Wednesday, February 19, 2014

Training by The Volatility Project Now Available In Three Continents!

The Volatility Team is very happy to announce that we have a new website and a number of upcoming training courses this year. With opportunities across three different continents, it's now easier than ever before to learn about the most exciting realms of digital forensics from instructors who pioneered the field and developed some of the industry's most powerful tools.

You can visit our new website to learn details about our offerings, including the popular Malware & Memory Forensics class, our Digital Forensics & Incident Response class at BlackHat Vegas, and our online Registry Forensics training.

The next public offerings of the Malware & Memory Forensics class include:
To provide fair warning, the New York and London classes WILL SELL OUT SOON. We've already exceeded our seating capacity in invites for both events - and it's first-come-first-served to those who complete the registration. Please contact us ASAP if you would like to attend these courses. We're also nearly at capacity for private/closed training events - with one slot remaining for 2014. If you want dedicated training on-site at your place of business, drop us a line.

The course in Australia is still currently being planned, but we expect it to be in either one of the last two weeks of August or the first week of September. It will be held in Canberra or Sydney. If you are interested in being put on the notification list for when registration opens for this course, then please contact us.

Here are a few other shortcuts to our new website for you:
Reviews of our past Malware & Memory Forensics offerings can be found here. Ian Ahl (@tekdefense) also wrote a blog post of his experience here.

Our most recent public offering in San Diego received very high praise as well:
"This was the most in depth forensic course I've ever taken. The instructors are top notch and really know the material and concepts behind it. If you're serious about protecting your network, you need to take this course" - Ryan G. 
"This is the best forensics training I have ever participated in. You don't just learn what commands you blindly punch in; you gain deep insight into win internals, understand how malware can subvert the OS, and how to detect these abuses. Also, tons of stuff I can bring home to continue training and apply to my work." - Christian B.  
"This was hands down the best (technical, useful, well explained, and relevant to current investigations) DFIR course/materials I have taken in the last 10 years! This is a must take class for anyone in DFIR. Aside from the knowledge + lab experience, the tools provided may be worth the class attendance alone. If you don't take this course, you're doing Windows DFIR wrong!" - Anonymous
If you are serious about learning memory forensics and want to learn it from the researchers and developers of The Volatility Project then you should consider taking our course. If you do take the course, you will not only be able to conquer advanced threats and malware, but you will also understand how your tool is operating every step of the way.

Monday, February 3, 2014

ADD: The Next Big Threat To Memory Forensics....Or Not

Similar to a rootkit, an anti-forensics tool or technique must possess two critical traits in order to be significant:

1. It must do something
2. It must get away with it

Satisfying #1 is the easy part. You can hide a process, hide a kernel module, or in the case of ADD - create fake, decoy objects to lead investigators down the wrong path. Although ADD is just a proof-of-concept, we're not convinced there's a concept that needs proving. The idea of creating decoy objects was presented in 2007:
Another area of concern is the susceptibility of these tools to false positives or decoys. It is possible for a malicious adversary to dramatically increase the noise to signal ratio and keep the digital investigator busy. Unfortunately, using this [the pool tag scanning method] makes it extremely easy for a malicious adversary to create "life-like" decoys. 
In other words, tools that use object carving (i.e. pattern matching, scanning) as an analysis technique are implicitly susceptible to attacks that create objects that look like the ones being carved. This is a well-understood consequence of the analysis technique and is true of file carving, internet artifact extraction, and various other types of forensic data.  It would not be responsible for a forensics analyst to ignore legitimate artifacts found using these techniques because they are susceptible to false positives. An analyst should understand the limitations of their tools/techniques and know how to validate or refute their findings with supporting artifacts.

Let's pretend for a moment that the decoy idea is new, however. Indeed it may be new, to some people, who have not seen the previous research. Yet, regardless of what action(s) are carried out in #1, the real challenge is satisfying #2. Once you've done what you want to do, can you clean up after yourself and not get busted?

Think of it this way - a suspect wants to rob a bank. It is implied that this crime is possible to commit - no proof is required. In fact it's quite easy, as several very unintelligent people have shown in the past. The suspect gets so far as to take physical possession of the cash, but either gets trapped inside the bank or leaves a trail of money all the way back to his front door.

As the suspect sits in prison, he wonders "what have I accomplished?" and comes up blank. By failing to achieve #2, his efforts toward #1 are futile. Even if he came up with a completely new way of robbing a bank, one that had never been considered by another criminal, he still got caught.

The authors of ADD will argue that the time investigators spend pursuing the criminal makes the decoy concept worthwhile. They make absolutely no attempt to achieve #2. As a result, a talented memory analyst (who happens to be an alumnus of our training class) made short work of the anti-forensics tool - finding various ways to determine what happened, when it happened, and how it happened in a matter of minutes. In this case, it took the adversary considerably longer (probably weeks) to develop the tool, and it took the investigator the amount of time it takes to eat a bag of chips to blow the case wide open.

Another goal of ADD is to "reset the bar" and convince investigators not to trust what they find in memory. In an online recording, the author stated that the tool serves to teach a valuable lesson to people in the "point and click" forensics mindset. First of all, to reset the bar, you don't scale back and create a tool that only tricks the least skilled investigator. That may indeed reset the bar, but in the wrong direction.

Similarly, no investigators are so naive as to base their conclusions on one piece of data alone. There are various components to the digital crime scene, and one main reason we perform memory forensics is to corroborate evidence. If the supporting data isn't there (i.e. network connections in the firewall, packet captures, file system artifacts, etc), then the fake artifact is quickly exposed.

In fact, ADD doesn't even do a good job of creating fake objects. The fake connections are created without process association, so you see an ESTABLISHED TCP connection with no owner. The fake processes stick out like a sore thumb, because they're only found by one of the 7 techniques that psxview uses to identify process objects. Attempting to dump the fake processes results in an error (expectedly), which raises even more suspicion. Also, the fake files it creates are found floating off a device that doesn't exist rather than a real physical drive.
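The triage logic described above (an object reported by only one of several independent techniques, or a connection with no owning process, is the thing to look at first) is easy to script. The following is an added example written for this post, not Volatility code and not psxview itself; it only borrows psxview's column names. The seven "views", the exit-time table and the connection list are all constructed sample data standing in for plugin output, and the decoy entry is invented to show how it stands out.

```python
"""Cross-view triage of carved process and connection artifacts.

Added example (not part of Volatility): mimics the idea behind psxview, where
a process is enumerated by several independent techniques and any entry seen by
only one of them needs validation, plus a check for carved TCP connections that
have no owning process.  Every data set below is constructed for illustration.
"""
from collections import defaultdict

# Constructed: processes that really existed when the sample was taken.
REAL = {(4, "System"), (480, "csrss.exe"), (1200, "explorer.exe"), (2044, "notepad.exe")}
DECOY = (3120, "decoy.exe")        # constructed fake object, only "found" by pool scanning
TERMINATED = (1972, "cmd.exe")     # constructed process that exited before the capture

# Constructed views keyed by psxview's technique names.  Only psscan (carving)
# reports the decoy and the terminated process; the other techniques never saw
# them.  System and csrss are legitimately absent from some views, which is why
# a single missing column is not by itself a red flag.
VIEWS = {
    "pslist":   set(REAL),
    "psscan":   REAL | {DECOY, TERMINATED},
    "thrdproc": set(REAL),
    "pspcid":   set(REAL),
    "csrss":    REAL - {(4, "System"), (480, "csrss.exe")},
    "session":  REAL - {(4, "System")},
    "deskthrd": REAL - {(4, "System")},
}

# Constructed: exit timestamps psscan would report for terminated processes.
# A carved object with an exit time is expected; one without is unexplained.
EXIT_TIMES = {1972: "2014-02-03 10:15:00"}

# Constructed connection table; pid 0 stands for "no process association".
CONNECTIONS = [
    {"local": "10.0.0.5:49200", "remote": "93.184.216.34:443",  "state": "ESTABLISHED", "pid": 1200},
    {"local": "10.0.0.5:49311", "remote": "198.51.100.7:8080", "state": "ESTABLISHED", "pid": 0},
    {"local": "10.0.0.5:49400", "remote": "203.0.113.9:80",    "state": "CLOSED",      "pid": 7777},
]


def cross_view(views):
    """Map each (pid, name) to the sorted list of techniques that reported it."""
    seen = defaultdict(set)
    for view, procs in views.items():
        for proc in procs:
            seen[proc].add(view)
    return {proc: sorted(v) for proc, v in seen.items()}


def single_view_hits(views):
    """Entries reported by exactly one technique: {(pid, name): technique}."""
    return {proc: v[0] for proc, v in cross_view(views).items() if len(v) == 1}


def orphan_connections(connections, views):
    """Connections whose owner pid matches no process in any view (0 = no owner)."""
    known = {pid for procs in views.values() for pid, _ in procs}
    return [c for c in connections if c["pid"] not in known]


def triage(views, exit_times, connections):
    """Split single-view hits into explained (terminated) and unvalidated,
    and list connections with no plausible owner."""
    report = {"terminated": [], "unvalidated": [], "orphan_connections": []}
    for (pid, name), view in sorted(single_view_hits(views).items()):
        if view == "psscan" and pid in exit_times:
            report["terminated"].append((pid, name, exit_times[pid]))
        else:
            # Found by carving alone with no exit time: decoy or hidden object;
            # corroborate against other sources before drawing conclusions.
            report["unvalidated"].append((pid, name, view))
    report["orphan_connections"] = orphan_connections(connections, views)
    return report


if __name__ == "__main__":
    for key, rows in triage(VIEWS, EXIT_TIMES, CONNECTIONS).items():
        print(key)
        for row in rows:
            print("   ", row)
```

Run as-is, the report lists cmd.exe as a terminated process that carving is expected to recover, flags decoy.exe as a psscan-only object with no exit time, and prints the two connections (pid 0 and pid 7777) that no enumerated process can account for. Real psxview output has more nuance (for example, processes started before csrss.exe are legitimately absent from its handle table), which is why the script only prioritises entries for validation rather than declaring them fake.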

The sheer amount of nonsense artifacts that this tool disperses in memory just begs for it to be noticed. While stealth is admittedly not the motivation for this particular technique, increasing the noise becomes a liability when it can be easily triaged.

Perhaps the most astonishing aspect of ADD is that the author(s) failed to advise the audience on how their tool, or any anti-forensics method, could be detected. The question was posed once during the Q&A session at Shmoocon and again nearly two weeks later at about 40:40 into the online recording.

Host: What would you think the signs are [that someone should be looking for] whether or not there is in fact some reason to believe that you should go in and check for these [anti-forensics attacks]?

ADD Author: You know, unfortunately I don't have a good answer for that. I think this is going to be prohibitively difficult. 

After reading Forensic Analysis of Anti-Forensic Activities, you be the judge - is it prohibitively difficult to detect? This exemplifies the value of learning memory forensics techniques from the actual developers who performed the research and intimately understand the limitations of their tools. 

To conclude, in its current state, ADD creates poorly faked objects on one version of Windows (32-bit Windows 7) and draws more attention to itself than any other anti-forensics tool. There is a significant amount of work that needs to be done for this to change, so while the attackers are spending their weeks and months trying to build things up to spec, rest assured that with proper training and the right tools, you won't need to worry about future versions.