Volatility Plugin Contest
The annual Volatility Plugin Contest, which began in 2013, is your chance to gain visibility for your work and win cash prizes —while contributing to the community!
The 2024 Plugin Contest is open for submissions!
The Plugin Contest is straightforward: Create an innovative and useful extension to Volatility 3 and win!
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training *or* 3000 USD cash
- 2nd place wins 2000 USD cash
- 3rd place wins 1000 USD cash
More information about the Volatility 3 can be found here.
Contest Results
The winners will be announced in a blog post, which will be linked here.
Here’s the announcement for last year’s contest winners.
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the latest version of Volatility 3.
- The top 3 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to contest@volatilityfoundation.org. The submission should include the source code, a memory sample demonstrating the capabilities, description of how the extension is used, a write up describing the motivation for the work and why it should win the contest, and a signed “Individual Contributor License Agreement” (please request a copy prior to your submission).
- If you submit multiple plugins, please specify if they should be evaluated as an individual entry or multiple entries.
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than December 31, 2024. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal photo identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the “Volatility Plugin Contest” web page and announced in the Volatility Foundation blog for the world to admire.
- Selected contestants may also be asked to present their work at a future event hosted by the Volatility Foundation and/or have their research featured on the Volatility Foundation blog.
Frequently Asked Questions
Does my submission have to be a “plugin”?
No, your submission does not need to be implemented as an actual Volatility plugin that executes through vol.py. For example, you can submit a tool that imports Volatility as a library and performs various tasks, one of which includes memory forensics using the Volatility APIs.
Will my submission still be considered if it was previously released?
Yes, as long as the submission is your original creation, you can submit it to the contest. It doesn’t matter if you’ve previously released the code, presented the topic at a conference, etc.
My submission requires a capability similar to one found in Volatility 2.6. When will that capability be added to Volatility 3?
If you have questions about the current state of Volatility 3 development and when specific features will be added, feel free to engage the core development team on the Volatility Slack server. As always, we are happy to work with people looking to contribute to the project.
Can I (or my company) donate to the contest?
Yes, we (and the participants) would be grateful to receive donations. The Volatility Foundation is a 501(c)(3) so your donation is tax deductible. The amount you donate will be divided among the first, second, and third place winners. Your donation will increase the currently advertised prizes – it will not be used to substitute the values we’ve already pledged. To make a donation, contact us.
ROLL CALL: PLUGIN CONTEST SUBMISSIONS
CONTEST ARCHIVE
2023 Volatility Plugin Contest
The contest is straightforward: Create an innovative and useful extension to Volatility 3 and win the contest!
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training*or* 3000 USD cash
- 2nd place wins 2000 USDcash
- 3rd place wins 1000 USDcash
For more information about the Volatility 3 can be found here.
Contest Results
https://volatilityfoundation.org/the-2023-volatility-plugin-contest-results-are-in/
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the latest version of Volatility 3.
- The top 3 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to contest@volatilityfoundation.org. The submission should include the source code, a memory sample demonstrating the capabilities, description of how the extension is used, a write up describing the motivation for the work and why it should win the contest, and a signed “Individual Contributor License Agreement” (please request a copy prior to your submission).
- If you submit multiple plugins, please specify if they should be evaluated as an individual or multiple entries.
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than December 31, 2023. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the “Volatility Plugin Contest” web page for the world to admire.
- Selected contestants may also be asked to present their work at a future Open Memory Forensics Workshop and/or have their research featured on the Volatility Labs Blog.
2022 Volatility Plugin Contest
The contest is straightforward: Create an innovative and useful extension to Volatility 3 and win the contest!
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training*or* 3000 USD cash
- 2nd place wins 2000 USDcash
- 3rd place wins 1000 USDcash
For more information about the Volatility 3 can be found here.
Contest Results
For the 2022 contest results, please see:
https://volatilityfoundation.org/the-2022-volatility-plugin-contest-results-are-in/
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the latest version of Volatility 3.
- The top 3 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to contest@volatilityfoundation.org. The submission should include the source code, a memory sample demonstrating the capabilities, description of how the extension is used, a write up describing the motivation for the work and why it should win the contest, and a signed “Individual Contributor License Agreement” (please request a copy prior to your submission).
- If you submit multiple plugins, please specify if they should be evaluated as an individual or multiple entries.
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than December 31, 2022. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the “Volatility Plugin Contest” web page for the world to admire.
- Selected contestants may also be asked to present their work at a future Open Memory Forensics Workshop and/or have their research featured on the Volatility Labs Blog.
2021 Volatility Plugin Contest
The contest is straightforward: Create an innovative and useful extension to Volatility 3 and win the contest!
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training*or* 3000 USD cash
- 2nd place wins 2000 USD cash
- 3rd place wins 1000 USD cash
For more information about the Volatility 3 can be found here.
Contest Results
For the 2021 contest results, please see:
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the latest version of Volatility 3.
- The top 3 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to contest@volatilityfoundation.org. The submission should include the source code, a memory sample demonstrating the capabilities, description of how the extension is used, a write up describing the motivation for the work and why it should win the contest, and a signed “Individual Contributor License Agreement” (please request a copy prior to your submission).
- If you submit multiple plugins, please specify if they should be evaluated as an individual or multiple entries.
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than December 31, 2021. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the “Volatility Plugin Contest” web page for the world to admire.
- Selected contestants may also be asked to present their work at a future Open Memory Forensics Workshop and/or have their research featured on the Volatility Labs Blog.
2020 Volatility Plugin Contest
The contest is straightforward: Create an innovative and useful extension to Volatility 3 and win the contest!
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training*or* 2000 USD cash
- 2nd place wins 1000 USDcash
- 3rd place wins 750 USDcash
For more information about the Volatility 3 Public Beta, read the announcement blog post and view the recent presentation.
Contest Results
For the 2020 contest results, please see:
https://volatilityfoundation.org/the-2020-volatility-plugin-contest-results-are-in/
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the Volatility 3 Public Beta (1.0.0-beta.1 release).
- The top 5 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to contest@volatilityfoundation.org. The submission should include the source code, a memory sample demonstrating the capabilities, description of how the extension is used, a write up describing the motivation for the work and why it should win the contest, and a signed “Individual Contributor License Agreement” (please request a copy prior to your submission).
- If you submit multiple plugins, please specify if they should be evaluated as an individual or multiple entries.
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than October 1, 2020. The winners will be announced before November 1, 2020. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the “Volatility Plugin Contest” web page for the world to admire.
- Selected contestants may also be asked to present their work at a future Open Memory Forensics Workshop and/or have their research featured on the Volatility Labs Blog.
2019 Volatility Plugin Contest
The contest is straightforward: Create an innovative and useful extension to The Volatility Framework and win the contest!
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training*or* 1500 USD cash
- 2nd place wins 750 USDcash
- 3rd place wins 250 USDcash
- 4th and 5th place wins Volatility swag (T-shirts, Stickers, etc)
Contest Results
For the 2019 contest results, please see:
https://volatilityfoundation.org/2019/11/results-from-2019-volatility-contests.html
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the Volatility 2.6 (or greater) release.
- The top 5 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to contest@volatilityfoundation.org. The submission should include the source code, a memory sample demonstrating the capabilities, description of how the extension is used, a write up describing the motivation for the work and why it should win the contest, and a signed “Individual Contributor License Agreement” (please request a copy prior to your submission).
- If you submit multiple plugins, please specify if they should be evaluated as an individual or multiple entries.
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than October 1, 2019. The winners will be announced before October 31, 2019. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the “Volatility Plugin Contest” web page for the world to admire.
- Selected contestants may also be asked to present their work at a future Open Memory Forensics Workshop and/or have their research featured on the Volatility Labs Blog.
2018 Volatility Plugin Contest
The contest is straightforward: Create an innovative and useful extension to The Volatility Framework and win the contest!
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training*or* 1500 USD cash
- 2nd place wins 750 USDcash
- 3rd place wins 250 USDcash
- 4th and 5th place wins Volatility swag (T-shirts, Stickers, etc)
THANK YOU to Magnet Forensics for donating $2500 to the contest.
Contest Results
For the 2018 contest results, please see:
https://volatilityfoundation.org/2018/11/results-from-annual-2018-volatility-contests.html
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the Volatility 2.6 (or greater) release.
- The top 5 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to contest@volatilityfoundation.org. The submission should include the source code, a memory sample demonstrating the capabilities, description of how the extension is used, a write up describing the motivation for the work and why it should win the contest, and a signed “Individual Contributor License Agreement” (please request a copy prior to your submission).
- If you submit multiple plugins, please specify if they should be evaluated as an individual or multiple entries.
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than October 1, 2018. The winners will be announced before October 31, 2018. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the “Volatility Plugin Contest” web page for the world to admire.
- Selected contestants may also be asked to present their work at a future Open Memory Forensics Workshop and/or have their research featured on the Volatility Labs Blog.
2017 Volatility Plugin Contest
The contest is straightforward: Create an innovative and useful extension to The Volatility Framework and win the contest!
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training*or* 1500 USD cash
- 2nd place wins 500 USDcash
- 3rd place wins 250 USDcash
- 4th and 5th place wins Volatility swag (T-shirts, Stickers, etc)
Contest Results
For the 2017 contest results, please see:
https://volatilityfoundation.org/2017/11/results-from-5th-annual-2017-volatility.html
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the Volatility 2.6 (or greater) release.
- The top 5 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to contest@volatilityfoundation.org. The submission should include the source code, a memory sample demonstrating the capabilities, description of how the extension is used, a write up describing the motivation for the work and why it should win the contest, and a signed “Individual Contributor License Agreement” (please request a copy prior to your submission).
- If you submit multiple plugins, please specify if they should be evaluated as an individual or multiple entries.
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than October 1, 2017. The winners will be announced before October 31, 2017. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the “Volatility Plugin Contest” web page for the world to admire.
- Selected contestants may also be asked to present their work at a future Open Memory Forensics Workshop and/or have their research featured on the Volatility Labs Blog.
2016 Volatility Plugin Contest
-
1st place wins one free seat at any future Windows Malware and Memory Forensics Training *or* 1800 USD cash
-
2nd place wins 800 USD cash
-
3rd place wins 450 USD cash
-
4th and 5th place wins 100 USD each and Volatility swag (T-shirts, Stickers, etc)
THANK YOU to Airbnb for donating $999 to the contest.
All participants who place will receive a signed copy of The Art of Memory Forensics.
Contest Results
For this year’s contest results, please see:
https://volatilityfoundation.org/2016/12/results-from-2016-volatility-plugin.html
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the Volatility 2.5 (or greater) release.
- The top 5 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to contest@volatilityfoundation.org. The submission should include the source code, a memory sample demonstrating the capabilities, description of how the extension is used, a write up describing the motivation for the work and why it should win the contest, and a signed “Individual Contributor License Agreement” (please request a copy prior to your submission).
- If you submit multiple plugins, please specify if they should be evaluated as an individual or multiple entries.
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than October 1, 2016. The winners will be announced before October 31, 2016. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the “Volatility Plugin Contest” web page for the world to admire.
- Selected contestants may also be asked to present their work at a future Open Memory Forensics Workshop and/or have their research featured on the Volatility Labs Blog.
2015 Volatility Plugin Contest
The contest is straightforward: Create an innovative and useful extension to The Volatility Framework and win the contest!
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training*or* 1500 USD cash
- 2nd place wins 500 USDcash
- 3rd place wins 250 USDcash
- 4th and 5th place wins Volatility swag (T-shirts, Stickers, etc)
All participants who place will receive a signed copy of The Art of Memory Forensics.
Results
The competition this year was fierce! We received 12 plugins to the contest. Similar to last year, ranking the submissions was one of the hardest things we’ve had to do. Each plugin is unique in its own way and introduces a capability to open source memory forensics that didn’t previously exist. Although a few people will receive prizes for their work, the real winners in this contest are the practitioners and investigators in the community that perform memory forensics. We’re talking about the federal government who used Volatility on some of the nation’s most prominent cases and the law enforcement groups that used it as the primary tool to force a child pornographer into a guilty plea (see you in about 10 years, wish it were more!). We’re talking about Det. Michael Chaves who used memory forensics to help crack a case involving POS breaches that lead to losses of over $100K. We’re talking about all the analysts who rely on open source forensics to identify and track malicious code and threat actors in their networks and those of their clients.
Needless to say, we’re very proud of everyone who submitted to the contest.
Here are this year’s rankings:
- Fred House, Andrew Davis, and Claudiu Teodorescu for the shimcachemem plugin.
- James Habben for the Evolve web interface to Volatility.
- Philip Huppert for the VM migration address space.
- Ying Li for the linux python strings and SSH agent plugins.
- Adam Bridge for the NDIS packet scanning plugin.
Here is a detailed summary of the submissions. If you have feedback for the authors, we’re sure they’d love to hear your thoughts.
1st: Shimcache Memory Scan
This plugin by FireEye and Mandiant researchers Fred House, Andrew Davis, and Claudiu Teodorescu parses the Windows Application Compatibility Database (aka, ShimCache) from the module or process memory that contain the database. In the authors’ own words:
Shim cache is a highly valuable forensic artifact used to identify evidence of file execution. In addition to recording potential file executions, the cache is ordered, meaning that an analyst can identify other files that may have executed before or after a file of interest.
Most forensic tools that parse the shim cache rely on the cache stored in the Windows registry. The cache in the registry is only updated when a system is shutdown so this approach has the disadvantage of only parsing cache entries since the last shutdown. On systems that are not rebooted regularly (e.g., production servers) an analyst must either use out-of-date shim cache data or request a system reboot.
This plugin parses the shim cache directly from the module or process containing the cache, thereby providing analysts access to the most up-to-date cache. The plugin supports Windows XP SP2 through Windows 2012 R2 on both 32 and 64 bit architectures.
Fred’s Twitter: @0xF2EDCA5A
Claudiu’s Twitter: @cteo13
Shimcachemem Submission: https://github.com/volatilityfoundation/community/tree/master/ShimcacheMemory
2nd: James Habben: Evolve Web Interface
This submission provides a web interface to Volatility built with AJAX, jQuery, and JSON. It allows the user to run several plugins at once and leverage the power of multi-processing. It shows the plugins’ status and places the completed plugins near the top for easy access. The output is easily searchable given its sqlite3 backend and there is a “morph” option as well for highlighting interesting artifacts. In fact, users can create their own morphs using a plugin-based template system. Existing morphs include associating country codes with IP addresses and marking filenames that do not match the NSRL list.
James’ Submission: https://github.com/JamesHabben/evolve
James’ Twitter: @JamesHabben
James’ GitHub: https://github.com/jameshabben
Evolve Videos: https://youtu.be/55G2oGPQHF8 and https://youtu.be/mqMuQQowqM
3rd: Philip Huppert: VM Live Migration
This submission includes an address space plugin for accessing memory samples found in network data captured during a VMotion live migration. In particular, it currently supports analysis of samples collected during VMotion migrations between ESXi hosts. This allows an analyst to access the entire runtime state of a virtual machine as it is being transferred between two physical hosts over the network. This has a number of valuable applications toward virtual machine introspection and forensics investigations of cloud environments.
Philip’s plugin represents interesting implications toward VM’s that migrate between different cloud providers or countries. Wireshark has the capability to analyze the traffic protocols but not the payload of the traffic, so this is a new and exciting capability for both forensic researchers and offensive security analysts.
Philip’s Submission: https://github.com/volatilityfoundation/community/tree/master/PhilipHuppert
Philip’s Twitter: @oilheap
Philip’s GitHub: https://github.com/Phaeilo
4th: Ying Li: Python Strings and SSH Keys
This submission includes a collection of plugins for analyzing memory samples acquired from 64-bit Linux systems. The plugins were initially presented at PyCon 2015. The first plugin in the submission, linux_python_strings, extracts memory resident Python strings from the heap of Python processes. This is accomplished by scanning the heap for Python string objects. The advantage of this approach is that we are able to leverage context that the interpreter has about the particular string and how it is being used. The author also includes a plugin for extracting strings stored in Python dictionaries. The context provided by this plugin could allow an analyst to determine which strings were associated as key-value pairs. The final plugin, linux_ssh_keys, will extract RSA keys from the heap of ssh-agent processes. These keys could be useful when investigating lateral movement or performing an investigation of a suspected person’s machine.
Ying’s plugins continue the trend of moving further up the analysis stack into the application to extract more memory resident context. As for RSA keys, extracting crypto artifacts is always interesting. To date, we haven’t seen anyone extract the RSA keys from ssh-agents with Volatility. Additionally, Ying created an automated test harness for generating memory samples, which we thought was particularly useful.
Ying’s Submission: https://github.com/volatilityfoundation/community/tree/master/YingLi
Ying’s Twitter: @cyli
Ying’s GitHub: https://github.com/cyli
Ying’s PyCon 2015 Talk: https://www.youtube.com/watch?v=tMKXcc2-xO8
5th: Adam Bridge: NDIS Packet Scan
This submission carves packets and ethernet frames from NDIS shared memory sections (regions of RAM shared between the OS and DMA NIC). Although tools exist to scan an arbitrary binary file for packets, the extra context that Adam’s plugin provides is extremely valuable. For example, the methodology is far less likely to produce false positives or report fake/decoy packets. In addition to outputting text and pcap formatted results, the plugin also decodes NetBIOS names found in DNS traffic and extracts slack space between packet payloads that other tools may miss. This research represents the beginning of a very exciting realm of future plugins that focus on NDIS private data structures including data waiting in sent/received buffers.
Adam’s Submission: https://github.com/volatilityfoundation/community/tree/master/AdamBridge
Adam’s Twitter: @bridgeythegeek
Adam’s GitHub: https://github.com/bridgeythegee
The following submissions appear in the order they were received. As previously mentioned, everyone succeeded in solving a specific problem that they (and undoubtedly others) faced. For this, they deserve huge props. We look forward to seeing future work by these authors!
Joe Greenwood: Hacking Team RCS Attribution
This plugin searches a memory dump for evidence of the Hacking Team Galileo Remote Control System (RCS), and attempts to attribute the infection to particular Hacking Team client. One of our favorite aspects of this plugin is that it detects RCS based on its predictable named shared memory sections, a creative alternative to scanning for the typical byte signatures and mutexes. Its also a really nice touch to provide the extra attribution context via the watermark lookups.
Joe’s Submission: https://github.com/volatilityfoundation/community/tree/master/JoeGreenwood
Joe’s Twitter: @SeawolfRN
Joe’s (4ARMED) GitHub: https://github.com/4ARMED
Joe’s Blog: https://www.4armed.com/blog/memory-forensics-detecting-galileo-rcs-windows/
Alexander Tarasenko: Pykd/Windbg Address Space
This submission lets you integrate Volatility into Windbg through Pykd. You’re then able to query for addresses of critical data structures, functions, and other variables using the debugging APIs. Additionally, you can connect Volatility to a running Windows system in debugging mode and run Volatility plugins against the live system, which particularly comes in handy for malware/rootkit analysis (not necessarily IR/forensics).
The author of this address space also mentioned a new project named Karmadbg (see the link below) which is a GUI intended for development of new debugging and memory analysis scripts. Check it out! Unfortunately, documentation in English is not yet available.
Alexander’s Submission: https://github.com/volatilityfoundation/community/tree/master/AlexanderTarasenko
Pykd’s Twitter: @pykd and @pykd_dev
Loïc Jaquemet: Haystack
These plugins are an interface between the Volatility framework and the haystack framework. While Volatility establishes a forensic framework to analyse a system’s RAM, the haystack framework is intended to analyse a process’s RAM, allowing an analyst to search for defined structures in a process’s memory. You can build structure definitions from known/public C header files or with Python’s ctypes library (based on undocumented or reverse engineered data structures) and then plug them into this framework to scan across process heaps, all process memory allocations, etc. The author provided examples of constraints that can find openssl cipher contexts, session keys, and passphrases, but its surely not limited to those types of data. Give it a shot and see what you can find!
Loïc’s Submission: https://github.com/volatilityfoundation/community/tree/master/LoicJaquemet
Loïc’s Twitter: @trolldbois
Loïc’s GitHub: https://github.com/trolldbois
The python-haystack module: https://github.com/trolldbois/python-haystack
May Medhat (et. al.): GVol Tool
This tool by EG-CERT researchers May Medhat and Mohamad Shawkey provides a (thick) GUI front end for Volatility written in Java. It lets you run preconfigured batch scripts against a memory dump with just a couple mouse clicks or you can customize your own batch scripts. You can choose from categories such as Rootkits, Kernel Artifacts, Networking, etc. and they link up with Volatility plugins in the backend. We imagine this tool will be very handy for analysts who are not comfortable on the command line or with Volatility usage in general. Additionally, for those who are seasoned Volatility users, this tool can reduce the amount of time you spend typing commands before you actually dive into the details of your case.
May’s GitHub: https://github.com/May-Medhat
Mohomad’s GitHub: https://github.com/m-shawkey
GVol User Guide: https://github.com/eg-cert/GVol/blob/master/docs/GVol-User%20Guide.pdf
EG-CERT’s GitHub: https://github.com/eg-cert/GVol
Monnappa Ka: Linux Memory Diff
This plugin uses the Volatility advanced memory forensics framework to run various plugins against a clean and infected Linux memory image and reports the changes. Many times while doing memory analysis (or malware analysis) an analyst is presented with an abundance of data and the analyst has to manually find the malicious artifacts from that data which takes time and effort. This tool helps in solving that problem by comparing the results between the clean and infected memory images. This tool helps speed up analysis, reduce manual effort and allows you to focus on the relevant data.
Monnappa’s Submission: https://github.com/volatilityfoundation/community/tree/master/MonnappaKa
Monnappa’s Twitter: @monnappa22
Monnappa’s GitHub: https://github.com/monnappa22
Monnappa’s Blog: http://malware-unplugged.blogspot.com
Memory Diff Analysis of Linux Malware Tsunami
Memory Diff Analysis of Linux Rootkit Xingiquan
Memory Diff Analysis of Average Coder Linux Rootkit
Bart Inglot: Scheduled Task and Job Scanners
This plugin scans for job files and prints out their information. It’s useful from a DFIR perspective, since job files are often used by attackers in order to run programs with SYSTEM privileges, run at scheduled moments, or to move laterally within a network. Aside from the job plugin for Volatility, adapted from Jamie Levy’s jobparser.py: https://gleeda.blogspot.com/2012/09/job-file-parser.html
Bart also has written standalone carvers for jobs and scheduled tasks that work against memory samples, disk images, and other binary files.
Bart’s Submission: https://github.com/volatilityfoundation/community/tree/master/BartoszInglot
Bart’s Twitter: @BartInglot
Bart’s GitHub: https://github.com/binglot
Bart’s Blog: http://passionateaboutis.blogspot.com
Past Contest Results
Before getting involved, if you wanted to see what participants have done in the past, take a look at the 2014 Plugin Contest Results and/or 2013 Plugin Contest Results.
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the Volatility 2.4 (or greater) release.
- The top 5 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to volcon2015@volatilityfoundation.org. The submission should include the source code, a memory sample demonstrating the capabilities, description of how the extension is used, a write up describing the motivation for the work and why it should win the contest, and a signed “Individual Contributor License Agreement” (please request a copy prior to your submission).
- If you submit multiple plugins, please specify if they should be evaluated as an individual or multiple entries.
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than October 1, 2015. The winners will be announced before October 31, 2015. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the “Volatility Plugin Contest” web page for the world to admire.
- Selected contestants may also be asked to present their work at a future Open Memory Forensics Workshop and/or have their research featured on the Volatility Labs Blog.
2014 Volatility Plugin Contest
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training*or* 2500 USD cash
- 2nd place wins 1250 USDcash
- 3rd place wins 750 USDcash
- 4th and 5th place wins Volatility swag (T-shirts, Stickers, etc)
A huge thanks goes to Facebook for their generous donation of $2250 USD to augment the existing cash prizes. The final prizes after Facebook’s donation are shown above in red.
Everyone but the Volatility core developers can participate.
Results
The competition this year was fierce! We received a total of nearly 30 plugins to the contest. Ranking the submissions was one of the hardest things we’ve had to do. Each plugin is unique in its own way and introduces a capability to open source memory forensics that didn’t previously exist. Although a few people will receive prizes for their work, the real winners in this contest are the practitioners and investigators in the community that perform memory forensics. We’re talking about the federal government who used Volatility on some of the nation’s most prominent cases and the law enforcement groups that used it as the primary tool to force a child pornographer into a guilty plea (see you in about 10 years, wish it were more!). We’re talking about Det. Michael Chaves who used memory forensics to help crack a case involving POS breaches that lead to losses of over $100K. We’re talking about all the analysts who rely on open source forensics to identify and track malicious code and threat actors in their networks and those of their clients.
Needless to say, we’re very proud of everyone who submitted to the contest. Also a huge thanks goes out to Facebook for doubling the contest’s cash prizes and supporting the research and development of open source memory forensics.
Here are this year’s rankings:
- Dave Lasalle wins first place and his choice of $2500 or free training. Dave submitted 14 plugins for recovering Firefox and Chrome activity (history, search terms, cookies, downloads) from memory, carving Java IDX files, and using fuzzy hashing to whitelist injected code and API hooks.
- Curtis Carmony wins second place and $1250 for his plugin to extract dm-crypt disk encryption keys from Linux (and potentially Android) memory dumps.
- Adam Bridge wins third place and $750 with editbox – a plugin to recover the text within edit controls of GUI applications on Windows (including but not limited to notepad contents, username and password fields, browser URL and search forms, etc).
- Thomas Chopitea wins fourth place for his autoruns plugin that enumerates automatically starting applications on Windows systems – a common first step in many different types of investigations.
- Takahiro Haruyama wins fifth place with openioc_scan, a plugin that combines the flexibility of the IOC language with the power of Volatility to give analyst’s quick and easy malware triage capabilities.
Here is a detailed summary of the submissions. We’ve included a link to the respective submissions on the Volatility Foundation website for archive purposes, however we recommend getting the code from the author’s own GitHub repositories if that option exists. If you have feedback for the authors, we’re sure they’d love to hear your thoughts.
(1st) Dave Lasalle: Forensic Suite
Dave’s 14 plugins are immediately useful for various different scenarios, from tracking user activity to parsing special file formats and whitelisting injected code and API hooks.
Previously, if you needed to inspect a suspect or victim’s browsing activity from memory in a structured manner (i.e. not brute forcing with regular expressions), you were limited to the iehistory (Internet Explorer) plugin. Now you can do the same, and more, for Firefox and Chrome. The two browsers use sqlite3 databases, but due to several reasons (including paging), you’re not likely to succeed in carving complete sqlite3 files from memory. Dave’s plugins leverage his sqlite3 memory API, which handles missing chunks of database files gracefully.
Dave’s Twitter: @superponible
Dave’s GitHub: https://github.com/superponible/volatility-plugins
Dave’s Blog: http://blog.superponible.com
Dave’s Submission: http://downloads.volatilityfoundation.org/contest/2014/DaveLasalle_ForensicSuite.zip
Most wanted follow up(s): A plugin to extract the most recent Internet Explorer history records. Porting Firefox and Chrome plugins to Linux and Mac memory dumps.
(2nd) Curtis Carmony: Dmcrypt
The dm_dump plugin brings an exciting new capability to open source memory forensics. In his own words, “given a memory dump from a Linux system using full disk encryption and access to the disk, the output of this plugin gives you the arguments to pass to the dmsetup command to remount the original unencrypted file system on a different machine.” In addition, Curtis provided support for Linux kernels 3.0 to 3.14 and instructions on how to extend Volatility’s profile generation mechanism for future systems.
A unique aspect of this plugin is that the data it recovers can only be found in RAM. As such, it accomplishes something that no form of disk or network forensics can do and it really showcases the power of memory forensics. Similar to the existing truecrypt plugins, the dm_dump plugin works by traversing the internal data structures used by device-mapper to keep track of its devices. Thus it pinpoints the data in memory without scanning for constants or patterns in key schedules.
Curtis’ GitHub: https://github.com/c1fe/dm_dump
Curtis’ Submission: http://downloads.volatilityfoundation.org/contest/2014/CurtisCarmony_DmCrypt.zip
Most wanted follow up(s): Testing the methodology on Android disk encryption.
(3rd) Adam Bridge: Editbox
Adam’s submission provides powerful new capabilities for tracking suspect user activity. It recovers text from EditBox controls in the GUI subsystem, with experimental support of ComboBox and ListBox. As a result, it can extract the following data types:
- Notepad window.
- Run dialog.
- Username and server name fields of Remote Desktop Connection.
- Address bar and search bar of Internet Explorer.
- Search bar of Windows Media Player.
- Username field of Create New Account wizard.
- Password of Change Password dialog.
In general, it is effective on any applications that leverage Microsoft’s Common Control APIs. This plugin is particularly interesting, because the data it recovers is not available anywhere besides RAM. On a multi-user system, there would be no way to collect the data this plugin enumerates without logging into each account and taking a screen shot.
Adam’s Twitter: @bridgeythegeek
Adam’s Submission: http://downloads.volatilityfoundation.org/contest/2014/AdamBridge_Editbox.zip
Most wanted follow up(s): Integration of edit box labels into the screenshot plugin.
(4th) Thomas Chopitea: Autoruns
In Thomas’ own words, “Finding persistence points (also called “Auto-Start Extensibility Points”, or ASEPs) is a recurring task of any investigation potentially involving malware.” The plugin currently covers several of the most common registry locations, including services, appinit DLLs, winlogin notification packages, and scheduled tasks. After finding ASEPs, the plugin matches them with running processes in memory.
Thomas’ Twitter: @tomchop
Thomas’ GitHub: https://github.com/tomchop/volatility-autoruns
Thomas’ Blog: https://tomchop.me/
Thomas’ Submission: http://downloads.volatilityfoundation.org/contest/2014/ThomasChopitea_Autoruns.zip
Most wanted follow up(s): Adding Linux and Mac support.
(5th) Takahiro Haruyama: OpenIOC Scan
This plugin combines the flexibility of the IOC language with the power of Volatility to give analyst’s quick and easy malware triage capabilities. Takahiro solved several problems that he (and most certainly other analysts) faced when using the existing tools, such as ability to automate the tasks outside of a GUI and scan for terms with regular expressions and case sensitivity. Takahiro’s blog (below) shows several practical examples of quickly finding malicious code in memory. We’re really excited for investigators to start taking advantage of Takahiro’s work.
Takahiro’s Twitter: @cci_forensics
Takahiro’s Blog: https://takahiroharuyama.github.io/blog/2014/08/15/fast-malware-triage-using-openioc-scan-volatility-plugin/
Takahiro’s Submission: http://downloads.volatilityfoundation.org/contest/2014/TakahiroHaruyama_OpenIOC.zip
Most wanted follow up(s): A repository of memory related indicators. Also for performance reasons using the Registry API for finding keys, values, etc.
The following submissions appear in the order they were received. As previously mentioned, everyone succeeded in solving a specific problem that they (and undoubtedly others) faced. For this, they deserve huge props. We look forward to seeing future work by these authors!
Monnappa KA: Gh0stRat Decryption
Monnappa’s plugin focuses on detecting and analyzing Gh0stRat in memory. In his own words, “Gh0stRat is a RAT (Remote Access Trojan) used in many APT/targeted attacks. This plugin detects the encrypted Gh0stRat communication, decrypts it and also automatically identifies the malicious Gh0stRat process, its associated network connections and the loaded DLL’s. This can help the digital forensic investigators and incident responders to quickly narrow down on the Gh0stRat artifacts without having to spend time on the manual investigation.”
Although a chopshop module exists for decrypting Gh0stRat communications in packet captures, Monnappa’s Volatility plugin aims to solve several specific problems that analysts may regularly face, including the absence of a full packet capture from the victim machine and needing to trace connections in the pcap back to the suspect process or DLL.
Monnappa’s Twitter: @monnappa22
Monnappa’s Submission: http://downloads.volatilityfoundation.org/contest/2014/MonnappaKa_Gh0stRat.zip
Most wanted follow up(s): Continued research into other malware families.
Jamaal Speights: MsDecompress
The msdecompress plugin by Jamaal Speights has high potential. It allows investigators to find and extract data compressed with the LZNT1 algorithm (Xpress and XpressH coming soon) from memory dumps and it reports the process in which the data was found. The RtlDecompressBuffer API is heavily used by malware authors to pack their code and minimize the size of command and control traffic before sending it across the network. Many kernel components and popular applications also use this compression algorithm, and we look forward to hearing about all the types of forensic evidence that can be uncovered using this plugin.
Jamaal’s Twitter: @jamaalspeights
Jamaal’s Blog: http://jamaaldev.blogspot.com/2014/10/vol-msdecompress.html
Jamaal’s Code: https://code.google.com/p/jamaal-re-tools/
Jamaal’s Submission: http://downloads.volatilityfoundation.org/contest/2014/JamaalSpeights_MsDecompress.zip
Most wanted follow up(s): An analysis of the different types of compressed data frequently found in memory.
Cem Gurkok: Mac Rootkit and Bitcoin
Cem submitted a total of four plugins: two for detection of rootkit hooks in Mac OSX memory, one for in-depth investigation of Mac OSX threads, and one for finding bitcoin private keys and addresses.
- mac_bitcoin allows for recovery of bitcoin keys and addresses. This can greatly help investigators that need to determine which transactions and activity a particular user was involved with. Due to the nature of bitcoin, this activity can be very well hidden within the network and only examination of a user’s system can put the pieces back together
- The mac_check_call_reference plugin is used to check for modified call instructions in the kernel. This can catch a wide array of rootkits that directly modify control flow in order to manipulate the system.
- The mac_threads plugin is able to enumerate threads of each running Mac task. The examination of thread state can lead to determination of which portions of code a thread was using and which operations it performed. This capability had been missing from Volatility’s Mac support while being supported by the Windows and Linux side in the last two releases.
- mac_check_shadow_trustedbsd enables the detection of rootkits that modify a reference to the TrustedBSD policy list. Such a modification can allow a rootkit to add, modify, and delete system activity returned to other kernel components and user land tools that rely on TrustedBSD for a set of system state.
Cem’s Twitter: @CGurkok
Cem’s GitHub: https://github.com/siliconblade/volatility
Cem’s Blog: http://siliconblade.blogspot.com/
Cem’s Submission: http://downloads.volatilityfoundation.org/contest/2014/CemGurkok_MacPlugins.zip and http://downloads.volatilityfoundation.org/contest/2014/CemGurkok_BitCoins.zip
Most wanted follow up(s): Support for bitcoin addresses found in any process (not just Multibit) on any memory dump (Windows, Linux, Mac) and also in free/deallocated memory.
Csaba Barta: Malware Analysis
The plugins in this submission are focused on helping analysts perform malware investigations and malware research. The first set of plugins highlight the differences between an infected memory sample and its baseline image. This can help an analyst quickly determine the types of changes the malware has made to the system. The current plugins focus on four important components of the operating system: processes, DLLs, services, and drivers. The final plugin, malprocfind, attempts to codify the rules an investigator may use to look for suspicious artifacts on a system. The plugins help automate common analysis techniques used by analysts during malware investigations.
Csaba’s GitHub: https://github.com/csababarta/volatility_plugins
Csaba’s Submission: http://downloads.volatilityfoundation.org/contest/2014/CsabaBarta_MalwarePlugins.zip
Most wanted follow up(s): Further extension of the baseline artifacts and malprocfind rules.
Philip Huppert: OpenVPN
Philip’s submission is the result of his University paper “Extracting private information of virtual machines using VM introspection.” In the paper, Philip described how to recover openvpn 2.x.x usernames and passwords entered by the user in addition to the password required for unlocking the private key. The submission also includes a plugin to extract base64/PEM encoded RSA private keys from memory.
The openvpn plugin is effective against any memory dump format (not just live VM memory using libvmi). Philip also did a really nice job of narrowing the search space for finding the usernames and passwords. He isolates the .data and .bss segments of openvpn.exe and looks for signs of a specific data structure (named “user_pass”).
Philip’s GitHub: https://github.com/Phaeilo/vol-openvpn
Philip’s Submission: http://downloads.volatilityfoundation.org/contest/2014/PhilipHuppert_OpenVPN.zip
Most wanted follow up(s): A summary of the steps for decrypting an openvpn session from a packet capture, given the private key. Also the ability to scan for the data structures in physical space (for example if the openvpn.exe process is no longer running).
Wyatt Roersma: Hyper-V Tools
Wyatt’s plugins will extract Hyper-V artifacts from a host system’s memory. The first plugin hpv_vmconnect is used to extract information about which users were accessing virtual machines using the virtual connect console. The second plugin, hpv_vmwp, is used to map each virtual machine to its associated process on the host and extract temporal information about when the machine was started last. The final plugin hpv_clipboard is used to extract memory resident Hyper-V clipboard and hotkey artifacts. The plugins provide some insights into the types of artifacts that can be extracted from Hyper-V host memory and set the stage for future research.
Wyatt’s Twitter: @WyattRoersma
Wyatt’s Blog: http://www.wyattroersma.com/?p=131
Wyatt’s GitHub: https://github.com/wroersma/volplugins
Wyatt’s Submission: http://downloads.volatilityfoundation.org/contest/2014/WyattRoersma_HyperV.zip
Most wanted follow up(s): Further research into other Hyper-V artifacts and conversion tools.
Acknowledgements
A special thanks goes out to the Hex-Rays team for providing the inspiration and template for this contest.
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the Volatility 2.3 (or greater) release.
- The top 5 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to volcon2014@volatilityfoundation.org. The submission should include the source code, a memory sample demonstrating the capabilities, description of how the extension is used, a write up describing the motivation for the work and why it should win the contest, and a signed “Individual Contributor License Agreement”.
- If you submit multiple plugins, please specify if they should be evaluated as an individual or multiple entries.
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than October 1, 2014. The winner will be announced the following week. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the “Volatility Hall of Fame” web page for the world to admire.
- Selected contestants may also be asked to present their work at the 2014 Open Memory Forensics Workshop or have their research featured on the Volatility Labs Blog.
2013 Volatility Plugin Contest
The contest is straightforward: Create an innovative and useful extension to The Volatility Framework and win the contest!
- 1st place wins one free seat at any future Windows Malware and Memory Forensics Training *or* 1500 USD cash
- 2nd place wins 500 USD cash
- 3rd place wins 250 USD cash
- 4th and 5th place wins Volatility swag (T-shirts, Stickers, etc)
Everyone but the Volatility core developers can participate.
Results
We are excited to announce the results of the 1st Annual Volatility Plugin Contest. We were pleasantly surprised with 8 submissions to the contest. Each submission provides an exciting new capability to the memory analysis community or demonstrates the power of Volatility to solve a variety of real world problems. The submissions included everything from new plugins to new address spaces and operating system plugins to application plugins. We also had submissions for Linux, Windows, and OS X. It’s great to see so many people giving back to the memory analysis community and taking this opportunity to do pioneering research in such an exciting field.
Given the number of deserving submissions we received, the judging took a little longer than we originally anticipated. We wanted to make sure that we were able to thoroughly test and verify each submission. We would like to thank all the participants for their submissions. A number of these submissions will be highlighted in upcoming blog posts and at OMFW 2013!
The winners of the 1st Annual Volatility Framework Plugin Contest are:
- Mariano Graziano from EURECOM with Actaeon, Intel VT-x introspection.
- Cem Gurkok with OS X rootkit detection and Window’s security auditing plugins.
- Jeff Bryner with the Facebook and Twitter artifact extraction.
- Carl Pulley with a plugin to find the nearest function/method within a symbol table & Edwin Smulders with his Linux process information, stack analysis, and syscall register plugins [Note: Carl and Edwin tied for 4th place, this is not a joint submission]
- Jamaal Speights with extracting networking packets from memory samples.
Honorable Mention: Jeremy Jones from Delphix with a plugin to convert VMware suspended state to Illumos debug format
Mariano Graziano from EURECOM with Actaeon, Intel VT-x introspection.
This submission enables memory forensics of guest operating systems in virtualization environments using Intel VT-x technology. This includes the ability to locate memory resident hypervisors and nested virtualization. It’s current implementation enables virtual machine instrospection of 32-bit Windows guests. It was tested with KVM, Xen, VMware Workstation, VirtualBox and HyperDbg.
Download Link: http://downloads.volatilityfoundation.org/contest/2013/MarianoGraziano_Actaeon.zip
Related Links:
http://www.s3.eurecom.fr/tools/actaeon/
https://github.com/eurecom-s3/actaeon
http://www.s3.eurecom.fr/docs/raid13_graziano.pdf
Author’s Twitter: @emd3l
Cem Gurkok with the Window’s security permission plugin
This plugin displays the security permission information for files, processes, services, tokens, threads, devices, and registry keys. The information includes DACLs, SACLs (Discretionary/System access control lists), object integrity level, and object ownership. Security permission information is obtained from the object’s security descriptor. This plugin can help administrators proactively assess the security of their systems and can also help determine possible “holes” that led to successful privilege escalation attacks. This plugin dumps verbose information that you can categorize and filter for your needs, and it also supports all major 32-bit and 64-bit Windows operating systems.
Download Link: http://downloads.volatilityfoundation.org/contest/2013/CemGurkok_WindowsSecurity.zip
Author’s Twitter: @CGurkok
Cem Gurkok with the OS X rootkit detection plugins
This submission provides detection capabilities for a number of rootkit hooking techniques within 64 bit OS X:
- Direct syscall table modification
- Syscall function inlining (ie DTrace hooks)
- Patching the syscall handler (ie, shadow sycall table)
- Hooked functions in kernel/kext symbol tables
- Modified IDT descriptors
- Modified IDT handlers
There is published research and example rootkits that are leveraging the exact hooking techniques detected by this plugin, and the addition of the plugin into the core framework will greatly enhance Volatility’s Mac rootkit detection capabilities.
Download Link: http://downloads.volatilityfoundation.org/contest/2013/CemGurkok_OSXDetect.zip
Related Links:
http://siliconblade.blogspot.com/2013/07/idt-hooks-and-detecting-them-in-osx.html
http://siliconblade.blogspot.com/2013/07/back-to-defense-finding-hooks-in-os-x.html
http://siliconblade.blogspot.com/2013/07/offensive-volatility-messing-with-os-x.html
http://siliconblade.blogspot.com/2013/05/checkdtrace-volatility-plugin-arises.html
Author’s Twitter: @CGurkok
Jeff Bryner with the Facebook and Twitter artifact extraction
This submission provides plugins for carving Twitter and Facebook artifacts from a process’ address space. This is accomplished by scanning the address space for the json/html structures that are used by the social media applications. Examples of information extracted include: Twitter direct messages, identifying user information, Facebook direct messages, etc.
Download Link: http://downloads.volatilityfoundation.org/contest/2013/JeffBryner_FacebookTwitter.zip
Related Links: https://github.com/jeffbryner/volatilityPlugins
http://www.youtube.com/watch?v=K_gBpdK936o
Author’s Twitter: @0x7eff
Carl Pulley with a plugin to find the nearest function/method within a symbol table.
This submission demonstrates the usefulness of being able to dynamically extract Window’s symbol information. It includes a plugin that will automatically extract symbol information from PDB files associated with memory resident modules. The submission also includes a “profile modification” that creates a new member of the _EPROCESS object, which facilitates “nearest symbol” lookups of addresses. This can be very useful when investigating unknown pointers or the control flow history of a corrupted execution stack.
Download Link: http://downloads.volatilityfoundation.org/contest/2013/CarlPulley_Symbols.zip
Related Links: https://github.com/carlpulley/volatility/blob/master/symbols.py
https://code.google.com/p/pdbparse/issues/detail?id=13
Author’s Github: https://github.com/carlpulley
Edwin Smulders with his Linux process information, stack analysis, and syscall register plugins
This submission provides plugins for extracting information from x86_64 Linux memory samples. They provide extensive insight into the state of the system at the time of the memory samples. Examples of the extracted information include:
- Detailed process information
- Networking data structures
- Detailed analysis and annotation of the execution stacks
- System call context
Download Link: http://downloads.volatilityfoundation.org/contest/2013/EdwinSmulders_Symbols.zip
Related Links:
https://github.com/Dutchy-/volatility-plugins
Author’s Twitter: @0x445554434859
Jamaal Speights with a plugin that extracts networking packets from memory samples.
The ethscan plugin provides the ability to recover Ethernet frames from memory samples. It provides extraction support for both IPV4 and IPV6. It also provides the option to extract the frame data to either binary files or to a pcap file. It should work against any binary file (not just memory dumps).
Download Link: http://downloads.volatilityfoundation.org/contest/2013/JamaalSpeights_Network.zip
Related Links:
https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/ethscan.py
Author’s Twitter: @jamaalspeights
Jeremy Jones from Delphix with a plugin to convert VMware suspended state to Illumos debug format
Description: This submission includes a plugin that converts a VMware suspended state file (.vmss) into a format supported by Illumos debugging tools (mdb, adb, etc.). It was tested on an OpenIndiana VM, which it converted successfully and whose files worked well when anaylzed with mdb. This plugin was created to solve a real world system administration challenge of collecting a crash dump from a system that was hanging during the boot process. It demonstrates the power of memory analysis beyond just forensics and security.
Download Link: http://downloads.volatilityfoundation.org/contest/2013/JeremyJones_Illumos.zip
Acknowledgements
A special thanks goes out to the Hex-Rays team for providing the inspiration and template for this contest.
Rules of Engagement
- The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
- The submitted extensions should work with the Volatility 2.2 (or greater) release and should have been implemented after the initial contest announcement (1/14/2013).
- The top 5 winners of the contest will get the prizes mentioned above.
- Volatility core developers are not eligible.
- Submissions should be sent to volcon2013@memoryanalysis.net. The submission should include the source code, a short description of how the extension is used, and a signed “Individual Contributor License Agreement”.
- By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
- All submissions should be received no later than August 1, 2013. The winner will be announced the following week. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
- The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
- In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
- Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
- Upon approval from the winners, their names/aliases will be listed on the “Volatility Hall of Fame” web page for the world to admire.
- Selected contestants may also be asked to present their work at the 2013 Open Memory Forensics Workshop or have their research featured on the Volatility Labs Blog.