Friday, February 18, 2022

The 2021 Volatility Plugin Contest results are in!

Results from the 9th Annual Volatility Plugin Contest are in! And this year, there were 7 submissions from 7 different countries! Submissions included a new web interface, a new address layer, 6 updates to existing plugins, and 15 new Volatility 3 plugins. Once again, we would like to thank the participants for their hard work on their submissions and contributions to Volatility. As in previous years, it was great to see contestants who had submitted in prior contests and submissions from across the global Volatility community.  

It's now 15 years since the first public release of Volatility! It has been exciting to see researchers in the memory forensics field continue to innovate. Later this year, we are planning something special to commemorate all the contributors who have joined us on this journey. 

Independent open source projects and communities only remain viable because of contributors who are willing to sacrifice their time and resources. Please show your appreciation for the contestants’ contributions by following them on Twitter/GitHub/LinkedIn, providing feedback on their ideas, and helping to improve their code with testing, documentation, or contributing patches. 


We would like to thank Volexity for being a sustaining sponsor of the Volatility Foundation and, in particular, for contributing to this year’s contest. We would also like to thank the core Volatility developers and the previous winners of the contest who helped review and deliberate the submissions.

Placements and Prizes for the 2021 Volatility Plugin Contest:

1st place and $3000 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:

Amir Sheffer & Ofek Shaked: Linux Namespaces Support and Docker Plugin

2nd place and $2000 USD cash goes to:

Kevin Breen: Symbol Generator & Public ISF Server, Cobalt Strike Plugin, Rich Header Plugin, and LastPass Credential Recovery Plugin

3rd place and $1000 USD cash goes to:

Frank Block: PTE Analysis Plugins 


Below is a detailed summary of all submissions, ordered alphabetically by first name. If you have feedback for the participants, we're sure they'd love to hear your thoughts! As previously mentioned, these developers deserve praise for their amazing work. We look forward to seeing future work by these authors!

Amir Sheffer & Ofek Shaked: Linux Namespaces Support and Docker Plugin

Container technology is widely used in production Linux settings, and analyzing per-container information can greatly focus an investigation and identify key related artifacts. This submission provides a suite of Volatility 3 plugins for memory forensics of Docker containers. It also expands core capabilities in Volatility 3 by making them aware of Linux namespaces and increases the number of supported kernel versions. For example, an analyst can quickly detect the presence of a container, collect information about the container and its capabilities, display information about its mount points, and obtain detailed network configuration data.

Related References:

https://github.com/amir9339/volatility-docker
https://github.com/oshaked1
https://github.com/amir9339

Felix Guyard: VolWeb

This submission provides an exciting new web interface to Volatility 3 built using the Django framework. The objectives for the project were to improve investigator efficiency, centralize collaborative analysis, and make memory analysis more "human" friendly. VolWeb also allows investigators to manage memory analysis investigations and search for string-based indicators of compromise. It provides a promising new platform for future work and integrations.

Related References:

https://twitter.com/k1nd0ne
https://k1nd0ne.github.io/index.html
https://github.com/k1nd0ne/VolWeb

Frank Block: PTE Analysis Plugins

The author contributes several Windows plugins for Volatility 3 that extend the code injection detection capabilities of malfind, while also adding low-level PTE enumeration functionality similar to !pte in Windbg. Building on the author's novel research, he has identified potential false negatives in malfind that can occur when the Windows VAD data does not match the underlying page protections, encoded in the PTEs. The author has written a comprehensive library for enumerating and inspecting Windows PTEs and a set of example capabilities on top. All-in-all, it's a great contribution to the Volatility 3 ecosystem! It is also extremely well documented with research publications, blog posts, and a great talk on the subject.

Related References:

https://insinuator.net/2021/12/release-of-pte-analysis-plugins-for-volatility-3
https://github.com/f-block/volatility-plugins

Gerhart: Hyper-V Volatility Introspection Layer

Virtual memory introspection is a technique for monitoring the runtime state of a virtual machine. This submission adds the ability to analyze live Windows Hyper-V virtual machines without acquiring a full memory dump. The new Volatility 3 layer for Hyper-V adds an interface reminiscent of LiveCloudKd or Sysinternals LiveKd, but with the power of Volatility 3's extensive plugins.

Related References:

https://twitter.com/gerhart_x
https://hvinternals.blogspot.com
https://github.com/gerhart01

Kevin Breen: Symbol Generator & Public ISF Server, Cobalt Strike Plugin, Rich Header Plugin, and LastPass Credential Recovery Plugin

This submission includes a number of components that can help analysts with modern investigations. The submission includes the following 3 plugins that bring new or updated functionality to Volatility 3:

Password Managers: LastPass is a widely used password manager and thus provides a highly valuable forensics target. This submission ports a popular Volatility 2 plugin for extracting LastPass credentials that were stored in memory at the time of acquisition.


Rich Header Plugin: A common technique during investigations is to try and identify masquerading processes running on suspected systems. This plugin extracts the Rich header from PE files compiled with Visual Studio which can help identify masquerading processes or aid in wider threat hunting or incident response investigations.


Cobalt Strike Plugin: Cobalt Strike is one of the most popular frameworks used by modern attackers and is frequently encountered during investigations. This plugin scans processes for signs of a Cobalt Strike configuration block and provides the ability to extract relevant configuration information.  
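As an added illustration of the Rich header technique described above (example code written for this page, not the contest plugin's own code): this Python parser decodes the XOR-obfuscated Rich header from a PE's DOS stub and derives a fingerprint that can be compared across processes claiming the same image name. The sample bytes are constructed inline and the helper names are assumptions.

```python
import hashlib
import struct

DANS = struct.unpack("<I", b"DanS")[0]  # start-of-header marker, stored XORed with the key


def parse_rich_header(data: bytes):
    """Decode the Rich header found in the DOS stub of a PE image.

    Returns {"key": int, "entries": [(prod_id, build, count), ...]} or None
    when no well-formed header is present."""
    end = data.find(b"Rich")
    if end == -1 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]  # plaintext key follows 'Rich'
    pos = end - 4
    while pos >= 0:  # walk back a dword at a time to the encoded 'DanS' marker
        if struct.unpack_from("<I", data, pos)[0] == DANS ^ key:
            break
        pos -= 4
    else:
        return None
    entries = []
    for off in range(pos + 16, end, 8):  # skip 'DanS' plus three encoded padding dwords
        comp, count = struct.unpack_from("<II", data, off)
        comp ^= key
        entries.append((comp >> 16, comp & 0xFFFF, count ^ key))
    return {"key": key, "entries": entries}


def rich_fingerprint(entries) -> str:
    """Stable hash of the tool-chain entries, for comparing processes that claim
    the same image name; order is preserved since it is part of the signal."""
    packed = b"".join(struct.pack("<HHI", p, b, c) for p, b, c in entries)
    return hashlib.sha256(packed).hexdigest()


def build_sample(key: int, entries) -> bytes:
    """Construct a minimal DOS stub carrying a Rich header (constructed test data)."""
    enc = lambda v: struct.pack("<I", v ^ key)
    blob = b"MZ" + b"\x00" * 0x7E  # fake DOS header, constructed
    blob += enc(DANS) + enc(0) * 3
    for prod, build, count in entries:
        blob += enc((prod << 16) | build) + enc(count)
    return blob + b"Rich" + struct.pack("<I", key)


if __name__ == "__main__":
    sample = build_sample(0x12345678, [(0x00FF, 0x5B97, 3), (0x0104, 0x6B74, 12)])
    hdr = parse_rich_header(sample)
    print(hex(hdr["key"]), hdr["entries"], rich_fingerprint(hdr["entries"])[:16])
```

Two processes with the same image name but different fingerprints were built with different tool chains, which is the kind of mismatch worth a closer look.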

In addition to the aforementioned plugins, the submission also provides tools to reduce the hurdles some people experience when analyzing Linux memory samples: 

A Linux symbol server with currently over 1000 Volatility 3 ISF symbol files: The server can be provided to Volatility 3 as a remote symbol server and, if a sample has a matching banner, it can automatically use the associated symbols for analysis. Individual symbol files can also be searched for either by banner or kernel name.


If a symbol file does not exist on the server, a separate Symbol Maker tool can be used to create a symbol file.  By specifying a supported distribution and an optional kernel, the tool will download the necessary files and use dwarf2json to create a symbol file that can be used with Volatility 3. The tool currently supports Ubuntu (Main, AWS, Azure and GCP Variants) and Debian (Main, AWS).

Related References:

https://twitter.com/kevthehermit
https://github.com/kevthehermit/volatility_plugins/blob/main/vol3/passwordmanagers/passwordmanagers.py
https://github.com/Immersive-Labs-Sec/volatility_plugins/tree/main/richheader
https://github.com/Immersive-Labs-Sec/volatility_plugins/tree/main/cobaltstrike
https://isf-server.techanarchy.net
https://github.com/kevthehermit/volatility_symbols

Leonardo Dias da Silva: MultiYara

Many investigators often use YARA to help detect suspicious activity in memory samples.  This submission was intended to help investigators optimize and automate their investigation workflows by making it easier to pull down updated rules from remote locations and leverage multiple YARA rules. 

Related References:

https://www.linkedin.com/in/leonardo-dias-silva

MoonGyu Lee, JeongToon Kang, HyeonDeok Jeong, JunSung Park, Mintaek Lim (BoB Tracer of Coin): CryptoScan

Cryptocurrency is becoming increasingly important during digital investigations, and there aren't many forensics tools focused on extracting cryptocurrency artifacts. In Korea, malicious actors are leveraging hardware wallets to bypass government-required authentication and gain anonymity. This submission is a plugin to detect and extract cryptocurrency transaction records and artifacts related to hardware wallet usage. In particular, their research explores the Ledger Nano and Trezor One hardware wallets. By interfacing with several cryptocurrency websites, the plugin can also be used to support investigations related to tracking cryptocurrency transactions.

Related References:

https://github.com/BoB10th-BTC/CryptoScan/blob/master/cryptoscan.py


Here are some additional resources for previous contests and community-driven plugins:

Volatility Foundation Contest Home Page:  http://www.volatilityfoundation.org/contest

Volatility 2020 Plugin Contest Results: https://www.volatilityfoundation.org/2020
Volatility 2019 Plugin Contest Results: https://www.volatilityfoundation.org/2019
Volatility 2018 Plugin Contest Results: https://www.volatilityfoundation.org/2018
Volatility 2017 Plugin Contest Results: http://www.volatilityfoundation.org/2017
Volatility 2016 Plugin Contest Results: http://www.volatilityfoundation.org/2016 
Volatility 2015 Plugin Contest Results: http://www.volatilityfoundation.org/2015
Volatility 2014 Plugin Contest Results: http://www.volatilityfoundation.org/2014-cjpn
Volatility 2013 Plugin Contest Results: http://www.volatilityfoundation.org/2013-c19yz

Volatility Community GitHub Repository: https://github.com/volatilityfoundation/community3 

Tuesday, January 18, 2022

Malware and Memory Forensics Training in 2022!

Over the last few months, we have received many questions about when our Malware and Memory Forensics training would return to in-person learning. Given that a new year is nearly here, and the rate of inquiries has continued to increase, we wanted to document our plans going forward in a publicly available blog post, as opposed to only fielding questions individually.

Virtual Course Remains Available


We would like to start by saying that our course is currently available in virtual format to students across the globe. We announced this availability earlier this year, and since then have had many students successfully complete the course. 

Our online course is self-paced and includes the full material (pre-recorded lectures, copies of the slides, labs, lab guide, etc.) given and presented in the normal 5-day course. Students also have direct access to the instructors through a private Slack channel on the Volatility Foundation's Slack server. The self-paced format of the course has received very positive feedback, particularly as students have benefited from being able to message and screen share with instructors for help and have the ability to re-listen to lectures to reinforce learning:

"The class is one of the most technical courses I've taken. The Labs provided real world examples and make you think of various aspects of incident response (Network, Disk, File, Memory Forensics). I would recommend this class for incident responders, defenders, and those looking to get a better understanding of memory forensics. I've taken other Level 600/Advanced classes from other vendors and this is right up there with the content and quality." ~ Carlos M.

"I don't say it lightly: this is the best course I've ever taken. The instructors are incredibly fast (and helpful) to answer any questions about the subject, be it directly related to a module or on a real life scenario. It's also not about running plugins blindly. The course has taught me priceless information on Windows Internals, why certain suspicious activities in memory are suspicious in the first place and, best of all, showed me a structured analysis framework I can apply to all my future investigations." ~ Alexandre S.

"I have waited five years to finally attend, participate in and complete this excellent course. I wasn't disappointed. Very relevant, very in depth and has left me with the skills and enthusiasm to seek out and explore more." ~ Matthew K.

Plans for Public, In-Person Training


As for in-person, public trainings, we are currently evaluating offering these in the Summer or Fall of 2022. We decided against hosting the training in Spring 2022 given the ongoing uncertainty surrounding the pandemic, including restrictions on travel from governments and companies, as well as constantly changing local regulations, particularly in cities where we have historically held training events. Our aim is to return to in-person training as soon as the uncertainty clears and as the pandemic allows.

Private, In-Person Training Beginning in 2022


We will be available for private trainings starting in 2022 within the United States. At this time, this seems the most reasonable option given that a single organization would control the pandemic-related parameters of the training. If your company is interested in a private, in-person training, please contact us. Private trainings can be customized, including modifying the number of days or focusing the course on the areas most critical to the particular organization’s success and goals. 

Keep in Touch!


We hope this update addresses any questions you may have, but if not then please let us know. We also hope to be back presenting at conferences in-person next year along with being able to host our training at public events. 

-- The Volatility Team