Blog
Current and archived posts related to Volatility as published by the Volatility Foundation.
The 12th Annual Volatility Plugin Contest is Open!
The Volatility Plugin Contest is officially open for submissions! This is your opportunity to directly contribute to the open source forensics community and put groundbreaking capabilities into the hands of digital investigators. Gain industry-wide visibility for your work, contribute to an...
In-person Malware & Memory Forensics Training on Volatility 3!
We are very excited that, for the first time, we are hosting an in-person, public offering of our popular Malware and Memory Forensics Training focused solely on Volatility 3! This training takes place October 22–25, 2024, in Arlington, VA. Volatility 3 was designed from the ground up to meet the...
The 2023 Volatility Plugin Contest results are in!
Results from the 11th Annual Volatility Plugin Contest are in! We received 9 submissions that included 27 plugins, 3 translation layers, and 2 supporting utilities; and submissions came in from 7 different countries, including some from each of last year’s winners! Contest submissions included a...
Memory Forensics R&D Illustrated: Recovering Raw Sockets on Windows 10+
As mentioned in a recent blog post, our team is once again offering in-person training, and we have substantially updated our course for this occasion. Our next offering will be in Amsterdam in October 2023. To showcase our team’s new research, we are publishing a series of blog posts to offer a...
The 11th Annual Volatility Plugin Contest
[The 11th Annual Volatility Plugin Contest is now closed!] The Volatility Plugin Contest is an excellent opportunity to put groundbreaking capabilities into the hands of investigators and contribute to the open source forensics community. Since its inception, the contest has encouraged research...
Malware and Memory Forensics Training Headed to Amsterdam in October 2023!
We are very excited to announce the next public offering of our Malware and Memory Forensics with Volatility training course! This fall, our course will be held in Amsterdam on Monday, October 2, through Friday, October 6. Course content was recently updated with a significant amount of new...
Memory Forensics R&D Illustrated: Detecting Hidden Windows Services
As mentioned in a recent blog post, our team is once again offering in-person training, and we have substantially updated our course for this occasion. Over the next several weeks, we will be publishing a series of blog posts, offering a sneak peek at the types of analysis incorporated into the...
The 2022 Volatility Plugin Contest results are in!
Results from the 10th Annual Volatility Plugin Contest are in! There were 8 submissions this year, including submissions from 2 contestants from previous years who have continued to build on their previous work. Submissions included updates to graphical interfaces, plugins to detect Linux...
The Return of In-Person Volatility Malware and Memory Forensics Training!
We are excited to announce that we are resuming our in-person Malware and Memory Forensics with Volatility training course! From Fall 2012 until Spring 2020, this course ran multiple times a year and taught hundreds of students how to apply memory forensics to their incident response and malware...
The 10th Annual Volatility Plugin Contest!
This year not only marks 15 years since the first public release of Volatility, we are also excited to announce the 10th annual Volatility Plugin Contest is now open! Submissions will be accepted until December 31, 2022. Volatility Plugin Contest The 2022 Volatility Plugin Contest is...
The 2021 Volatility Plugin Contest results are in!
Results from the 9th Annual Volatility Plugin Contest are in! And this year, there were 7 submissions from 7 different countries! Submissions included a new web interface, a new address layer, 6 updates to existing plugins, and 15 new Volatility 3 plugins. Once again, we would like to thank the...
Malware and Memory Forensics Training in 2022!
Over the last few months, we have received many questions about when our Malware and Memory Forensics training would return to in-person learning. Given that a new year is nearly here, and the rate of inquiries has continued to increase, we wanted to document our plans going forward in a publicly...
Memory Forensics R&D Illustrated: Detecting Mimikatz’s Skeleton Key Attack
In this blog post, we are going to walk you through the research and development process that leads to new and powerful memory analysis capabilities. We are often asked about what this workflow looks like, and how the abuse of an API by malware or a new code injection technique can be successfully...
The 9th Annual Volatility Plugin Contest!
The 9th annual 2021 Volatility Plugin Contest is now open! We will be accepting submissions until December 31, 2021. Volatility Plugin Contest: As in previous years, the 2021 Volatility Plugin Contest encourages research and development in the field of memory analysis. Your...
Highlighting Research from the Next Generation of Memory Forensics Practitioners
Nearly 2 years ago, we published a blog post about our collaboration with Dr. Golden G. Richard III at the Louisiana State University (LSU) Center for Computation and Technology (CCT). We are very happy to report that this collaboration is still going strong, has been a huge success, and has...
Malware and Memory Forensics Training Goes Virtual!
We are very excited to announce that our popular Malware and Memory Forensics with Volatility training is now available in a self-paced, online format! Brought to you by members of the Volatility Team, this course gives you the opportunity to learn directly from the people behind the research and...
The 2020 Volatility Plugin Contest results are in!
We would like to begin by thanking the participants for their hard work and contributions to Volatility. It’s always exciting to see continued innovation in the field of memory forensics from research teams across the globe! Despite the challenges of this unprecedented year, we had 8 submissions,...
When Anti-Virus Engines Look Like Kernel Rootkits
While analyzing real-world systems, memory analysts will often encounter anti-virus (AV) engines, EDRs, and similar products that, at first glance, look suspiciously like malware. This occurs because these security products leverage the same techniques commonly employed by malware—such as API...
The 8th Annual Volatility Plugin Contest!
We are excited to announce that the 8th annual 2020 Volatility Plugin Contest is now accepting submissions until October 1, 2020! Winners will receive over 3750 USD in cash prizes! Volatility 3 The 2020 Volatility Plugin Contest encourages research and development in the field...
Results from the 2019 Volatility Contests are in!
We would like to begin by thanking the participants in this year’s contests! This was one of the hardest years for our panel of judges since it had so many outstanding submissions. In the Plugin Contest, there were 11 submissions, which included over 30 new plugins across 3 operating systems. It...
Announcing the Volatility 3 Public Beta!
The Volatility Team is very excited to announce the first public beta release of Volatility 3! We presented this beta for the first time to OSDFCon attendees and received a very warm reception both during and after our presentation. As always, we are very grateful to our community for the...
Volatility Malware and Memory Forensics Training in 2020!
We are excited to announce that in 2020 we will have 4 public offerings of our highly popular Malware and Memory Forensics training course. These offerings include: March 9-13, San Diego, CA; April 20-24, Herndon, VA; September 21-25, Amsterdam, NL; October 19-23, Herndon, VA [Date...
Helping to Build the Next Generation of Memory Forensics Researchers and Practitioners
The Volatility Foundation strives to help build and enhance the memory forensics field. This includes funding and supporting the Volatility Plugin and Analyst Contests, sponsoring conferences significant to the open source digital forensics community, such as OSDFCON and BSidesNOLA; and...
The 7th Annual Volatility Plugin Contest & the 2nd Annual Volatility Analysis Contest!
It’s that time again! We are happy to announce that the 2019 Volatility Plugin Contest and the 2019 Volatility Analysis Contest are now accepting submissions until October 1, 2019. Winners of each contest will be receiving over 2500 USD in cash prizes and, of course, the highly coveted Volatility...
Malware and Memory Forensics Training in 2019!
We are excited to announce that in 2019 we will have 3 public offerings of our highly popular and newly updated Malware and Memory Forensics training course. If you would like to join us, our international course will be in London in September, and our US course will be back in...
Results from the 2018 Volatility Contests are in!
Let’s begin by thanking all of the participants in this year’s contests! This year we hosted the 6th Annual Volatility Plugin Contest, and we introduced the Inaugural Analysis Contest. We were encouraged to see submissions from our community members around the globe. As in previous years of the...
The 6th Annual Volatility Plugin Contest and the Inaugural Volatility Analysis Contest!
We are excited to announce that the 2018 Volatility Plugin Contest and the 2018 Volatility Analysis Contest are now accepting submissions until October 1, 2018. Winners of each contest will be receiving over $2500 in cash prizes and the highly coveted Volatility swag (t-shirts, stickers, etc.)!...
Malware and Memory Forensics Training Headed to Herndon and Amsterdam!
After another highly successful year of our Malware and Memory Forensics training, which included sold-out public trainings in Herndon, VA and London as well as several private trainings, we are excited to announce our lineup of public trainings for 2018. Our first offering will be back in...
Results from the (5th Annual) 2017 Volatility Plugin Contest are in!
Congratulations to all the participants! This year's contest resulted in a ton of new and exciting functionality available to law enforcement agents, DF/IR practitioners, malware analysts, and researchers around the globe, which can immediately be transitioned into their workflows. That's the...
Our Newly Updated Memory Forensics and Malware Analysis Course is Headed to Herndon and London!
As we head into summer, we wanted to let everyone know that for 2017 we only have two remaining public offerings of our highly popular and newly updated Malware and Memory Forensics training course. If you would like to join us, our international course will be in London during the week...
The (5th Annual) 2017 Volatility Plugin Contest is Live!
It's that time again, folks! The 2017 Volatility Plugin contest is now live and accepting submissions until October 1st, 2017. Winners of this year's contest will be receiving over $2,250 in cash prizes as well as plenty of Volatility swag (t-shirts, stickers, mugs, sync stops, etc)....
The Release of Volatility 2.6
This release improves support for Windows 10 and adds support for Windows Server 2016, Mac OS Sierra 10.12, and Linux with KASLR kernels. A lot of bug fixes went into this release as well as performance enhancements (especially related to page table parsing and virtual address space scanning)....
Results from the 2016 Volatility Plugin Contest are in!
Congratulations to all the participants! This year we received more submissions than ever before (21 to be exact, from 16 different authors), so judging took longer than we expected. Sorry about that! The good news is...there's a LOT of new and exciting functionality available to law enforcement...
Volatility Update: Core team is growing!
Next year marks the 10-year anniversary of the first public release of Volatility! This would not have been possible without the friendship and support of the amazing Volatility Community. One of the original goals of Volatility was to create a project that would help bring together technical talent...
Malware and Memory Forensics 2017 Schedule (Now with Linux, Mac, and Surge Collect Pro)
Our most popular training course just got even better! We're happy to announce the curriculum for Malware and Memory Forensics by The Volatility Project now includes the following: Linux and Mac OS X memory analysis; Windows memory acquisition with Volexity Surge Collect Pro; several new and...
Automating Detection of Known Malware through Memory Forensics
In this blog post, we will cover how to automate the detection of previously identified malware through the use of three Volatility plugins along with ClamAV. Although this walk-through primarily focuses on Windows memory samples, at the end we explain how to port the approach to Linux and OS X...
Memory Forensics Across the Enterprise – *Beta*
I would like to let you know about a *Beta* course opportunity that I’m hosting this summer. The Beta course, Memory Forensics Across the Enterprise - Beta, is offered at a discounted rate exclusively to those who have completed our first course, Windows Malware and Memory Forensics. This course...
Windows Malware and Memory Forensics Training coming to NYC, Amsterdam, and Reston!
We're excited to announce the dates and locations for three new public offerings of Windows Malware and Memory Forensics Training by The Volatility Project. The following courses are now open for registration: June 27th - July 1st in NYC; August 29th - September 2nd in Amsterdam; October 3rd - 7th...
Airbnb Donates $999 to the 2016 Volatility Plugin Contest!
Thank you to Airbnb for donating $999 to the 2016 Volatility Plugin Contest and their continued support for open source memory forensics development. When we announced the contest a couple days ago, the cash prizes for the top three contest winners were $1500, $500, and $250. In light of...
The 2016 Volatility Plugin Contest is now live!
This is a quick update to announce that the 2016 Volatility Plugin contest is now live and accepting submissions until October 1st. Winners of this year's contest will be receiving over $2,000 in cash prizes as well as plenty of Volatility swag (t-shirts, stickers, mugs, sync stops,...
Guest Post: Martin Korman (VolatilityBot – An Automated Malicious Code Dumper)
This is a guest post from Martin Korman, author of VolatilityBot. Lately, I've found myself manually unpacking different versions of the same malware in order to perform static analysis with IDA and BinDiff. Therefore, I've decided to write a small system that will automate the entire process –...
PlugX: Memory Forensics Lifecycle with Volatility
At OSDFCon last week, we discussed a case study showing how we identified manipulated memory artifacts in an infected environment. We were then able to rapidly introduce new capabilities to Volatility that could be used proactively in other environments. The presentation (hosted on prezi) takes...
Results from the 2015 Volatility Plugin Contest are in!
The competition this year was fierce! We received 12 plugins to the contest. Similar to last year, ranking the submissions was one of the hardest things we’ve had to do. Each plugin is unique in its own way and introduces a capability to open source memory forensics that didn’t previously...
Volatility Updates Summer 2015
Summer 2015 has been quite a busy time for the memory forensics community. We wanted to write a quick update to talk about some recent events and research as well as upcoming news. Conferences Black Hat Vegas 2015 We wanted to again thank everyone who came out and supported us during Black Hat....
Recovering TeamViewer (and other) Credentials from RAM with EditBox
I recently stumbled upon the TeamViewer-dumper-in-CPP project, which shows just how easy it is to recover TeamViewer IDs, passwords, and account information from a running TV instance by enumerating child windows (on a live machine). The method is based on sending a WM_GETTEXT message to the TV...
The 2015 Volatility Plugin contest is now live!
This is a quick update to announce that the 2015 Volatility Plugin contest is now live and accepting submissions until October 1st. Winners of this year's contest will be receiving over $2,000 in cash prizes as well as plenty of Volatility swag (t-shirts, stickers, etc.). The purpose of the...
Volatility at Black Hat USA & DFRWS 2015!
Due to another year of open research and giving back to the open source community, Volatility will have a strong presence at both Black Hat USA and DFRWS 2015. This includes presentations, a book signing, and even a party! At Black Hat, the core Volatility Developers (@4tphi, @attrc, @gleeda,...
Volshell Quickie: The Case of the Missing Unicode Characters
The other day someone reached out to me because they had a case that involved files with Arabic names. Unfortunately the filenames were only question marks when using filescan or handles, so I set out to figure out why. In order to figure out why, I created a few files with Hebrew names...
Using mprotect(.., .., PROT_NONE) on Linux
After deciding to revisit some old code of mine (ok, very old), I realized that there was something different about how Linux was allocating pages of data I wanted to hide. At first, I was glad that I couldn’t see the data using yarascan, but then I realized that I was...
Windows Malware and Memory Forensics Training in the UK
Windows Malware and Memory Forensics Training by The Volatility Project is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of...
Advice from Det. Michael Chaves on Memory Forensics, KnTDD, and POS Malware
The following story was shared by Detective Michael Chaves. It describes how he's used Volatility, KnTDD, and memory forensics over the past year to investigate POS breaches at local businesses. Kudos to Michael for applying his skills in an effective and meaningful way, then taking the time to...
Incorporating Disk Forensics with Memory Forensics – Bulk Extractor
In this post we will take our first look at a tool that is primarily used for disk forensics and show how it can be useful during memory forensics analysis as well. In the coming weeks we will have several follow on posts highlighting other tools and techniques. Background As you are likely aware,...
Acquiring Memor(ies) from 2014
2014 is extremely volatile. Any minute now, it will be gone. Thus, we wanted to take a minute and preserve some of the more exciting memories. Specifically, we wanted to summarize how the memory forensics field and Volatility community has progressed this year. Volatility 2.4 was released - our...
Announcing the 2014 Volatility Plugin Contest Results!
The competition this year was fierce! We received a total of nearly 30 plugins to the contest. Ranking the submissions was one of the hardest things we’ve had to do. Each plugin is unique in its own way and introduces a capability to open source memory forensics that didn’t previously exist....
Memory Forensics Training in Amsterdam
We are excited to announce that the next Europe-based Malware and Memory Forensics Training by The Volatility Project will take place in Amsterdam (August 31st - September 4th, 2015). Our last class in Amsterdam sold out, so sign up early to reserve your seat. You can register by sending an email...
Windows Malware and Memory Forensics Training in April and May 2015
We’re excited to announce the dates and locations for two new public offerings of Windows Malware and Memory Forensics Training by The Volatility Project. The following courses are now open for registration: December 8th – 12th, 2014 in Austin, TX; January 12th – 16th, 2015...
The Volatility Foundation: Fighting for Open Source Forensics
We are excited to announce that the Volatility Foundation was officially granted 501(c)(3) status by the IRS and the application was approved in less than a year. This comes as great news when you consider the recent “BOLO” list controversies and the Yorba situation. We believe this is...
Detective Michael Chaves Shares A Memory Forensics Success Story
Detective Michael Chaves from the Monroe CT Police Department shares the following story regarding his experiences with Memory Forensics, Volatility Training, KnTTools, and POS breaches. Michael was also recently quoted in Brian Krebs' article Card Wash: Card Breaches at Car Washes for the key...
Volatility 2.4 at Blackhat Arsenal – Defeating Truecrypt Disk Encryption
This video shows how to use Volatility’s new TrueCrypt plugins to defeat disk encryption on suspect computers running 64-bit Windows 8 and Server 2012. The video is narrated by Apple's text-to-speech and you can find the actual text on the YouTube page. The live/in-person demo was given at the...
Facebook Donation Doubles the Volatility Plugin Contest Prizes
As mentioned earlier this week, we have a very exciting announcement to share. One of the primary reasons we extended the deadline for the 2014 Volatility Plugin Contest to October 1st is due to an extremely generous donation from Facebook. Facebook's sponsorship doubles the total cash prizes from...
Heads Up! 2014 Volatility Plugin Contest Deadline Extended!
Good news folks. Due to a very exciting and unexpected development, we're extending the deadline for the 2014 Volatility Plugin Contest to October 1st, 2014. This not only gives you an extra month to work on your plugins, but the reason for the extension (to be announced later this week) will...
Volatility 2.4 at Blackhat Arsenal – Reverse Engineering Rootkits
This video demonstrates how you can leverage Volatility and memory forensics to detect kernel rootkits, assist with reverse engineering, and use the results for developing additional indicators. The video is narrated by Apple's text-to-speech and you can find the actual text on the YouTube page....
Volatility 2.4 at Blackhat Arsenal – Tracking Mac OS X User Activity
This demo shows how to track Mac OS X user activity by examining artifacts in physical memory with Volatility. The video is narrated by Apple's text-to-speech and you can find the actual text on the YouTube page. The live/in-person demo was given at the @Toolswatch Blackhat...
New Volatility 2.4 Cheat Sheet with Linux, Mac, and RTFM
Our Windows Malware and Memory Forensics Training class is intense and rigorous, because it's designed to reflect real world investigations. When you have a limited amount of time and you're being pressured for reliable answers - every minute counts. Sometimes you just gotta cheat...and when you...
New Paper: In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux
A research paper (slides here: dfrws.org/2014/proceedings/presentations/DFRWS2014-p1.pdf) that I worked on with Golden G. Richard was recently published at DFRWS 2014 (dfrws.org/2014/program.shtml) and received the Best Paper award! The paper, In Lieu of Swap: Analyzing Compressed RAM in...
Presenting Volatility Foundation Volatility Framework 2.4
The release of this new Volatility version coincides with the publication of The Art of Memory Forensics. It adds support for Windows 8, 8.1, 2012, and 2012 R2 memory dumps, Mac OS X Mavericks (up to 10.9.4), and Linux kernels up to 3.16. New plugins include the ability to extract cached Truecrypt...
Art of Memory Forensics Picture Contest Winners!
If we were running a book picture contest, these would be the winners. Keep in mind, we actually do have a contest brewing where you can win large cash prizes and/or free training, Volatility swag, etc. The following "retro cover" was submitted by Didier Stevens (@DidierStevens). The following...
Announcing Windows Malware and Memory Forensics in Austin, San Francisco, and Brazil!
Along with the release of The Art of Memory Forensics, we are very happy to announce that we now have the following new Malware and Memory Forensics trainings scheduled: Australia - August 25th - 29th, 2014 (nearly full); Reston - October 6th - 10th, 2014 (nearly full); Austin -...
Volatility at Black Hat USA & DFRWS 2014
Due to another year of open research and giving back to the open source community, Volatility will have a strong presence at both Black Hat USA and DFRWS 2014. This includes presentations, a book signing, and even a party! At Black Hat, the core Volatility Developers (@4tphi, @attrc, @gleeda,...
Volatility – Update All The Things
The Art of Memory Forensics Our book is cleared for release at the Blackhat USA conference this August. You can preorder hard copies and Kindle editions on Amazon now. Huge thanks to our publisher, Wiley, for allowing us to exceed 900 pages after we initially estimated 650...without raising...
Volatility Memory Forensics and Malware Analysis Training in Australia!
We are happy to announce that our popular Memory Forensics and Malware Analysis Training course is going to be held in Canberra, Australia in August. This is our first offering in Australia, and we are already extremely excited to have a great training session full of inquisitive and enthusiastic...
Building a Decoder for the CVE-2014-0502 Shellcode
In late February of this year multiple security companies (FireEye, AlienVault, SecPod, Symantec, plus many more) were reporting on a Flash zero-day vulnerability (CVE-2014-0502) being exploited in the wild. Around this time a friend asked me if I could reverse the exploit and its...
Training by The Volatility Project Now Available In Three Continents!
The Volatility Team is very happy to announce that we have a new website (http://www.memoryanalysis.net) and a number of upcoming training courses this year. With opportunities across three different continents, it's now easier than ever before to learn about the most exciting realms of...
ADD: The Next Big Threat To Memory Forensics….Or Not
Similar to a rootkit, an anti-forensics tool or technique must possess two critical traits in order to be significant: 1. It must do something 2. It must get away with it Satisfying #1 is the easy part. You can hide a process, hide a kernel module, or in the case of ADD – create fake, decoy...
Malware Superlatives: Most Likely to Cry s/Wolf/Crocodile/
As a young boy once learned, it's bad to cry wolf. It's not necessarily bad to cry crocodile, but the authors of Blazgel decided to do it anyway. Blazgel is a kernel rootkit that hooks various SSDT entries and has some backdoor capabilities. When I first saw it hooking (...
Comparing the Dexter and BlackPOS (Target) RAM Scraping Techniques
Up until yesterday when Brian Krebs wrote A First Look at the Target Intrusion, Malware, there weren't many details about the involved code. Now that it's out there, I thought it might be interesting to see how the "RAM scraping" feature worked in comparison to the Dexter malware. As it turns...
TrueCrypt Master Key Extraction And Volume Identification
One of the disclosed pitfalls of TrueCrypt disk encryption is that the master keys must remain in RAM in order to provide fully transparent encryption. In other words, if master keys were allowed to be flushed to disk, the design would suffer in terms of security (writing plain-text keys to more...
The Secret to 64-bit Windows 8 and 2012 Raw Memory Dump Forensics
Those of you who attended OMFW 2013 received a talk on Windows 8 and Server 2012 memory forensics with Volatility. One of the interesting aspects of this new operating system, which includes 8.1 and 2012 R2, is that the kernel debugger data block (_KDDEBUGGER_DATA64) is encoded by...
The Art of Memory Forensics
By now, some of you may have realized that The Art of Memory Forensics is available for pre-order on Amazon. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory This book is written by 4 of the core Volatility developers - Michael Ligh (@iMHLv2), Andrew...
2014 Malware and Memory Forensics Training Schedule Part 2
The Volatility Team would like to announce that our first public training on the East Coast for 2014 will take place in New York City on May 5th - 9th, 2014. Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda) To request a link to the online registration site or to...
Volatility 2.3 Released! (Official Mac OS X and Android Support)
The Volatility Foundation is thrilled to announce the official release of Volatility 2.3! While the main goal of this release was Mac OS X (x86, x64) and Android ARM support, we also included a number of other exciting new capabilities! Highlights of this release include: Mac OS X:...
Sampling RAM Across the (EnCase) Enterprise
One thing that people may or may not realize is that you can mount memory with EnCase and use Volatility directly against the mounted memory "file". This can be especially useful for checking your enterprise for infected machines in order to narrow your focus. This is a quick post on how to...
2014 Malware and Memory Forensics Training Schedule Part 1
After a SOLD OUT class in Amsterdam last month, we are back with the part 1 of our training schedule for 2014. We will be making our first appearance on the west coast of the United States as well as our second appearance in Europe. * January 20th - 24th in San Diego, CA * June 9th - 13th in...
Leveraging CybOX with Volatility
Lately I've been playing around with Cyber Observable eXpression, CybOX, and created a plugin to help check for threat indicators in memory samples. In case you don't know, CybOX provides a vendor neutral format for expressing indicator information. As of late, it has been gaining a lot of...
Results are in for the 1st Annual Volatility Framework Plugin Contest!
We are excited to announce the results of the 1st Annual Volatility Plugin Contest. We were pleasantly surprised with 8 submissions to the contest. Each submission provides an exciting new capability to the memory analysis community or demonstrates the power of Volatility to solve a variety of...
Memory Forensics Training – Reston, VA – November 2013
The next journey to the center of Windows Memory Forensics starts in Reston, VA this November! This event will be the 5th public offering of the Windows Malware and Memory Forensics Training by The Volatility Project. This is the only memory forensics course officially designed, sponsored, and...
The Perfect Combination of IR, Malware, Forensics, and Winternals
Our Windows Malware and Memory Forensics training course has been described as the "...perfect combination of incident response, malware analysis, memory forensics, and Windows internals." As you can see below, we do in fact disseminate quite a bit of information. If you're used to instructors...
MOVP II – 4.5 – Mac Volatility vs the Rubilyn Kernel Rootkit
In our final Month of Volatility Plugins post, we are going to demonstrate a number of plugins that can be used to detect kernel level OS X rootkits. To show these capabilities I am going to analyze a system that is infected with the rubilyn rootkit. I want to thank @osxreverser for providing me...
MOVP II – 4.4 – What’s in Your Mac OSX Kernel Memory?
Today's post will discuss a number of plugins that can retrieve forensically interesting information from within the kernel. Keep in mind, you can also use mac_yarascan to search kernel memory with yara signatures and you can use mac_volshell as an interactive tool to print kernel data structures,...
MoVP II – 4.3 – Recovering Mac OS X Network Information from Memory
The 2.3 release of Volatility will contain four plugins that are capable of recovering networking information from Mac samples. Combined, these plugins allow for deep inspection of system network activity and can be used in conjunction with network forensics. mac_arp: This plugin prints the ARP...
MoVP II – 4.2 – Dumping, Scanning, and Searching Mac OSX Process Memory
In our previous post we discussed multiple ways of finding process structures in memory. Today we will discuss analysis of a process' address space. First we'll describe how Volatility handles all the possible scenarios that must be understood and properly implemented before you can access process...
MOVP II – 4.1 – Leveraging Process Cross-View Analysis for Mac Rootkit Detection
In our final week of Month of Volatility Plugins II we will analyze the wide range of memory forensics capabilities against Mac OS X systems that are included in the latest release of Volatility (version 2.3). These capabilities span 38 different builds including 32- and 64-bit 10.5.x through...
MoVP II – 3.5 – Utilizing the kmem_cache for Android Memory Forensics
This post will discuss utilizing plugins that leverage the kmem_cache in order to perform deep memory forensics of Android devices. In previous Linux posts, we have briefly mentioned these plugins, but a full walk through has not been done. Also, as we will see, these plugins are highly effective...
MoVP II – 3.4 – Checking the ARM (Android) System Call Table and Exception Vector Table for Signs of Rootkits
In this post we are going to discuss two Volatility plugins that are specific to the ARM platform. Both of these plugins were contributed by Joe Sylve. linux_check_syscall_arm The first, linux_check_syscall_arm, enumerates each entry of the system call table to see if it is defined by the debug...
Automated Volatility Plugin Generation with Dalvik Inspector
Last month we covered new capabilities developed by 504ensics Labs that allowed for analysis of Dalvik instances within Volatility. This included a set of plugins as well as a GUI to explore the classes loaded into memory. We are writing an updated post as the GUI now contains the ability to...
MoVP II – 3.3 – Automated Linux/Android Bash History Scanning
Recovering bash command history from Linux and Android memory dumps just got a lot easier. In previous releases of Volatility, extracting commands and the associated timestamps was possible, but with one caveat - you needed to know the offset into the /bin/bash binary where a pointer to the start...
MoVP II – 3.2 – Linux/Android Memory Forensics with Python and Yara
In this post we will describe the Linux volshell and yarascan plugins. In previous releases of Volatility, these plugins only supported Windows samples, but starting with 2.3 you can interactively explore your Linux memory dumps (from a Python shell) or scan process and kernel memory...
MoVP II – 3.1 – Linux CheckTTY & KeyboardNotifier Plugins
In this post we will discuss two new plugins in Volatility 2.3 that were contributed by Joe Sylve @jtsylve of 504ensics. These plugins are used to detect the two kernel-level keylogging techniques presented in "Bridging the Semantic Gap to Mitigate Kernel-level Keyloggers". Both of...
MoVP II – 2.5 – New and Improved Windows Plugins
The Volatility 2.3 release will include several new and improved Windows plugins. This post will summarize their purpose, point you to additional information if they've been mentioned in previous blog posts, and show example usage scenarios for the plugins. Process Privileges In his Open...
MoVP II – 2.4 – Reconstructing Master File Table (MFT) Entries
Today's blogpost will cover the new mftparser plugin for Volatility. As we demonstrated in the GRRCon Challenge writeup, this plugin can come in quite handy in an investigation and also played a small part in the last MoVP blogpost. Why This Plugin Was Created During an investigation some time...
MoVP II – 2.3 – Creating Timelines with Volatility
A common computer forensic investigative methodology is creating timelines. Timelines help establish events that took place on the machine prior to investigation. There are various artifacts in Windows memory that can be used to construct a timeline. This blogpost will cover...
MoVP II – 2.2 – Unloaded Windows Kernel Modules
Sometimes knowing which kernel modules recently unloaded can be as valuable as knowing which ones loaded. Windows keeps a record of drivers that unload for debugging purposes - in particular to help analyze failures in the attempt to call unloaded code. If you've ever used the lm command in...
MoVP II – 2.1 – RSA Private Keys and Certificates
Those of you who downloaded the Volatility Cheat Sheet v2.3 may have noticed a plugin named dumpcerts, which is a relatively new addition to the plugin scene for Windows. It's based on the work by Tobias Klein called Extracting RSA private keys and certificates from process memory. In short, you...
MOVP II – 1.5 – ARM Address Space (Volatility and Android / Mobile)
In order to support Android, Volatility now includes an ARM address space. This is the first new hardware architecture supported by Volatility since the inclusion of Intel support in the earliest of releases. The creation of the address space was based upon the ARM documentation. The address...
MoVP II – 1.4 – New HPAK Address Space
Volatility can analyze memory dumps in the "HPAK" archive format, which is proprietary to the Fast Dump (FDPro.exe) acquisition utility. As we said in a previous MoVP post, if you're not the person acquiring memory, there's no telling what tool or format will be used for the acquisition...but you...
MoVP II – 1.3 – VMware Snapshot and Saved State Analysis
VMware is arguably the most popular virtualization software used in production and research. However, there are various versions of VMware (Workstation, Fusion, ESX Server, etc.) and not all of them write raw memory dumps with .vmem extensions for guest VMs. Specifically, some products create saved...
MoVP II – 1.2 – VirtualBox ELF64 Core Dumps
Volatility can analyze memory dumps from VirtualBox virtual machines. This capability was developed by contributor Philippe Teuwen, who wrote the initial Address Space and detailed much of the acquisition, file format, and other intricacies related to this exciting capability on his personal wiki...
MoVP II – 1.1 – Mach-O Address Space
One of the major new features of the Volatility 2.3 release is official support for memory dumps from Mac OSX systems. We support over 38 versions of Mac, from 10.5 to 10.8.3 Mountain Lion, both 32- and 64-bit kernels. Over the next month you'll be exposed to over 30 different plugins for...
What’s Happening in the World of Volatility?
Volatility is not just an advanced open-source memory forensics framework for Windows, Linux, Mac, and Android. It's a community, an attitude, a lifestyle, and every day it grows in popularity, maturity, and integrity. This post will summarize some of the upcoming excitement involving Volatility,...
Memory Forensics Training – The Netherlands – September 2013
If you've never been to the Netherlands, now there's one more awesome reason to plan a trip. We are pleased to announce the 4th public offering of the Windows Malware and Memory Forensics Training by The Volatility Project. This is the only memory forensics course officially designed, sponsored,...
Android Application (Dalvik) Memory Analysis & the Chuli Malware
This blog serves to highlight a recent collaborative effort between myself and Joe Sylve and Vico Marziale of 504ensics Labs. In this effort, we added to Volatility the capability to perform deep, per-application analysis of running Android applications. Each application runs in its own instance of...
Official Training by Volatility – Reston/VA, June 2013
The next journey to the center of Windows Memory Forensics starts in Reston, VA this June! We are pleased to announce the 3rd public offering of the Windows Malware and Memory Forensics Training by The Volatility Project. This is the only memory forensics course officially designed, sponsored, and...
If You’re Going to Cheat…
If you're going to cheat, might as well use an official cheat sheet! Need some help navigating through all of Volatility's plugins and options? Want a birds-eye view of the framework's major capabilities for Windows operating systems? Not sure where to look or who to ask for more information on...
Memory Forensics Talk at RSA!
On Wednesday of RSA (rsaconference.com/events/2013/usa/index.htm) I will be giving a talk titled: "Memory Forensics: Defeating Disk Encryption, Skilled Attackers and Malware" This talk will focus on three key points: 1) Showcasing the power and usefulness of memory forensics 2) Distinguishing...
HowTo: Extract “Hidden” API-Hooking BHO DLLs
A Twitter user recently asked a question to the @volatility account: "can you please tell me how to extract SilentBanker [from memory]"? We like to encourage people to work through problems on their own, so our initial advice was short and sweet: SilentBanker is a BHO so find the DLL and extract...
The 1st Annual Volatility Framework Plugin Contest
We are pleased to announce the 1st Annual Volatility Plugin Contest. This contest is inspired by and modeled after the Hex-Rays Plugin Contest. As in the case of IDA, Volatility was designed with the belief that talented analysts should only be limited by their creativity, not the tools they...
Windows Malware and Memory Forensics Training in The Windy City!
The next journey to the center of Windows Memory Forensics starts in Chicago this March! We are pleased to announce the second public offering of the Windows Malware and Memory Forensics Training by The Volatility Project. This is the only memory forensics course officially designed,...
Slides and Video of Analyzing Malware in Memory Webinar
I recently presented a Hacker Academy Deep Dive (thehackeracademy.com/tha-deep-dive-analyzing-malware-in-memory/) webinar on 'Analyzing Malware in Memory'. The purpose of this presentation was to show how in-depth malware analysis can be performed on memory captures. It went through a number of...
What do Upclicker, Poison Ivy, Cuckoo, and Volatility Have in Common?
Earlier this month, FireEye researchers Abhishek Singh and Yasir Khalid introduced Trojan Upclicker - malware that detects automated sandboxes by hooking mouse movements. If these user interactions never occur, the malware stays dormant, but as soon as someone clicks the left mouse button, it...
Unpacking Dexter POS “Memory Dump Parsing” Malware
I'm a big fan of Dexter. As I recently mentioned during an impromptu discussion with our first group of memory analysis training attendees, if there are only a few minutes left in an episode and he hasn't killed anyone yet, I start getting nervous. So when I heard there's malware named dexter that...
Windows Memory Forensics Training for Analysts by Volatility Developers
We are pleased to announce the first public offering of the Windows Memory Forensics for Analysts training course. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to...
OMFW 2012: Mining the PFN Database for Malware Artifacts
There are few people in the world who know more about physical memory acquisition and analysis than Mr. Garner, President of GMG Systems, Inc. and author of KnTTools (http://www.gmgsystemsinc.com/knttools/). At a rare conference appearance, George discussed how he leverages the PFN database to...
OMFW 2012: The Analysis of Process Token Privileges
Reverse engineering Windows systems nowadays involves looking at static data, such as executables, symbols, pdbs, and/or dynamic data when debugging with a tool like windbg. Determining data structures and the meaning of their content has proven to be time consuming, especially when dealing with...
Reverse Engineering Poison Ivy’s Injected Code Fragments
This is an addendum to GrrCon Network Forensics Challenge with Volatility. In the initial post we covered the basics - the what, the when, and the how. We found strings in memory, such as the mutex name, the registry Run key, and the svchosts.exe file name; then we backed up the findings by...
MoVP for Volatility 2.2 and OMFW 2012 Wrap-Up
The Month of Volatility Plugins and Open Memory Forensics Workshop 2012 have now come to an end. Volatility 2.2 has been released. We hope you enjoyed spending time with us learning about the new features and innovative research that's being built into the framework. At the same time, we'd...
OMFW 2012: Datalore: Android Memory Analysis
This presentation went over the Android specific analysis capabilities of Volatility as well as showed how to use LiME to capture physical memory from Android devices. This functionality will be included in the 2.3 Volatility release. Author/Presenter: Joe Sylve / @jtsylve Direct Link: Datalore:...
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatility
This presentation went over a number of the new Linux plugins and showed how to use them when investigating Linux kernel rootkits. All of the plugins and functionality shown is part of the 2.2 Volatility release. Author/Presenter: Andrew Case / @attrc Direct Link: Analyzing Linux Kernel Rootkits...
Solving the GrrCon Network Forensics Challenge with Volatility
In this post, we will walk through the process that MHL (@iMHLv2) and I (@attrc) went through to solve the @GrrCon network forensics challenge. Although participants were provided a memory sample, packet capture, and file system timeline, as a personal challenge our goal was to use only the...
Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit
Month of Volatility Plugins In this blog post I will analyze the Phalanx2 rootkit using both Volatility as well as traditional malware analysis techniques. Phalanx2 Phalanx2 (P2) is the latest version of a private rootkit, whose original source was leaked to PacketStorm back in late 2005. Since...
OMFW 2012: Reconstructing the MBR and MFT from Memory
This presentation introduced two new Volatility plugins: mbrparser and mftparser which will be released in Volatility 2.3. These plugins empower the investigator to explore possible MBR infections or in the case of mftparser, files that are in use on the system. There are real...
OMFW 2012: Malware In the Windows GUI Subsystem
This presentation introduced Volatility's new win32k suite - a set of plugins and APIs that make it possible to perform malware analysis and memory forensics based on artifacts in the Windows GUI subsystem. This subsystem plays a part in nearly everything you do and everything you see on a Windows...
MoVP 4.4 Cache Rules Everything Around Me(mory)
Month of Volatility Plugins After an exciting month of new Volatility plugins and another amazing OMFW (volatilesystems.com/default/omfw), we are in the final home stretch. It's only fitting that we take a moment to fill in some gaps and dispel some myths and misconceptions. In particular, this...
MoVP 4.3 Recovering Master Boot Records (MBRs) from Memory
Month of Volatility Plugins Given that we are still recovering from an amazing Open Memory Forensics Workshop, today's post will continue the theme of short and sweet. This post will focus on recovering interesting disk artifacts from memory. In particular, it will demonstrate how the Master Boot...
MoVP 4.2 Taking Screenshots from Memory Dumps
Month of Volatility Plugins Open Memory Forensics Workshop 2012 is currently in progress, thus today's MoVP post will be short and sweet. However, it will still introduce an exciting new capability exclusive to Volatility. One of Brendan Dolan-Gavitt's early GDI utilities for Volatility included...
MoVP 4.1 Detecting Malware with GDI Timers and Callbacks
Month of Volatility Plugins Nearly a year ago, Volatility became the first (and to this date, the only) memory forensics framework to analyze kernel timers for malware analysis. The timers plugin was introduced in two of my older blog posts: ZeroAccess, Volatility, and Kernel Timers and...
MoVP 3.5: Analyzing the 2008 DFRWS Challenge with Volatility
In this blog post I will go through analyzing the memory sample that was part of the 2008 DFRWS challenge. This challenge was focused on a Linux computer that had sensitive files transferred from it. Due to its complexity and thoroughness, the challenge is well known throughout the forensics...
MoVP 3.4: Recovering tagCLIPDATA: What’s In Your Clipboard?
Month of Volatility Plugins Determining what’s in a computer’s clipboard can be a valuable resource. If you remember from MoVP 1.1 Logon Sessions, Processes, and Images, we traced an RDP user’s actions by dumping his command history and making note of the FTP transaction. You could see the FTP...
MoVP 3.3 Analyzing USER Handles and the Win32k.sys Gahti
Month of Volatility Plugins Since the early days of memory forensics, tools have analyzed kernel/executive objects such as processes, threads, mutexes, open files, and registry keys. In fact, I would consider that a basic capability of any framework. One thing that sets Volatility apart from other...
MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes
Month of Volatility Plugins Today’s post will cover a Shellbags plugin for Volatility that is currently a work in progress and will be included in Volatility 2.3. Background “Shellbags” is a commonly used term to describe a collection of registry keys that allow the...
HowTo: Scan for Internet Cache/History and URLs
This post will describe how you can leverage the flexibility of the Volatility framework to locate IE history from Windows memory dumps. Such artifacts have traditionally not been a priority, because the data is in user-mode (i.e. index.dat mappings) and the structure format is already well...
MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem
Month of Volatility Plugins Applications can place hooks into the Windows GUI subsystem to customize the user experience, receive notification when certain actions take place, or to record everything the user does - for example to create a CBT training video. As you probably expected,...
MoVP 2.5: Investigating In-Memory Network Data with Volatility
Month of Volatility Plugins In this post I will discuss Volatility’s new Linux features related to recovering network information. This will include enumerating sockets, network connections, and packet contents. The post will discuss each plugin along with its implementation, how to...
MoVP 2.4 Analyzing the Jynx rootkit and LD_PRELOAD
Month of Volatility Plugins In this post I will analyze the Jynx rootkit using Volatility’s new Linux features. If you would like to follow along or recreate the steps taken, please see the LinuxForensicsWiki for instructions on how to do so. Obtaining the Samples In order to...
MoVP 2.3 Event Logs and Service SIDs
Month of Volatility Plugins In this post we will discuss how you can recover event logs from Windows XP/2003 machines from memory as well as how to calculate Service SIDs, which can potentially be used to link specific event records with the Windows service that generated them and are also found in...
MoVP 2.2 Malware In Your Windows
Month of Volatility Plugins So far in the Windows GUI memory space, an area previously unexplored by forensic and malware analysis tools, you have seen sessions, window stations, desktops and atoms. Today's MoVP 2.2 post is about windows. Windows are containers for buttons, scroll...
MoVP 2.1 Atoms (The New Mutex), Classes and DLL Injection
Month of Volatility Plugins In this post, we will discuss various ways you can analyze malware and understand infections by analyzing the atom tables. You'll be surprised that creating window classes, registering window messages, injecting DLLs with message hooks or event...
MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs
Month of Volatility Plugins In this post I will analyze the KBeast rootkit using Volatility’s new Linux features. This will include finding hidden modules, network connections, opened files, and hooked system calls. If you would like to follow along or recreate the steps taken, please see...
MoVP 1.4 Average Coder Rootkit, Bash History, and Elevated Processes
Month of Volatility Plugins In this post I will begin showcasing some of Volatility’s new Linux features by analyzing a popular Linux kernel rootkit named “Average Coder”. These new features will include recovering .bash_history from memory, finding userland processes elevated to root by...
MoVP 1.3 Desktops, Heaps, and Ransomware
Month of Volatility Plugins The MoVP 1.3 plugin, named deskscan, enumerates desktops, desktop heap allocations, and associated threads. In the GUI landscape, a desktop is essentially a container for application windows and user interface objects. Malware utilizes desktops in various...
MoVP 1.2 Window Stations and Clipboard Malware
Month of Volatility Plugins We previously discussed sessions, which are containers for processes and other objects related to a user's logon session. Among those other objects are window stations, which act as security boundaries for processes and desktops. If you're not already...
MoVP 1.1 Logon Sessions, Processes, and Images
Month of Volatility Plugins Attackers like to log on. They specifically like logging on remotely with RDP. Whenever these actions occur, the Windows kernel creates a new session, which is basically a container for processes and objects (like window stations and desktops) that belong to the...
Month of Volatility Plugins (MoVP)
To kickstart this new blog and celebrate the upcoming Open Memory Forensics Workshop (OMFW) 2012 and Volatility 2.2 release, we're announcing Month of Volatility Plugins (MoVP). Every day (M-F) for the 3 weeks leading up to OMFW 2012 and 1 week during the conference, a member...