Wednesday, June 03, 2015

Volshell Quickies

Since someone had asked about it in a comment on this blog, I decided to write up a Volshell Quickie on the Volatility Labs blog. Enjoy!

Monday, May 18, 2015

Linux Memory Forensics: Using mprotect() with PROT_NONE

In case you didn't catch it on the Volatility Labs blog, I found an interesting bug that we've had in the framework since we've had Linux support. If you've had cases that involved Linux samples and plugins like linux_yarascan, linux_strings etc, you might want to update to the latest code and have another look over those samples. Of course, there's no reason to think that a piece of malware might have used this trick and used a sigsegv handler to access the data, but the idea has been around for years...

Thursday, January 29, 2015

Some Updates

Wow, it's been a while since I've written here.  A lot has happened since, however.  Here are a few updates:

The Book

We released a book: The Art of Memory Forensics.  For those of you who are considering teaching memory forensics or even operating systems, we have a syllabus and evidence files on our website that you may use in your classes.


We have several trainings in line for this year, public and private.  Public trainings currently include:

  • Reston, VA April 13th-17th 2015
  • New York, NY May 11th-15th 2015
  • Amsterdam, NL August 31st-September 4th 2015
We are also currently working on new course offerings coming out this year.  So keep an eye out for those!


I'll be speaking at the upcoming CEIC conference in Las Vegas, on Wednesday May 20th 2015.  Apparently there is a discount code if you register before January 31st: JANS4v15

The Volatility team will also give another talk at NYC4SEC during the week of the training in NYC this coming May.  More details will be given for that talk soon.