Wednesday, June 03, 2015

Volshell Quickies

Since someone had asked about it in a comment on this blog, I decided to write up a Volshell Quickie on the Volatility Labs blog. Enjoy!

Monday, May 18, 2015

Linux Memory Forensics: Using mprotect() with PROT_NONE

In case you didn't catch it on the Volatility Labs blog, I found an interesting bug that we've had in the framework since we've had Linux support. If you've had cases that involved Linux samples and plugins like linux_yarascan, linux_strings etc, you might want to update to the latest code and have another look over those samples. Of course, there's no reason to think that a piece of malware might have used this trick and used a sigsegv handler to access the data, but the idea has been around for years...

Thursday, January 29, 2015

Some Updates

Wow, it's been a while since I've written here.  A lot has happened since, however.  Here are a few updates:

The Book

We released a book: The Art of Memory Forensics.  For those of you who are considering teaching memory forensics or even operating systems, we have a syllabus and evidence files on our website that you may use in your classes.


We have several trainings in line for this year, public and private.  Public trainings currently include:

  • Reston, VA April 13th-17th 2015
  • New York, NY May 11th-15th 2015
  • Amsterdam, NL August 31st-September 4th 2015
We are also currently working on new course offerings coming out this year.  So keep an eye out for those!


I'll be speaking at the upcoming CEIC conference in Las Vegas, on Wednesday May 20th 2015.  Apparently there is a discount code if you register before January 31st: JANS4v15

The Volatility team will also give another talk at NYC4SEC during the week of the training in NYC this coming May.  More details will be given for that talk soon.

Monday, April 14, 2014

Volatility Talk at Upcoming NYC4SEC

The Volatility team will give a talk at the next NYC4SEC meetup on memory forensics on May 8th, 2014 at John Jay College.  Make sure to RSVP if you are planning to attend, since there is limited seating!

 Thanks For the Memory: Rootkits, Exfil and APT - RAM Conquers All

The ability to perform digital investigations and incident response is becoming a critical skill for many occupations. Unfortunately, digital investigators frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains valuable information about the runtime state of the system, provides the ability to link artifacts from traditional forensic analysis (network, file system, registry), and provides the ability to ascertain investigative leads that have been unbeknownst to most analysts. Malicious adversaries have been leveraging this knowledge disparity to undermine many aspects of the digital investigation process with such things as anti-forensics techniques, memory resident malware, kernel rootkits, encryption (file systems, network traffic, etc), and Trojan defenses.  The only way to turn-the-tables and defeat a creative digital human adversary is through talented analysts.
This talk demonstrates the importance of including Volatile memory in your investigations with an overview of the most widely used memory forensics tool, Volatility, by its developers.


Friday, February 07, 2014

New Volatility Training Website

We have a new website for all of our Volatility training opportunities.  Don't forget to check it out:

- @gleeda

Thursday, January 30, 2014

OMFW 2013 Slides

In case you missed it, I put up my slides for my OMFW 2013 talk "Every Step You Take: Profiling the System".  You can find them here on google docs. Some of the animations may not render properly, even if played, but you get the idea.  If you want to see the cyboxer plugin, send me an email (jamie.levy {at} gmail . com).

Tuesday, July 16, 2013

Volatility News

Things have been busy lately, but I want to let you know about some important items that are coming up quickly:

July 27-30th, 2013: Blackhat Vegas

Andrew Case and I will teach our course in Digital Forensics and Incident Response again this summer at Black Hat Vegas.  This course will cover enough material to take someone from knowing practically nothing about digital forensics (disk and memory) to a point where s/he can comfortably conduct his/her own investigations.  There is limited time to sign up, so reserve your seat while you can!

You can hear Andrew talk about Digital Forensics and Incident Response on the Healthy Paranoia podcast from July 7th, 2013.

August 1st, 2013: Volatility Plugin Contest

The 1st Annual Volatility Plugin Contest deadline is quickly approaching!   Don't miss this opportunity to win over $2000 in cash and prizes and contribute to the top memory forensics framework by writing a plugin for the Volatility Framework and submitting it to by August 1st, 2013.

September 9-13th, 2013: Volatility Training in the Netherlands

We will have our 4th public offering of our official Windows Malware and Memory Forensics training in the Netherlands September 9-13, 2013.  This will be our only offering outside the US for this year.  Past offerings of our course have been well received and were recently described as the "... perfect combination of incident response, malware analysis and Windows internals."  Don't miss out on your chance to take this course and learn not only how to become a Volatility superuser, but how to apply cutting edge memory and malware analysis methodologies against your worst adversary.

November 4th, 2013: Open Memory Forensics Workshop (OMFW)

The Open Memory Forensics Workshop (OMFW) call for papers has been announced.  If you want to give a talk on memory forensics related topics, please get your submission in by September 1st, 2013.  OMFW is a half-day workshop that will be held one day prior to the Open Source Digital Forensics Conference in Chantilly, VA.  This workshop is fast-paced, to the point, highly technical and intended to raise the bar for analysts who realize the importance of memory forensics when faced with a highly skilled adversary.  Not only will you learn a lot and get to meet all the movers and shakers in the space, but your $50 registration fee is entirely donated to charity!  Last year all proceeds went to the National Center for Missing and Exploited Children.  So don't delay: there really is limited seating and it does go quickly.  Make sure to register your seat now!

November 5th, 2013: Open Source Digital Forensics Conference

The Volatility team will be at the Open Source Digital Forensics Conference discussing The State of Volatility.  Come by and see us there :-)

November 11-15th, 2013: Volatility Training in Reston, VA

We will have our 5th public offering of the official Windows Malware and Memory Forensics training in Reston, VA November 11-15th, 2013.  If you missed the last offering in June, this is your chance to take this course and learn from the developers themselves.  As I've stated before, this class includes real-world scenarios that are reinforced with hands-on labs.  We cover more than "just one tool" as some detractors like to say.  We cover methodologies that will actually help you where some tools fail.  You will have a deep enough understanding to investigate even the most skilled adversaries who know how to break common tools in order to hide.  Don't be fooled and don't be left behind.  Accept no imitations and make sure to take this class.

All students who take the official Volatility training receive a certificate of completion, with CPE credits that can be used for certification renewal.  In addition to this, we are constantly updating the course with new material and past students are given updated materials for FREE.  What more can you ask for?  If you are interested in Volatility training, drop us a line at voltraining [[ at ]]

If you want to see co-trainers MHL and Andrew Case (attrc) in action, I managed to find a couple of videos of their previous talks on youtube: