I have several speaking and training events that are coming up this year that may be of interest to others in the community:
I will be speaking at the New York Banker's Association's upcoming Annual Technology, Compliance & Risk Management Forum on May 16th, 2013 on the topic of Incident Response and Digital Forensics. If you plan to attend I'll see you there!
Also we (Volatility) are holding our third run of Windows Malware and Memory Forensics in Reston, VA from Monday June 10th through Friday, June 14th 2013. This training will not disappoint even the most proficient of forensic/malware analysts. It includes real-world scenarios that are reinforced with hands-on labs. All students will leave with skills and confidence to conduct investigations involving RAM samples from acquisition to the final report. Students also leave with more than just being Volatility power users, they leave with a deeper knowledge of memory forensics and malware analysis methodologies. Such knowledge is integral regardless of what tools you choose for future investigations, be they open source or commercial, and much more powerful than simply "run this tool, the output is colored red so it's bad". You'll leave the class with knowledge that will help you to figure out if something really is "bad" or not. There are still a few seats left for this training, so if you are interested you should register soon. Send an email to voltraining [at] memoryanalysis.net for registration information.
If you are looking for a course that covers both disk and memory forensics, Andrew Case and I will teach our course in Digital Forensics and Incident Response again this summer at Black Hat Vegas. This course runs from July 27th through July 30th 2013 and will cover enough material to take someone from knowing practically nothing about digital forensics to a point where s/he can comfortably conduct his/her own investigations.
Also we (Volatility) will hold another run of Windows Malware and Memory Forensics in the Netherlands from Monday September 9th through Friday, September 13th 2013. Details will appear soon on the Volatility Labs blog.
Planning for the Open Memory Forensics Workshop (OMFW) is in progress. You should plan to attend if you want to know what's new and hot in the memory forensics space. OMFW is likely to take place on November 4th, 2013 one day prior to the Sleuth Kit and Open Source Digital Forensics Conference. Final details will appear soon on the Volatility Labs blog.
Friday, April 19, 2013
Monday, January 14, 2013
Windows Malware and Memory Forensics Training in The Windy City!
Cross posted from the Volatility Labs Blog:
The next journey to the center of Windows Memory Forensics starts in Chicago this March!
We are pleased to announce the second public offering of the Windows Malware and Memory Forensics Training by The Volatility Project. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework's extensive set of plugins. Now you can learn about these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool.
Appraisal from your peers who attended the first course this past December:
Please see the following details about the upcoming training event:
Dates: Monday, March 18th through Friday, March 22nd 2013
Location: Downtown Chicago, IL (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda)
For more information about the course, view the Volatility Training Flyer (to download a copy of the PDF, click File > Download). To request a link to the online registration site or to receive a detailed course agenda/outline, please send an email voltraining [at] memoryanalysis.net.
The 1st Annual Volatility Framework Plugin Contest
Cross posted from the Volatility Labs Blog:
We are pleased to announce the 1st Annual Volatility Plugin Contest. This contest is inspired and modeled after the Hex-Rays Plugin Contest. As in the case of IDA, Volatility was designed with the belief that talented analysts should only be limited by their creativity not the tools they use. In this spirit, Volatility has a flexible architecture that can be extended in numerous ways: analysis plugins (operating system plugins, application plugins, etc), volshell commands, address spaces, profiles, or user interfaces. This contest is intended to inspire people to demonstrate their creativity, become a memory analysis pioneer, win the admiration of your peers, and give back to the community.
The contest is straightforward: Create an innovative and useful extension to The Volatility Framework and win the contest!
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training *or* 1500 USD cash
- 2nd place wins 500 USD cash
- 3rd place wins 250 USD cash
- 4th and 5th place wins Volatility swag (T-shirts, Stickers, etc)
Everyone but the Volatility core developers can participate.
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the Volatility 2.2 (or greater) release and should have been implemented after the initial contest announcement (1/14/2013).
- The top 5 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to volcon2013@memoryanalysis.net. The submission should include the source code, a short description of how the extension is used, and a signed "Individual Contributor License Agreement".
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than August 1, 2013. The winner will be announced the following week. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the "Volatility Hall of Fame" web page for the world to admire.
- Selected contestants may also be asked to present their work at the 2013 Open Memory Forensics Workshop or have their research featured on the Volatility Labs Blog.
Acknowledgements
A special thanks goes out to the Hex-Rays team for providing the inspiration and template for this contest.
Tuesday, November 13, 2012
Windows Memory Forensics Training for Analysts by Volatility Developers
We are pleased to announce the first public offering of the Windows Memory Forensics for Analysts training course. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework's extensive set of plugins. Now you can reap these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool.
Please see the following details about the upcoming training event:
Dates: Monday, December 3rd through Friday, December 7th 2012
Location: Reston, Virginia (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda). Please see the VolatilityTeam wiki page for brief bios.
Overview:
The ability to perform digital investigations and incident response is becoming a critical skill for many occupations. Unfortunately, digital investigators frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains valuable information about the runtime state of the system, provides the ability to link artifacts from traditional forensic analysis (network, file system, registry), and provides the ability to ascertain investigative leads that have been unbeknownst to most analysts. Malicious adversaries have been leveraging this knowledge disparity to undermine many aspects of the digital investigation process with such things as anti-forensics techniques, memory resident malware, kernel rootkits, encryption (file systems, network traffic, etc), and Trojan defenses. The only way to turn-the-tables and defeat a creative digital human adversary is through talented analysts.
This course will demonstrate why memory forensics is a critical component of the digital investigation process and how investigators can gain the upper hand. The course will consist of lectures on specific topics in Windows memory forensics followed by intense hands-on exercises to put the topics into real world contexts. Exercises will require analysis of malware in memory, kernel-level rootkits, registry artifacts found in memory, signs of data exfiltration, and much more. This course is your opportunity to learn these invaluable skills from the researchers and developers that have pioneered the field. This is also the only memory forensics training class that is authorized to teach Volatility, officially sponsored by The Volatility Project, and taught directly by the Volatility developers.
Who should attend?
This course is intended for malware analysts, reverse engineers, incident responders, digital forensics analysts, law enforcement officers, federal agents, system administrators, corporate investigators, or anyone who wants to develop the skills necessary to combat advanced adversaries.
Course Prerequisites
This is a 5-day course composed of both classroom learning and hands-on training exercises and scenarios. All course material, lunches, and coffee breaks will be provided (If you have unique dietary restrictions, please make them known during registration).
Course Requirements
In order to fully participate in the course, students are required to bring a properly pre-configured laptop. Students are encouraged to bring laptops that can run both Linux and Windows, where either instance is virtualized based on student preference. It is the student's responsibility to make sure the laptop is configured prior to the beginning of the course. There is no time built into the course schedule to help people configure machines, so please make sure your laptop has been properly configured before showing up for class.
Minimum Hardware Requirements:
2.0 GHz CPU
4 GB of RAM
20 GB of disk space
DVD-ROM drive
USB 2.0 ports
Wireless Network Interface Card
Software Requirements:
Python 2.6 or 2.7
Microsoft Windows Debugger
VMware Workstation 6/Fusion 3 or higher
7-Zip (or ability to decompress zip, gzip, rar, etc)
Wireshark
Additional free/open-source tools or libraries may be required to complete hands-on exercises. More information will be shared upon registration.
Course Fee:
The cost of the course is $3500. Law enforcement, government, and educational discounts are available.
Registration:
To obtain information on registration, please email voltraining [ @ ] memoryanalysis.net.
Other Course Benefits:
Students will be supporting open source development (Volatility)
Preparation for the Advanced Memory Analyst Certification (AMAC)
Please see the following details about the upcoming training event:
Dates: Monday, December 3rd through Friday, December 7th 2012
Location: Reston, Virginia (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda). Please see the VolatilityTeam wiki page for brief bios.
Overview:
The ability to perform digital investigations and incident response is becoming a critical skill for many occupations. Unfortunately, digital investigators frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains valuable information about the runtime state of the system, provides the ability to link artifacts from traditional forensic analysis (network, file system, registry), and provides the ability to ascertain investigative leads that have been unbeknownst to most analysts. Malicious adversaries have been leveraging this knowledge disparity to undermine many aspects of the digital investigation process with such things as anti-forensics techniques, memory resident malware, kernel rootkits, encryption (file systems, network traffic, etc), and Trojan defenses. The only way to turn-the-tables and defeat a creative digital human adversary is through talented analysts.
This course will demonstrate why memory forensics is a critical component of the digital investigation process and how investigators can gain the upper hand. The course will consist of lectures on specific topics in Windows memory forensics followed by intense hands-on exercises to put the topics into real world contexts. Exercises will require analysis of malware in memory, kernel-level rootkits, registry artifacts found in memory, signs of data exfiltration, and much more. This course is your opportunity to learn these invaluable skills from the researchers and developers that have pioneered the field. This is also the only memory forensics training class that is authorized to teach Volatility, officially sponsored by The Volatility Project, and taught directly by the Volatility developers.
Who should attend?
This course is intended for malware analysts, reverse engineers, incident responders, digital forensics analysts, law enforcement officers, federal agents, system administrators, corporate investigators, or anyone who wants to develop the skills necessary to combat advanced adversaries.
Course Prerequisites
- It is recommended that students have some experience with the Volatility Framework.
- Students should possess a basic knowledge of digital investigation tools and techniques.
- Students should be comfortable with general troubleshooting of both Linux and Windows operating systems (setup, configuration, networking)
- Students should be familiar with popular system administration tools (i.e. Sysinternals Utilities)
- Student should be both familiar and comfortable with using the command line
- Student should have a basic understanding of Python or similar scripting language
This is a 5-day course composed of both classroom learning and hands-on training exercises and scenarios. All course material, lunches, and coffee breaks will be provided (If you have unique dietary restrictions, please make them known during registration).
Course Requirements
In order to fully participate in the course, students are required to bring a properly pre-configured laptop. Students are encouraged to bring laptops that can run both Linux and Windows, where either instance is virtualized based on student preference. It is the student's responsibility to make sure the laptop is configured prior to the beginning of the course. There is no time built into the course schedule to help people configure machines, so please make sure your laptop has been properly configured before showing up for class.
Minimum Hardware Requirements:
2.0 GHz CPU
4 GB of RAM
20 GB of disk space
DVD-ROM drive
USB 2.0 ports
Wireless Network Interface Card
Software Requirements:
Python 2.6 or 2.7
Microsoft Windows Debugger
VMware Workstation 6/Fusion 3 or higher
7-Zip (or ability to decompress zip, gzip, rar, etc)
Wireshark
Additional free/open-source tools or libraries may be required to complete hands-on exercises. More information will be shared upon registration.
Course Fee:
The cost of the course is $3500. Law enforcement, government, and educational discounts are available.
Registration:
To obtain information on registration, please email voltraining [ @ ] memoryanalysis.net.
Other Course Benefits:
Students will be supporting open source development (Volatility)
Preparation for the Advanced Memory Analyst Certification (AMAC)
Monday, November 12, 2012
ACSAC 2012
I will be teaching a full day course on Windows Forensics and IR at Annual Computer Security Applications Conference (ACSAC) on December 4th at the Buena Vista Palace Hotel & Spa in Orlando, FL. There is still time to sign up for the conference and/or training and it looks like a good program this year.
Saturday, September 29, 2012
Week 3 of the Month of Volatility Plugins posted!
Cross listed from Andrew Case's blog:
I was writing to announce that week 3 of the month of Volatility plugins is finished, and we now have five more in-depth blog posts covering Windows and Linux internals and rootkit detection as well as a bonus plugin that analyzes Internet Explorer browsing history. These have all been posted on the Volatility Labs blog.
Post 1: Detecting Malware Hooks in the Windows GUI Subsystem
This Windows focused post covers detecting malware hooks in the Windows GUI subsystem, including message hooks and event hooks, and what effects these hooks can have on a compromised system.
http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
Post 2: Shellbags in Memory, SetRegTime, and TrueCrypt Volumes
This Windows focused post covers finding and recovering shellbags from memory, the forensics importance of shellbags, and analyzes the effects of anti-forensics on shellbag timestamps. It concludes with covering the traces left in shellbags by TrueCrypt.
http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html
Post 3: Analyzing USER Handles and the Win32k.sys Gahti
This Windows focused post introduces two new plugins, one named gahti that determines the various different types of USER objects on a system and another named userhandles which traverses the handle table entries and associates them with the owning processes or threads
http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html
Post 4: Recovering tagCLIPDATA: What's In Your Clipboard?
This Windows focused post covers recovery of the Windows clipboard from physical memory.
http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html
Post 5: Analyzing the 2008 DFRWS Challenge with Volatility
This Linux focused post analyzes the 2008 memory challenge with Volatility. It walks through the artifacts produced by the winning team and shows how to recover the same information with Volatility. It then shows plugins in Volatility that can recover artifacts not produced by the winning team.
http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html
Bonus Post: HowTo: Scan for Internet Cache/History and URLs
This Windows focused post covers how to recover Internet Explorer's cache and history from a memory sample.
http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html
If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.
Friday, September 21, 2012
Week 2 of the Month of Volatility Plugins posted!
It's been an exciting week in the Volatility community. We've just finished our second week of Month of Volatility Plugins (MoVP) blogposts, released Volatility 2.2 RC2 for testing, fixed a few minor bugs and now we're gearing up for our third week of posts and the upcoming Open Memory Forensics Workshop (OMFW). Here is a list of this week's posts, compiled by Andrew Case:
We hope you've enjoyed this week's series. Stay tuned, we have much more in store!
I was writing to announce that week 2 of the month of Volatility plugins is finished, and we now have five more in-depth blog posts covering Windows and Linux internals and rootkit detection. These have all been posted to the new Volatility Labs blog.
Post 1: Atoms (The New Mutex), Classes and DLL Injection
This Windows focused post covers investigating malware and understanding infections by analyzing the atom tables.
http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html
Post 2: Malware in your Windows
This Windows focused post covers enumerating and analyzing windows in the GUI subsystem.
http://volatility-labs.blogspot.com/2012/09/movp-22-malware-in-your-windows.html
Post 3: Event logs and Service SIDs
This Windows focused post demonstrates recovering event logs from memory and calculating service SIDs.
http://volatility-labs.blogspot.com/2012/09/movp-23-event-logs-and-service-sids.html
Post 4: Analyzing the Jynx rootkit and LD_PRELOAD
This Linux focused post covers analyzing the Jynx rootkit as well as generic methods for analyzing LD_PRELOAD based rootkits.
http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx-rootkit-and.html
Post 5: Investigating In-Memory Network Data with Volatility
This Linux focused post goes through each of the Linux Volatility plugins related to recovering network data from memory, such as network connections, packets, and the routing cache.
http://volatility-labs.blogspot.com/2012/09/movp-25-investigating-in-memory-network.html
If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.
We hope you've enjoyed this week's series. Stay tuned, we have much more in store!
Friday, September 14, 2012
Week 1 of the Month of Volatility Plugins posted!
I'm going to borrow from Andrew's blog here to let you know about our Month of Volatility Plugins:
Future Volatility posts will appear on our official blog (http://volatility-labs.blogspot.com/). Also you might want to follow our project on twitter: @Volatility for updates and news. See you at OMFW!
I was writing to announce that week 1 of the month of Volatility plugins is finished, and we now have five in-depth blog posts covering Windows and Linux internals and rootkit detection. These have all been posted to the new Volatility Labs blog.
Post 1: Logon Sessions, Processes, and Images
This Windows focused post covers linking processes to their logon session, detecting hidden processes using session structures, and determining the loaded the drivers mapped into each session.
http://volatility-labs.blogspot.com/2012/09/movp-11- logon-sessions-processes-and. html
Post 2: Window Stations and Clipboard Malware
This Windows focused post covers enumerating and analyzing window stations and clipboard monitoring malware.
http://volatility-labs.blogspot.com/2012/09/movp-12- window-stations-and-clipboard. html
Post 3: Desktops, Heaps, and Ransomware
This Windows focused post covers finding rogue desktops used to hide applications and created by ransomware, linking threads to desktops, analyzing the desktop heap for memory corruptions, and profiling heap allocations to locate USER objects.
http://volatility-labs.blogspot.com/2012/09/movp-13- desktops-heaps-and-ransomware. html
Post 4: Average Coder Rootkit, Bash History, and Elevated Processes
This Linux focused post covers analyzing the Average Coder rootkit, recovering .bash_history from memory, even when faced with anti-forensics, and finding elevated processes.
http://volatility-labs.blogspot.com/2012/09/movp-14- average-coder-rootkit-bash. html
Post 5: KBeast Rootkit, Detecting Hidden Modules, and sysfs
This Linux focused post covers analyzing the KBeast rootkit, finding modules unlinked from the module list, and the forensic values of sysfs.
http://volatility-labs.blogspot.com/2012/09/movp-15- kbeast-rootkit-detecting- hidden.html
If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.
Future Volatility posts will appear on our official blog (http://volatility-labs.blogspot.com/). Also you might want to follow our project on twitter: @Volatility for updates and news. See you at OMFW!
Subscribe to:
Posts (Atom)