Tuesday, August 21, 2007

DFRWS 2007

Let me begin by saying that DFRWS is one of my favorite conferences of the year. I highly recommend the conference to anyone interested in the latest research being done in the forensics community. DFRWS has established itself as the main venue for research being done in volatile memory analysis and is able to draw researchers working in this area from across the world. The organizing committee does an excellent job and the conference keeps getting better every year. In particular, Matthew Geiger and the rest of the CERT team did a wonderful job in hosting the conference this year.

The keynote address was "Digital Forensics, Covert Monitoring, and Active Methods" given by Greg Hoglund. Greg discussed what "bad guys" are currently doing and the importance of digital forensics for dealing with these sophisticated attackers. In particular, he emphasized the importance of volatile memory analysis for detecting these attackers. His presentation also discussed his company's "surveillance" technology that is capable of defeating all conventional anti-virus. During the questions, Simson asked how this "surveillance" technology is different from what the "bad guys" are trying to build. He also asked what differentiates them from the "bad guys". Finally, he wanted to know if it was merely related to the fact that they worked for a different "mob"!

I thought the keynote was entertaining and Greg has a unique perspective, but I would have preferred a keynote from someone who is actually involved in the forensic research community or at least a practitioner in the area. It was too bad that Karl Levitt had to cancel!! On the other hand, it is interesting that this is the third talk this summer by people who are arming the malware community, discussing the importance of volatile memory analysis. At SyScan, in the talk "The IPO of the 0 day", Justine Aitel of Immunity mentioned "think memory dump analysis" when performing incident response. At Black Hat, Jamie Butler of Mandiant also discussed the importance of volatile memory analysis and demonstrated his desire to stunt research and collaboration by filing patents on other people's work (I hope those bonuses are worth it!). Now that the offensive community is beginning to focus their attention on volatile memory analysis, hopefully more investigators will realize the importance of integrating volatile memory analysis into the digital investigation process.

The first talk to discuss volatile memory analysis was "Forensic Memory Analysis: From Stack and Code to Execution History", which was presented by Mohamed Saleh. Personally, I liked the fact that the talk focused more on the analysis being done than on how data structures can be extracted from memory. In the talk, they discussed a formal approach to analyzing the stack memory of process threads to infer execution history. I also liked the approach of combining volatile memory analysis with static analysis. We have been leveraging a similar approach in the FATKit research and found it very powerful. I wish the student who worked on the research had been there to present it. I would have enjoyed discussing some of the issues we faced when analyzing larger and more complex programs.

Another intriguing talk was given by Brendan F. Dolan-Gavitt called "The VAD Tree: A Process-Eye View of Physical Memory". Brendan is one of the main people that Jamie ripped off in his Black Hat talk, so it was good to finally see him present his own work. His talk discussed how an investigator can use the Virtual Address Descriptor (VAD) trees found in memory to improve volatile memory analysis. He discussed how to parse the tree and a number of different anti-forensic techniques that an investigator needs to be aware of. He also mentioned how the VAD can be used to augment the techniques we presented in "FATKit: Detecting Malicious Library Injection and Upping the 'Anti'" to detect advanced DLL injection attacks. Brendan did some great work on this research and is a really nice guy. Not to mention, he also helped integrate these tools into Volatility. I can't wait to see what he decides to work on next.

The final talk relevant to volatile memory analysis was presented by Bradley Schatz, who presented "BodySnatcher: Towards reliable volatile memory acquisition by software". Bradley began by presenting an abstract model for comparing volatile memory acquisition techniques. Then Bradley presented a new method for memory acquisition that attempts to snatch control of the host hardware from the running OS. A host-specific kernel driver is used to load a minimized, acquisition-focused operating system into memory; it then halts the running kernel and switches control to the acquisition operating system. The acquisition operating system then preserves the host memory, initializes an output device, and copies the memory image to the output device. Finally, he compared his software-based acquisition method with using Garner's dd. Surprisingly, the paper concludes that using BodySnatcher is less obtrusive than running Garner's dd. I am astounded by the fact that loading an entirely new OS would be less obtrusive than running a single userland application. There is also another difference which must be mentioned: once BodySnatcher runs, it freezes the state of the system and you will not be able to unfreeze the system. It will be exciting to see if Bradley will be able to overcome the limitations that he mentions in the paper and address the comments made during the presentation. I also want to wish Bradley luck with his new company Evimetry.

During the Work in Progress session, I gave a quick talk on Volatility and I discussed some of the things we are currently working on. The first is a collaboration with Doug White of NIST to make some new resources available to the volatile memory analysis community. The second is work that we are doing on malware analysis. Finally, I showed a screenshot of a visualization tool we have built for combining filesystem and volatile memory analysis to visualize temporal relationships during investigations. I will discuss this tool in more detail in an upcoming post.

Golden Richard and Vassil Roussev also gave a very intriguing WIP on the persistence of volatile evidence. During this talk, they discussed research they had performed with their students to determine how long artifacts exist in memory once power has been removed from the machine. They presented some interesting results related to different types of machines and how long digital artifacts can be recovered once power is removed. I have heard numerous people speculate about this, so it is nice to see people actually taking the time to investigate it.

If you are interested, the DFRWS 2007 papers have been posted. Hope to see you next year at DFRWS 2008 in Baltimore!!!

CERT Virtual Training Environment

Recently at DFRWS, the PDT Forensics team at CERT made me aware of the CERT Virtual Training Environment. The VTE provides training and lab material in the areas of forensics, incident response, and information assurance. This information is available online in the form of short video tutorials and labs. All of the training has also been transcribed so it can be easily searched. The VTE provides a useful resource and I recommend checking it out and seeing if they have anything you find interesting. Richard and his team are working really hard to make this a valuable resource for the community.

We are considering collaborating with the CERT PDT Forensics team to create some tutorials related to volatile memory analysis. These tutorials would then be made available via the VTE. If there is something you would like to see in a quick tutorial video or training lab, let us know!

Thursday, August 9, 2007

Black Hat USA 2007

I just returned back from Black Hat and I wanted to give an update in case you weren't able to attend. There were a number of really good talks this year and I was able to catch up with a lot of old friends.

One of my favorite talks of the conference was "Smoke'em Out!" by Rohyt Belani and Keith Jones. In this talk, they discussed the challenges involved in performing digital investigations when dealing with malicious insiders. This talk was particularly interesting because they discussed these issues within the context of real-world investigations they conducted. Both Rohyt and Keith are extremely knowledgeable and are also engaging presenters. Take advantage of any opportunity you have to hear these gentlemen present!! On the same note, if you are looking for e-discovery and incident response services, I highly recommend Jones Rose & Dykstra Associates! They are really good people and I enjoyed the opportunity to finally meet these guys.

Unfortunately, I was unable to attend the talk "Breaking Forensics Software: Weaknesses in Critical Evidence Collection" by Chris Palmer, Tim Newsham, and Alex Stamos. I heard from a number of people that this was a very interesting talk and made a number of valid points about the assumptions that are built into forensics products. I agree with the fact that more work needs to be done on improving the robustness of forensic tools. Most forensic tools inherently trust the data being analyzed. In the Volatools paper, we emphasized that many of the tools being designed for volatile memory analysis also do not consider the malicious adversary and are susceptible to a number of data hiding techniques. This talk is an important reminder that we cannot depend entirely on the results of a single tool and that tools need to be designed with the malicious adversary in mind.

The final briefing that I want to discuss is "Black Out: What Really Happened" by Jamie Butler and Kris Kendall. Some of you may have heard that I had gotten a little upset at the end of the talk and I thought I would take this opportunity to let you know "What Really Happened". Let me begin by saying that none of my comments were directed towards Kris Kendall and I apologize to him if he took offense to them. I have never had the pleasure of meeting Kris but I have heard from mutual friends that he is a good guy.

This briefing began by discussing the basics of code injection. First, Kris discussed the techniques for performing user mode injection and how these techniques were used in tools such as Metasploit and Poison Ivy. Next Jamie discussed how to perform "kernel process injection". Much of this material is the same that is presented in many rootkit classes and books. After the primer on code injection techniques, Jamie proceeded to present about "Memory Analysis". He began by discussing how APIs can be subverted and the importance of memory analysis. Then he proceeded to relate what he believes are requirements for performing memory analysis. During this time he also made a number of claims about the functionality that his new tool provides. Then he discussed a number of "patent pending" techniques for determining the operating system version and detecting injected DLLs. Then he finally performed a demo detecting an injected DLL using the Virtual Address Descriptors. A "patent pending" technique!!

Let me briefly discuss the issues that I had with the "Memory Analysis" part of the presentation. First, the slides contain no references to any of the prior research that has been done in this area within the last four years, despite the fact that Black Hat requires it. Many of the "patent-pending" techniques are based on techniques that can be found in open source projects and published research. Despite what was claimed, I can prove this work was not done in parallel. He declined the challenge to demonstrate the capabilities he claimed in the presentation. The more I think about this situation, the more it makes me think back to a blog post. Similar to the author of that blog post, I would not purchase nor trust forensics tools written by those who have a vested interest in the continuation of the problem.

See you at DFRWS!!

Wednesday, August 1, 2007

Announce: Volatility Framework 1.1.1

The Volatile Systems team is pleased to announce:

The volatile memory extraction utility framework:
Volatility Framework 1.1.1

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) images. The extraction techniques are performed completely independently of the system being investigated but still offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory images and to provide a platform for further research into this area.

Volatility 1.1.1 currently supports investigations of Microsoft Windows XP Service Pack memory images and provides the following extraction capabilities:
  • Image date and time
  • Running processes
  • Open network sockets
  • Open network connections
  • DLLs loaded for each process
  • Open files for each process
  • OS kernel modules
  • Mapping physical offsets to virtual addresses (strings to process mapping)
  • Virtual Address Descriptor information
  • Scanning examples: processes, threads, sockets, connections

Download the Volatility Framework at:


Recent Changes:
  • Constraint based linear scanning framework. New modules include psscan, thrdscan, sockscan, connscan. Inspired by the work of Andreas Schuster.
  • Virtual Address Descriptor modules: vadinfo, vaddump, vadwalk. Based on the research of Brendan Dolan-Gavitt to be presented at DFRWS 2007.
  • Completely open source (No third-party closed source dependencies)
  • Auto-identification speed enhancements
  • Bug fixes in network and socket modules
  • Symbol dependencies removed
  • Multiprocessor support
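As an added illustration of the constraint-based linear scanning idea behind psscan (example code written for this post, not Volatility's own implementation): the scanner walks a physical-memory buffer at pool-allocation alignment and only reports an offset when every constraint on the pool header and the object's dispatcher header holds, which is what lets it recover unlinked or terminated processes without relying on the kernel's process list. The pool-header, dispatcher-header and _EPROCESS offsets below are assumed 32-bit XP SP2 values in the style of Schuster's signatures, and the memory image is constructed inline.

```python
import struct

# Assumed 32-bit XP SP2 constants (illustrative, not taken from this post):
POOL_TAG = b"Pro\xe3"            # "Proc" with the protected-allocation bit set
BLOCK_SIZE = 0x4c                # pool block size in 8-byte units (sizeof(_EPROCESS)+header)
DISP_TYPE, DISP_SIZE = 3, 0x1b   # _DISPATCHER_HEADER Type/Size of a process object
PID_OFF, NAME_OFF = 0x84, 0x174  # UniqueProcessId / ImageFileName inside _EPROCESS
EPROCESS_LEN = 0x258

def make_process_block(pid, name, pool_type=2, disp=(DISP_TYPE, DISP_SIZE)):
    """Build a constructed pool allocation holding a fake _EPROCESS."""
    hdr = struct.pack("<HH4s", 0, BLOCK_SIZE | (pool_type << 9), POOL_TAG)
    body = bytearray(EPROCESS_LEN)
    struct.pack_into("<BBH", body, 0, disp[0], 0, disp[1])   # Type, Absent, Size
    struct.pack_into("<I", body, PID_OFF, pid)
    body[NAME_OFF:NAME_OFF + 16] = name.encode().ljust(16, b"\0")
    return hdr + bytes(body)

def psscan(buf):
    """Linear scan of a physical-memory buffer, applying each constraint in turn."""
    hits = []
    for off in range(0, len(buf) - (8 + EPROCESS_LEN) + 1, 8):  # 8-byte pool alignment
        if buf[off + 4:off + 8] != POOL_TAG:                     # constraint 1: pool tag
            continue
        _, sizes = struct.unpack_from("<HH", buf, off)
        if sizes & 0x1ff != BLOCK_SIZE or (sizes >> 9) == 0:     # 2: block size, allocated
            continue
        obj = off + 8
        dtype, _, dsize = struct.unpack_from("<BBH", buf, obj)
        if (dtype, dsize) != (DISP_TYPE, DISP_SIZE):              # 3: dispatcher header
            continue
        pid = struct.unpack_from("<I", buf, obj + PID_OFF)[0]
        name = buf[obj + NAME_OFF:obj + NAME_OFF + 16].split(b"\0", 1)[0].decode()
        hits.append((off, pid, name))
    return hits

def build_sample_image():
    """Constructed 'physical memory': filler, two live-looking processes, two decoys."""
    filler = b"\x00" * 0x100
    return (filler + make_process_block(4, "System") + filler
            + make_process_block(1234, "svchost.exe")
            + make_process_block(999, "freed.exe", pool_type=0)     # freed block: PoolType 0
            + make_process_block(777, "bogus.exe", disp=(3, 0x20))  # wrong dispatcher size
            + filler)

if __name__ == "__main__":
    for off, pid, name in psscan(build_sample_image()):
        print(f"0x{off:08x}  pid={pid:<6} {name}")
```

Only the two blocks that satisfy all three constraints are reported; the freed allocation and the block with a wrong dispatcher header are skipped even though they carry the right pool tag.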


The Volatile Systems team