Announcing the Volatility 3 Public Beta!

The Volatility Team is very excited to announce the first public beta release of Volatility 3!

We presented this beta for the first time to OSDFCon attendees and received a very warm reception both during and after our presentation. As always, we are very grateful to our community for the years of support given to our trainings, book, invited speaking engagements, plugin contests, and other activities.

With this blog post, we now want to document the beta release for the entire community.

This beta release is meant to give an early view of the future direction of Volatility along with the ability to experience the new framework well in advance of its first official release next summer.

Motivation
Since being initially developed in the mid-2000s, Volatility 2 has become the de-facto framework for memory analysis research, development, and real-world analysis. Parallel to this rise in popularity, significant changes have occurred in the memory forensic landscape, including the:

• Large increases in the size of RAM samples to be analyzed
• Inclusion of multiple RAM samples in common investigative scenarios
• Number of analysis tasks (plugins) that are available and utilized in investigations
• Introduction of rapid kernel development cycles across Windows, Linux, and OS X

These changes, along with others, drove the decision to redesign and reimplement Volatility 3 as a completely new framework - meaning that every line of code has been written from scratch. This decision gave us the full ability to design a framework that not only meets the needs of current analysis, but also of analysis for years to come.

New Features

During the design phase of Volatility 3, it became clear that the choice to design the framework from scratch provided the flexibility to fulfill many of the requests made over the years by members of our community. We are happy to say that a number of these requests have now been satisfied with Volatility 3 and will be fully realized in the first official release.

For users, the highlights of the new features include:

• Major performance boosts
• The removal of reliance on --profile in order for the framework to determine which symbol table (profile) is needed to match the operating system version in the memory sample 
• Proper evaluation of 32bit code on 64bit systems, such as Window's wow64 
• Automatic evaluation of in-memory code to avoid as much manual reverse engineering on part of the analyst as possible

For developers:

• Much simpler integration into user 3rd-party interfaces and libraries
• Extensive API documentation
• The ability for plugins to directly call other plugins
• Plugin versioning
• Direct integration of custom symbol tables and data structures

Code and Documentation

The official repository for Volatility 3 is on Github within the same organization as Volatility 2.

The official documentation can be found on our Read the Docs page.

Roadmap

In order to fully meet the needs of our community, including keeping Volatility 2 stable and up-to-date with the latest operating system versions, along with the rapid development of Volatility 3, we have decided on a dual framework development cycle.

For Volatility 3, our goal is to have the first full release in August 2020. This release is slated to have complete feature parity (plugins, address spaces, etc.) with Volatility 2 as well as a number of completely new analysis features. We then expect official periodic releases to continue for years after.

For Volatility 2, the core development team will keep it fully up-to-date with features and plugins until August 2021.

In August 2021, the core development team will stop work on Volatility 2 and all efforts will be given to Volatility 3. 

This means that, for the roughly next two years, Volatility users can expect a fully featured framework in Volatility 2 while we work to bring Volatility 3 to full realization.

Getting Involved!

By releasing a beta version of Volatility 3 in the middle of the development cycle, we hoped to inspire members of the community to help with our efforts related to development, documentation, testing, and everything else involved with making Volatility 3 become the new de-facto framework of the field. While the core of Volatility 3 is implemented and stable, there is much work to be done in porting plugins and adding the envisioned brand new features.

Whether you are a college student looking to gain real-world development experience or a seasoned professional looking to have a major impact on your field, there are many tasks where help would be appreciated and recognized.

If you would like to discuss these possibilities with us, then please see our community resources, described next.

Community Resources

For the members of our community who wish to engage directly with the core development team as well as other members, we now have two resources available:

• Our new Slack server
• Our existing mailing list - vol-users

Both of these resources can be used to ask questions, get help with analysis or development tasks, keep up with our latest announcements, and for anything else related to Volatility and memory forensics.

Final Thoughts

We would again like to thank our community for the continued support!

The huge, warm reception at OSDFCon made for a very nice experience, and we always enjoy being able to engage directly with Volatility users.

Our 2020 calendars are already packed with trainings, conferences, and other community events. If you see an announcement of us participating at an event that you will also be attending, then please stop by and say hello.



-- The Volatility Team

Malware and Memory Forensics Training in 2019!

We are excited to announce that in 2019 we will have 3 public offerings of our highly popular and newly updated Malware and Memory Forensics training course. If you would like to join us, our international course will be in London in September, and our US course will be back in Reston/Herndon, VA, during the week of April 8-12, and also in October. We will announce the specific weeks of the Fall courses soon.

Our cutting-edge materials are one of the main reasons students value our course. We don't teach the same concepts year after year. Instead, we update our class regularly to stay in sync with (and in some cases, ahead of) the rapidly changing attack surfaces, advances in defense technologies, malware hiding tricks, and operating system forensics artifacts. A few recent additions include:

• Updated memory analysis techniques for Windows 10 changes
• Challenges of recent hibernation file analysis
• Incorporating decompression of memory pages and paging files into analysis
• Expanded coverage of memory-only Powershell and .NET based attacks
• Scalable and automated memory acquisition of Linux systems
• Memory acquisition challenges from OS X Mojave systems

Not only only will you be learning these memory forensics topics directly from the authors of the Volatility Framework and the Art of Memory Forensics, but you will also receive Volatility stickers, a branded USB drive, a copy of the Art of Memory Forensics (digital or print), and various opportunities to win SyncStops - all nicely documented by a recent student:

Learned a ton, won some stuff, got free drinks. Had an excellent week attending @volatility training. 😊 pic.twitter.com/ZK4OioYCiz

— Sarah (@StarSlaughter) April 21, 2018

We also recently started providing students with a foldable copy of our popular cheat sheet:

Students of our @blackhatevents Digital Forensics & Incident Response class this week will be the first to receive the new foldable @volatility cheat sheets!

Thanks to @Volexity for putting these together! pic.twitter.com/hJ5HHfPy5z

— Andrew Case (@attrc) August 4, 2018

 One of the most popular class contests is our CTF that pits individuals (or teams of two) against the rest of the class, in a challenge that involves analyzing Windows and Linux memory samples in a scenario resembling events that unfolded during the 2016 U.S. Presidential Election.

Swag including coffee mugs, t shirts, and @volatility branded @SyncStop devices for our training CTF winners #dfir #memoryforensics pic.twitter.com/z5kKS4DTnf

— volatility (@volatility) April 20, 2018

To continue providing the most up-to-date memory forensics training available anywhere in the world, our instructors constantly perform high impact, real-world DFIR  (1, 2, 3, 4, 5, 6, 7). The knowledge gained during these investigation is immediately transitioned into content and labs for our training courses.

Besides the core knowledge needed to perform effective memory forensics, we also teach the latest tools and techniques for reliable memory acquisition. Students will gain experience using Volexity Surge Collect Pro for robust, fast, and secure collection of Windows, Linux, and OS X memory to local and remote/network-based destinations. Students can purchase Surge licenses at a discounted price during course registration (see Memory Forensics Training FAQ) or separately after the class.

In closing this update, we would again like to thank the DFIR community for its continued support of the Volatility project and our associated training course. It was great seeing and meeting so many users around the world this year, particularly at OSDFCon, Black Hat, DFRWS, BSidesNOLA, and in Amsterdam and Herndon.

-- The Volatility Team

Malware and Memory Forensics 2017 Schedule (Now with Linux, Mac, and Surge Collect Pro)

Our most popular training course just got even better! We're happy to announce the curriculum for Malware and Memory Forensics by The Volatility Project now includes the following:

• Linux and Mac OS X memory analysis
• Windows memory acquisition with Volexity Surge Collect Pro
• Several new and challenging hands-on labs based on high profile, real world incidents

We currently have 5 MMF courses open for registration, including our first wave of events in 2017. Registrants of all classes will receive a free copy of The Art of Memory Forensics in hard/paper or electronic (eBook, Mobi, or PDF) format.

2016

August 29th - September 2nd, 2016 in Amsterdam (**nearly sold out)
October 3rd - 7th, 2016 in Herndon, VA (**nearly sold out)

2017

April 3rd - 7th, 2017 in Herndon, VA
September 18th - 22nd, 2017 in London, UK (**our first UK class in 3 years)
October 16th - 20th, 2017 in Herndon, VA

Starting with the 2017 courses, we're offering discounts on Volexity Surge Collect Pro (for Windows) at the time of registration. For more information on this package deal, see our Memory Forensics Training FAQ.

If you're interested in attending, contact us. We look forward to meeting and training with everyone!

Automating Detection of Known Malware through Memory Forensics

In this blog post, we will cover how to automate the detection of previously identified malware through the use of three Volatility plugins along with ClamAV. Although this walk-through primarily focuses on Windows memory samples, at the end we explain how to port the approach to Linux and OS X samples.

Motivation

Although it would make our jobs quite interesting if every investigation involved analyzing new malware samples and families, the reality is that many malware investigations only require analyzing memory samples in order to verify (or hunt for) an infection by malware previously discovered in the wild. In these situations, the ability to quickly leverage existing tools and malware intelligence can lead to rapid identification of infected systems.

In this blog post, we document a methodology that we have successfully used in many investigations to confirm the presence, or absence, of known malware on a system. By following this workflow, you should be able to quickly sort through memory samples in your current investigations and to perform one aspect of proactive threat hunting in a highly efficient manner.

Setup

For the purpose of this blog post, we are going to analyze a memory sample that was previously available online. In particular, we are going to look at the stuxnet.vmem file that was produced to accompany The Malware Analyst's Cookbook. As you can likely guess, this memory sample came from a virtual machine infected with Stuxnet.

The real world scenarios where this applies are when you wish to verify if a system is infected, such as after receiving an AV or IDS alert, or when you wish to perform proactive threat hunting in order to stay ahead of potential threats in your environment. In these situations, you will first need to acquire a memory sample of the system you wish to analyze. A full discussion of this process is outside the scope of this blog post, but Chapter 4 of the Art of Memory Forensics provides extensive detail on the topic.

The remainder of this blog post assumes that you have a memory sample that was acquired using a stable tool and/or method.

Plugin Usage

The goal of this section is to showcase how, with only three Volatility plugins, an analyst can quickly extract a majority of the executables loaded into memory at the time of acquisition. 

dlldump

 To start, the dlldump plugin will be used to extract the main application executable and all* loaded DLLs inside of each** process:

$ python vol.py -f stuxnet.vmem --profile=WinXPSP2x86 dlldump —memory -D stuxout/
Volatility Foundation Volatility Framework 2.5
Process(V) Name            Module Base Module Name  Result

---------- --------------------      -------------  -----------------------
0x820df020 smss.exe      0x048580000 smss.exe       OK: module.376.22df020.48580000.dll
0x820df020 smss.exe      0x07c900000 ntdll.dll      OK: module.376.22df020.7c900000.dll
0x821a2da0 csrss.exe     0x04a680000 csrss.exe      OK: module.600.23a2da0.4a680000.dll
0x821a2da0 csrss.exe     0x07c900000                Error: DllBase is paged
0x821a2da0 csrss.exe     0x075b40000 CSRSRV.dll     OK: module.600.23a2da0.75b40000.dll
0x821a2da0 csrss.exe     0x077f10000  GDI32.dll     Error: DllBase is paged
0x821a2da0 csrss.exe     0x07e720000 sxs.dll        Error: DllBase is paged
0x821a2da0 csrss.exe     0x077e70000 RPCRT4.dll     Error: DllBase is paged
0x821a2da0 csrss.exe     0x077dd0000 ADVAPI32.dll   Error: DllBase is paged
0x821a2da0 csrss.exe     0x077fe0000  Secur32.dll   Error: DllBase is paged
0x821a2da0 csrss.exe     0x075b50000 basesrv.dll    Error: DllBase is paged
0x821a2da0 csrss.exe     0x07c800000 KERNEL32.dll   Error: DllBase is paged
0x821a2da0 csrss.exe     0x07e410000 USER32.dll     OK: module.600.23a2da0.7e410000.dll
0x821a2da0 csrss.exe     0x075b60000 winsrv.dll     OK: module.600.23a2da0.75b60000.dll
0x81da5650 winlogon.exe  0x001000000 winlogon.exe   OK: module.624.1fa5650.1000000.dll
<snip>

In the above invocation of dlldump, we set two options. The first, -D, specifies the directory in which to extract the executables. We will have each extraction plugin write to the same directory in order make running ClamScan easier. The second option, --memory, is likely only familiar to power Volatility users. The purpose of this flag is to instruct Volatility to extract all regions of memory around PE files instead of just relying on the file metadata in the PE header that specifies the original size of each section. This helps substantially when extracting packed executables from memory as you can get data both from the original file as well as the unpacked executable.

* There can be hidden DLLs. The next plugin, malfind, will take care of that.

** If a process is hidden from the active process list, then dlldump will not, by default, find it. This means the hidden executable and any DLLs it loaded will not be extracted using the above invocation. In this situation, you would want to use psxview to find the hidden process - but realize that the fact that a process is hidden already mean its malicious, and you do not need ClamScan to re-verify this for you.

malfind

The next plugin that we will use is malfind, which is a plugin that searches for malicious executables (usually DLLs) and shellcode inside of each process. Explaining the precise details of how malfind works is outside the scope of this post and not relevant in a triage situation - but again consult The Art of Memory Forensics if you want all the details. The following shows how to run malfind against the stuxnet sample:

$ python vol.py -f stuxnet.vmem --profile=WinXPSP2x86 malfind  -D stuxout/
Volatility Foundation Volatility Framework 2.5

<snip>
Process: services.exe Pid: 668 Address: 0x13f0000
Vad Tag: Vad  Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6

0x013f0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x013f0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x013f0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x013f0030  00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00   ................

0x013f0000 4d               DEC EBP
0x013f0001 5a               POP EDX
0x013f0002 90               NOP
0x013f0003 0003             ADD [EBX], AL
0x013f0005 0000             ADD [EAX], AL
0x013f0007 000400           ADD [EAX+EAX], AL
0x013f000a 0000             ADD [EAX], AL
0x013f000c ff               DB 0xff
<snip>

By default, for each suspicious memory region that malfind encounters, it will print attributes about the region such as which process it is mapped in, the starting and ending address of the region, and a hexdump and disassembly of the bytes at the beginning of the suspicious region. Since we added the -D flag to malfind, it will also extract each suspicious region into a separate file under our specified output directory.

By running the file command on just the files that malfind extracted, we have a good idea that we have already found the malware:

$ file stuxout/*
stuxout/process.0x81c47c00.0x1000000.dmp:  PE32 executable (GUI) Intel 80386, for MS Windows
stuxout/process.0x81c47c00.0x680000.dmp:   data
stuxout/process.0x81c47c00.0x6f0000.dmp:   data
stuxout/process.0x81c47c00.0x80000.dmp:    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
stuxout/process.0x81c47c00.0x870000.dmp:   PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
stuxout/process.0x81c498c8.0x1000000.dmp:  PE32 executable (GUI) Intel 80386, for MS Windows
stuxout/process.0x81c498c8.0x80000.dmp:    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
stuxout/process.0x81e61da0.0xb70000.dmp:   data
stuxout/process.0x81e61da0.0xbf0000.dmp:   data
stuxout/process.0x81e61da0.0xd00000.dmp:   PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
stuxout/process.0x82073020.0x13f0000.dmp:  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
stuxout/process.0x82073020.0x940000.dmp:   data
stuxout/process.0x820ec7e8.0x2550000.dmp:  data
stuxout/process.0x821a2da0.0x7f6f0000.dmp: data

In particular, we see multiple files whose file type is listed as a Windows executable. We also see several extracted regions whose file type was unknown (data), which means the region was either a false positive flagged by malfind or injected shellcode. Fortunately, since we are just using these plugins for automated triage, we can safely move on without examining each region individually.

moddump

By using dlldump and malfind, we have extracted every executable that Volatility will give us from userland (process memory) without having to manually dig ourselves. For the last plugin invocation, we will turn to moddump in order to extract all* the executables (drivers) from kernel memory as well.

$ python vol.py -f stuxnet.vmem --profile=WinXPSP2x86 moddump —memory -D stuxout/
Volatility Foundation Volatility Framework 2.5
Module Base Module Name          Result
----------- -------------------- ------
0x0804d7000 ntoskrnl.exe         OK: driver.804d7000.sys
0x0806d0000 hal.dll              OK: driver.806d0000.sys
0x0f7470000 update.sys           OK: driver.f7470000.sys
0x0f89ba000 usbehci.sys          OK: driver.f89ba000.sys
0x0f8a1a000 HIDPARSE.SYS         OK: driver.f8a1a000.sys
0x0f8b5a000 CmBatt.sys           OK: driver.f8b5a000.sys
0x0f855a000 pci.sys              OK: driver.f855a000.sys
0x0f89aa000 usbuhci.sys          OK: driver.f89aa000.sys
0x0bf800000 win32k.sys           OK: driver.bf800000.sys
0x0f87fa000 raspptp.sys          OK: driver.f87fa000.sys
0x0f89c2000 TDI.SYS              OK: driver.f89c2000.sys
0x0b2c23000 ipnat.sys            OK: driver.b2c23000.sys
0x0b23ce000 wdmaud.sys           OK: driver.b23ce000.sys
0x0f84e5000 SCSIPORT.SYS         OK: driver.f84e5000.sys

In this invocation, we have instructed Volatility to locate and extract all* kernel drivers from kernel memory into our output folder.

* moddump relies on the linked list of kernel modules in order to locate each extracted module. This list is susceptible to manipulation by malware and kernel-level malware can certainly run without being present in this list - in fact, it can even run without having any driver file associated with the malware at all (these are known as 'orphan threads' in Volatility terminology). We will avoid that rabbit hole in this blog post though.

Detection with ClamScan

So far we have leveraged dlldump, malfind, and moddump to automatically locate and extract a wide variety of executables from memory.  At this point, we want to check to see if any known malware is on the system, and to do so we will use ClamAV. For those unaware, ClamAV is an open source anti-virus engine with millions of signatures for known malware. It is command-line based and very easy to automate.

The following invocation of clamscan shows running it against all the files in the stuxout directory, which is the directory that contains every executable extracted by the previous three plugins:

$ clamscan stuxout/ | grep -v ": OK$"
stuxout/process.0x81c47c00.0x1000000.dmp: Win.Trojan.5873027-1 FOUND
stuxout/process.0x81c47c00.0x6f0000.dmp:      Win.Worm.Stuxnet-49 FOUND
stuxout/process.0x81c498c8.0x1000000.dmp: Win.Trojan.5873027-1 FOUND
stuxout/driver.f895a000.sys: Win.Trojan.Rootkit-8720 FOUND
stuxout/process.0x81e61da0.0xb70000.dmp:   Win.Worm.Stuxnet-49 FOUND
stuxout/process.0x81c47c00.0x80000.dmp: Win.Worm.Stuxnet-49 FOUND
stuxout/process.0x81c498c8.0x80000.dmp: Win.Worm.Stuxnet-49 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4514519
Engine version: 0.98.7
Scanned directories: 1
Scanned files: 1262
Infected files: 7
Data scanned: 614.46 MB
Data read: 631.82 MB (ratio 0.97:1)
Time: 196.320 sec (3 m 16 s)

In this output it is immediately obvious that we have a problem as 6 process (userland) files matched AV signatures. Furthermore, one of the drivers extracted from kernel memory matched a signature as well. While ClamScan will occasionally throw a false positive, the fact that multiple signatures matched multiple extracted files very likely means that we have an actual infection. In this example, we can see that ClamAV correctly identifies several of the malicious regions as being associated with Stuxnet.

Advantages to this approach

Speed

The fact that we only need to run three Volatility plugins, all with static command line options,  makes this a very fast process. Since none of the plugins require scanning the entire memory sample, each individual plugin should finish in less than one minute.

ClamAV can take anywhere from 1 minute to 10 minutes to scan all files extracted from memory samples that we regularly encounter.

Scalability

Since the entire triage process described in the writeup can be scripted and will almost always be finished in less than 15 minutes, this approach to detecting known malware is highly scalable.

Defeating Packers

One of the main advantages to extracting malware through memory forensics is that the malware will be in its unpacked form (ignoring VM-based and other advanced packers). This means that the anti-virus engine will be able to scan the actual contents of the malicious files and not just its obfuscated, outer shell. This really helps when scanning with Yara rules as well.

Memory-Only Malware & Injected Code

Through the use of malfind, we are able to find code injected into memory that may never exist on disk and that may have been injected in ways that traditional endpoint security tools would have missed.

No Need to Upload Samples

By running your testing local, you bypass the need to upload potential targeted malware to services such as VirusTotal or to your anti-virus vendor.

No OS Internals Needed

Performing this type of triage requires no advanced memory forensics or operating systems internals knowledge - all you have to do is run the plugins followed by clamscan.

Disadvantages to this approach

While highly useful, this approach is not 100% effective. The following sections describe some of the drawbacks.

Known Only

As made clear in the post title, this approach will only detect known malware. If the organizations originally targeted by Stuxnet had applied this approach to their systems, they would not have detected it as there would be no signatures for it.

This is an example of where deep memory forensics comes into play as it can detect malware in a generic fashion - without the need for any signatures or malware-specific knowledge. MHL's blog post does a great job of showing how effective Volatility's generic anomaly detection plugins are against Stuxnet.

Not everything will be mapped

A second downfall to this approach is that the malicious code might not be resident in memory at the time of the acquisition - it will either in a file on disk or scattered throughout the page file. This situation requires deeper analysis beyond simple triage in order to verify the malware's presence.

ClamAV isn't Perfect

No security tool is perfect, and ClamAV is no exception to this rule. Just because ClamAV does not flag any executables does NOT mean that they are all actually legitimate. In general, we use ClamAV for quick, positive identification of known malware - not to gain confidence that no malware is on the system.

Warnings / Caution Points

Before testing this approach in your own environment, there are two precautions to be aware of:

ClamAV bugs

Unfortunately, ClamAV is not written in a type-safe programming language, and, as a result, has had many vulnerabilities. These vulnerabilities allow for malicious executables to exploit the ClamAV scanning engine in order to take over systems on which the malware is being analyzed. For this reason, we only perform this triage process on systems without critical data and almost always non-networked virtual machines. In general, you should take the same approach with all major anti-virus engines as they all have had numerous exploitable bugs reported in them.

Analysis on Windows systems / Shared VM folders

If you perform this triage process on native Windows systems with AV installed or write your output files to a virtual machine shared folder where the host has AV installed, then it is very likely that the host AV will delete/quarantine any malicious files that you extract. This can cause you to miss infections as, by the time you get to run clamscan, the host AV has already deleted the files, which will prevent clamscan from alerting them to you.

What about dumpfiles?

An experienced Volatility user may be wondering why we did not include dumpfiles into this triage process as dumpfiles can reconstruct cached files, including executables, directly from memory. The answer is that you can certainly include dumpfiles-based extraction into your triage process ---- but be aware of a few points first:

• This can make your output folder quite large
• One of the caches that dumpfiles examines contains a file contents as they appear on disk. This means that you will likely be scanning over packed files instead of the unpacked versions from memory
• dumpfiles can be considerably slower than the three plugins listed

This doesn't mean that you should always avoid dumpfiles, but instead just be cautious of its drawbacks in this particular situation.

Linux & OS X 

This same process can be accomplished with the Linux and OS X counterpart plugins to the plugins used against the Windows stuxnet sample. Please see the official Volatility Cheat Sheet (or the Art of Memory Forensics) for information on these plugins.

Conclusion

Hopefully this blog post has shown you a method that you can bring to your organization and immediately start triaging memory samples. If you have any questions on this process or the post itself, then please feel free to reach out - andrew @@@ AT @@@@ dfir.org  - PGP or through Twitter - @attrc - @volatility.

Windows Malware and Memory Forensics Training coming to NYC, Amsterdam, and Reston!

We're excited to announce the dates and locations for three new public offerings of Windows Malware and Memory Forensics Training by The Volatility Project.

The following courses are now open for registration:

• June 27th - July 1st in NYC

• August 29th - September 2nd in Amsterdam

• October 3rd - 7th in Reston/Herndon, VA

You can request an invite through our web form or contact us via voltraining @ memoryanalysis [dot] net (pgp). All three of these locations have sold out early in the past, so please contact us ASAP if you wish to attend.

Also, students in our recent Reston course wanted to share some of their feedback with you:

I thought I understood Windows internals until I attended this course. Attend if at all possible! Troy A. (Malware Analyst)

Thanks for a great training. Its one of the best (if not the best) I've been to.  Billy M. 

The course is put together in a way that all skill levels and experience will get valuable information.  Jeremy S. (Senior Research Analyst)

It is one of the greatest forensics classes I ever attended.  Ali K. (IT Security Consultant)

We look forward to meeting all the talented analysis and investigators that attend our classes!

Results from the 2015 Volatility Plugin Contest are in!

The competition this year was fierce! We received 12 plugins to the contest. Similar to last year, ranking the submissions was one of the hardest things we’ve had to do. Each plugin is unique in its own way and introduces a capability to open source memory forensics that didn’t previously exist. Although a few people will receive prizes for their work, the real winners in this contest are the practitioners and investigators in the community that perform memory forensics. 

Needless to say, we're very proud of everyone who submitted to the contest. 

Here are this year’s rankings:

1. Fred House, Andrew Davis, and Claudiu Teodorescu for the shimcachemem plugin. 
2. James Habben for the Evolve web interface to Volatility. 
3. Philip Huppert for the VM migration address space. 
4. Ying Li for the linux python strings and SSH agent plugins. 
5. Adam Bridge for the NDIS packet scanning plugin. 

Here is a detailed summary of the submissions. If you have feedback for the authors, we're sure they'd love to hear your thoughts.

1st: Shimcache Memory Scan 

This plugin by FireEye and Mandiant researchers Fred House, Andrew Davis, and Claudiu Teodorescu parses the Windows Application Compatibility Database (aka, ShimCache) from the module or process memory that contain the database. In the authors' own words:

Shim cache is a highly valuable forensic artifact used to identify evidence of file execution. In addition to recording potential file executions, the cache is ordered, meaning that an analyst can identify other files that may have executed before or after a file of interest.

Most forensic tools that parse the shim cache rely on the cache stored in the Windows registry. The cache in the registry is only updated when a system is shutdown so this approach has the disadvantage of only parsing cache entries since the last shutdown. On systems that are not rebooted regularly (e.g., production servers) an analyst must either use out-of-date shim cache data or request a system reboot.

This plugin parses the shim cache directly from the module or process containing the cache, thereby providing analysts access to the most up-to-date cache. The plugin supports Windows XP SP2 through Windows 2012 R2 on both 32 and 64 bit architectures.

Fred's Twitter: @0xF2EDCA5A

Claudiu's Twitter: @cteo13

FireEye's blog post: https://www.fireeye.com/blog/threat-research/2015/10/shim_shady_live_inv.html

Shimcachemem Submission: https://github.com/volatilityfoundation/community/tree/master/ShimcacheMemory

2nd: James Habben: Evolve Web Interface

This submission provides a web interface to Volatility built with AJAX, jQuery, and JSON. It allows the user to run several plugins at once and leverage the power of multi-processing. It shows the plugins' status and places the completed plugins near the top for easy access. The output is easily searchable given its sqlite3 backend and there is a "morph" option as well for highlighting interesting artifacts. In fact, users can create their own morphs using a plugin-based template system. Existing morphs include associating country codes with IP addresses and marking filenames that do not match the NSRL list. 

James' Submission: https://github.com/JamesHabben/evolve

James' Twitter: @JamesHabben
James' GitHub: https://github.com/jameshabben
Evolve Videos: https://youtu.be/55G2oGPQHF8 and https://youtu.be/mqMuQQowqM

3rd: Philip Huppert: VM Live Migration 

This submission includes an address space plugin for accessing memory samples found in network data captured during a VMotion live migration. In particular, it currently supports analysis of samples collected during VMotion migrations between ESXi hosts. This allows an analyst to access the entire runtime state of a virtual machine as it is being transferred between two physical hosts over the network. This has a number of valuable applications toward virtual machine introspection and forensics investigations of cloud environments. 

Philip's plugin represents interesting implications toward VM's that migrate between different cloud providers or countries. Wireshark has the capability to analyze the traffic protocols but not the payload of the traffic, so this is a new and exciting capability for both forensic researchers and offensive security analysts. 

Philip's Submission: https://github.com/volatilityfoundation/community/tree/master/PhilipHuppert

Philip's Twitter: @oilheap

Philip's GitHub: https://github.com/Phaeilo

4th: Ying Li: Python Strings and SSH Keys 

This submission includes a collection of plugins for analyzing memory samples acquired from 64-bit Linux systems. The plugins were initially presented at PyCon 2015. The first plugin in the submission, linux_python_strings, extracts memory resident Python strings from the heap of Python processes. This is accomplished by scanning the heap for Python string objects. The advantage of this approach is that we are able to leverage context that the interpreter has about the particular string and how it is being used. The author also includes a plugin for extracting strings stored in Python dictionaries. The context provided by this plugin could allow an analyst to determine which strings were associated as key-value pairs. The final plugin, linux_ssh_keys, will extract RSA keys from the heap of ssh-agent processes. These keys could be useful when investigating lateral movement or performing an investigation of a suspected person's machine.  

Ying's plugins continue the trend of moving further up the analysis stack into the application to extract more memory resident context. As for RSA keys, extracting crypto artifacts is always interesting. To date, we haven't seen anyone extract the RSA keys from ssh-agents with Volatility. Additionally, Ying created an automated test harness for generating memory samples, which we thought was particularly useful. 

Ying's Submission: https://github.com/volatilityfoundation/community/tree/master/YingLi

Ying's Twitter: @cyli
Ying's GitHub: https://github.com/cyli
Ying's PyCon 2015 Talk: https://www.youtube.com/watch?v=tMKXcc2-xO8

5th: Adam Bridge: NDIS Packet Scan 

This submission carves packets and ethernet frames from NDIS shared memory sections (regions of RAM shared between the OS and DMA NIC). Although tools exist to scan an arbitrary binary file for packets, the extra context that Adam's plugin provides is extremely valuable. For example, the methodology is far less likely to produce false positives or report fake/decoy packets. In addition to outputting text and pcap formatted results, the plugin also decodes NetBIOS names found in DNS traffic and extracts slack space between packet payloads that other tools may miss. This research represents the beginning of a very exciting realm of future plugins that focus on NDIS private data structures including data waiting in sent/received buffers. 

Adam's Submission: https://github.com/volatilityfoundation/community/tree/master/AdamBridge

Adam's Twitter: @bridgeythegeek
Adam's GitHub: https://github.com/bridgeythegeek

The following submissions appear in the order they were received. As previously mentioned, everyone succeeded in solving a specific problem that they (and undoubtedly others) faced. For this, they deserve huge props. We look forward to seeing future work by these authors!

Joe Greenwood: Hacking Team RCS Attribution  

This plugin searches a memory dump for evidence of the Hacking Team Galileo Remote Control System (RCS), and attempts to attribute the infection to particular Hacking Team client. One of our favorite aspects of this plugin is that it detects RCS based on its predictable named shared memory sections, a creative alternative to scanning for the typical byte signatures and mutexes. Its also a really nice touch to provide the extra attribution context via the watermark lookups. 

Joe's Submission: https://github.com/volatilityfoundation/community/tree/master/JoeGreenwood

Joe's Twitter: @SeawolfRN
Joe's (4ARMED) GitHub: https://github.com/4ARMED
Joe's Blog: https://www.4armed.com/blog/memory-forensics-detecting-galileo-rcs-windows/

Alexander Tarasenko: Pykd/Windbg Address Space

This submission lets you integrate Volatility into Windbg through Pykd. You're then able to query for addresses of critical data structures, functions, and other variables using the debugging APIs. Additionally, you can connect Volatility to a running Windows system in debugging mode and run Volatility plugins against the live system, which particularly comes in handy for malware/rootkit analysis (not necessarily IR/forensics). 

The author of this address space also mentioned a new project named Karmadbg (see the link below) which is a GUI intended for development of new debugging and memory analysis scripts. Check it out! Unfortunately, documentation in English is not yet available. 

Alexander's Submission: https://github.com/volatilityfoundation/community/tree/master/AlexanderTarasenko

Pykd's Twitter: @pykd and @pykd_dev
Pykd's Website: https://pykd.codeplex.com
Karmadbg's Website: https://karmadbg.codeplex.com

Loïc Jaquemet: Haystack 

These plugins are an interface between the Volatility framework and the haystack framework. While Volatility establishes a forensic framework to analyse a system's RAM, the haystack framework is intended to analyse a process's RAM, allowing an analyst to search for defined structures in a process's memory. You can build structure definitions from known/public C header files or with Python's ctypes library (based on undocumented or reverse engineered data structures) and then plug them into this framework to scan across process heaps, all process memory allocations, etc. The author provided examples of constraints that can find openssl cipher contexts, session keys, and passphrases, but its surely not limited to those types of data. Give it a shot and see what you can find! 

Loïc's Submission: https://github.com/volatilityfoundation/community/tree/master/Lo%C3%AFcJaquemet

Loïc's Twitter: @trolldbois
Loïc's GitHub: https://github.com/trolldbois

The python-haystack module: https://github.com/trolldbois/python-haystack

May Medhat (et. al.): GVol Tool

This tool by EG-CERT researchers May Medhat and Mohamad Shawkey provides a (thick) GUI front end for Volatility written in Java. It lets you run preconfigured batch scripts against a memory dump with just a couple mouse clicks or you can customize your own batch scripts. You can choose from categories such as Rootkits, Kernel Artifacts, Networking, etc. and they link up with Volatility plugins in the backend. We imagine this tool will be very handy for analysts who are not comfortable on the command line or with Volatility usage in general. Additionally, for those who are seasoned Volatility users, this tool can reduce the amount of time you spend typing commands before you actually dive into the details of your case. 

May's GitHub: https://github.com/May-Medhat
Mohomad's GitHub: https://github.com/m-shawkey

GVol User Guide: https://github.com/eg-cert/GVol/blob/master/docs/GVol-User%20Guide.pdf

EG-CERT's GitHub: https://github.com/eg-cert/GVol

Monnappa Ka: Linux Memory Diff 

This plugin uses the Volatility advanced memory forensics framework to run various plugins against a clean and infected Linux memory image and reports the changes. Many times while doing memory analysis (or malware analysis) an analyst is presented with an abundance of data and the analyst has to manually find the malicious artifacts from that data which takes time and effort. This tool helps in solving that problem by comparing the results between the clean and infected memory images. This tool helps speed up analysis, reduce manual effort and allows you to focus on the relevant data.

Monnappa's Submission: https://github.com/volatilityfoundation/community/tree/master/MonnappaKa

Monnappa's Twitter: @monnappa22
Monnappa's GitHub: https://github.com/monnappa22
Monnappa's Blog: http://malware-unplugged.blogspot.com

Bart Inglot: Scheduled Task and Job Scanners 

This plugin scans for job files and prints out their information. It's useful from a DFIR perspective, since job files are often used by attackers in order to run programs with SYSTEM privileges, run at scheduled moments, or to move laterally within a network. Aside from the job plugin for Volatility, adapted from Jamie Levy's jobparser.py (http://gleeda.blogspot.com/2012/09/job-file-parser.html) Bart also has written standalone carvers for jobs and scheduled tasks that work against memory samples, disk images, and other binary files. 

Bart's Submission: https://github.com/volatilityfoundation/community/tree/master/BartoszInglot

Bart's Twitter: @BartInglot
Bart's GitHub: https://github.com/binglot
Bart's Blog: http://passionateaboutis.blogspot.com

Volatility Updates Summer 2015

Summer 2015 has been quite a busy time for the memory forensics community. We wanted to write a quick update to talk about some recent events and research as well as upcoming news.

Conferences

Black Hat Vegas 2015

We wanted to again thank everyone who came out and supported us during Black Hat. Between our Arsenal demo, book signing, and party, we met hundreds of Volatility users and fans. Your support and enthusiasm is greatly appreciated. Come back next year for twice the champagne, twice the suite size, and twice the fun!

HTCIA International Conference (Orlando) 

We're putting on a lab session at HTCIA's International Conference in Orlando next week. You can also stop by the Volexity booth for a chance to win a free seat at any upcoming Windows Malware and Memory Forensics Training course.

Open Source Digital Forensics Conference (OSDFC) 2015

The Volatility team will once again be presenting the latest in memory forensic research at OSDFC 2015. This year we will be focusing on the anti-forensic capabilities of PlugX as well as new Volatility capabilities that can auto-detect them. We will also be discussing the results of the 2015 Volatility Plugin contest. 

OSDFC has a great lineup this year so you should try and attend. We hope to see many Volatility users while we are out there.

Research

A New Paper on OS X Memory Forensics

At DFRWS 2015, Dr. Golden Richard and I published a paper on OS X memory forensics entitled: Advancing OS X Rootkit Detection. The purpose of this paper was to document gaps in existing OS X rootkit detection techniques and then develop new methods, in the form of Volatility plugins, to close these gaps. The plugins introduced in the paper will be committed to GitHub in the coming weeks.

DFRWS had a number of good submissions this year, and we recommend browsing the program for other interesting forensics research.

Volatility vs Hacking Team

The malware used by Hacking Team to control victim's computers is known as Galileo RCS, and in a well done blog post, Joe Greenwood shows how to use Volatility to detect RCS in a number of ways.

RCS now joins a long list (Stuxnet, Careto, Flame, and more) of 'advanced', 'stealthy' malware that immediately falls to inspection by memory forensics.

Volatility at PyCon

At PyCon 2015, Ying Li showed how to use newly developed Volatility capabilities in order to find artifacts of Python scripts that were executing on the system. This was very interesting work, and we suggest watching the video of her talk.

Projects Building on Volatility

VolDiff

VolDiff is a project that compares the results of a number of Volatility plugins against two memory samples and automatically the reports the differences. Compared to manually running and comparing the plugins, this can save a substantial amount of time.

The purpose of VolDiff is to compare in-memory artifacts both before (clean state) and after (post-install state) an application, such as a malware sample, has executed. The new artifacts that appear post-installation can be immediately isolated for further analysis and/or for the creation of highly-effective IOCs.

If you wanted to get started with VolDiff then you should read the author's post on analyzing DarkComet with VolDiff.

Evolve

Evolve is an open source web interface to Volatility. It is under very active development and is constantly having new features added. Consult the README on GitHub for the latest features, and be sure to follow the tool's author on Twitter.

To see Evolve in action, check out a video showing the basic features here and advanced features here.

As much as we love the command line, it is sometimes nice to have a GUI visualize and shuffle data for you!

Plugin Contest

The 2015 Volatility Plugin Contest is underway and accepting submissions until October. The contest is a great way to win cash and other prizes, gain recognition in the community and become more familiar with Volatility and Python. We feature the research submitted to the contest on this blog, during conferences, presentations, and all throughout social media and our mailing lists.

New Volatility Capabilities

Windows 10 Support

While not merged in the official Volatility branch (yet), the Windows 10 branch is currently under active development. Nearly all of the plugins are working at the current time, and we would be very appreciative of any bug reports you may have when testing the branch. Please post any bugs to the GitHub issue tracker. Currently supported functionality includes process and kernel module listing, all pool scanning plugins (files, mutexes, processes, drivers, etc.), handles, DLLs, PE file extraction, process memory (VAD) parsing, service enumeration, cached file extraction, and memory signature scanning with Yara.

OS X 10.10.x Support and New Plugins

Volatility now has official support for OS X 10.10.4 and 10.10.5, which are the latest two versions. We have also tested Volatility on a preview release of 10.11, and it appears that all of the plugins work as expected. We will release an official profile for 10.11 once Apple releases debug kits (we are currently using special custom built profiles).

Volatility also has a new plugin named mac_get_profile. This plugin allows Volatility to auto-detect which profile (OS version) matches the given memory sample. To use this plugin you do NOT need any OS X profiles installed. Instead, you can run a fresh checkout of Volatility, determine the profile by using mac_get_profile, and then download the correct profile from our profiles repository.

To use mac_get_profile, simply pass the path to your memory sample as the -f option and then put mac_get_profile after it:

$ python vol.py -f <path to memory sample> mac_get_profile

Linux

Volatility Linux support has now been tested through kernel version 3.19. As many of the data structures do not change between versions, we expect that most or all of the plugins will work with bleeding edge developments kernels as well. Please file an issue if you encounter any bugs.

Memory Forensic Trainings

Our memory forensics training class in Amsterdam is now SOLD OUT.  We appreciate the support and word of mouth praise from past attendees as well as fans of the project.

Our current course is 5 days of memory forensics and malware analysis training against Windows systems. Full information on the course, as well as upcoming dates and locations, can be found here. If our current set of public offerings does not work for your company then please contact us about conducting a private training at one of your facilities.

Recovering TeamViewer (and other) Credentials from RAM with EditBox

I recently stumbled upon the TeamViewer-dumper-in-CPP project, which shows just how easy it is to recover TeamViewer IDs, passwords, and account information from a running TV instance by enumerating child windows (on a live machine). The method is based on sending a WM_GETTEXT message to the TV GUI controls that contain the credentials. In particular, we're looking for the two fields under the "Allow Remote Control" heading (Your ID: 567 744 114 and Password q16jp7).

The equivalent of TeamViewer-dumper for memory forensics analysts is Adam Bridge's EditBox plugin for Volatility. Adam's submission won 3rd place in last years Volatility Plugin Contest, but I still feel like many people don't realize the full potential of this plugin. While TeamViewer-dumper is specific to TV, the EditBox plugin recovers text from editbox controls for all applications (that depend on Microsoft Common Controls) across all user sessions (local or remote via RDP/VNC), even for "special" editboxes that contain passwords and show up as asterisks on the screen.

Here's an example of the editbox plugin's output when TV is running:

$ python vol.py -f memory.dmp --profile=Win7SP1x64 editbox 
Volatility Foundation Volatility Framework 2.4
41 processes to check.

*******************************************************
Wnd context          : 1\WinSta0\Default
Window title         : -
pointer-to tagWND    : 0xfffff900c062b510 [0x67dc6510]
pid                  : 2524
imageFileName        : TeamViewer.exe
wow64                : Yes
atom_class           : 6.0.7601.17514!Edit
address-of cbwndExtra: 0xfffff900c062b5f8 [0x67dc65f8]
value-of cbwndExtra  : 4 (0x4)
address-of WndExtra  : 0xfffff900c062b638 [0x67dc6638]
value-of WndExtra    : 0x46e0480 [0x67302480]
pointer-to hBuf      : 0x46af000 [0x67e28000]
hWnd                 : 0x10228
parenthWnd           : 0x1020a
nChars               : 6 (0x6)
selStart             : 0 (0x0)
selEnd               : 0 (0x0)
text_md5             : 7a62c5fa901ff86a1562b9c7075674f8
isPwdControl         : No
q16jp7

*******************************************************
Wnd context          : 1\WinSta0\Default
Window title         : -
pointer-to tagWND    : 0xfffff900c062b150 [0x67dc6150]
pid                  : 2524
imageFileName        : TeamViewer.exe
wow64                : Yes
atom_class           : 6.0.7601.17514!Edit
address-of cbwndExtra: 0xfffff900c062b238 [0x67dc6238]
value-of cbwndExtra  : 4 (0x4)
address-of WndExtra  : 0xfffff900c062b278 [0x67dc6278]
value-of WndExtra    : 0x46a0f98 [0x689d7f98]
pointer-to hBuf      : 0x46bf390 [0x6769d390]
hWnd                 : 0x10224
parenthWnd           : 0x1020a
nChars               : 11 (0xb)
selStart             : 0 (0x0)
selEnd               : 0 (0x0)
text_md5             : b45dfe635940d5490276a5ae41e1422f
isPwdControl         : No
567 744 114

*******************************************************
Wnd context          : 1\WinSta0\Default
Window title         : -
pointer-to tagWND    : 0xfffff900c0631a50 [0x552cea50]
pid                  : 2524
imageFileName        : TeamViewer.exe
wow64                : Yes
atom_class           : 6.0.7601.17514!Edit
address-of cbwndExtra: 0xfffff900c0631b38 [0x552ceb38]
value-of cbwndExtra  : 4 (0x4)
address-of WndExtra  : 0xfffff900c0631b78 [0x552ceb78]
value-of WndExtra    : 0x4781678 [0x6648b678]
pointer-to hBuf      : 0x46fac80 [0x68493c80]
hWnd                 : 0x801aa
parenthWnd           : 0x70186
nChars               : 15 (0xf)
selStart             : 0 (0x0)
selEnd               : 0 (0x0)
text_md5             : 2cbe388f82d11af92a8d4950e24db799
isPwdControl         : No
WIN-948O8I1DO91

[snip]

As you can see, the ID, password, computer name, and various other fields are recovered. This is a powerful way to reconstruct the state of the user interface from memory. Although technically you could also find the values by brute force string scanning in process memory, but there's no need to brute force when you can use a structured, focused approach. Kudos to Adam for creating such a useful extension to last year's plugin contest.

Volshell Quickie: The Case of the Missing Unicode Characters

The other day someone reached out to me because they had a case that involved files with Arabic names.  Unfortunately the filenames were only question marks when using filescan or handles, so I set out to figure out why.

In order to figure out why, I created a few files with Hebrew names (which I can read and write, so I can verify if it is correct) and Arabic names (which was just me tapping on the keyboard, so they don't say anything). After creating them, I interacted with them to make sure they'd show up in filescan. Below you can see the filescan results:

[snip]
$ python vol.py -f Win7x86.vmem --profile=Win7SP1x86 filescan
0x000000003d7008d0     16      0 RW-rw-
\Device\HarddiskVolume2\Users\user\Desktop\????.txt
0x000000003ddfef20     18      1 RW-r--
\Device\HarddiskVolume2\Windows\Tasks\SCHEDLGU.TXT
0x000000003def9340     16      0 RW-r--
\Device\HarddiskVolume2\Users\user\Desktop\????????????????????.txt
[snip]

In order to understand how the filename is output, you can look at the code in filescan:

        for file in data:
            header = file.get_object_header()
            self.table_row(outfd,
                         file.obj_offset,
                         header.PointerCount,
                         header.HandleCount,
                         file.access_string(),
                         str(file.file_name_with_device() or ''))

The function file_name_with_device() is defined in volatility/plugins/overlays/windows/windows.py and the relevant part is highlighted in red:

class _FILE_OBJECT(obj.CType, ExecutiveObjectMixin):
    """Class for file objects"""

    def file_name_with_device(self):
        """Return the name of the file, prefixed with the name
        of the device object to which the file belongs"""
        name = "" 
        if self.DeviceObject:
            object_hdr = obj.Object("_OBJECT_HEADER",
                            self.DeviceObject - self.obj_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body"),
                            self.obj_native_vm)
            if object_hdr:
                name = "\\Device\\{0}".format(str(object_hdr.NameInfo.Name or '')) 
        if self.FileName:
            name += str(self.FileName)
        return name 

So we can take a look at this in volshell:

  1 $ python vol.py -f Win7x86.vmem --profile=Win7SP1x86 volshell
  2 [snip]
  3 >>> file = obj.Object("_FILE_OBJECT", offset = 0x000000003d7008d0, vm = addrspace().base, native_vm = addrspace())
  4 >>> print file.FileName
  5 \Users\user\Desktop\????.txt
  6
  7 >>> file2 = obj.Object("_FILE_OBJECT", offset = 0x000000003def9340, vm = addrspace().base, native_vm = addrspace())
  8 >>> print file2.FileName
  9 \Users\user\Desktop\????????????????????.txt

On line 3 we create a _FILE_OBJECT object. We know the offset where this object resides (0x000000003d7008d0) from filescan. Since this object was obtained from the physical address space, we specify this by setting vm to addrspace().base, or the physical layer, since this is a raw memory sample. Since the _FILE_OBJECT's native address space is virtual, we specify this as well: native_vm = addrspace(). At this point we have instantiated a _FILE_OBJECT in a variable called "file". We then print out the FileName member on line 5 and see its output on line 6. We follow the same process for the second file, except we save the object as "file2". As you can see, the output is not very helpful. So now we need to know what type of member, FileName is. In order to accomplish this, we need to look at the vtypes in the volatility/plugins/overlays/windows/win7_sp1_x86_vtypes.py file:

  '_FILE_OBJECT' : [ 0x80, {
    'Type' : [ 0x0, ['short']],
[snip]
    'FileName' : [ 0x30, ['_UNICODE_STRING']],
[snip]

We have some functionality added to this type in volatility/plugins/overlays/windows/windows.py:

class _UNICODE_STRING(obj.CType):
    [snip]
    def v(self):
        """  
        If the claimed length of the string is acceptable, return a unicode string.
        Otherwise, return a NoneObject.
        """
        data = self.dereference()
        if data:
            return unicode(data)
        return data 

    def dereference(self):
        length = self.Length.v()
        if length > 0 and length <= 1024:
            data = self.Buffer.dereference_as('String', encoding = 'utf16', length = length)
            return data
        else:
            return obj.NoneObject("Buffer length {0} for _UNICODE_STRING not within bounds".format(length))

    [snip]

    def __format__(self, formatspec):
        return format(self.v(), formatspec)

    def __str__(self):
        return str(self.dereference())
    
    [snip]

We know that the file_name_with_device() function uses str() in order to transform the _UNICODE_STRING into something readable and if we look at the overridden __str__() operator in the above code, we see that it uses the dereference() function. The dereference() function never casts the data as unicode, however, so the data is printed incorrectly. If we look at the above v() function, we see that there is a call to dereference() and that the resulting data is case as unicode, so let's see if we get valid data back by calling that function instead:

>>> print file.FileName.v()
\Users\user\Desktop\שלום.txt

>>> print file2.FileName.v()
\Users\user\Desktop\تهحححتهحححتهحححتهححح.txt

Success! So let's modify the __str__() operator to use v() instead and see if that fixes filescan:

[snip]
    def __str__(self):
        return str(self.v())
[snip]

Now let's examine the filescan data:

0x000000003d7008d0     16      0 RW-rw-
\Device\HarddiskVolume2\Users\user\Desktop\שלום.txt
0x000000003ddfef20     18      1 RW-r--
\Device\HarddiskVolume2\Windows\Tasks\SCHEDLGU.TXT
0x000000003def9340     16      0 RW-r--
\Device\HarddiskVolume2\Users\user\Desktop\تهحححتهحححتهحححتهححح.txt

Success! Just to make dually sure, I then created a user with a Hebrew name: גלידה, and created some files with Hebrew characters as well. If we look back to the file_name_with_device() function, you'll see that the complete file path is populated by using the NameInfo optional header (name = "\\Device\\{0}".format(str(object_hdr.NameInfo.Name or ''))). If you look in the volatility/plugins/overlays/windows/win7.py file, you'll see the following definition:

class _OBJECT_HEADER(windows._OBJECT_HEADER):
    [snip]
    optional_header_mask = (('CreatorInfo', '_OBJECT_HEADER_CREATOR_INFO', 0x01),
                            ('NameInfo', '_OBJECT_HEADER_NAME_INFO', 0x02),
                            ('HandleInfo', '_OBJECT_HEADER_HANDLE_INFO', 0x04),
                            ('QuotaInfo', '_OBJECT_HEADER_QUOTA_INFO', 0x08),
                            ('ProcessInfo', '_OBJECT_HEADER_PROCESS_INFO', 0x10))

Announcing the 2014 Volatility Plugin Contest Results!

The competition this year was fierce! We received a total of nearly 30 plugins to the contest. Ranking the submissions was one of the hardest things we’ve had to do. Each plugin is unique in its own way and introduces a capability to open source memory forensics that didn’t previously exist. Although a few people will receive prizes for their work, the real winners in this contest are the practitioners and investigators in the community that perform memory forensics. We’re talking about the federal government who used Volatility on some of the nation’s most prominent cases and the law enforcement groups that used it as the primary tool to force a child pornographer into a guilty plea (see you in about 10 years, wish it were more!). We’re talking about Det. Michael Chaves who used memory forensics to help crack a case involving POS breaches that lead to losses of over $100K. We’re talking about all the analysts who rely on open source forensics to identify and track malicious code and threat actors in their networks and those of their clients. 

Needless to say, we're very proud of everyone who submitted to the contest. Also a huge thanks goes out to Facebook for doubling the contest's cash prizes and supporting the research and development  of open source memory forensics. 

Here are this year’s rankings:

1. Dave Lasalle wins first place and his choice of $2500 or free training. Dave submitted 14 plugins for recovering Firefox and Chrome activity (history, search terms, cookies, downloads) from memory, carving Java IDX files, and using fuzzy hashing to whitelist injected code and API hooks. 
2. Curtis Carmony wins second place and $1250 for his plugin to extract dm-crypt disk encryption keys from Linux (and potentially Android) memory dumps.
3. Adam Bridge wins third place and $750 with editbox – a plugin to recover the text within edit controls of GUI applications on Windows (including but not limited to notepad contents, username and password fields, browser URL and search forms, etc). 
4. Thomas Chopitea wins fourth place for his autoruns plugin that enumerates automatically starting applications on Windows systems – a common first step in many different types of investigations.
5. Takahiro Haruyama wins fifth place with openioc_scan, a plugin that combines the flexibility of the IOC language with the power of Volatility to give analyst’s quick and easy malware triage capabilities.

---

Here is a detailed summary of the submissions. We've included a link to the respective submissions on the Volatility Foundation website for archive purposes, however we recommend getting the code from the author's own GitHub repositories if that option exists. If you have feedback for the authors, we're sure they'd love to hear your thoughts.

(1st) Dave Lasalle: Forensic Suite

Dave’s 14 plugins are immediately useful for various different scenarios, from tracking user activity to parsing special file formats and whitelisting injected code and API hooks.

Previously, if you needed to inspect a suspect or victim’s browsing activity from memory in a structured manner (i.e. not brute forcing with regular expressions), you were limited to the iehistory (Internet Explorer) plugin. Now you can do the same, and more, for Firefox and Chrome. The two browsers use sqlite3 databases, but due to several reasons (including paging), you’re not likely to succeed in carving complete sqlite3 files from memory. Dave’s plugins leverage his sqlite3 memory API, which handles missing chunks of database files gracefully.

Dave’s Twitter: @superponible
Dave’s GitHub: https://github.com/superponible/volatility-plugins
Dave's Blog: http://blog.superponible.com
Dave’s Submission: http://downloads.volatilityfoundation.org/contest/2014/DaveLasalle_ForensicSuite.zip

Most wanted follow up(s): A plugin to extract the most recent Internet Explorer history records.  Porting Firefox and Chrome plugins to Linux and Mac memory dumps. 

(2nd) Curtis Carmony: Dmcrypt

The dm_dump plugin brings an exciting new capability to open source memory forensics. In his own words, “given a memory dump from a Linux system using full disk encryption and access to the disk, the output of this plugin gives you the arguments to pass to the dmsetup command to remount the original unencrypted file system on a different machine.” In addition, Curtis provided support for Linux kernels 3.0 to 3.14 and instructions on how to extend Volatility’s profile generation mechanism for future systems.

A unique aspect of this plugin is that the data it recovers can only be found in RAM. As such, it accomplishes something that no form of disk or network forensics can do and it really showcases the power of memory forensics. Similar to the existing truecrypt plugins, the dm_dump plugin works by traversing the internal data structures used by device-mapper to keep track of its devices. Thus it pinpoints the data in memory without scanning for constants or patterns in key schedules.

Curtis’ GitHub: https://github.com/c1fe/dm_dump
Curtis’ Submission: http://downloads.volatilityfoundation.org/contest/2014/CurtisCarmony_DmCrypt.zip

Most wanted follow up(s): Testing the methodology on Android disk encryption. 

(3rd) Adam Bridge: Editbox

Adam’s submission provides powerful new capabilities for tracking suspect user activity. It recovers text from EditBox controls in the GUI subsystem, with experimental support of ComboBox and ListBox. As a result, it can extract the following data types:

• Notepad window.
• Run dialog.
• Username and server name fields of Remote Desktop Connection.
• Address bar and search bar of Internet Explorer.
• Search bar of Windows Media Player.
• Username field of Create New Account wizard.
• Password of Change Password dialog.

In general, it is effective on any applications that leverage Microsoft's Common Control APIs. This plugin is particularly interesting, because the data it recovers is not available anywhere besides RAM. On a multi-user system, there would be no way to collect the data this plugin enumerates without logging into each account and taking a screen shot.

Adam’s Twitter: @bridgeythegeek
Adam’s Submission: http://downloads.volatilityfoundation.org/contest/2014/AdamBridge_Editbox.zip

Most wanted follow up(s): Integration of edit box labels into the screenshot plugin.

(4th) Thomas Chopitea: Autoruns

In Thomas' own words, "Finding persistence points (also called "Auto-Start Extensibility Points", or ASEPs) is a recurring task of any investigation potentially involving malware." The plugin currently covers several of the most common registry locations, including services, appinit DLLs, winlogin notification packages, and scheduled tasks. After finding ASEPs, the plugin matches them with running processes in memory.

Thomas’ Twitter: @tomchop
Thomas’ GitHub: https://github.com/tomchop/volatility-autoruns
Thomas’ Blog: http://tomchop.me/volatility-autoruns-plugin/
Thomas’ Submission: http://downloads.volatilityfoundation.org/contest/2014/ThomasChopitea_Autoruns.zip

Most wanted follow up(s): Adding Linux and Mac support.

(5th) Takahiro Haruyama: OpenIOC Scan

This plugin combines the flexibility of the IOC language with the power of Volatility to give analyst’s quick and easy malware triage capabilities. Takahiro solved several problems that he (and most certainly other analysts) faced when using the existing tools, such as ability to automate the tasks outside of a GUI and scan for terms with regular expressions and case sensitivity. Takahiro’s blog (below) shows several practical examples of quickly finding malicious code in memory. We’re really excited for investigators to start taking advantage of Takahiro’s work.

Takahiro’s Twitter: @cci_forensics
Takahiro’s Blog: https://takahiroharuyama.github.io/blog/2014/08/15/fast-malware-triage-using-openioc-scan-volatility-plugin/
Takahiro’s Submission: http://downloads.volatilityfoundation.org/contest/2014/TakahiroHaruyama_OpenIOC.zip

Most wanted follow up(s): A repository of memory related indicators. Also for performance reasons, using the Registry API to scan for keys, values, etc.

---

The following submissions appear in the order they were received. As previously mentioned, everyone succeeded in solving a specific problem that they (and undoubtedly others) faced. For this, they deserve huge props. We look forward to seeing future work by these authors!

Monnappa KA: Gh0stRat Decryption  

Monnappa’s plugin focuses on detecting and analyzing Gh0stRat in memory. In his own words, “Gh0stRat is a RAT (Remote Access Trojan) used in many APT/targeted attacks. This plugin detects the encrypted Gh0stRat communication, decrypts it and also automatically identifies the malicious Gh0stRat process, its associated network connections and the loaded DLL's. This can help the digital forensic investigators and incident responders to quickly narrow down on the Gh0stRat artifacts without having to spend time on the manual investigation.”

Although a chopshop module exists for decrypting Gh0stRat communications in packet captures, Monnappa’s Volatility plugin aims to solve several specific problems that analysts may regularly face, including the absence of a full packet capture from the victim machine and needing to trace connections in the pcap back to the suspect process or DLL.

Monnappa’s Twitter: @monnappa22
Monnappa’s Submission: http://downloads.volatilityfoundation.org/contest/2014/MonnappaKa_Gh0stRat.zip

Most wanted follow up(s): Continued research into other malware families.

Jamaal Speights: MsDecompress

The msdecompress plugin by Jamaal Speights has high potential. It allows investigators to find and extract data compressed with the LZNT1 algorithm (Xpress and XpressH coming soon) from memory dumps and it reports the process in which the data was found. The RtlDecompressBuffer API is heavily used by malware authors to pack their code and minimize the size of command and control traffic before sending it across the network. Many kernel components and popular applications also use this compression algorithm, and we look forward to hearing about all the types of forensic evidence that can be uncovered using this plugin.

Jamaal’s Twitter: @jamaalspeights
Jamaal’s Blog: http://jamaaldev.blogspot.com/2014/10/vol-msdecompress.html
Jamaal’s Code: https://code.google.com/p/jamaal-re-tools/ 
Jamaal’s Submission: http://downloads.volatilityfoundation.org/contest/2014/JamaalSpeights_MsDecompress.zip

Most wanted follow up(s): An analysis of the different types of compressed data frequently found in memory.

Cem Gurkok: Mac Rootkit and Bitcoin

Cem submitted a total of four plugins: two for detection of rootkit hooks in Mac OSX memory, one for in-depth investigation of Mac OSX threads, and one for finding bitcoin private keys and addresses.

• mac_bitcoin allows for recovery of bitcoin keys and addresses. This can greatly help investigators that need to determine which transactions and activity a particular user was involved with. Due to the nature of bitcoin, this activity can be very well hidden within the network and only examination of a user’s system can put the pieces back together
• The mac_check_call_reference plugin is used to check for modified call instructions in the kernel. This can catch a wide array of rootkits that directly modify control flow in order to manipulate the system.
• The mac_threads plugin is able to enumerate threads of each running Mac task. The examination of thread state can lead to determination of which portions of code a thread was using and which operations it performed. This capability had been missing from Volatility’s Mac support while being supported by the Windows and Linux side in the last two releases.
• mac_check_shadow_trustedbsd enables the detection of rootkits that modify a reference to the TrustedBSD policy list. Such a modification can allow a rootkit to add, modify, and delete system activity returned to other kernel components and user land tools that rely on TrustedBSD for a set of system state.

Cem’s Twitter: @CGurkok
Cem’s GitHub: https://github.com/siliconblade/volatility
Cem’s Blog: http://siliconblade.blogspot.com/
Cem’s Submission: http://downloads.volatilityfoundation.org/contest/2014/CemGurkok_MacPlugins.zip and http://downloads.volatilityfoundation.org/contest/2014/CemGurkok_BitCoins.zip

Most wanted follow up(s): Support for bitcoin addresses found in any process (not just Multibit) on any memory dump (Windows, Linux, Mac) and also in free/deallocated memory.

Csaba Barta: Malware Analysis 

The plugins in this submission are focused on helping analysts perform malware investigations and malware research.  The first set of plugins highlight the differences between an infected memory sample and its baseline image.  This can help an analyst quickly determine the types of changes the malware has made to the system.   The current plugins focus on four important components of the operating system: processes,  DLLs, services, and drivers.  The final plugin, malprocfind, attempts to codify the rules an investigator may use to look for suspicious artifacts on a system.   The plugins help automate common analysis techniques used by analysts during malware investigations.

Csaba’s GitHub: https://github.com/csababarta/volatility_plugins
Csaba’s Submission: http://downloads.volatilityfoundation.org/contest/2014/CsabaBarta_MalwarePlugins.zip

Most wanted follow up(s): Further extension of the baseline artifacts and malprocfind rules.

Philip Huppert: OpenVPN 

Philip’s submission is the result of his University paper “Extracting private information of virtual machines using VM introspection.” In the paper, Philip described how to recover openvpn 2.x.x usernames and passwords entered by the user in addition to the password required for unlocking the private key. The submission also includes a plugin to extract base64/PEM encoded RSA private keys from memory.

The openvpn plugin is effective against any memory dump format (not just live VM memory using libvmi). Philip also did a really nice job of narrowing the search space for finding the usernames and passwords. He isolates the .data and .bss segments of openvpn.exe and looks for signs of a specific data structure (named “user_pass”).

Philip’s GitHub: https://github.com/Phaeilo/vol-openvpn
Philip’s Submission: http://downloads.volatilityfoundation.org/contest/2014/PhilipHuppert_OpenVPN.zip

Most wanted follow up(s): A summary of the steps for decrypting an openvpn session from a packet capture, given the private key.  Also the ability to scan for the data structures in physical space (for example if the openvpn.exe process is no longer running).

Wyatt Roersma: Hyper-V Tools

Wyatt’s plugins will extract Hyper-V artifacts from a host system’s memory.  The first plugin hpv_vmconnect is used to extract information about which users were accessing virtual machines using the virtual connect console. The second plugin, hpv_vmwp, is used to map each virtual machine to its associated process on the host and extract temporal information about when the machine was started last. The final plugin hpv_clipboard is used to extract memory resident Hyper-V clipboard and hotkey artifacts. The plugins provide some insights into the types of artifacts that can be extracted from Hyper-V host memory and set the stage for future research.

Wyatt’s Twitter: @WyattRoersma
Wyatt’s Blog: http://www.wyattroersma.com/?p=131
Wyatt’s GitHub: https://github.com/wroersma/volplugins
Wyatt’s Submission: http://downloads.volatilityfoundation.org/contest/2014/WyattRoersma_HyperV.zip

Most wanted follow up(s): Further research into other Hyper-V artifacts and conversion tools.