Thursday, January 31, 2008

Commercial Support for Volatility!

While at DoD Cyber Crime last week, numerous members of the Volatility community made me aware of a company attempting to spread misinformation about Volatility. It was broadly suggested that there was no support being offered for Volatility. The goal behind the open development of Volatility was to bring together systems researchers who believed in bettering the state of the digital forensics community. One way that we have been able to continue this open development is by offering customizations and support.

Volatile Systems, LLC has been providing commercial support and maintenance for Volatility (and our other products) for the past 8 months. In fact, one of the main reasons Volatile Systems, LLC formed was to support the forensics needs of our users who required commercial support contracts. The added benefit of our commercial support contracts is that you are not only getting guaranteed support and access to our team of unparalleled memory analysts, but you are also actively contributing back to the volatile memory analysis community by allowing us to continue the open development of Volatility.

At this point, we also decided to extend a new offer to those who may be considering spending the thousands of dollars to purchase one of those other commercial products, as they become available. If you are considering investing in one of those products because you think it provides extraction functionality not currently supported in Volatility, contact us and let us know! In most cases, we would be more than willing to use those funds to build you custom modules providing the same capabilities you desire but tailored to your exact needs. In addition, we would provide you access to the source code, training on how to use the modules, and share information on how they were developed. As we have learned from our experience performing volatile memory analysis, the most valuable thing is often not the tool but the experience and training of the analyst. Knowledge is power!

On a tangential note, it was encouraging to get all the positive feedback about Volatility at the conference. We are committed to this growing open community of volatile memory analysts and we are highly appreciative of their support. I also wanted to extend a special thanks to the Volatility community for keeping me updated on this evolving issue. Little do they know, the Order of Volatility is everywhere!

Sunday, January 20, 2008

They are playing you for a fool!

I have talked about this issue before, but based on a number of conversations I had last week at Cyber Crime, I felt it was worth bringing up again. Every time this issue comes up, it reminds me of one of my favorite blog posts, which talks about the ethical conflict in the rootkit community. I also recently came across this blog post from my former advisor, Spaf, which I found relevant as well.

One of the main reasons why I dedicated myself to researching volatile memory analysis was the fact that the offensive communities and projects were flourishing. As a result, the sophistication of methods and accessibility to knowledge was continuing to grow unabated in the offensive community. At the time, I felt we drastically needed to have a similar revolution in the defensive community: a way of bringing together strong systems researchers who were interested in securing our infrastructure.

Based on the research we were doing at the time, I knew that volatile memory analysis would be an important component of securing those systems and had the potential to disrupt much of the offensive research being performed. As a result, members of our project have spent a great deal of time over the last couple of years writing research papers, giving talks, educating, and developing an open source architecture, in order to inspire research and increase the communal knowledge of the investigative community. In the process, we have had over 20 different contributors from multiple countries across the world. This includes contributions from numerous law enforcement and forensic agencies. In fact, I have been contacted by many universities that are now, or soon will be, using Volatility in their digital forensic courses.

It seems that the work being done in the live memory analysis community has also been successful at getting the attention of the offensive community (esp. rootkit). In fact, they have attempted many times in the last couple of years to disrupt the communal aspects of these projects. They began by trying to convince people that volatile memory analysis wouldn't work and was ineffective. Their methods changed last year, when they began trying to deceptively patent techniques that members of the volatile memory analysis community had already presented at conferences. Recently, I have learned that they are now trying to use their companies as real-life Trojan horses to undermine and divide the open nature of the volatile memory analysis community. They are now trying to sell the techniques they had previously argued were ineffective, once again trying to capitalize on the problem they created.

Let's consider the following analogy:

Sadly, your child has been struggling with drug addiction for a number of years. He was recently busted by the police and mandated by the court to attend drug rehabilitation. Your child's drug dealer was a notorious individual by the name of B.S. Hary. B.S. Hary has never hidden the fact that he sells drugs and, in fact, even wrote a book and teaches classes about advanced drug dealing techniques. He often flaunts his drug dealing in the face of local law enforcement, who are overburdened dealing with the myriad of drug dealing pupils B.S. has released on the streets. As a result, B.S. Hary's drugs and drug dealing techniques account for the majority of the drug problem currently faced by your community.

Recently, B.S. became concerned about the popularity of drug rehabilitation in pop culture. On the one hand, he realized that rehabilitation could be bad for business, but he also figured there was a lot of money to be made in rehabilitation. As a result, he decided that he could not sit idly by and watch his drug business be swept out from under him, so he formulated a plan. He decided to capitalize on the rehabilitation market while undermining its effectiveness by starting his own rehabilitation company called Addiction Responder. B.S. Hary even had the brazenness to open Addiction Responder right next door to his crack house.


B.S. Hary is hoping to play the community for a fool!

As a parent, would you be willing to send your child to the Addiction Responder clinic? Knowing that Addiction Responder is run by a notorious drug dealer, do you think the court would be willing to trust a report that acknowledges your child's successful completion of its drug rehabilitation program? Knowing that the owner of Addiction Responder has a crack house right next door to the clinic, do you think the court would have faith in the fidelity of Addiction Responder's rehabilitation capabilities? Knowing that B.S. sells manufactured drugs out of the crack house right next door, would you be willing to ingest his magic rehabilitation pills? Knowing that the money you give to Addiction Responder for rehabilitation will be used to further his drug cartel, will you be willing to help fund the problem that is tormenting both your family and your community?

Your child's current drug dealer wants to perform his rehab.
You said, no, no, no!


On that note, it seems utterly absurd to me that anyone would consider buying volatile memory (RAM) forensics tools from an organization that freely admits to having armed, and continues to arm, the enemy with "technology being used to evade forensics and response today." As a taxpayer, I'm not happy to see that all the government funding they have received for research and development has contributed to the majority of the rootkits currently found on the Internet today. As a person involved in forensic investigations, I would not want to be the person responsible for presenting those tools or results in court.

Defense Attorney: Is it true that developers of this "investigation" tool are responsible for the techniques found in the majority of rootkits found on the Internet today?
Forensic Examiner: Yes.
Defense Attorney: Is it true that the makers of this tool also sell "undetectable" software agents that allow people to secretly spy on a person's or company's computers (similar to malware or spyware)?
Forensic Examiner: Yes.
Defense Attorney: Do the developers of this software also develop tools to exploit software, cheat at online games, and build rootkits?
Forensic Examiner: Yes.


One of the most important things that I have learned from the forensics and digital investigation communities is that the integrity and trust that can be placed in the collected evidence is often the most important standard. I have been confronted with many situations where we have had to forgo certain types of evidence, because it had the potential to compromise the integrity of the investigation and/or case. How would you like to walk into court knowing that the evidence you collected and analyzed will immediately be called into question and, as a result, ruin the case? What happens when the malware you are investigating, as part of an incident, was written by the same people who wrote your forensic tool? Can you trust that they weren't involved?

The question is, are you willing to listen to B.S. and be played the fool?

And you wonder why I'm angry.....

Friday, January 4, 2008

PyFlag Using the Volatility Framework!

It was only a matter of time....

In case you might have missed it during the holidays, the latest version of PyFlag now leverages the Volatility Framework to add volatile memory analysis (RAM Forensics) to its outstanding list of capabilities. This makes PyFlag the first and only publicly available tool that allows the digital investigator to correlate disk images, log files, network traffic, and RAM captures all within an intuitive interface. While the current functionality is still preliminary, just imagine the possibilities!

Since PyFlag loads memory images through its standard IO source interface, it is also now possible to store your memory images using the EWF format, commonly used in commercial tools. Once the memory image is uploaded to PyFlag, information can either be accessed through a browseable /proc interface or through the Stats view. Michael Cohen and his team have provided a tutorial and image to get you started.






As I mentioned in a previous post, a special thanks to Europol for bringing our teams together through the High Tech Crime Expert Meeting. I also want to thank Michael Cohen for the great work he has done with PyFlag and his contributions to Volatility! Stay tuned for further exciting collaborations and future Volatility releases in 2008!