Wednesday, August 27, 2014

Volatility 2.4 at Blackhat Arsenal - Reverse Engineering Rootkits

This video demonstrates how you can leverage Volatility and memory forensics to detect kernel rootkits, assist with reverse engineering, and use the results for developing additional indicators.

The video is narrated by Apple's text to speech and you can find the actual text on the Youtube page. The live/in-person demo was given at the @Toolswatch Blackhat Arsenal.

Thursday, August 21, 2014

Volatility 2.4 at Blackhat Arsenal - Tracking Mac OS X User Activity

This demo shows how to track Mac OS X user activity by examining artifacts in physical memory with Volatility. 

The video is narrated by Apple's text to speech and you can find the actual text on the Youtube page. The live/in-person demo was given at the @Toolswatch Blackhat Arsenal.

Monday, August 18, 2014

New Volatility 2.4 Cheet Sheet with Linux, Mac, and RTFM

Our Windows Malware and Memory Forensics Training class is intense and rigorous, because its designed to reflect real world investigations. When you have a limited amount of time and you're being pressured for reliable answers - every minute counts. Sometimes you just gotta cheat...and when you do, you might as well use an Official Volatility Memory Analysis Cheat Sheet!

The 2.4 Edition features an updated Windows page, all new Linux and Mac OS X pages, and an extremely handy RTFM-style insert for Windows memory forensics.

For in-depth examples and walk-throughs of using the commands in this cheat sheet, make sure to get your copy of The Art of Memory Forensics!

Thursday, August 14, 2014

New Paper: In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux

A research paper (slides here) that I worked on with Golden G. Richard was recently published at DFRWS 2014 and received the Best Paper award! The paper, In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux, analyzed the in-memory, compressed swapped stores on recent Mac and Linux versions.

As you are likely aware, operating systems will traditionally swap unneeded pages out to disk in order to free the pages for currently running applications to use. This swapping process has historically presented issues for forensics analysis as attempting to acquire both physical memory and the swap file(s) in a consistent state can be a daunting task outside of virtual machine environments. Furthermore, Mac has provided encrypted swap (Secure virtual memory) since Mountain Lion and Linux users could optionally utilize encrypted swap for years. Similarly, Windows has the EncryptPagingFile option that can be turned on by administrative users. Recovering the keying materials for these encrypted stores can require modification to existing acquisition tools as well as specialized research.

A new advancement in operating system design, the creation of memory-only, compressed swap stores, presents both challenges and opportunities for memory forensics practitioners. When enabled, these stores attempt to avoid writing swapped pages to disk for performance reasons and instead compresses and stores them into a reserved pool of memory. When a page is later recalled from the pool, a simple decompression operation is all that is needed to be performed. This is much quicker than reading from even the fastest PCI-E storage provided by Apple devices.

At first, this store can be challenging to investigators as simple methods of investigation, such as strings analysis or file carving, will fail since the data is in its compressed state. This store can be helpful though as normal physical memory capture techniques will completely collect the store. This is opposed to traditional swap collection that required timing memory acquisition with disk acquisition to avoid smearing.

The paper presents the algorithms used by both Mac and Linux to implement the compressed stores. We also describe our Volatility plugins that can fully locate and decompress all pages kept within the stores. Finally, we present data sets from sample machines that we tested the plugins and analysis on.

If you have any questions on the paper feel free to reach out to either myself or Golden.

Wednesday, August 13, 2014

Presenting Volatility Foundation Volatility Framework 2.4

The release of this new Volatility version coincides with the publication of The Art of Memory Forensics. It adds support for Windows 8, 8.1, 2012, and 2012 R2 memory dumps, Mac OS X Mavericks (up to 10.9.4), and Linux kernels up to 3.16. New plugins include the ability to extract cached Truecrypt passphrases and master keys from Windows and Linux memory dumps, investigate Mac user activity (such as pulling their contact database, calendar items, PGP encrypted mails, OTR Adium chat messages, etc), and analyze advanced Linux rootkits. See below for a detailed change log.

Binary releases, including pre-built executables for Windows and Mac OS X can be found on the Volatility Foundation website: We've also now moved our source code repository to Github: Note that there's a separate repository containing over 160 Linux profiles for 32- and 64-bit OpenSuSE, Redhat, Debain, Ubuntu, Fedora, and CentOS (thanks Kevin!); and all Mac OS X profiles from 10.5 to 10.9.4. 

The detailed change log is below:

Windows Memory Forensics 
  • Truecrypt plugins (summary, cached passphrases, master keys)
  • Apihooks support for 64-bit memory images 
  • Apihooks plugin detects JMP FAR hook instructions 
  • Hashdump, Cachedump, and Lsadump plugins updated for x64 and Win8/2012
  • Callbacks and timers plugins work on 64-bit memory images 
  • Mftparser identifies NTFS alternate data streams 
  • Mftparser -D option extracts MFT-resident files to disk
  • Ability to scan for multiple executive object types concurrently with a single pass through the memory dump 
  • Procmemdump and procexedump condensed into "procdump" (and --memory option available)
  • Envars plugin has a --silent flag to ignore common/default environment variables 
  • Vadtree plugin in graphviz output mode (--output=dot) color codes nodes per heap, stack, mapped file, DLL, etc.
  • Getsids plugin automatically resolves user and service SIDs 
  • Timeliner plugin supports --machine to identify the source in multi-source timelines 
  • Verinfo (PE version info) plugin updated and moved into core framework 
  • Strings translator prints "FREE MEMORY" for data found in deallocated regions (used to skip them)
  • Vadinfo plugin allows --addr to specify one region rather than printing them all 
  • Yarascan plugin allows you to control --size (bytes in preview) and --reverse (show data *before* a hit)
  • Volshell plugin has new APIs proc(), addrspace(), getprocs(), and getmods() for easy access
  • All process based plugins accept --name (process name regular expression filter)
  • Added the auditpol plugin to check audit policies 
  • Added the cmdline plugin to show process command line arguments 
  • Volshell plugin can recursively print structure members (similar to windbg's dt /r)
  • New pooltracker plugin allows analysis of kernel pool tag statistics 
  • New bigpools plugin allows finding big page pool allocations 
  • Svcscan plugin prints service start type (manual, automatic, disabled, etc)
  • Added a plugin to find and print text on the Notepad application's heap
  • PE dumping plugins (procdump, dlldump, moddump) support --fix to fix the image base value 
  • Joblinks plugin for getting information for job objects
Address Spaces / File Formats
  • Support for QEMU virtual machine memory images 
  • Support for "split" VMware files (memory in .vmem and metadata in .vmss/.vmsn)
  • Support for Windows BitMap crash dumps (created by Windows 8 / 2012 on BSOD)
Mac Memory Forensics 
  • Support for Mavericks through 10.9.4
  • Mac string translation added 
  • Recover sent and received Adium messages, including those protected by OTR 
  • Enumerate contacts from the Contact application's database
  • Extract the HTML content of notes from the Notes application 
  • Ability to reveal clear-text PGP emails sent or received with the Mail application 
  • Locate Apple Keychain encryption keys in memory (for cracking with Chainbreaker)
  • Find API hooks in both the kernel and process memory
  • List IP and socket filters
  • Extract loaded kernel extension to disk
  • Find suspicious process mappings (i.e. injected code) 
  • Find hidden kernel extensions
  • Recovered files cached in memory
Linux Memory Forensics 
  • Support for Linux kernels through 3.16
  • Linux string translation added
  • Detect API hooks in both userland processes and the kernel
  • Detect GOT/PLT overwrites
  • Find hollowed executables
  • Find suspicious process mappings
  • Library listing using the loader’s data structures
  • Extract process ELF executables and libraries to disk
  • List network interfaces in promiscuous mode
  • List processes that are using raw sockets
  • Find hidden kernel modules
  • List Netfilter hooks
  • Extract cached Truecrypt passphrases 

Tuesday, August 12, 2014

Art of Memory Forensics Picture Contest Winners!

If we were running a book picture contest, these would be the winners. Keep in mind, we actually do have a contest brewing where you can win large cash prizes and/or free training, Volatility swag, etc.

The following "retro cover" was submitted by Didier Stevens (@DidierStevens).

The following "I'm too sexy for my book" was submitted by Jonathan Zdziarski (@JZdziarski).

The following "white sangria and object headers" was submitted by Erika Noerenberg (@gutterchurl).

The following was submitted from The Disassembler (@Disassembler).

The following "don't leave home without it on ALL your devices" was submitted by Dennis York (@LDRydr). 

The following "third eye wide open" was submitted by Golden G. Richard (@nolaforensix).

The following "back from defcon" was submitted by Mariano Graziano (@emd3l). 

The following was submitted by Bob Dobalina (@northTtown) - not sure what this is, but it looks interesting. 

The following "part of the cannon" was submitted by Troy Larson. 

The following was submitted by Brian Moran (@brianjmoran).

The following "twins, almost" was submitted by by Andy Magnusson.

The following "Volatility, on the job" was submitted by Ken Pryor (@KDPryor). I thought I'd only see AMF in an officer's car if I got arrested while holding it!

The following "Vanity, thy name is @moyix" was submitted by Brendan Dolan-Gavitt (@moyix).

The following was submitted by Frankie Li (@Espionageware).

The following was submitted by Andrew Case (@attrc).

We'd love to see other readers in action with the book! Tweet them to @volatility to enter the contest (be aware, there are no prizes, except smiles).