Friday, November 15, 2019

Results from the 2019 Volatility Contests are in!

We would like to begin by thanking the participants in this year’s contests! This was one of the hardest years for our panel of judges since it had so many outstanding submissions. In the Plugin Contest, there were 11 submissions, which included over 30 new plugins across 3 operating systems. It was also great to see repeat contestants in both the Plugin Contest and the Analysis Contest, and submissions from community members around the globe. Despite the contest going into its 8th year, it’s inspiring to see all the exciting innovation still happening in the field of memory forensics. 

Independent open source projects and communities only remain viable because of contributors who are willing to sacrifice their time and resources. Please show your appreciation for the contestants’ contributions by following them on Twitter/GitHub/LinkedIn, providing feedback on their ideas, and helping to improve their code with testing, documentation, or contributing patches. Looking forward, we are excited to announce that next year’s contest will focus on Volatility 3!


We would also like to thank Volexity for being a sustaining sponsor of the Volatility Foundation and, in particular, for sponsoring this year’s contests.


Placements and Prizes for the 2019 Volatility Plugin Contest:
1st place and $1500 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:

Antoine Brodin for FreeBSD Support

2nd place and $750 USD cash goes to:

Blaine Stancill for Windows 10 Memory Compression

3rd place and $250 USD cash goes to:

Shusei Tomonaga for MalConfScan

4th place and Volatility swag goes to:

Shachaf Atun for Winobj and Tokenimp

5th place and Volatility swag goes to:

Fabio Pagani for Linux kallsyms

Placements and Prizes for the 2019 Volatility Analysis Contest:
1st place and $1500 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:

TEAM. HSLFL (South Korea) for “Memory Analysis in Data Leakage Cases”


Here is a detailed summary of the submissions. If you have feedback for the participants, we're sure they'd love to hear your thoughts!

Analysis Contest

1st: Memory Analysis in Data Leakage Cases by TEAM. HSLFL (South Korea)

This analysis report, written by TEAM. HSLFL (Hope Seyoung Lee Find Love) from South Korea, focuses on exploring how memory analysis with Volatility can be used during data breach investigations. In particular, they present three scenarios involving a remote administration tool (QuasarRAT), FTP, and cloud storage (Google Drive). The simulated scenarios involved two systems, an attacker machine, and a victim machine. The report authors leveraged memory analysis to find suspicious commands, processes, and network activity. They also used memory analysis techniques to extract memory-resident strings and executables. Finally, they demonstrated how numerous types of memory-resident files, including prefetch, hosts, FTP logs, and browser history, could be extracted and post-processed to reveal valuable insights about the attackers’ activities. The submission includes the analysis report and memory samples from each of the three targeted Windows 7 systems.

Related References:
https://github.com/volatilityfoundation/community/tree/master/Team_HSLFL
https://drive.google.com/open?id=1zibtCsFDQg1esf-dgQH40o0O4BUL8B-Y

Plugin Contest

1st: Antoine Brodin: FreeBSD Support

This submission provides a very complete toolkit for performing memory analysis on modern FreeBSD systems. In addition to adding support to Volatility 2.6.1 for a new operating system and writing 13 new plugins, the author has also written a memory acquisition tool for FreeBSD and integrated full profile support. One of the factors that judges consider is the “analysis curve” or the difference in analytical capabilities with and without the author’s work. Prior to this submission, investigations would either not be able to capture RAM or they’d be limited to strings and grep. They now can leverage the full power of Volatility! Amazing and useful!

Related References:
https://people.freebsd.org/~antoine/2019-vpc/volatility.diff
https://github.com/volatilityfoundation/volatility/tree/freebsd_support
http://distcache.FreeBSD.org/local-distfiles/antoine/2019-vpc/FreeBSD-12.1-PRERELEASE-GENERIC-amd64.lime https://people.freebsd.org/~antoine/2019-vpc/FreeBSD-12.1-PRERELEASE-GENERIC-amd64.zip

2nd: Blaine Stancill (FireEye): Windows 10 Memory Compression

This submission enabled the automatic incorporation of the compressed stores created by Windows 10 to implement in-memory paging. By incorporating analysis of these stores in a new Volatility address space, compressed pages are transparently decompressed as plugins access them. The clever use of inheritance and caching by the authors minimizes the performance impact of the decompression routines and makes the benefits far outweigh the impact. Aleksander Østerud pioneered some of these capabilities in last year’s plugin contest, and it is exciting to see Blaine and the FireEye team dive deeper into what we consider one of the most drastic changes to memory analysis that any OS vendor has made in the past couple years.

Related References:
https://github.com/fireeye/win10_volatility 
https://www.fireeye.com/blog/threat-research/2019/07/finding-evil-in-windows-ten-compressed-memory-part-one.html
https://www.fireeye.com/blog/threat-research/2019/08/finding-evil-in-windows-ten-compressed-memory-part-two.html
https://www.fireeye.com/blog/threat-research/2019/08/finding-evil-in-windows-ten-compressed-memory-part-three.html
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/finding-evil-in-windows-10-compressed-memory-wp.pdf
https://twitter.com/MalwareMechanic

3rd: Shusei Tomonaga (JPCERT): MalConfScan

This suite of plugins dumps configuration data, decoded strings or DGA domains from over 25 common malware families and red team tool kits. The plugins can be launched individually or in batch mode by the main entry point, malconfscan. Most configurations are identified with yara signatures (which, too, can be leveraged outside of the framework, if desired) and then parsed out of process memory, using freely available decompression libraries (i.e., aPLib), custom decoding functions, or encryption algorithms – using keys hard-coded within the malware or dynamically referenced from elsewhere in the memory sample. The authors also provide a Cuckoo Sandbox integration, which can save analysts a significant amount of time. We'd love to see the broader community submit merge requests to this project and help upkeep the (already extensive) library of decoders.

The authors also thought one step ahead and developed a generic malware string extractor (malstrscan plugin) that works independently of specific malware families. By default, the string extractor searches for injected code regions (similar to how malfind works), disassembles the code, and follows pointers/references to strings. In "full" mode, it extracts strings from bordering memory regions that were possibly allocated contiguously, but that might not appears as injected on their own (for example, if they're RW and not RWX).

Related References:
https://github.com/JPCERTCC/MalConfScan
https://blogs.jpcert.or.jp/en/2019/08/malconfscan.html
https://twitter.com/shu_tom
https://github.com/JPCERTCC/MalConfScan-with-Cuckoo

4th: Shachaf Atun (KSL Group): Winobj and Tokenimp

The winobj and tokenimp plugins introduce some powerful new capabilities. As always, plugins built to satisfy a particular deficiency (amongst existing plugins) during investigations are pretty much guaranteed to be valuable. In this case, the authors wanted to determine which processes elevated via UAC or UAC bypasses, and to hunt instances of token impersonation. Tools such as Mimikatz, Tokenvator, and Invoke-TokenManipulation were used for testing, and pointers were provided in the documentation to threat groups and malware variants that leverage the same techniques. We were impressed by this plugin because it also required analyzing a fair amount of undocumented data structures and flags. The winobj plugin allows extracting artifacts from the object directories. One of the documented use cases is detecting attacks against KnownDlls, which has been exploited heavily in the past. It also provides a valuable alternate method for finding drivers, devices, file systems, mutexes, symbolic links, and various other artifacts relevant to forensics. Allowing interactive browsing of object name spaces was also a nice touch.

Related References:
https://github.com/kslgroup/WinObj
https://github.com/kslgroup/TokenImp-Token_Impersonation_Detection
https://github.com/kslgroup/WinObj/blob/master/WinObj%20documentation.pdf
https://github.com/kslgroup/TokenImp-Token_Impersonation_Detection/blob/master/TokenImp%20documentation.pdf

5th: Fabio Pagani: Linux Kallsyms

This submission provided several new capabilities to Volatility. First, new algorithms for enumerating processes in kernel memory were discussed and implemented as Volatility plugins. What is particularly interesting about these new methods is that they were derived from an automated system that can determine where and how data structures are accessed during runtime and then translate these accesses to memory forensic capabilities. The second part of the submission involved automatically finding and reconstructing the full set of kernel symbols from a memory sample. This also had an interesting twist in that it used the Unicorn emulation engine to perform the decompression of the symbol sets instead of code implemented in Volatility. The use of emulation allowed for the exact algorithm from the kernel to be used.

Related References:
http://s3.eurecom.fr/~pagabuc/
https://twitter.com/pagabuc
https://github.com/volatilityfoundation/community/tree/master/FabioPagani


The following submissions appear in the order they were received. As previously mentioned, these developers deserve huge props. We look forward to seeing future work by these authors!


Cesare Pizzi (Sorint.Lab): Powershell

Powershell has become increasingly common as a malicious payload in real malware samples. The goal of this plugin is to assist analysts in finding Powershell processes and narrowing down the amount of related data to focus on for subsequent analysis. The submitted plugin accomplishes this by first using a yara rule, rather than relying on a filename, for finding Powershell processes in memory. Additionally, the plugin provides an advanced scanning option that filters the VADs of found Powershell processes, looking for ones that may contain Powershell-related commands or scripts.

Related References:
https://twitter.com/red5heep
https://github.com/volatilityfoundation/community/tree/master/CesarePizzi

Or Chechik and Inon Weber: Ropfind

The ropfind and linux_ropfind plugins find evidence of return oriented programming, or ROP, and stack pivoting in a memory sample. The plugins scan thread stacks for evidence of ROP gadgets and small memory allocations for evidence of stack pivoting. There are a number of checks performed to reduce the number of false positives reported. The plugins additionally provide a means for whitelisting gadgets based on opcodes and make them more specific by whitelisting based on specific symbols.

Related References:
https://github.com/orchechik/ropfind
https://twitter.com/orchechik
https://twitter.com/InonWeber

Rolf Govers and Max de Bruijn (Fox IT): Windows Toast Notifications

The ToastPlugin is the first Volatility plugin to extract Windows notification artifacts. In particular, the plugin focuses on a particular type of notification called toast notifications. Toast notifications allow an application to relate relevant information and timely events to users that may require actions. A toast notification can contain text, images, and custom actions. For example, this could include information about connected devices, calendar events, friend requests, or email/messaging notifications. As a result, they can provide investigators with valuable insights into historical user activity and context about how the system was being used. The ToastPlugin searches though memory samples for the toast XML structures. It also lays the groundwork for a lot of future work related to Windows notifications.

Related References:
https://blogs.msdn.microsoft.com/tiles_and_toasts/2015/07/08/toast-notification-and-action-center-overview-for-windows-10/
https://twitter.com/Rolf_Govers
https://twitter.com/Maxdebruijn
https://github.com/volatilityfoundation/community/tree/master/WindowsToastNotifications

Elmar Nabigaev: VMware Tools

Virtualization platforms have become exceedingly common and typically provide capabilities to perform various actions on a guest operating system from the host. VMware's vmtools is one example and this plugin can help analysts by finding recently executed commands run on a guest through vmtools. These include operations such as copying files to and from the guest, listing files, running processes, etc. This plugin can also capture credentials an attacker may have used on the guest OS when executing a command.

Related References:
https://twitter.com/tlp_red
https://github.com/volatilityfoundation/community/tree/master/ElmarNabigaev

Angelo Mirabella: Linux Coredump

linux_coredump is a new Volatility 2.6.1 plugin that extracts detailed information about individual processes and generates a core dump file for the process. The resulting core file can be loaded into GDB or other debuggers that support the core file format. This plugin is particularly useful for situations where an analyst wants to dig into the details of a particular process found in a Linux memory dump and needs to leverage capabilities provided by debuggers but not memory analysis tools.

Related References:
https://github.com/Angelomirabella/linux_coredump

Ryan D. Maggio, Raphaela Mettig, Sweta Ghimire (LSU): Shemu

shemu (shell + emulator) allows for the emulation of in-memory code directly inside volshell. With current Volatility capabilities, analysts who wish to perform reverse engineering inside of volshell must instead use the dis() function, which simply provides static disassembly listing. Automated emulation of code provides for much deeper, accurate, and efficient analysis of memory resident code and will be a great feature for users of the framework.

Related References:
https://twitter.com/4kb0mb https://twitter.com/rmettig_
https://twitter.com/ryandmaggio
https://github.com/volatilityfoundation/community/tree/master/Shemulator


Here are a few additional resources regarding previous contests and community-driven plugins.


Volatility Foundation Contest Home Page: http://www.volatilityfoundation.org/contest

Volatility 2018 Plugin Contest Results: https://www.volatilityfoundation.org/2018
Volatility 2017 Plugin Contest Results: http://www.volatilityfoundation.org/2017
Volatility 2016 Plugin Contest Results: http://www.volatilityfoundation.org/2016
Volatility 2015 Plugin Contest Results: http://www.volatilityfoundation.org/2015
Volatility 2014 Plugin Contest Results: http://www.volatilityfoundation.org/2014-cjpn
Volatility 2013 Plugin Contest Results: http://www.volatilityfoundation.org/2013-c19yz

Volatility Community GitHub Repository: https://github.com/volatilityfoundation/community

Tuesday, October 29, 2019

Announcing the Volatility 3 Public Beta!

The Volatility Team is very excited to announce the first public beta release of Volatility 3!

We presented this beta for the first time to OSDFCon attendees and received a very warm reception both during and after our presentation. As always, we are very grateful to our community for the years of support given to our trainings, book, invited speaking engagements, plugin contests, and other activities.

With this blog post, we now want to document the beta release for the entire community.

This beta release is meant to give an early view of the future direction of Volatility along with the ability to experience the new framework well in advance of its first official release next summer.

Motivation
Since being initially developed in the mid-2000s, Volatility 2 has become the de-facto framework for memory analysis research, development, and real-world analysis. Parallel to this rise in popularity, significant changes have occurred in the memory forensic landscape, including the:
  • Large increases in the size of RAM samples to be analyzed
  • Inclusion of multiple RAM samples in common investigative scenarios
  • Number of analysis tasks (plugins) that are available and utilized in investigations
  • Introduction of rapid kernel development cycles across Windows, Linux, and OS X
These changes, along with others, drove the decision to redesign and reimplement Volatility 3 as a completely new framework - meaning that every line of code has been written from scratch. This decision gave us the full ability to design a framework that not only meets the needs of current analysis, but also of analysis for years to come.

New Features
During the design phase of Volatility 3, it became clear that the choice to design the framework from scratch provided the flexibility to fulfill many of the requests made over the years by members of our community. We are happy to say that a number of these requests have now been satisfied with Volatility 3 and will be fully realized in the first official release.

For users, the highlights of the new features include:
  • Major performance boosts
  • The removal of reliance on --profile in order for the framework to determine which symbol table (profile) is needed to match the operating system version in the memory sample 
  • Proper evaluation of 32bit code on 64bit systems, such as Window's wow64 
  • Automatic evaluation of in-memory code to avoid as much manual reverse engineering on part of the analyst as possible
For developers:
  • Much simpler integration into user 3rd-party interfaces and libraries
  • Extensive API documentation
  • The ability for plugins to directly call other plugins
  • Plugin versioning
  • Direct integration of custom symbol tables and data structures
Code and Documentation

The official repository for Volatility 3 is on Github within the same organization as Volatility 2.

The official documentation can be found on our Read the Docs page.

Roadmap

In order to fully meet the needs of our community, including keeping Volatility 2 stable and up-to-date with the latest operating system versions, along with the rapid development of Volatility 3, we have decided on a dual framework development cycle.

For Volatility 3, our goal is to have the first full release in August 2020. This release is slated to have complete feature parity (plugins, address spaces, etc.) with Volatility 2 as well as a number of completely new analysis features. We then expect official periodic releases to continue for years after.

For Volatility 2, the core development team will keep it fully up-to-date with features and plugins until August 2021.

In August 2021, the core development team will stop work on Volatility 2 and all efforts will be given to Volatility 3. 

This means that, for the roughly next two years, Volatility users can expect a fully featured framework in Volatility 2 while we work to bring Volatility 3 to full realization.

Getting Involved!

By releasing a beta version of Volatility 3 in the middle of the development cycle, we hoped to inspire members of the community to help with our efforts related to development, documentation, testing, and everything else involved with making Volatility 3 become the new de-facto framework of the field. While the core of Volatility 3 is implemented and stable, there is much work to be done in porting plugins and adding the envisioned brand new features.

Whether you are a college student looking to gain real-world development experience or a seasoned professional looking to have a major impact on your field, there are many tasks where help would be appreciated and recognized.

If you would like to discuss these possibilities with us, then please see our community resources, described next.

Community Resources

For the members of our community who wish to engage directly with the core development team as well as other members, we now have two resources available:
Both of these resources can be used to ask questions, get help with analysis or development tasks, keep up with our latest announcements, and for anything else related to Volatility and memory forensics.

Final Thoughts

We would again like to thank our community for the continued support!

The huge, warm reception at OSDFCon made for a very nice experience, and we always enjoy being able to engage directly with Volatility users.

Our 2020 calendars are already packed with trainings, conferences, and other community events. If you see an announcement of us participating at an event that you will also be attending, then please stop by and say hello.



-- The Volatility Team

Tuesday, October 22, 2019

Volatility Malware and Memory Forensics Training in 2020!

We are excited to announce that in 2020 we will have 4 public offerings of our highly popular Malware and Memory Forensics training course. These offerings include:
  • March 9-13, San Diego, CA
  • April 20-24, Herndon, VA
  • September, Europe (location TBD) *
  • October 12-16, Herndon, VA
* We are currently finalizing the details of September training and will update the post once complete. Please contact us if you would like to be notified directly when this occurs.

Our incident-driven, cutting-edge material is one of the main reasons students value our course. We don't teach the same concepts year after year. Instead, we update our class regularly to stay in sync with (and in some cases, ahead of) rapidly changing attack surfaces, advances in defense technologies, malware hiding tricks, and operating system forensics artifacts. A few recent additions include:
  • Updated memory analysis techniques for ongoing Windows 10 changes
  • Analysis of "stealthy" mechanisms to hide memory-only code
  • Automatic comparisons of live forensics data to memory forensics data for detection of malware
  • Scalable and automated memory acquisition of Linux systems
  • Memory acquisition challenges from OS X Catalina systems
Not only only will you be learning these memory forensics topics directly from the authors of the Volatility Framework and the Art of Memory Forensics, but you will also receive Volatility stickers, a branded USB drive, a copy of the Art of Memory Forensics (digital or print), and various opportunities to win SyncStops - all nicely documented by a few past students:

One of the most popular class contests is our CTF that pits individuals (or teams of two) against the rest of the class, in a challenge that involves analyzing Windows and Linux memory samples in a scenario resembling events that unfolded during the 2016 U.S. Presidential Election.

To continue providing the most up-to-date memory forensics training available anywhere in the world, our instructors constantly perform high-impact, real-world DFIR  (1, 2 3456789). The knowledge gained during these investigations is immediately transitioned into content and labs for our training courses.

Besides the core knowledge needed to perform effective memory forensics, we also teach the latest tools and techniques for reliable memory acquisition. Students will gain experience using Volexity Surge Collect Pro for robust, fast, and secure collection of Windows, Linux, and OS X memory to local and remote/network-based destinations. Students can purchase Surge licenses at a discounted price during course registration (see Memory Forensics Training FAQ) or separately after the class.

In closing this update, we would again like to thank the DFIR community for its continued support of the Volatility project, including the recent warm reception at OSDFCon 2019. It was great seeing and meeting so many users around the world this year, particularly at OSDFCon, Black Hat, DFRWS, BSidesNOLA, BSidesAustin, BSidesLV, and in Herndon and London.

-- The Volatility Team

Wednesday, July 3, 2019

Helping to Build the Next Generation of Memory Forensics Researchers and Practitioners

The Volatility Foundation strives to help build and enhance the memory forensics field. This includes funding and supporting the Volatility Plugin and Analyst Contestssponsoring conferences significant to the open source digital forensics community, such as OSDFCON and BSidesNOLAand maintaining the Volatility Memory Analysis Framework.

For the past year and a half, we have collaborated with Louisiana State University (LSU) to help develop the next generation of researchers and practitioners. This effort, which is funded by the National Science Foundation (NSF) and officially known as SaTC: CORE: Medium: Robust Memory Forensics Techniques for Userland Malware Analysisis a three-year grant focused on the development of cutting-edge techniques for reliable and robust memory analysis of userland (process memory) malware.  Our work on this effort is being coordinated and performed with Dr. Golden Richardthe technical editor of the Art of Memory Forensicsand several of his Master’s and PhD students.

Our contributions to this project have included mentoring students, conducting research, and presenting the results of our research to a wide variety of academic and industry security professionals. The project is now halfway complete and has led to conference presentations and peer-reviewed papers already published or pending publication. Several students whose research was sponsored by the grant have successfully earned their degrees.

We will be presenting the initial results of one recent research project on July 17, 2019, at DFRWS in Portland, OR. Our accepted paper, titled HookTracer: A System for Automated and Accessible API Hooks Analysis, discusses research to create a system for accessible analysis of userland API hooks. Previously, such analysis was mostly accessible to expert investigators who possessed deep knowledge of operating system internals and reversing engineering skills. To reduce those requirements, HookTracer performs emulation of in-memory code, such as an API hook, in order to present the investigator with automated reports of the code’s behavior.  Not only does it make these techniques more practical for digital investigators, it also provides the foundation for more scalable analysis. We believe this approach will allow for the development of a wide range of automated and accessible analysis techniques aimed at memory-resident malware, and we have several new research projects underway to further the work of this first HookTracer effort.

We plan to make several announcements over the coming months as all of our pending research efforts are published and presented. We also plan to continue using our resources to help ensure that future generations of memory forensic professionals are well prepared.

UPDATE: The paper is available for download.

Monday, June 17, 2019

The 7th Annual Volatility Plugin Contest & the 2nd Annual Volatility Analysis Contest!

It’s that time again! We are happy to announce that the 2019 Volatility Plugin Contest and the 2019 Volatility Analysis Contest are now accepting submissions until October 1, 2019. Winners of each contest will be receiving over 2500 USD in cash prizes and, of course, the highly coveted Volatility swag (t-shirts, stickers, etc.)!

Volatility Plugin Contest

Heading into its seventh year, the Volatility Plugin Contest encourages research and development in the field of memory analysis. The contest provides an opportunity for people to get industry-wide visibility for their work, put groundbreaking capabilities immediately into the hands of investigators, and contribute back to the open source forensics community. Not to mention, the opportunity to win cash and prizes!

If you are looking for inspiration for the Volatility Plugin Contest, check out the previous results.

Volatility Analysis Contest

Back again for a second year, the Volatility Analysis Contest encourages people to share the creative ways they are using Volatility to augment their analysis efforts. Entries might include techniques for augmenting malware analysis, expediting reverse engineering, finding critical artifacts during an investigation, or triaging new indicators. You can also find a sophisticated malware sample or attack framework and document how Volatility can be used to find its artifacts in memory. The goal here is to write an analysis report detailing how Volatility was used to find relevant artifacts within memory.

If you are looking for ideas, be sure to look back at last year’s noted entries. Previous examples from the Volatility team include: Stuxnet, Phalanx, and Careto.


We would like to thank Volexity and our other sustaining donors for their continued support.

If you have any questions, please feel free to reach out to us!