount of new information and techniques to apply in my daily DFIR role."
Another recent description of the course comes from Jamie Levy, one of our instructors:
"This training will not disappoint even the most proficient of forensic/malware analysts.  It includes real-world scenarios that are reinforced with hands-on labs.  All students will leave with skills and confidence to conduct investigations involving RAM samples from acquisition to the final report.  Students also leave with more than just being Volatility power users, they leave with a deeper knowledge of memory forensics and malware analysis methodologies."
For more information about the course, view the Volatility Training Flyer (to download a copy of the PDF, click File > Download). To request a link to the online registration site or to receive a detailed course agenda/outline, please send an email voltraining [at]

Monday, April 1, 2013

Android Application (Dalvik) Memory Analysis & the Chuli Malware

This blog serves to highlight a recent collaborative effort between myself and Joe Sylve and Vico Maziale of 504ensics Labs. In this effort, we added to Volatility the capability to perform deep, per-application analysis of running Android applications. Each application runs in its own instance of Dalvik, which is Android's version of the Java Virtual Machine (JVM). This analysis leads to the recovery of all loaded classes, including the values of static and instance variables for each instance. This will often include data such as usernames and passwords, data read from the network and disk, and parameters used by malware to perform operations. 504ensics has made their own blog post on this work, where they not only explain the project in more detail, but also show analysis of the recently disclosed Chuli malware. If you perform Android malware analysis or are interested in the subject, I highly recommend reading their post here.

The Volatility Team is very happy to continue to see leading researchers in the memory forensics field focus their efforts towards the framework.  This will continue to make Volatility the leading memory forensics tool, and give it all the capabilities investigators need.