Wednesday, July 3, 2019

Helping to Build the Next Generation of Memory Forensics Researchers and Practitioners

The Volatility Foundation strives to help build and enhance the memory forensics field. This includes funding and supporting the Volatility Plugin and Analyst Contests, sponsoring conferences significant to the open source digital forensics community, such as OSDFCON and BSidesNOLA, and maintaining the Volatility Memory Analysis Framework.

For the past year and a half, we have collaborated with Louisiana State University (LSU) to help develop the next generation of researchers and practitioners. This effort, which is funded by the National Science Foundation (NSF) and officially known as SaTC: CORE: Medium: Robust Memory Forensics Techniques for Userland Malware Analysis, is a three-year grant focused on the development of cutting-edge techniques for reliable and robust memory analysis of userland (process memory) malware. Our work on this effort is being coordinated and performed with Dr. Golden Richard, the technical editor of The Art of Memory Forensics, and several of his Master's and PhD students.

Our contributions to this project have included mentoring students, conducting research, and presenting the results of our research to a wide variety of academic and industry security professionals. The project is now halfway complete and has led to conference presentations and peer-reviewed papers, some already published and others pending publication. Several students whose research was sponsored by the grant have successfully earned their degrees.

We will be presenting the initial results of one recent research project on July 17, 2019, at DFRWS in Portland, OR. Our accepted paper, titled HookTracer: A System for Automated and Accessible API Hooks Analysis, describes a system for accessible analysis of userland API hooks. Previously, such analysis was mostly accessible to expert investigators who possessed deep knowledge of operating system internals and reverse engineering skills. To reduce those requirements, HookTracer emulates in-memory code, such as an API hook, in order to present the investigator with automated reports of the code's behavior. Not only does this make these techniques more practical for digital investigators, it also provides the foundation for more scalable analysis. We believe this approach will allow for the development of a wide range of automated and accessible analysis techniques aimed at memory-resident malware, and we have several new research projects underway to further the work of this first HookTracer effort.
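To make concrete the kind of artifact HookTracer starts from, here is an added example (written for this post, not HookTracer or Volatility code) of the triage step that precedes emulation: reading the first instruction of an exported function out of a process memory image, recognizing common inline trampoline encodings, and resolving where control goes so an analyst can see whether it leaves the owning module. The module name, addresses and byte patterns are all constructed; the in-module jump case is included because a hook detector that flags every jump will drown analysts in hot-patch stubs and tail calls.

```python
"""Triage of inline API hooks in a process memory image.

Added example for this post; it is not HookTracer or Volatility code. It
assumes 64-bit code, recognises four common trampoline encodings at the first
instruction of an export, and resolves the jump target so an analyst can see
whether control leaves the owning module. All addresses and bytes below are
constructed; the module name is hypothetical.
"""
import struct

MASK64 = (1 << 64) - 1


class Memory:
    """Minimal view of a memory dump: {region_start: bytes}."""

    def __init__(self, regions):
        self.regions = dict(regions)

    def read(self, addr, n):
        """Return n bytes at addr, or None if the range is not backed."""
        for start, data in self.regions.items():
            if start <= addr and addr + n <= start + len(data):
                off = addr - start
                return data[off:off + n]
        return None


def classify_prologue(code, base):
    """Classify the first instruction of `code`, which sits at address `base`.

    Returns (kind, value). For 'jmp_rip_rel' the value is the address of the
    pointer slot, not the final target; the caller must read that slot.
    """
    # E9 rel32 : jmp rel32 (target = next instruction + rel32)
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from('<i', code, 1)[0]
        return 'jmp_rel32', (base + 5 + rel) & MASK64
    # FF 25 disp32 : jmp qword [rip + disp32]
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        disp = struct.unpack_from('<i', code, 2)[0]
        return 'jmp_rip_rel', (base + 6 + disp) & MASK64
    # 68 imm32 ; C3 : push imm32 / ret (zero-extended 32-bit target)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return 'push_ret', struct.unpack_from('<I', code, 1)[0]
    # 48 B8 imm64 ; FF E0 : mov rax, imm64 / jmp rax
    if len(code) >= 12 and code[:2] == b'\x48\xB8' and code[10:12] == b'\xFF\xE0':
        return 'mov_rax_jmp', struct.unpack_from('<Q', code, 2)[0]
    return 'clean', None


def triage(mem, func, module):
    """Report whether the export at `func` transfers control out of `module`.

    module is (start, end, name). A jump that stays inside the module (hot-patch
    stubs, tail calls) is recorded but not flagged; an unreadable prologue is
    reported rather than silently treated as clean.
    """
    start, end, name = module
    code = mem.read(func, 16)
    if code is None:
        return {'func': func, 'kind': 'unreadable', 'target': None, 'hooked': False}
    kind, target = classify_prologue(code, func)
    if kind == 'jmp_rip_rel':
        slot = mem.read(target, 8)
        target = struct.unpack('<Q', slot)[0] if slot else None
    hooked = target is not None and not (start <= target < end)
    return {'func': func, 'kind': kind, 'target': target, 'hooked': hooked}


# ---- constructed sample image (hypothetical addresses) ------------------
MODULE_BASE = 0x7FF800000000            # hypothetical "ntdll.dll" mapping
MODULE = (MODULE_BASE, MODULE_BASE + 0x3000, 'ntdll.dll')
FUNC_CLEAN = MODULE_BASE + 0x1000       # untouched syscall stub
FUNC_HOOKED = MODULE_BASE + 0x1100      # E9 to a page outside the module
FUNC_RIPREL = MODULE_BASE + 0x1200      # FF 25 through an inline pointer slot
FUNC_INMOD = MODULE_BASE + 0x1300       # E9 that stays inside the module
TRAMPOLINE = 0x7FF7FFFF0000             # injected page within rel32 reach
INJECTED = 0x1C000010000                # far allocation reached via pointer

_image = bytearray(0x3000)


def _put(addr, data):
    _image[addr - MODULE_BASE:addr - MODULE_BASE + len(data)] = data


_put(FUNC_CLEAN, b'\x4C\x8B\xD1\xB8\x18\x00\x00\x00')   # mov r10,rcx ; mov eax,0x18
_put(FUNC_HOOKED, b'\xE9' + struct.pack('<i', TRAMPOLINE - (FUNC_HOOKED + 5)))
_put(FUNC_RIPREL, b'\xFF\x25\x00\x00\x00\x00' + struct.pack('<Q', INJECTED))
_put(FUNC_INMOD, b'\xE9' + struct.pack('<i', FUNC_CLEAN - (FUNC_INMOD + 5)))

MEM = Memory({MODULE_BASE: bytes(_image), TRAMPOLINE: b'\x90' * 16})

if __name__ == '__main__':
    for f in (FUNC_CLEAN, FUNC_HOOKED, FUNC_RIPREL, FUNC_INMOD):
        r = triage(MEM, f, MODULE)
        tgt = 'none' if r['target'] is None else hex(r['target'])
        print(f"{hex(f)} {r['kind']:12s} -> {tgt:16s} hooked={r['hooked']}")
```

This is where a detector stops and where the work described in the paper begins: knowing that control lands at TRAMPOLINE says nothing about what the hook does with the call, which is why HookTracer emulates the hooked code to produce a behavioral report rather than leaving the analyst to disassemble the target page by hand. Hooks that do not sit at the first instruction, import-table and exception-handler hooks, and 32-bit code all need additional handling that this sketch does not attempt.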

We plan to make several announcements over the coming months as all of our pending research efforts are published and presented. We also plan to continue using our resources to help ensure that future generations of memory forensic professionals are well prepared.

UPDATE: The paper is available for download.