Saturday, August 16, 2008

Open Memory Forensics Workshop (OMFW)

I want to take this opportunity and thank everybody who attended the first Open Memory Forensics Workshop (OMFW). In particular, I want to thank all those who volunteered their time and resources to make the workshop such a success, especially, Eoghan Casey, Brendan Dolan-Gavitt, Andreas Schuster, Dr. Michael Cohen, Jesse Kornblum, Dr. Brian Carrier, Matthew Geiger, Keith Jones, and Brian Dykstra. I have received nothing but positive feedback [link][link][link] which is directly attributable to the efforts of those who contributed.

As with many of you who follow my blogs, I firmly believe that volatile memory analysis can dramatically augment the way we currently perform digital investigations and has the ability to help address many of the open challenges that we currently face. I also know that the progress we have seen in memory forensics over the last few years has been driven by the work done in the open source community. The reason Volatile Systems sponsored this workshop is because our organization is committed to the belief that forensics and security should be accessible to everyone. The goal of this workshop is to create a forum that brings together the top researchers and practitioners in an environment that fosters the open exchange of ideas, so we can find ways to help each other. It is our goal to help make this community approachable, so others may be inspired to get involved and contribute back to the community.

If you are interested in learning more about this years workshop, the agenda and and slides have have been posted on the OMFW website. As a side note, we have already started the planning for next year's event. Be sure to follow this blog and the workshop website for further updates! Due to the overwhelming response this year, we were not able to fulfill all the registration requests, so please be sure to register early!

Please feel free to post any comments, questions, or feedback you may have!

Friday, August 15, 2008

Volatility 1.3: Advanced Memory Forensics

The Volatility Team is pleased to announce the release of Volatility 1.3, the open source memory forensics framework. The framework was recently used to help win both the DFRWS 2008 Forensics Challenge and the Forensics Rodeo, demonstrating its power and effectiveness for augmenting digital investigations.

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for performing advanced memory forensics. The extraction techniques are performed completely independent of the system being investigated but still offer unprecedented visibility into the run time state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples, while providing a powerful platform for further research.

Volatility 1.3 currently supports the investigation of Microsoft Windows XP Service Pack 2 and Service Pack 3 memory samples. Preliminary support has also been added for the Linux operating system, making Volatility the only cross platform memory analysis framework.

Some of the new features in Volatility 1.3 include:

  • Over 14 new data view modules!

  • New object model allowing easier module development and memory exploration

  • New plugin design allowing organizations to easily create, maintain, and share modules

  • New object oriented scanning infrastructure (Very Fast!)

  • Process graphing capabilities

  • Ability to extract open registry handles

  • Ability to dump a process' addressable memory

  • Ability to extract executables from memory samples

  • Transparently supports a variety of sample formats (ie, CrashDump, Hibernate, DD)

  • Automated conversion between sample formats

  • New scanning modules (ie, modules)

  • Support for XP SP3


Special thanks to Brendan Dolan-Gavitt, Andreas Schuster, Michael Cohen, and Matthieu Suiche.

Download the Volatility Framework from:

https://www.volatilesystems.com/default/volatility

Thanks,

The Volatility Team

Wednesday, August 13, 2008

PyFlag/Volatility Team Wins DFRWS Challenge!



I'm very excited to announce that the PyFlag/Volatility Team was chosen the winner of the 2008 Digital Forensic Research Workshop (DFRWS) Forensic Challenge. This year's challenge focused on developing advanced tools and techniques in the areas of memory forensics and data fusion.

I want to take this opportunity to thank Eoghan Casey, Matthew Geiger, and Wietse Venema for putting on a fantastic challenge. I also want to thank both Michael Cohen and David Collett for all their hard work and long hours. It was an honor to work with such a strong team. It's amazing to see how the PyFlag and Volatility teams have combined forces to dramatically push the state of the art in digital forensics research and analysis!

In case you missed it in previous posts, the final submission can be found here.