Open Memory Forensics Workshop 2013
This half-day workshop will be held prior to the 2013 Open Source Digital Forensics Conference (OSDFC) in Chantilly, VA, USA, on November 4, 2013. Details about the location will be provided upon registration. Pre-registration is required and space is limited, so register early. Please note that it will NOT be possible to register at the door.
Date: Monday, November 4, 2013
Location: Chantilly, VA
Sponsors: The Order of Volatility (OOV), The Volatility Foundation, 2013 Open Source Digital Forensics Conference
Similar to previous years, there will be a $50 registration fee. 100% of the proceeds are donated to charity. Last year, all workshop proceeds were donated to the National Center for Missing & Exploited Children.
Special registration consideration will be given to those who are active contributors to open source forensics tools. You can contact us to reserve your seat.
A State of Volatility
This talk discusses the current state of the Volatility Project. This includes the highlights of the Volatility 2.3 release and an overview of the Volatility roadmap. It also presents the results from the 1st Annual Volatility Plugin Contest. Finally, the presentation concludes by discussing the newly formed Volatility Foundation.
Presenter: AAron Walters
This talk will step through a very brief history of Volatility, then cover the structure of the core, before explaining the primary techniques currently used in the Object, Address Space and Profile classes, as well as touching on some helper objects. The middle will cover several design decisions later found to be poor, and whether/when those can be resolved. Finally, an outline of new structures designed to overcome several of the limitations in the current Volatility will be shown.
Presenter: Mike Auty
Bringing Mac Memory Forensics to the Mainstream
Volatility now includes full Mac support for all versions from 10.5.x through the latest 10.8.x, both 32 and 64 bit. This presentation will show how these capabilities can be used in a variety of scenarios including digital forensics, incident response, and malware analysis. The presentation will also highlight many of the challenges that had to be overcome in pursuit of comprehensive Mac memory analysis support. Many of these challenges are unique to Mac, and required deep understanding of the often “interesting” design decisions made by the operating system developers.
Presenter: Andrew Case
Computer Forensic Evidence Acquisition: Leaving No Stone Unturned
This talk discusses frequently overlooked storage locations on systems (BIOS, VBR, APIC, Device Firmware, Expansion ROMS, Video RAM, etc) that are increasingly targeted by sophisticated adversaries. It highlights recent offensive research and discusses the challenges associated with collecting forensics data.
Presenter: George M. Garner Jr. (GMG Systems, Inc.)
View Online: <coming soon>
All Your Social Media are belong to Volatility
Volatility is by far the richest memory forensic toolkit available. This year they upped the ante by inviting regular mortals to write plug-ins and submit them for the greater good. This session will demo my submissions for forensic recovery of social media artifacts from Facebook and Twitter. We will have the audience participate live by engaging with a Twitter and Facebook account, dump the memory of the victim machine and see what we can recover via Volatility. If time allows we will have a look at the code with an eye on encouraging more plugins for other social media sites; Tumblr, Pinterest, Flickr, Youtube, etc await!
Presenter: Jeff Bryner
View Online: http://jeffbryner.com/omfw2013/
Memoirs of a Hindsight Hero: Detecting Rootkits in OS X
The OS X Kernel has become a popular target for malicious adversaries. At the moment there are tools that provide detection for basic OS X rootkit techniques, such as executable substitution or direct function modification (e.g. the Rubilyn rootkit). Advanced rootkits often leverage more advanced capabilities that are harder to detect, such as function inlining, DTrace hooks, call reference modification, shadow syscall and trustedbsd policy tables. In this presentation, I will be exploring how to attack the OS X syscall table and other kernel objects with these advanced techniques and how to detect these modifications in memory using the Volatility Framework. The presentation will include demonstrations of system manipulation on a live system and subsequent detection using the new Volatility Framework plugin.
Presenter: Cem Gurkok
Every Step You Take: Profiling the System
As DFIR investigations become more complicated, often spanning several machines, there is a need to employ some mechanisms in the memory forensics realm which are already heavily used in disk forensics. Some of these mechanisms include: whitelisting/blacklisting, indicators of compromise (IOCs) and profiling. This talk will cover new plugins that enable the investigator to create, combine and modify baseline profiles, to easily see items on either side of a baseline profile and hunt for IOCs across the enterprise
Presenter: Jamie Levy
Mastering TrueCrypt and Windows 8 / Server 2012 Memory Forensics
This talk provides a how-to on leveraging memory forensics to investigate and defeat TrueCrypt hard disk encryption. We’ll walk through scenarios involving different suspects who used file-based containers, non-system partitions (i.e. flash drives), and full drive encryption to hide their assets. During the demonstrations, you’ll learn about three new Volatility plugins for recovering cached TrueCrypt passphrases, identifying the exact paths to the file-based containers, and extracting master keys even when suspects stray from AES and use non-default algorithms like Serpent and Twofish. As a subtle facet, we’ll be doing all of this on 32- and 64-bit Windows 8 and Server 2012 memory dumps - the first major new Windows operating system supported by Volatility in nearly two years.
Presenter: Michael Ligh
Dalvik Memory Analysis and a Call to ARMs
This talk will detail our DARPA Cyber Fast Track research effort for parsing Dalvik-level constructs from memory captures of Android devices. These include (at least) all of the built-in types, class names, statics, methods and variables, and similar information with values for object instances. In our effort we also have created, a free GUI-based browser, called Dalvik Inspector, with browsing, searching, and automated Volatility plugin generation capabilities for analysis of the raw parsed data. This tool facilitates deep, standalone analysis of application-internal structure. This talk will conclude with a discussion and appeal to the research community in regards to open research problems that need to be addressed in order to make Android memory analysis viable for the community at large.
Presenter: Joe Sylve