Open Memory Forensics Workshop 2012
This half-day workshop will be held prior to the 2013 Open Source Digital Forensics Conference (OSDFC) in Chantilly, VA, USA, on November 4, 2013. Details about the location will be provided upon registration. Pre-registration is required and space is limited, so register early. Please note that it will NOT be possible to register at the door.
Date: Monday, October 2, 2013
Location: Chantilly, VA
Sponsors: The Order of Volatility (OOV)
Similar to previous years, there will be a $50 registration fee. 100% of the proceeds are donated to charity. Last year, all workshop proceeds were donated to the National Center for Missing & Exploited Children.
Special registration consideration will be given to those who are active contributors to open source forensics tools. You can contact us to reserve your seat.
Analyzing Linux Rootkits with Volatility
This presentation went over a number of the new Linux plugins and showed how to use them when investigating Linux kernel rootkits. All of the plugins and functionality shown is part of the 2.2 Volatility release.
Presenter: Andrew Case
Mining the PFN Database for Malware Artifacts
There are few people in the world who know more about physical memory acquisition and analysis than Mr. Garner; President of GMG Systems, Inc. and author of KnTTools. At a rare conference appearance, George discussed how he leverages the PFN database to attribute pages of physical memory to owning processes and drivers. This OMFW talk was enlightening, as George shared stories of tracking single UDP packets between hosts in China, his experiences single-stepping through the Windows kernel, and how he tracked a TDI object with an NTFS pool tag in deallocated memory.
Presenter: George M. Garner, Jr.
The Analysis of Process Token Privileges
Reverse engineering windows systems nowadays involves looking at static data, such as executables, symbols, pdbs, and/or dynamic data when debugging with a tool like windbg. Determining data structures and the meaning of their content has proven to be time consuming, especially when dealing with undocumented objects. This presentation tackles the problem by describing a novel approach, which utilizes the Volatility Framework and F-response to monitor changes taking place on a live system’s RAM that appear as a result of manipulating the targeted structures’ content. The technique is used in the discovery of the process privileges on Windows operating systems and the development of a new plugin. The presentation also provides examples of how the new plugin is used to discover malicious activity.
Presenter: Cem Gurkok
Reconstructing the MBR and MFT from Memory
This presentation introduced two new Volatility plugins: mbrparser and mftparser which will be released in Volatility 2.3. These plugins empower the investigator to explore possible MBR infections or in the case of mftparser, files that are in use on the system. There are real examples in the slides which you can view for yourself. You can find the mbrparser plugin in the Volatility 2.3 branch and the mftparser will appear there sometime soon.
Presenter: Jamie Levy
Malware in the Windows GUI Subsystem
This presentation introduced Volatility's new win32k suite - a set of plugins and APIs that make it possible to perform malware analysis and memory forensics based on artifacts in the Windows GUI subsystem. This subsystem plays a part in nearly everything you do and everything you see on a Windows computer, so it is rich with evidence and was largely unexplored and undocumented from a malware and forensics perspective. There are not many tools, even for live systems, that can give you the type of visibility into this exciting realm of Windows internals that Volatility can now provide.
The topics discussed were also seen during of the Month of Volatility Plugins, including sessions, clipboard data and clipboard snooping, window stations, desktops, desktop heaps, atoms and atom tables, USER handles, GDI timers, windows, message hooks, event hooks, and screenshots.
Presenter: Michael Ligh
Datalore: Android Memory Analysis
This presentation went over the Android specific analysis capabilities of Volatility as well as showed how to use LiME to capture physical memory from Android devices. This functionality will be included in the 2.3 Volatility release.
Presenter: Joe Sylve