Monday, December 5, 2016

Results from the 2016 Volatility Plugin Contest are in!

Congratulations to all the participants! This year we received more submissions than ever before (21 to be exact, from 16 different authors), so judging took longer than we expected. Sorry about that! The good news is...there's a LOT of new and exciting functionality available to law enforcement agents, DF/IR practitioners, malware analysts, and researchers around the globe, which can immediately be transitioned into their workflows. That's the whole spirit of open source memory forensics with Volatility, and we're once again very proud to sponsor a contest with such impressive results.

It may sound cheesy, but everyone is a winner in this contest. Although a few developers will walk away with prizes, they all solved a problem that they (and inevitably others) faced, gained experience writing Python plugins, and learned some intricacies of memory analysis internals. The capability to program around technical issues and design/implement solutions is a gift. You can applaud by following the authors on Twitter/GitHub/LinkedIn, providing feedback on their ideas, and helping to improve their code with testing, documentation, or contributing patches.

We also want to thank Airbnb for donating $999 to the cash prizes! When looking for a new job, we definitely recommend considering employers that support open source forensics and value the importance of memory analysis. Maybe you can be their next Security CSIRT Engineer!

Here is a break down of the placements and prizes

1st place and $1800 USD cash or a Free Seat at Malware and Memory Forensics Training by the Volatility Project goes to:
Monnappa for Hollow Process Detection and Analysis. Monnappa also participated in the 2015, so this is his second consecutive contest. Aside from the code itself, Monnappa's corresponding documentation was very impressive. Given Monnappa has already taken our training class, he'll likely take the cash prize!
2nd place and $800 USD cash goes to:
Kevin Breen for VolUtility and LastPass Credential Recovery. Although we've seen web interfaces in the past, Kevin's take on it has a lot of unique and helpful features. He's already integrated quite a number of new capabilities since the contest closed in October and he's showing no signs of slowing down. He's got Volatility plugin fever! 
3rd place and $450 USD cash goes to:
Dima Pshoul for Advanced Malware Hunter's Kit. Dima designed several creative ways to detect memory-only injected code, which is one of the major reasons why analysts rely on memory forensics. Say hello to malfind's two new best friends! 
4th place and $100 USD cash and Volatility Swag goes to:
Mariano Graziano for ROP Payload Analysis and Linux Kernel Symbol Finder. This is Mariano's second plugin contest - he previously won first place for Actaeon. Its great to see Mariano continuing to implement powerful capabilities like ROPMEMU. Likewise, the Linux kernel symbol finder preemptively solves issues that analysts will face in the absence of Linux profiles.
5th place and $100 USD cash and Volatility Swag goes to:
Bart Inglot for RDP Key Extraction and Replay. This is Bart's second plugin contest, but the first time he's made it to the top 5. We met Bart a few years ago when he attended one of our training classes in Amsterdam, and since then, he's been rapidly improving his memory forensics skills. Bart's submission highlights some really cool capabilities related to offline DPAPI data decryption and extraction of key data from RAM. 
Thomas White for Mac FileVault2 and Microsoft Bitlocker Key Extraction. Together with Volatility's existing plugins for Truecrypt and dm-crypt on Linux, investigators not only have quite thorough support for pulling FDE keys from RAM, but they can understand where and how the keys are stored in virtual memory. 

Here is a detailed summary of the submissions. If you have feedback for the authors, we're sure they'd love to hear your thoughts.

1st: Monnappa: Hollow Process Detection and Analysis

Monnappa's hollowfind is a Volatility plugin to detect different types of process hollowing techniques used in the wild to bypass, confuse, deflect and divert forensic analysis techniques. The plugin detects such attacks by finding discrepancies in the VAD, PEB, and other OS meta-data structures. The plugin also disassembles the address of entry point to detect any redirection attempts and also reports any suspicious memory regions which should help in detecting the injected code.

Monnappa's research on the process hollowing technique in general is very impressive. To design the plugins, he needed to reverse engineer various real-world malware samples that performed process hollowing, intimately study their subtle differences, and write code to handle each case. His blog below is complete with commented IDA screen shots and Volatility plugin output produced after executing the described malware.

Monnappa's Blog on Process Hollowing: detecting-deceptive-hollowing-techniques
Monnappa's GitHub:
Monnappa's Twitter: @monnappa22

2nd: Kevin Breen: VolUtility Web Interface

VolUtility is a web interface (written in Django) for Volatility. It runs plugins and stores the output, derived directly from the plugin's JSON rendering APIs, in a Mongo database. It extracts files from plugins (that support --dump-dir) and stores the binary content in the database as well, allowing searches across all plugins and file content with string search and Yara rules. In comparison with other web interfaces that we've seen in the past, VolUtility stands out due to its extensions, which allow integration with Cuckoo Sandbox, Exif, Floss, and VirusTotal. It also features a hex viewer, PST and SQLite viewers, registry hive browser, volshell-like input controls, etc. We found the documentation very thorough and installation/configuration on Linux was a breeze.

Kevin's Twitter: @kevthehermit
Kevin's Website:

2nd: Kevin Breen: LastPass Credential Recovery

LastPass is a highly popular and widely used password manager. Its ease of use and direct integration into major browsers allows for even non-technical users to maintain unique, strong passwords across a variety of websites and services. Since many users trust all of their passwords to LastPass, cleartext credentials from its database are highly valuable forensic targets. This newly submitted plugin, named lastpass, allows for targeting of LastPass user credentials that were stored in memory at the time of acquisition, allowing for rapid exploitation by forensic analysts.

Kevin leveraged the process VAD scanner API in Volatility along with custom Yara rules to locate signatures related to the cached LastPass credentials. Currently the plugin focuses on IE, Chrome, and FireFox, however Kevin plans to test additional browsers, extend support to additional password managers, and implement unified output so the data can be consumed/post-processed by other applications easily.

Kevin's Twitter: @kevthehermit
Kevin's Website:

3rd: Dima Pshoul: Advanced Malware Hunter's Kit

In Dima's own words, he is a "long time Volatility user who wanted to contribute to the framework and also improve it by writing unique and powerful plugins." Mission accomplished! The "Advanced Malware Hunter's Kit" includes plugins for reconstructing call stacks, detecting hollowed processes, finding malicious threads via code executed from dynamically allocated addresses, and locating injected code regions by analyzing return addresses on the stack.

Dima did a great job analyzing the current plugins in the Volatility Framework (namely malfind) and the associated weaknesses that malware can exploit to trick investigators. Conceptually, the techniques Dima introduced in his plugins will be invaluable supplements for detection of malware hiding in memory.

Dima's GitHub:

4th: Mariano Graziano: ROPEMU (ROP Payload Analysis)

ROPMEMU is a framework for analyzing return-oriented programming (ROP) payloads. It includes two Volatility plugins. The first plugin, ropemu, emulates a ROP payload gadget-by-gadget and produces a JSON trace of the affected machine state. The second plugin, unchain, transforms ROP gadget sequences into simplified non-ROP code for easier analysis and understanding. The plugins leverage the Unicorn emulator and the Capstone disassembler. In addition to the Volatility plugins, several interesting "helper" utilities are also included.

In addition to the Volatility plugins, Mariano also published an academic paper on his work and has presented it at conferences, undoubtedly inspiring countless other researches.

Mariano's AsiaCCS Slides: ROPMEMU_final.pdf
Mariano's Twitter: @emd3l
Mariano's Blog Post at Cisco Talos:
The Project's GitHub:
Mariano's GitHub:

4th: Mariano Graziano: Linux Kernel Symbol Finder

Mariano's ksfinder is a standalone Python script to retrieve exported kernel symbols from Linux physical memory dumps. The script is useful in a scenario in which the analyst does not have a Linux profile and cannot create it (for example, the suspect system was reformatted after memory collection, you simply no longer have access to it, you couldn't obtain the kernel headers, etc). In those cases, ksfinder recreates (or partially recreates) the file by parsing the __ksymtab_strings and __ksymtab of the Linux kernel image (aka vmlinux) solely from the memory sample.

Although the script is not technically a Volatility plugin, it can easily be imported or integrated with Volatility plugins to alleviate one of the biggest issues analysts face with regards to memory forensics of Linux systems.

Mariano's Twitter: @emd3l

5th (tie): Bart Inglot: RDP Key Extraction and Replay

The rdpkeys plugin extracts RC4 and SSL keys from a memory image that can be used for RDP replay. The keys are automatically converted into PEM format, but can be also saved in the native format (referred to as PVK). Bart also included instructions to decode an RDP session with WireShark using the SSL key extracted by the plugin, and examples of when the extraction works and when it can fail.

Bart's plugin makes excellent use of Volatility's APIs. For example, he leveraged the Registry API to recover LSA Secrets, and on platforms that require it - he used the Cached File APIs to recover the DPAPI Master Keys and SSL Private Keys. We also found it very valuable to see examples of using the Python DPAPI module to perform decryption based on resources found in memory - this will undoubtedly serve as a template for various other plugins in the future.

Bart's Writeup: BartInglot_RdpKeys.pdf
Bart's submission:
Bart's Twitter: @BartInglot

5th (tie): Thomas White: FileVault2 & Bitlocker Key Recovery

Thomas White's two FVE plugins are aimed at helping investigators recover the necessary keying information for decrypting/unlocking disks. In particular, the Bitlocker plugin targets recent versions of Microsoft Windows and recovers the FVEK, cipher information, and TWEAK key. One of the most impressive aspects of this plugin is the research and documentation that goes along with it. Thomas recorded the steps he took when live debugging the Windows kernel to identify differences in key storage locations starting with Windows 8. This is an extremely valuable tutorial on how Volatility plugins come to life, especially those that access undocumented structures and memory regions.

Likewise, the FileVault2 plugin targets Mac OSX and has even been tested on Sierra (10.12). The write up below includes a short tutorial on mounting the evidence with extracted master keys using fvdemount.

Thomas' Post on FileVault: extracting-filevault-2-keys-with-volatility
Thomas' Twitter: @triblchkn

The following submissions appear in the order they were received. As previously mentioned, these developers deserve huge props. We look forward to seeing future work by these authors!

Aim4r: VolDiff Memory Diffing and Malware Identification

VolDiff is a python script that leverages Volatility to identify malware artifacts in Windows 7 memory samples. It not only helps automate Volatility plugin execution but it also provides numerous built-in checks for suspicious artifacts typically associated with malware. Examples include child/parent process relationships, process sessions, execution paths, interesting imported APIs, suspicious strings, etc. Most of the checks are based on the output of Volatility plugins such as pslist, psscan, dlllist, impscan, and malfind. Analysts can easily extend the heuristics by editing regular expressions in the configuration area of the tool.

VolDiff also provides the ability to highlight the differences between a sample taken before and after malware execution. This can help an analyst rapidly triage the types of changes the malware may have made to the system. VolDiff helps automate common analysis techniques used by malware investigators.

Aim4r's Twitter: @aim4r
Aim4r's GitHub:
Example analysis: Memory-Analysis-of-DarkComet-using-VolDiff

Marcin Ulikowski: Bitlocker Key Recovery

This plugin finds and extracts Full Volume Encryption Key (FVEK) from memory dumps and/or hibernation files. This allows rapid unlocking of systems that had BitLocker encrypted volumes mounted at the time of acquisition. Architecturally, the plugin scans for BitLocker cryptographic allocations (memory pools) in virtual memory, covering both 32- and 64-bit systems running Windows Vista through Windows 8.1 (support for Windows 10 is in progress). Marcin notes that Windows 8 and newer use the Cryptography API: Next Generation (CNG), so the pool tags are different than previous versions. We found Marcin's AES key schedule validation routines particularly useful (to avoid false positives) in addition to his documentation on how to use bdemount to decrypt protected resources.

Marcin's Twitter: @elceef

Hemant Kumar and Sajeev Nair: Windows MemDiff Forensic Tool (WMDF)

This Windows GUI tool provides a front end to extracting memory related artifacts with Volatility. Additionally, analysts can compare those collected artifacts with a whitelisted artifacts database (generated by running the tool against a baseline system) of their choice. This comparison points out the changes made by malware on the system, helps provide analysts with crisp and low level information, and decreases the area of investigation an analyst needs to manually review.

WMDF Submission:
WMDF Documentation: WMDF.pdf
Hemant's Twitter: @hemantxcode
Sajeev's Twitter: @nairsaj

Nichlas Holm: Network Packets, IP/MAC, ARP

This submission, networkpackets, is a Volatility plugin for extracting network packets (IPv4 and ARP) out of memory samples. The plugin provides the ability to quickly identify memory-resident network packets, and based on those packets provides an analyst with context about the network environment. This context includes information about the IP/MAC address of the system, the network gateway, and an overview of other systems in the same network. Extracted packets are exported into PCAP format, which enables analysis with traditional network analysis tools.

Stanislas 'P1kachu' Lejay: Auto-Profile Detection

P1kachu addresses a real problem (OS and profile detection) that Volatility users frequently face with his profilescan plugin. This plugin uses a pattern-matching approach to infer the operating system of a target memory image. It then calls the corresponding OS-specific profile detection plugin. Since Volatility does not provide such a plugin for Linux images, the authors also developed a helpful a uname scanner plugin, linuxgetprofile, which also outputs details on the kernel and compiler versions.

We're confident that P1kachu's plugin and associated methodologies can become a critical piece in many investigators initial workflows, saving them valuable time and avoiding a lot of the typical "guess work" that has traditionally been done.

P1kachu's GitHub:
P1kachu's Website:
Post on ProfileScan: volatility-profile-finder

Martin Korman: VolatilityBot Malware Detonation Framework

VolatilityBot provides a modular malware "detonation" architecture that helps automate many of the manual and repetitive tasks associated with malware analysis. This includes the extraction of malicious binaries and any associated code injections or related artifacts (strings, IP address, etc.) that may be created during execution. Once the suspicious code has been extracted, it also provides numerous post-processing modules to help identify behavior patterns in the code and prepare the extracted code for in-depth static analysis. Finally, VolatilityBot also provides a number of capabilities for automated heuristic analysis and triaging memory samples at scale.

Martin's Twitter: @MartinKorman
Martin's VB 2015 Slides: Korman-VB2015.pdf
Martin's Code Repository:

James Hall and Kevin Breen: USBStor

The USBStor plugin scans registries for values relating to USB devices plugged into the system under investigation. Instead of the analyst needing to manually analyze each registry hive (USBSTOR, USB, MountedDevices etc.) the plugin will return all available information about previously connected USB devices in an easy to digest, collated format. This greatly decreases analysis time and ensures no mistakes are made and no information is overlooked. The plugin's output contains details such as USB serial number, vendor and product info, container ID, mounted volume name, drive letter, USB friendly name, the last connection timestamp, and more.

James' Website:
James' Twitter: @411hall

Tyler Halfpop: FindEvil Malware Analysis Automation 

The FindEvil project, along with its two new Volatility plugins, findevilproc and findevilmem, provide for automated extraction of executables (applications, DLLs, and kernel drivers) from memory as well as calculation of several attributes of interest to investigators – Virus Total scores, entropy calculations, Yara-based detections, and whether the executable is digitally signed or not. Leveraging these plugins, investigators can quickly find the "evil" executables that are active on a system being investigated and immediately focus their analysis on them.

Tyler's Twitter: @tylerph3

Tran Vien Ha: Open Source Intelligence & MISP Integration

The osint plugin submits URLs or IP addresses found in a memory sample to open source intelligence platforms. Data is submitted using a SOCKS proxy, generally Tor, to provide a degree of anonymity. osint currently supports Blue Coat, Virus Total, and MISP. Your data sources and respective API tokens are stored in a configuration file, and a text file allows you to whitelist commonly seen domains.

The author also contributed an HTML plugin using JQuery for rendering tree views (such as pstree), which is quite handy.

Tran's GitHub:

Here are a few additional resources regarding previous contests and community-driven plugins:

Volatility Foundation Contest Home Page:

Volatility 2015 Plugin Contest Results:
Volatility 2014 Plugin Contest Results:
Volatility 2013 Plugin Contest Results:

Volatility Community GitHub Repository:

No comments:

Post a Comment