Wednesday, July 3, 2019

Helping to Build the Next Generation of Memory Forensics Researchers and Practitioners

The Volatility Foundation strives to help build and enhance the memory forensics field. This includes funding and supporting the Volatility Plugin and Analyst Contestssponsoring conferences significant to the open source digital forensics community, such as OSDFCON and BSidesNOLAand maintaining the Volatility Memory Analysis Framework.

For the past year and a half, we have collaborated with Louisiana State University (LSU) to help develop the next generation of researchers and practitioners. This effort, which is funded by the National Science Foundation (NSF) and officially known as SaTC: CORE: Medium: Robust Memory Forensics Techniques for Userland Malware Analysisis a three-year grant focused on the development of cutting-edge techniques for reliable and robust memory analysis of userland (process memory) malware.  Our work on this effort is being coordinated and performed with Dr. Golden Richardthe technical editor of the Art of Memory Forensicsand several of his Master’s and PhD students.

Our contributions to this project have included mentoring students, conducting research, and presenting the results of our research to a wide variety of academic and industry security professionals. The project is now halfway complete and has led to conference presentations and peer-reviewed papers already published or pending publication. Several students whose research was sponsored by the grant have successfully earned their degrees.

We will be presenting the initial results of one recent research project on July 17, 2019, at DFRWS in Portland, OR. Our accepted paper, titled HookTracer: A System for Automated and Accessible API Hooks Analysis, discusses research to create a system for accessible analysis of userland API hooks. Previously, such analysis was mostly accessible to expert investigators who possessed deep knowledge of operating system internals and reversing engineering skills. To reduce those requirements, HookTracer performs emulation of in-memory code, such as an API hook, in order to present the investigator with automated reports of the code’s behavior.  Not only does it make these techniques more practical for digital investigators, it also provides the foundation for more scalable analysis. We believe this approach will allow for the development of a wide range of automated and accessible analysis techniques aimed at memory-resident malware, and we have several new research projects underway to further the work of this first HookTracer effort.

We plan to make several announcements over the coming months as all of our pending research efforts are published and presented. We also plan to continue using our resources to help ensure that future generations of memory forensic professionals are well prepared.

UPDATE: The paper is available for download.

Monday, June 17, 2019

The 7th Annual Volatility Plugin Contest & the 2nd Annual Volatility Analysis Contest!

It’s that time again! We are happy to announce that the 2019 Volatility Plugin Contest and the 2019 Volatility Analysis Contest are now accepting submissions until October 1, 2019. Winners of each contest will be receiving over 2500 USD in cash prizes and, of course, the highly coveted Volatility swag (t-shirts, stickers, etc.)!

Volatility Plugin Contest

Heading into its seventh year, the Volatility Plugin Contest encourages research and development in the field of memory analysis. The contest provides an opportunity for people to get industry-wide visibility for their work, put groundbreaking capabilities immediately into the hands of investigators, and contribute back to the open source forensics community. Not to mention, the opportunity to win cash and prizes!

If you are looking for inspiration for the Volatility Plugin Contest, check out the previous results.

Volatility Analysis Contest

Back again for a second year, the Volatility Analysis Contest encourages people to share the creative ways they are using Volatility to augment their analysis efforts. Entries might include techniques for augmenting malware analysis, expediting reverse engineering, finding critical artifacts during an investigation, or triaging new indicators. You can also find a sophisticated malware sample or attack framework and document how Volatility can be used to find its artifacts in memory. The goal here is to write an analysis report detailing how Volatility was used to find relevant artifacts within memory.

If you are looking for ideas, be sure to look back at last year’s noted entries. Previous examples from the Volatility team include: Stuxnet, Phalanx, and Careto.

We would like to thank Volexity and our other sustaining donors for their continued support.

If you have any questions, please feel free to reach out to us!