Wednesday, June 24, 2009

Got Memory Forensics and Malware Analysis skillz?

We are currently seeking passionate and talented individuals with skills in the areas of memory forensics, malware analysis, and reverse engineering. If you are looking for a position in a rapidly growing company that is building solutions to address the hardest and most exciting challenges currently facing the digital forensics community, we want to talk to you! This is your opportunity to work alongside industry pioneers to help shape the future of digital forensics. Join the digital forensics revolution! Please contact us at (info at volatilesystems dot com)(

Thursday, October 16, 2008

Voltage: Giving Investigators the Power to Make a Difference!

Do you feel like your current methods of performing digital investigations are antiquated and unable to deal with the threats posed by the modern digital adversary? Do you feel that forensic vendors have lost touch with the needs of investigators? Do you believe that the ability to perform investigations is not a privilege for those who can afford an $100,000 price tag? Are you tired of forensics vendors who seem more interested in exploiting the community rather than helping to empower investigators? We are in the midst of a "Digital Forensics Revolution"!

During our presentation at the SANS Forensics Summit, "Upping the 'Anti': Using Memory Analysis to Fight Malware", we made two major announcements which will dramatically affect the way digital investigations are performed across the enterprise. The first announcement related to the availability of a powerful new feature in F-Response 2.03, remote real-time read-only access to a computer system's physical memory. By coupling this revolutionary technology with their ability to provide remote access to a computer's physical disks, F-Response has provided digital investigators a truly unique capability that will shape the future of digital investigations.

During the presentation, we also publicly unveiled Voltage. Voltage is a platform that combines the award winning memory analysis capabilities of Volatility with the remote real-time access provided by F-Response. Imagine being able to reach across the network into the physical memory of a remote system and extract a sample of a suspicious executable in real time! While some investigators will prefer the command-line interface and cost effectiveness of Volatility (free!), Voltage provides an option for enterprise investigators who desire advanced automation and visualization. It also provides investigators with the ability to continuously monitor and verify the runtime state (integrity) of the systems within their organization. If an incident is detected, Voltage is able to automatically capture a sample of physical memory while the artifacts are still resident in memory and temporally relevant. It also provides the ability to search for Advanced Persistent Threats (APT) that may be hiding within the enterprise. Voltage gives investigators unprecedented visibility into the once opaque components of the information infrastructure.

It's important to emphasize that Voltage provides a capability unlike anything you have ever seen. Unlike other enterprise solutions, which deploy heavyweight agents or servlets that attempt to naively perform live analysis on a compromised machine, the minimal F-Response target merely provides access to the raw data. At the same time, all of the complex processing and analysis is done remotely on a trusted machine. As a result, you have complete access to the runtime state of the remote system, physical memory and pagefile (swap), while minimizing your impact on potential artifacts and reducing your exposure to subversion. Whereas other solutions force you to collect a snapshot of physical memory, sometimes taking hours before analysis can even begin, Voltage allows the investigator to begin analyzing physical memory on a remote system in real time.

Thursday, October 9, 2008

Hoffmann Advanced Forensic Sessions

I'm very excited to announce a new training opportunity for those in Europe or those who like to travel to Europe. My colleagues at Hoffmann Investigations will be hosting advanced forensics training for experienced investigators. As a part of this unique week long training, I will be leading a 2-day session on Memory and Malware Forensics. This session is designed to combine informative lectures with hands-on training exercises and realistic scenarios, similar to those that our investigators have faced in the field. This is your opportunity to learn how to leverage the power of Volatility 1.3 to improve your digital investigation process.

Training agenda:

  • Session 1 - Advanced Vista forensics: Lance Mueller

  • Session 2 - Apple and iPhone forensics: Remon Verkerk

  • Session 3 - Open source forensics, File Formats and Advanced File Carving: Joachim Metz and Robert-Jan Mora

  • Session 4 - Advanced Memory Forensics and Malware Analysis: AAron Walters

Please be sure and register early. It is limited to 25 participants and I'm sure it will fill up quickly. For more details and information on how to register, please visit Hoffmann Investigations.

Sunday, September 7, 2008

Volatile University: Memory Forensics in the Classroom

Memory forensics is a critical component of the digital investigation process and an important skill for digital investigators. At Volatile Systems, we are committed to helping educate the community about memory analysis. In support of this commitment, we are currently working with a number of university, college, and continuing education programs to help integrate volatile memory analysis into their digital forensics course work and lab exercises. This is an exciting opportunity for us to work with future digital investigators and those investigators who have gone back to improve their skill set. If you are currently instructing a class on computer forensics and have an interest in exploring how other educators are integrating memory forensics into their curriculum, please let us know.

On a related note, this fall I will be co-teaching a graduate class, ENTS 689I Network Immunity, at the University of Maryland, College Park. This course will actually be composed of three short courses: Cryptography and Information Security, System Security, and Network Security. I am very excited to be teaching this class alongside Dr. Charles Clancy and Dr. Nick Petroni. I consider Charles and Nick to be two of the top systems security researchers. Charles has done some amazing work in the area of wireless networking and Nick pioneered much of the work being done in memory analysis and rootkit detection. Based on the topics which will be covered and the projects that are going to be assigned, this should be a very exciting class! Not to mention, the students will also have the opportunity to learn about memory forensics using Volatility!

Saturday, August 16, 2008

Open Memory Forensics Workshop (OMFW)

I want to take this opportunity and thank everybody who attended the first Open Memory Forensics Workshop (OMFW). In particular, I want to thank all those who volunteered their time and resources to make the workshop such a success, especially, Eoghan Casey, Brendan Dolan-Gavitt, Andreas Schuster, Dr. Michael Cohen, Jesse Kornblum, Dr. Brian Carrier, Matthew Geiger, Keith Jones, and Brian Dykstra. I have received nothing but positive feedback [link][link][link] which is directly attributable to the efforts of those who contributed.

As with many of you who follow my blogs, I firmly believe that volatile memory analysis can dramatically augment the way we currently perform digital investigations and has the ability to help address many of the open challenges that we currently face. I also know that the progress we have seen in memory forensics over the last few years has been driven by the work done in the open source community. The reason Volatile Systems sponsored this workshop is because our organization is committed to the belief that forensics and security should be accessible to everyone. The goal of this workshop is to create a forum that brings together the top researchers and practitioners in an environment that fosters the open exchange of ideas, so we can find ways to help each other. It is our goal to help make this community approachable, so others may be inspired to get involved and contribute back to the community.

If you are interested in learning more about this years workshop, the agenda and and slides have have been posted on the OMFW website. As a side note, we have already started the planning for next year's event. Be sure to follow this blog and the workshop website for further updates! Due to the overwhelming response this year, we were not able to fulfill all the registration requests, so please be sure to register early!

Please feel free to post any comments, questions, or feedback you may have!

Friday, August 15, 2008

Volatility 1.3: Advanced Memory Forensics

The Volatility Team is pleased to announce the release of Volatility 1.3, the open source memory forensics framework. The framework was recently used to help win both the DFRWS 2008 Forensics Challenge and the Forensics Rodeo, demonstrating its power and effectiveness for augmenting digital investigations.

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for performing advanced memory forensics. The extraction techniques are performed completely independent of the system being investigated but still offer unprecedented visibility into the run time state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples, while providing a powerful platform for further research.

Volatility 1.3 currently supports the investigation of Microsoft Windows XP Service Pack 2 and Service Pack 3 memory samples. Preliminary support has also been added for the Linux operating system, making Volatility the only cross platform memory analysis framework.

Some of the new features in Volatility 1.3 include:

  • Over 14 new data view modules!

  • New object model allowing easier module development and memory exploration

  • New plugin design allowing organizations to easily create, maintain, and share modules

  • New object oriented scanning infrastructure (Very Fast!)

  • Process graphing capabilities

  • Ability to extract open registry handles

  • Ability to dump a process' addressable memory

  • Ability to extract executables from memory samples

  • Transparently supports a variety of sample formats (ie, CrashDump, Hibernate, DD)

  • Automated conversion between sample formats

  • New scanning modules (ie, modules)

  • Support for XP SP3

Special thanks to Brendan Dolan-Gavitt, Andreas Schuster, Michael Cohen, and Matthieu Suiche.

Download the Volatility Framework from:


The Volatility Team

Wednesday, August 13, 2008

PyFlag/Volatility Team Wins DFRWS Challenge!

I'm very excited to announce that the PyFlag/Volatility Team was chosen the winner of the 2008 Digital Forensic Research Workshop (DFRWS) Forensic Challenge. This year's challenge focused on developing advanced tools and techniques in the areas of memory forensics and data fusion.

I want to take this opportunity to thank Eoghan Casey, Matthew Geiger, and Wietse Venema for putting on a fantastic challenge. I also want to thank both Michael Cohen and David Collett for all their hard work and long hours. It was an honor to work with such a strong team. It's amazing to see how the PyFlag and Volatility teams have combined forces to dramatically push the state of the art in digital forensics research and analysis!

In case you missed it in previous posts, the final submission can be found here.