Friday, February 18, 2022

The 2021 Volatility Plugin Contest results are in!

Results from the 9th Annual Volatility Plugin Contest are in! And this year, there were 7 submissions from 7 different countries! Submissions included a new web interface, a new address layer, 6 updates to existing plugins, and 15 new Volatility 3 plugins. Once again, we would like to thank the participants for their hard work on their submissions and contributions to Volatility. As in previous years, it was great to see contestants who had submitted in prior contests and submissions from across the global Volatility community.  

It's now 15 years since the first public release of Volatility! It has been exciting to see researchers in the memory forensics field continue to innovate. Later this year, we are planning something special to commemorate all the contributors who have joined us on this journey. 

Independent open source projects and communities only remain viable because of contributors who are willing to sacrifice their time and resources. Please show your appreciation for the contestants’ contributions by following them on Twitter/GitHub/LinkedIn, providing feedback on their ideas, and helping to improve their code with testing, documentation, or contributing patches. 


We would like to thank Volexity for being a sustaining sponsor of the Volatility Foundation and, in particular, for contributing to this year’s contest. We would also like to thank the core Volatility developers and the previous winners of the contest who helped review and deliberate the submissions.

Placements and Prizes for the 2021 Volatility Plugin Contest:

1st place and $3000 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:

Amir Sheffer & Ofek Shaked: Linux Namespaces Support and Docker Plugin

2nd place and $2000 USD cash goes to:

Kevin Breen: Symbol Generator & Public ISF Server, Cobalt Strike Plugin, Rich Header Plugin, and LastPass Credential Recovery Plugin

3rd place and $1000 USD cash goes to:

Frank Block: PTE Analysis Plugins


Below is a detailed summary of all submissions, ordered alphabetically by first name. If you have feedback for the participants, we're sure they'd love to hear your thoughts! As previously mentioned, these developers deserve praise for their amazing work. We look forward to seeing future work by these authors!

Amir Sheffer & Ofek Shaked: Linux Namespaces Support and Docker Plugin

Container technology is widely used in production Linux settings, and analysis of per-container information can greatly narrow an investigation and identify key related artifacts. This submission provides a suite of Volatility 3 plugins for memory forensics of Docker containers. It includes expanding core capabilities in Volatility 3 by making them aware of Linux namespaces and increasing the number of supported kernel versions. For example, an analyst can quickly detect the presence of a container, collect information about the container and its capabilities, display information about its mount points, and obtain detailed network configuration data.

Related References:

https://github.com/amir9339/volatility-docker
https://github.com/oshaked1
https://github.com/amir9339

Felix Guyard: VolWeb

This submission provides an exciting new web interface to Volatility 3 built using the Django framework. The objectives for the project were to improve investigator efficiency, centralize collaborative analysis, and make memory analysis more "human" friendly. VolWeb also allows investigators to manage memory analysis investigations and search for string-based indicators of compromise. It provides a promising new platform for future work and integrations.

Related References:

https://twitter.com/k1nd0ne
https://k1nd0ne.github.io/index.html
https://github.com/k1nd0ne/VolWeb

Frank Block: PTE Analysis Plugins

The author contributes several Windows plugins for Volatility 3 that extend the code injection detection capabilities of malfind, while also adding low-level PTE enumeration functionality similar to !pte in WinDbg. Building on his own research, the author identified potential false negatives in malfind that can occur when the Windows VAD data does not match the underlying page protections encoded in the PTEs. The author has written a comprehensive library for enumerating and inspecting Windows PTEs and a set of example capabilities on top of it. All in all, it's a great contribution to the Volatility 3 ecosystem! It is also extremely well documented with research publications, blog posts, and a great talk on the subject.
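The false negative described above comes down to a simple comparison: the VAD declares one protection for a region, while the hardware PTE for a page in that region grants different rights. The following is an added illustration written for this summary, not code from Frank Block's plugins. It assumes the x64 hardware PTE bit layout (bit 0 valid, bit 1 writable, bit 2 user, bit 7 large page, bit 63 NX, PFN in bits 12-51) and the eight-entry VAD protection table that Volatility's vadinfo output uses. All page values are constructed; non-valid PTEs (transition, prototype, software) are deliberately skipped, because decoding them is exactly the harder part the real plugins handle.

```python
# Added example: compare VAD-declared protection with hardware PTE bits.
# Assumes the x64 hardware PTE format; all sample values below are constructed.
PTE_VALID = 1 << 0
PTE_WRITE = 1 << 1
PTE_USER = 1 << 2
PTE_LARGE = 1 << 7
PTE_NX = 1 << 63
PFN_MASK = ((1 << 40) - 1) << 12   # physical frame number, bits 12..51

# Protection index stored in the VAD flags, as vadinfo prints it.
VAD_PROTECTION = {
    0: "PAGE_NOACCESS", 1: "PAGE_READONLY", 2: "PAGE_EXECUTE",
    3: "PAGE_EXECUTE_READ", 4: "PAGE_READWRITE", 5: "PAGE_WRITECOPY",
    6: "PAGE_EXECUTE_READWRITE", 7: "PAGE_EXECUTE_WRITECOPY",
}


def decode_pte(pte):
    """Decode a valid hardware PTE; return None for anything that is not
    hardware-valid (transition, prototype and software PTEs use other layouts)."""
    if not pte & PTE_VALID:
        return None
    return {
        "pfn": (pte & PFN_MASK) >> 12,
        "writable": bool(pte & PTE_WRITE),
        "executable": not (pte & PTE_NX),
        "user": bool(pte & PTE_USER),
        "large_page": bool(pte & PTE_LARGE),
    }


def vad_rights(protection_index):
    """Translate the VAD protection index into the rights it declares."""
    idx = protection_index & 7
    name = VAD_PROTECTION[idx]
    return {"name": name,
            "executable": "EXECUTE" in name,
            "writable": idx in (4, 5, 6, 7)}


def find_mismatches(pages):
    """pages: iterable of (virtual address, vad protection index, pte value).
    Return pages whose PTE grants execute or write rights the VAD does not declare,
    which is the case malfind misses when it trusts the VAD alone."""
    findings = []
    for vaddr, prot, pte in pages:
        hw = decode_pte(pte)
        if hw is None:
            continue
        vad = vad_rights(prot)
        reasons = []
        if hw["executable"] and not vad["executable"]:
            reasons.append("PTE executable, VAD %s" % vad["name"])
        if hw["writable"] and not vad["writable"]:
            reasons.append("PTE writable, VAD %s" % vad["name"])
        if reasons:
            findings.append((vaddr, reasons))
    return findings


# Constructed sample: (vaddr, VAD protection index, PTE value).
SAMPLE_PAGES = [
    (0x7FF600001000, 3, (0x1A2B3 << 12) | PTE_VALID | PTE_USER),                      # EXECUTE_READ, NX clear: consistent
    (0x7FF600002000, 4, (0x1A2B4 << 12) | PTE_VALID | PTE_USER | PTE_WRITE | PTE_NX),  # READWRITE, NX set: consistent
    (0x000002900000, 4, (0x2C0D1 << 12) | PTE_VALID | PTE_USER | PTE_WRITE),           # READWRITE but NX clear
    (0x000002901000, 1, (0x2C0D2 << 12) | PTE_VALID | PTE_USER | PTE_WRITE | PTE_NX),  # READONLY but writable
    (0x000002902000, 6, 0x80),                                                         # not hardware-valid: skipped
]


def demo():
    return find_mismatches(SAMPLE_PAGES)


if __name__ == "__main__":
    for vaddr, reasons in demo():
        print("0x%x: %s" % (vaddr, "; ".join(reasons)))
```

Only the third and fourth sample pages are reported: the first two agree with their VAD, and the last is skipped because a non-valid PTE needs the richer decoding the submission provides.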

Related References:

https://insinuator.net/2021/12/release-of-pte-analysis-plugins-for-volatility-3
https://github.com/f-block/volatility-plugins

Gerhart: Hyper-V Volatility Introspection Layer

Virtual memory introspection is a technique for monitoring the runtime state of a virtual machine. This submission adds the ability to analyze live Windows Hyper-V virtual machines without acquiring a full memory dump. The new Volatility 3 layer for Hyper-V adds an interface reminiscent of LiveCloudKd or Sysinternals LiveKd, but with the power of Volatility 3's extensive plugins.

Related References:

https://twitter.com/gerhart_x
https://hvinternals.blogspot.com
https://github.com/gerhart01

Kevin Breen: Symbol Generator & Public ISF Server, Cobalt Strike Plugin, Rich Header Plugin, and LastPass Credential Recovery Plugin

This submission includes a number of components that can help analysts with modern investigations. The submission includes the following 3 plugins that bring new or updated functionality to Volatility 3:

Password Managers: LastPass is a widely used password manager and thus provides a highly valuable forensics target. This submission ports a popular Volatility 2 plugin for extracting LastPass credentials that were stored in memory at the time of acquisition.


Rich Header Plugin: A common technique during investigations is to try and identify masquerading processes running on suspected systems. This plugin extracts the Rich header from PE files compiled with Visual Studio which can help identify masquerading processes or aid in wider threat hunting or incident response investigations.


Cobalt Strike Plugin: Cobalt Strike is one of the most popular frameworks used by modern attackers and is frequently encountered during investigations. This plugin scans processes for signs of a Cobalt Strike configuration block and provides the ability to extract relevant configuration information.  
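To show what the Rich Header plugin described above actually recovers, here is an added example written for this summary; it is not the submission's code. The Rich header sits between the DOS stub and the PE signature: an XOR-obscured "DanS" marker, three padding dwords, then (compid, count) pairs, followed by the plaintext "Rich" marker and the XOR key. The key doubles as a checksum over the DOS header (excluding e_lfanew) and the entries, so recomputing it is a cheap way to notice a forged or edited header when a process claims to be something it is not. The sample image, product IDs and build numbers are constructed, not taken from a real binary.

```python
# Added example: parse a PE Rich header and verify its checksum/key.
# Assumes the documented layout (DanS marker, padding, compid/count pairs, "Rich", key).
import struct

DANS = 0x536E6144          # "DanS" read as a little-endian dword
RICH_MARK = b"Rich"
E_LFANEW = 0x3C            # e_lfanew bytes are excluded from the checksum


def rol32(value, count):
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(data, dans_offset, entries):
    """Recompute the key the linker stores after 'Rich': the DanS offset plus every
    byte before the header (rotated by its offset), plus each compid rotated by its count."""
    checksum = dans_offset
    for i in range(dans_offset):
        if E_LFANEW <= i < E_LFANEW + 4:
            continue
        checksum = (checksum + rol32(data[i], i)) & 0xFFFFFFFF
    for compid, count in entries:
        checksum = (checksum + rol32(compid, count)) & 0xFFFFFFFF
    return checksum


def parse_rich_header(data, search_limit=0x400):
    """Return the decoded entries and whether the stored key matches the recomputed one,
    or None when no Rich header is present."""
    rich_pos = data.find(RICH_MARK, 0, search_limit)
    if rich_pos < 0 or rich_pos + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    pos = rich_pos - 4
    while pos >= 0 and struct.unpack_from("<I", data, pos)[0] ^ key != DANS:
        pos -= 4                      # walk back dword by dword to the DanS marker
    if pos < 0:
        return None
    raw = []
    for off in range(pos + 16, rich_pos - 7, 8):   # skip DanS + three padding dwords
        compid, count = struct.unpack_from("<II", data, off)
        raw.append((compid ^ key, count ^ key))
    entries = [{"product_id": c >> 16, "build": c & 0xFFFF, "count": n} for c, n in raw]
    return {"offset": pos, "key": key, "entries": entries,
            "checksum_ok": rich_checksum(data, pos, raw) == key}


def build_sample_image(entries, dans_offset=0x80):
    """Constructed fixture: DOS header and stub, a Rich header with a correct key,
    then the PE signature. Not a real executable."""
    img = bytearray(dans_offset)
    img[0:2] = b"MZ"
    msg = b"This program cannot be run in DOS mode."
    img[0x40:0x40 + len(msg)] = msg
    pe_offset = dans_offset + 16 + 8 * len(entries) + 8 + 8   # header plus 8 bytes padding
    struct.pack_into("<I", img, E_LFANEW, pe_offset)
    raw = [((prod << 16) | build, count) for prod, build, count in entries]
    key = rich_checksum(img, dans_offset, raw)
    words = [DANS ^ key, key, key, key]                      # zero padding XOR key == key
    for compid, count in raw:
        words += [compid ^ key, count ^ key]
    img += struct.pack("<%dI" % len(words), *words) + RICH_MARK + struct.pack("<I", key)
    img += b"\0" * (pe_offset - len(img)) + b"PE\0\0"
    return bytes(img)


# Constructed (product id, build, count) tuples; not real toolchain identifiers.
SAMPLE_ENTRIES = [(0x0104, 0x7809, 12), (0x0105, 0x7809, 3), (0x0001, 0x0000, 5)]


def demo():
    image = build_sample_image(SAMPLE_ENTRIES)
    good = parse_rich_header(image)
    tampered = bytearray(image)
    tampered[good["offset"] + 16 + 4] ^= 0x01     # flip low bit of the first entry's count
    bad = parse_rich_header(bytes(tampered))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact  :", good["checksum_ok"], good["entries"])
    print("tampered:", bad["checksum_ok"], bad["entries"])
```

A `checksum_ok` of False does not by itself prove malice (some packers and tools rewrite the DOS stub), but combined with the product/build pairs it gives an analyst a concrete toolchain fingerprint to compare against the binary a process claims to be.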

In addition to the aforementioned plugins, the submission also provides tools to reduce the hurdles some people experience when analyzing Linux memory samples: 

A Linux symbol server with currently over 1000 Volatility 3 ISF symbol files: The server can be provided to Volatility 3 as a remote symbol server and, if a sample has a matching banner, it can automatically use the associated symbols for analysis. Individual symbol files can also be searched for either by banner or kernel name.


If a symbol file does not exist on the server, a separate Symbol Maker tool can be used to create a symbol file.  By specifying a supported distribution and an optional kernel, the tool will download the necessary files and use dwarf2json to create a symbol file that can be used with Volatility 3. The tool currently supports Ubuntu (Main, AWS, Azure and GCP Variants) and Debian (Main, AWS).

Related References:

https://twitter.com/kevthehermit
https://github.com/kevthehermit/volatility_plugins/blob/main/vol3/passwordmanagers/passwordmanagers.py
https://github.com/Immersive-Labs-Sec/volatility_plugins/tree/main/richheader
https://github.com/Immersive-Labs-Sec/volatility_plugins/tree/main/cobaltstrike
https://isf-server.techanarchy.net
https://github.com/kevthehermit/volatility_symbols

Leonardo Dias da Silva: MultiYara

Investigators often use YARA to help detect suspicious activity in memory samples. This submission is intended to help investigators optimize and automate their investigation workflows by making it easier to pull down updated rules from remote locations and apply multiple YARA rule sets in one run.

Related References:

https://www.linkedin.com/in/leonardo-dias-silva

MoonGyu Lee, JeongToon Kang, HyeonDeok Jeong, JunSung Park, Mintaek Lim (BoB Tracer of Coin): CryptoScan

Cryptocurrency is becoming increasingly important during digital investigations, and there aren't many forensics tools focused on extracting cryptocurrency artifacts. In Korea, malicious actors are leveraging hardware wallets to bypass government-required authentication and gain anonymity. This submission is a plugin to detect and extract cryptocurrency transaction records and artifacts related to hardware wallet usage. In particular, their research explores the Ledger Nano and Trezor One hardware wallets. By interfacing with several cryptocurrency websites, the plugin can also be used to support investigations related to tracking cryptocurrency transactions.

Related References:

https://github.com/BoB10th-BTC/CryptoScan/blob/master/cryptoscan.py


Here are some additional resources for previous contests and community-driven plugins:

Volatility Foundation Contest Home Page:  http://www.volatilityfoundation.org/contest

Volatility 2020 Plugin Contest Results: https://www.volatilityfoundation.org/2020
Volatility 2019 Plugin Contest Results: https://www.volatilityfoundation.org/2019
Volatility 2018 Plugin Contest Results: https://www.volatilityfoundation.org/2018
Volatility 2017 Plugin Contest Results: http://www.volatilityfoundation.org/2017
Volatility 2016 Plugin Contest Results: http://www.volatilityfoundation.org/2016
Volatility 2015 Plugin Contest Results: http://www.volatilityfoundation.org/2015
Volatility 2014 Plugin Contest Results: http://www.volatilityfoundation.org/2014-cjpn
Volatility 2013 Plugin Contest Results: http://www.volatilityfoundation.org/2013-c19yz

Volatility Community GitHub Repository: https://github.com/volatilityfoundation/community3