Showing posts with label plugins. Show all posts
Showing posts with label plugins. Show all posts
Thursday, January 30, 2014
OMFW 2013 Slides
In case you missed it, I put up my slides for my OMFW 2013 talk "Every Step You Take: Profiling the System". You can find them here on google docs. Some of the animations may not render properly, even if played, but you get the idea. If you want to see the cyboxer plugin, send me an email (jamie.levy {at} gmail . com).
Tuesday, July 16, 2013
Volatility News
Things have been busy lately, but I want to let you know about some important items that are coming up quickly:
Andrew Case and I will teach our course in Digital Forensics and Incident Response again this summer at Black Hat Vegas. This course will cover enough material to take someone from knowing practically nothing about digital forensics (disk and memory) to a point where s/he can comfortably conduct his/her own investigations. There is limited time to sign up, so reserve your seat while you can!
You can hear Andrew talk about Digital Forensics and Incident Response on the Healthy Paranoia podcast from July 7th, 2013.
The 1st Annual Volatility Plugin Contest deadline is quickly approaching! Don't miss this opportunity to win over $2000 in cash and prizes and contribute to the top memory forensics framework by writing a plugin for the Volatility Framework and submitting it to volcon2013@memoryanalysis.net by August 1st, 2013.
We will have our 4th public offering of our official Windows Malware and Memory Forensics training in the Netherlands September 9-13, 2013. This will be our only offering outside the US for this year. Past offerings of our course have been well received and were recently described as the "... perfect combination of incident response, malware analysis and Windows internals." Don't miss out on your chance to take this course and learn not only how to become a Volatility superuser, but how to apply cutting edge memory and malware analysis methodologies against your worst adversary.
The Open Memory Forensics Workshop (OMFW) call for papers has been announced. If you want to give a talk on memory forensics related topics, please get your submission in by September 1st, 2013. OMFW is a half-day workshop that will be held one day prior to the Open Source Digital Forensics Conference in Chantilly, VA. This workshop is fast-paced, to the point, highly technical and intended to raise the bar for analysts who realize the importance of memory forensics when faced with a highly skilled adversary. Not only will you learn a lot and get to meet all the movers and shakers in the space, but your $50 registration fee is entirely donated to charity! Last year all proceeds went to the National Center for Missing and Exploited Children. So don't delay: there really is limited seating and it does go quickly. Make sure to register your seat now!
The Volatility team will be at the Open Source Digital Forensics Conference discussing The State of Volatility. Come by and see us there :-)
We will have our 5th public offering of the official Windows Malware and Memory Forensics training in Reston, VA November 11-15th, 2013. If you missed the last offering in June, this is your chance to take this course and learn from the developers themselves. As I've stated before, this class includes real-world scenarios that are reinforced with hands-on labs. We cover more than "just one tool" as some detractors like to say. We cover methodologies that will actually help you where some tools fail. You will have a deep enough understanding to investigate even the most skilled adversaries who know how to break common tools in order to hide. Don't be fooled and don't be left behind. Accept no imitations and make sure to take this class.
All students who take the official Volatility training receive a certificate of completion, with CPE credits that can be used for certification renewal. In addition to this, we are constantly updating the course with new material and past students are given updated materials for FREE. What more can you ask for? If you are interested in Volatility training, drop us a line at voltraining [[ at ]] memoryanalysis.net
If you want to see co-trainers MHL and Andrew Case (attrc) in action, I managed to find a couple of videos of their previous talks on youtube:
July 27-30th, 2013: Blackhat Vegas
Andrew Case and I will teach our course in Digital Forensics and Incident Response again this summer at Black Hat Vegas. This course will cover enough material to take someone from knowing practically nothing about digital forensics (disk and memory) to a point where s/he can comfortably conduct his/her own investigations. There is limited time to sign up, so reserve your seat while you can!
You can hear Andrew talk about Digital Forensics and Incident Response on the Healthy Paranoia podcast from July 7th, 2013.
August 1st, 2013: Volatility Plugin Contest
The 1st Annual Volatility Plugin Contest deadline is quickly approaching! Don't miss this opportunity to win over $2000 in cash and prizes and contribute to the top memory forensics framework by writing a plugin for the Volatility Framework and submitting it to volcon2013@memoryanalysis.net by August 1st, 2013.
September 9-13th, 2013: Volatility Training in the Netherlands
We will have our 4th public offering of our official Windows Malware and Memory Forensics training in the Netherlands September 9-13, 2013. This will be our only offering outside the US for this year. Past offerings of our course have been well received and were recently described as the "... perfect combination of incident response, malware analysis and Windows internals." Don't miss out on your chance to take this course and learn not only how to become a Volatility superuser, but how to apply cutting edge memory and malware analysis methodologies against your worst adversary.
November 4th, 2013: Open Memory Forensics Workshop (OMFW)
The Open Memory Forensics Workshop (OMFW) call for papers has been announced. If you want to give a talk on memory forensics related topics, please get your submission in by September 1st, 2013. OMFW is a half-day workshop that will be held one day prior to the Open Source Digital Forensics Conference in Chantilly, VA. This workshop is fast-paced, to the point, highly technical and intended to raise the bar for analysts who realize the importance of memory forensics when faced with a highly skilled adversary. Not only will you learn a lot and get to meet all the movers and shakers in the space, but your $50 registration fee is entirely donated to charity! Last year all proceeds went to the National Center for Missing and Exploited Children. So don't delay: there really is limited seating and it does go quickly. Make sure to register your seat now!
November 5th, 2013: Open Source Digital Forensics Conference
The Volatility team will be at the Open Source Digital Forensics Conference discussing The State of Volatility. Come by and see us there :-)
November 11-15th, 2013: Volatility Training in Reston, VA
We will have our 5th public offering of the official Windows Malware and Memory Forensics training in Reston, VA November 11-15th, 2013. If you missed the last offering in June, this is your chance to take this course and learn from the developers themselves. As I've stated before, this class includes real-world scenarios that are reinforced with hands-on labs. We cover more than "just one tool" as some detractors like to say. We cover methodologies that will actually help you where some tools fail. You will have a deep enough understanding to investigate even the most skilled adversaries who know how to break common tools in order to hide. Don't be fooled and don't be left behind. Accept no imitations and make sure to take this class.
All students who take the official Volatility training receive a certificate of completion, with CPE credits that can be used for certification renewal. In addition to this, we are constantly updating the course with new material and past students are given updated materials for FREE. What more can you ask for? If you are interested in Volatility training, drop us a line at voltraining [[ at ]] memoryanalysis.net
If you want to see co-trainers MHL and Andrew Case (attrc) in action, I managed to find a couple of videos of their previous talks on youtube:
Monday, January 14, 2013
The 1st Annual Volatility Framework Plugin Contest
Cross posted from the Volatility Labs Blog:
We are pleased to announce the 1st Annual Volatility Plugin Contest. This contest is inspired and modeled after the Hex-Rays Plugin Contest. As in the case of IDA, Volatility was designed with the belief that talented analysts should only be limited by their creativity not the tools they use. In this spirit, Volatility has a flexible architecture that can be extended in numerous ways: analysis plugins (operating system plugins, application plugins, etc), volshell commands, address spaces, profiles, or user interfaces. This contest is intended to inspire people to demonstrate their creativity, become a memory analysis pioneer, win the admiration of your peers, and give back to the community.
The contest is straightforward: Create an innovative and useful extension to The Volatility Framework and win the contest!
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training *or* 1500 USD cash
- 2nd place wins 500 USD cash
- 3rd place wins 250 USD cash
- 4th and 5th place wins Volatility swag (T-shirts, Stickers, etc)
Everyone but the Volatility core developers can participate.
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the Volatility 2.2 (or greater) release and should have been implemented after the initial contest announcement (1/14/2013).
- The top 5 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to volcon2013@memoryanalysis.net. The submission should include the source code, a short description of how the extension is used, and a signed "Individual Contributor License Agreement".
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than August 1, 2013. The winner will be announced the following week. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the "Volatility Hall of Fame" web page for the world to admire.
- Selected contestants may also be asked to present their work at the 2013 Open Memory Forensics Workshop or have their research featured on the Volatility Labs Blog.
Acknowledgements
A special thanks goes out to the Hex-Rays team for providing the inspiration and template for this contest.
Friday, September 14, 2012
Week 1 of the Month of Volatility Plugins posted!
I'm going to borrow from Andrew's blog here to let you know about our Month of Volatility Plugins:
Future Volatility posts will appear on our official blog (http://volatility-labs.blogspot.com/). Also you might want to follow our project on twitter: @Volatility for updates and news. See you at OMFW!
I was writing to announce that week 1 of the month of Volatility plugins is finished, and we now have five in-depth blog posts covering Windows and Linux internals and rootkit detection. These have all been posted to the new Volatility Labs blog.
Post 1: Logon Sessions, Processes, and Images
This Windows focused post covers linking processes to their logon session, detecting hidden processes using session structures, and determining the loaded the drivers mapped into each session.
http://volatility-labs.blogspot.com/2012/09/movp-11- logon-sessions-processes-and. html
Post 2: Window Stations and Clipboard Malware
This Windows focused post covers enumerating and analyzing window stations and clipboard monitoring malware.
http://volatility-labs.blogspot.com/2012/09/movp-12- window-stations-and-clipboard. html
Post 3: Desktops, Heaps, and Ransomware
This Windows focused post covers finding rogue desktops used to hide applications and created by ransomware, linking threads to desktops, analyzing the desktop heap for memory corruptions, and profiling heap allocations to locate USER objects.
http://volatility-labs.blogspot.com/2012/09/movp-13- desktops-heaps-and-ransomware. html
Post 4: Average Coder Rootkit, Bash History, and Elevated Processes
This Linux focused post covers analyzing the Average Coder rootkit, recovering .bash_history from memory, even when faced with anti-forensics, and finding elevated processes.
http://volatility-labs.blogspot.com/2012/09/movp-14- average-coder-rootkit-bash. html
Post 5: KBeast Rootkit, Detecting Hidden Modules, and sysfs
This Linux focused post covers analyzing the KBeast rootkit, finding modules unlinked from the module list, and the forensic values of sysfs.
http://volatility-labs.blogspot.com/2012/09/movp-15- kbeast-rootkit-detecting- hidden.html
If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.
Future Volatility posts will appear on our official blog (http://volatility-labs.blogspot.com/). Also you might want to follow our project on twitter: @Volatility for updates and news. See you at OMFW!
Subscribe to:
Posts (Atom)