During our presentation at the SANS Forensics Summit, "Upping the 'Anti': Using Memory Analysis to Fight Malware", we made two major announcements which will dramatically affect the way digital investigations are performed across the enterprise. The first announcement related to the availability of a powerful new feature in F-Response 2.03, remote real-time read-only access to a computer system's physical memory. By coupling this revolutionary technology with their ability to provide remote access to a computer's physical disks, F-Response has provided digital investigators a truly unique capability that will shape the future of digital investigations.
During the presentation, we also publicly unveiled Voltage. Voltage is a platform that combines the award winning memory analysis capabilities of Volatility with the remote real-time access provided by F-Response. Imagine being able to reach across the network into the physical memory of a remote system and extract a sample of a suspicious executable in real time! While some investigators will prefer the command-line interface and cost effectiveness of Volatility (free!), Voltage provides an option for enterprise investigators who desire advanced automation and visualization. It also provides investigators with the ability to continuously monitor and verify the runtime state (integrity) of the systems within their organization. If an incident is detected, Voltage is able to automatically capture a sample of physical memory while the artifacts are still resident in memory and temporally relevant. It also provides the ability to search for Advanced Persistent Threats (APT) that may be hiding within the enterprise. Voltage gives investigators unprecedented visibility into the once opaque components of the information infrastructure.
It's important to emphasize that Voltage provides a capability unlike anything you have ever seen. Unlike other enterprise solutions, which deploy heavyweight agents or servlets that attempt to naively perform live analysis on a compromised machine, the minimal F-Response target merely provides access to the raw data. At the same time, all of the complex processing and analysis is done remotely on a trusted machine. As a result, you have complete access to the runtime state of the remote system, physical memory and pagefile (swap), while minimizing your impact on potential artifacts and reducing your exposure to subversion. Whereas other solutions force you to collect a snapshot of physical memory, sometimes taking hours before analysis can even begin, Voltage allows the investigator to begin analyzing physical memory on a remote system in real time.
