Friday, November 16, 2018

Results from the 2018 Volatility Contests are in!

Let’s begin by thanking all of the participants in this year’s contests! This year we hosted the 6th Annual Volatility Plugin Contest, and we introduced the Inaugural Analysis Contest. We were encouraged to see submissions from our community members around the globe. As in previous years of the Plugin Contest, there were a lot of exciting submissions spanning tools created by practitioners in the field to published academic research. Participation in these contests demonstrates the importance of memory analysis and provides a platform for the innovative research being done in the field.

Volatility continues to thrive because of its active community of contributors. These contributors sacrifice their time and resources to make the world’s most advanced memory forensics platform free and open source. You can show your appreciation for the participants hard work and contributions to the community by following them on Twitter/GitHub/LinkedIn, providing feedback on their ideas, and helping to improve their code with testing, documentation, or contributing patches.


We would also like to thank our sponsors: Magnet Forensics and Volexity. When looking for a new job or searching for forensics tool vendors, we definitely recommend considering companies that demonstrate continued support for open source forensics!


Placements and Prizes for the 2018 Volatility Plugin Contest:

1st place and $1500 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:

Aliz Hammond for Gargoyle

2nd place and $750 USD cash goes to:

Aleksander Østerud for MemoryDecompression

3rd place and $250 USD cash goes to:

Lorenz Liebler et al. for the Volatility Plugin for Approxis

4th place and Volatility swag goes to:

David Quesada for CSV and Splunk Dashboard

5th place and Volatility swag goes to:

Peter Casey for Vivedump

Placements and Prizes for the 2018 Volatility Analysis Contest:
1st place and $1500 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:

Team Decepticon (South Korea) for 2018 VAC Report

2nd place and $750 USD cash goes to:

Team MalGround (South Korea) for 2018 PyeongChang Olympic Destroyer 


Here is a detailed summary of the submissions. If you have feedback for the participants, we're sure they'd love to hear your thoughts!

Plugin Contest

1st: Gargoyle by Aliz Hammond

In the author's words, "Gargoyle works by placing malicious code inside a non-executable area of memory. It then creates a system timer, configuring it to execute a ROP chain on expiry. The ROP chain calls VirtualProtectEx, marking the malicious code as executable, calls the malicious code, and then calls VirtualProtectEx a second time – this time, marking the malicious code as non-executable. The timer is then reinitialised and the cycle starts anew." Gargoyle has the potential to evade live memory scanners (such as AVs, EDRs, etc.) if the security tools only look for payloads in executable memory.

This Volatility plugin builds on the existing timers plugin (to which the author also submitted a patch) and inspects timer APCs (instead of just the DPCs). The plugin uses Unicorn to emulate the APC's instructions and detect (and then follow) the ROP chain to the VirtualProtectEx call. The plugin inspects parameters passed to VirtualProtectEx on the stack and can then pivot to the newly executable payload.

Related References:
https://www.countercept.com/blog/hunting-for-gargoyle-memory-scanning-evasion
https://github.com/countercept/volatility-plugins
https://www.linkedin.com/in/aliz-hammond-704b688a/

2nd: MemoryDecompression by Aleksander Østerud

The MemoryDecompression tool submission provides a mechanism for decompressing memory regions that were compressed during memory management. Instead of paging memory directly to disk, the Windows 10 memory manager provides a mechanism to compress private and pagefile backed pages to reduce memory pressure. This improves performance, since writing to disk is more expensive, and reduces the number of disk operations which improves their longevity. The tool leverages a brute-force approach to decompress memory pages and can be used on both memory samples and page files. By preprocessing the data with Volatility's vaddump and memdump, it is also possible to extract the compressed memory and reduce the processing time. The MemoryDecompression tool requires a system running either Windows 8 or Windows 10.

Related References:
https://www.linkedin.com/in/aleksost/

3rd: Volatility Plugin for Approxis by Lorenz Liebler et al.

Lorenz Liebler, Patrick Schmitt, and Harald Baier implemented Approxis, a tool for quickly processing a large number of on-disk binaries and subsequently matching/identifying parts of those binaries, or related code, in physical memory images. The technique combines approximate matching (a.k.a. fuzzy hashing or similarity hashing) with an additional layer of approximate disassembling. The tool is able to distinguish code from data even in light of significant variation between the original binary and the target memory image. Approxis has two components: (1) a C/C++ tool for creating and querying a binary database, and (2) a Volatility plugin for presenting context-specific information about matches.

Related References:
https://www.dasec.h-da.de/staff/lorenz-liebler/
https://github.com/Hardknox

4th: CSV and Splunk Dashboard by David Quesada

The Splunk dashboard presents over 30 prepared searches across the output of various Volatility plugins. After running the desired plugins and ingesting the CSV output into Splunk, a Volatility user can load this dashboard and start looking for anomalous activity within the memory sample. Over time, a dashboard like this could be built up with more queries for finding and alerting on malicious activity in memory samples. David was inspired to create this tool after attending Malware and Memory Forensics Training taught by Andrew Case.

Related References:
https://github.com/DvAu26

5th: Vivedump by Peter Casey

Vivedump is a plugin to extract and recreate visual scene information from virtual reality (VR) device memory captures. The plugin's ability to create 3D still images of VR scenes gives the investigator a precise look at a user's actions inside of the virtual world. This novel research opens many possibilities into the under-explored topic of VR memory forensics. The tool is only a small piece of larger scale research that analysts at University of New Haven have been doing to help users better understand the risks of using VR, and to help investigators learn the associated artifacts.

Related References:

https://www.linkedin.com/in/peter-casey1/
https://twitter.com/UNewHaven/status/1060261903774167045
https://hackablepodcast.com/#/episodes/virtually-vulnerable
https://www.researchgate.net/publication/324224216_Forensic_Analysis_of_Immersive_Virtual_Reality_Social_Applications_A_Primary_Account

Analysis Contest

1st: 2018 VAC Report by Team Decepticon (South Korea)

The authors of this report put together a realistic lab scenario modeled after Korean APT investigations they have performed. We were not only impressed by the number of Volatility plugins represented in the analysis efforts, but also that the infected systems spanned multiple operating systems (Windows and Linux). Memory analysis was leveraged to shed light on the toolkits and methodologies used by the attackers, including Eternal Blue, Dark Comet, Spear Phishing, HWP exploits, DLL injections, MongoDB vulnerabilities, and more. Evidence from Outlook PSTs were reconstructed from RAM and shellcode was explored and identified in memory using Yarascan, Volshell, and various other capabilities provided by Volatility.

2nd: 2018 PyeongChang Olympic Destroyer by Team MalGround (South Korea)

This analysis report, written by the MalGround team from South Korea, describes a scenario based on the Olympic Destroyer events surrounding the 2018 PyeongChang Winter Olympic Games. Before the Olympics officially began, the attackers attempted to disrupt the opening ceremonies by intercepting the event's critical computer systems and infrastructure offline. The cyber attack was initiated with a targeted spear phish and then leveraged a "network worm" to propagate using network shares and stolen passwords. The simulated scenario involved three systems: an Active Directory server running Windows Server 2008 R2 Standard 64-bit, a victim PC running Windows 7 Ultimate K x86, and an attacker PC running Kali Linux 64-bit. In the simulated scenario, a file-less malware attack, leveraging Empire (Mimikatz, BypassUAC), is combined with the actual Olympic Destroyer malware. The authors leveraged memory analysis to find supporting temporal artifacts, identify suspicious characteristics of processes, and extract memory resident strings and executables. This submission includes the analysts’ report and a memory sample from the Windows 7 machine where the Olympic Destroyer malware was executed.

Related References:
https://www.kaspersky.com/blog/olympic-destroyer/21494/
https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/
https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
https://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html


Here are a few additional resources regarding previous contests and community-driven plugins:


Volatility Foundation Contest Home Page: http://www.volatilityfoundation.org/contest

Volatility 2017 Plugin Contest Results: http://www.volatilityfoundation.org/2017
Volatility 2016 Plugin Contest Results: http://www.volatilityfoundation.org/2016
Volatility 2015 Plugin Contest Results: http://www.volatilityfoundation.org/2015
Volatility 2014 Plugin Contest Results: http://www.volatilityfoundation.org/2014-cjpn
Volatility 2013 Plugin Contest Results: http://www.volatilityfoundation.org/2013-c19yz

Volatility Community GitHub Repository: https://github.com/volatilityfoundation/community

Tuesday, May 22, 2018

The 6th Annual Volatility Plugin Contest and the Inaugural Volatility Analysis Contest!

We are excited to announce that the 2018 Volatility Plugin Contest and the 2018 Volatility Analysis Contest are now accepting submissions until October 1, 2018. Winners of each contest will be receiving over $2500 in cash prizes and the highly coveted Volatility swag (t-shirts, stickers, etc.)!

Volatility Plugin Contest

Heading into its sixth year, the Volatility Plugin Contest encourages research and development in the field of memory analysis. The contest provides an opportunity for people to get industry-wide visibility for their work, to put groundbreaking capabilities immediately into the hands of investigators, and to contribute back to the open source forensics community. Not to mention, the opportunity to win cash and prizes. We are thankful to Magnet Forensics for donating $2500 in support of this year’s Volatility Plugin Contest.
If you are looking for inspiration for the Volatility Plugin Contest, please check out the previous results.

Volatility Analysis Contest

As a result of Magnet Forensic’s contribution, we decided to use the original prize money to launch the first Volatility Analysis Contest. The Volatility Analysis Contest is intended to encourage people to share the creative ways they are using Volatility to augment their analysis efforts. For example, it may include techniques for augmenting their malware analysis, expediting reverse engineering, finding critical artifacts during an investigation, or triaging new indicators. The goal is to write an analysis report detailing how Volatility was used to find relevant artifacts within memory. If you are looking for ideas for the Volatility Analysis Contest, find a sophisticated malware sample or attack framework and document how Volatility can be used to find its artifacts in memory. Previous examples from the Volatility team include: Stuxnet, Phalanx, and Careto.


Thanks again to Magnet Forensics for their generous donation and support! We would also like to thank Volexity and our other sustaining donors for their continued support.

If you have any questions, please feel free to reach out to us!

Wednesday, February 28, 2018

Malware and Memory Forensics Training Headed to Herndon and Amsterdam!

After another highly successfully year of our Malware and Memory Forensics training, which included sold-out public trainings in Herndon, VA and London as well as several private trainings, we are excited to announce our lineup of public trainings for 2018.

Our first offering will be back in Herndon in April from the 16th to the 20th. This class is already over 80% full, so please contact us ASAP if you wish to attend this offering.

We will also be back in Herndon for the week of October 15th to the 19th.  Our Fall classes in the Herndon/Reston area have consistently been the fastest to sell out, so please lock in your seat as early as possible.

Finally, we will be returning to Europe with an offering in Amsterdam in September from the 4th to the 7th. Please note that this class will run Tuesday-Friday instead of the normal Monday-Friday. To make up for the missing time, the Tuesday-Friday sessions will each run until 6PM. 

Our course is constantly evolving in order to cover the latest operating system updates, malware techniques, and attacker tactics. The following highlights some of the new material for our 2018 offerings:
  • The effects of Meltdown  and Spectre on memory forensic acquisition and analysis
  • The effects of Intel’s SGX, TME, and MPX extensions on memory forensic acquisition and analysis
  • The latest tactics of highly advanced threat groups against whom we have performed real-world analysis, such as OceanLotus
  • The introduction of Surge Collect Pro for Linux 
  • Updated coverage of the security features introduced in Windows 10

As we have in years' past, we will continue to give out tons of swag, including a copy of the Art of Memory Forensics in either digital or printed form:


As well as running our highly popular CTF on the last day of class:



In closing this update, we would again like to thank the DFIR community for its continued support of the Volatility project and our associated training course.   If you will be at BSidesNOLA, Black Hat Vegas, or OSDFCon later this year then please come introduce yourself in person!

-- The Volatility Team