2015 Volatility Plugin Contest
The contest is straightforward: Create an innovative and useful extension to The Volatility Framework and win the contest!
1st place wins one free seat at any future Windows Malware and Memory Forensics Training *or* 1500 USD cash
2nd place wins 500 USD cash
3rd place wins 250 USD cash
4th and 5th place wins Volatility swag (T-shirts, Stickers, etc)
All participants who place will receive a signed copy of The Art of Memory Forensics.
The competition this year was fierce! We received 12 plugins to the contest. Similar to last year, ranking the submissions was one of the hardest things we’ve had to do. Each plugin is unique in its own way and introduces a capability to open source memory forensics that didn’t previously exist. Although a few people will receive prizes for their work, the real winners in this contest are the practitioners and investigators in the community that perform memory forensics. We’re talking about the federal government who used Volatility on some of the nation’s most prominent cases and the law enforcement groups that used it as the primary tool to force a child pornographer into a guilty plea (see you in about 10 years, wish it were more!). We’re talking about Det. Michael Chaves who used memory forensics to help crack a case involving POS breaches that lead to losses of over $100K. We’re talking about all the analysts who rely on open source forensics to identify and track malicious code and threat actors in their networks and those of their clients.
Needless to say, we're very proud of everyone who submitted to the contest.
Here are this year’s rankings:
Fred House, Andrew Davis, and Claudiu Teodorescu for the shimcachemem plugin.
James Habben for the Evolve web interface to Volatility.
Philip Huppert for the VM migration address space.
Ying Li for the linux python strings and SSH agent plugins.
Adam Bridge for the NDIS packet scanning plugin.
Here is a detailed summary of the submissions. If you have feedback for the authors, we're sure they'd love to hear your thoughts.
1st: Shimcache Memory Scan
This plugin by FireEye and Mandiant researchers Fred House, Andrew Davis, and Claudiu Teodorescu parses the Windows Application Compatibility Database (aka, ShimCache) from the module or process memory that contain the database. In the authors' own words:
Shim cache is a highly valuable forensic artifact used to identify evidence of file execution. In addition to recording potential file executions, the cache is ordered, meaning that an analyst can identify other files that may have executed before or after a file of interest.
Most forensic tools that parse the shim cache rely on the cache stored in the Windows registry. The cache in the registry is only updated when a system is shutdown so this approach has the disadvantage of only parsing cache entries since the last shutdown. On systems that are not rebooted regularly (e.g., production servers) an analyst must either use out-of-date shim cache data or request a system reboot.
This plugin parses the shim cache directly from the module or process containing the cache, thereby providing analysts access to the most up-to-date cache. The plugin supports Windows XP SP2 through Windows 2012 R2 on both 32 and 64 bit architectures.
Fred's Twitter: @0xF2EDCA5A
Claudiu's Twitter: @cteo13
FireEye's blog post: https://www.fireeye.com/blog/threat-research/2015/10/shim_shady_live_inv.html
Shimcachemem Submission: https://github.com/volatilityfoundation/community/tree/master/ShimcacheMemory
2nd: James Habben: Evolve Web Interface
This submission provides a web interface to Volatility built with AJAX, jQuery, and JSON. It allows the user to run several plugins at once and leverage the power of multi-processing. It shows the plugins' status and places the completed plugins near the top for easy access. The output is easily searchable given its sqlite3 backend and there is a "morph" option as well for highlighting interesting artifacts. In fact, users can create their own morphs using a plugin-based template system. Existing morphs include associating country codes with IP addresses and marking filenames that do not match the NSRL list.
James' Submission: https://github.com/JamesHabben/evolve
James' Twitter: @JamesHabben
James' GitHub: https://github.com/jameshabben
Evolve Videos: https://youtu.be/55G2oGPQHF8 and https://youtu.be/mqMuQQowqM
3rd: Philip Huppert: VM Live Migration
This submission includes an address space plugin for accessing memory samples found in network data captured during a VMotion live migration. In particular, it currently supports analysis of samples collected during VMotion migrations between ESXi hosts. This allows an analyst to access the entire runtime state of a virtual machine as it is being transferred between two physical hosts over the network. This has a number of valuable applications toward virtual machine introspection and forensics investigations of cloud environments.
Philip's plugin represents interesting implications toward VM's that migrate between different cloud providers or countries. Wireshark has the capability to analyze the traffic protocols but not the payload of the traffic, so this is a new and exciting capability for both forensic researchers and offensive security analysts.
Philip's Submission: https://github.com/volatilityfoundation/community/tree/master/PhilipHuppert
Philip's Twitter: @oilheap
Philip's GitHub: https://github.com/Phaeilo
4th: Ying Li: Python Strings and SSH Keys
This submission includes a collection of plugins for analyzing memory samples acquired from 64-bit Linux systems. The plugins were initially presented at PyCon 2015. The first plugin in the submission, linux_python_strings, extracts memory resident Python strings from the heap of Python processes. This is accomplished by scanning the heap for Python string objects. The advantage of this approach is that we are able to leverage context that the interpreter has about the particular string and how it is being used. The author also includes a plugin for extracting strings stored in Python dictionaries. The context provided by this plugin could allow an analyst to determine which strings were associated as key-value pairs. The final plugin, linux_ssh_keys, will extract RSA keys from the heap of ssh-agent processes. These keys could be useful when investigating lateral movement or performing an investigation of a suspected person's machine.
Ying's plugins continue the trend of moving further up the analysis stack into the application to extract more memory resident context. As for RSA keys, extracting crypto artifacts is always interesting. To date, we haven't seen anyone extract the RSA keys from ssh-agents with Volatility. Additionally, Ying created an automated test harness for generating memory samples, which we thought was particularly useful.
Ying's Submission: https://github.com/volatilityfoundation/community/tree/master/YingLi
Ying's Twitter: @cyli
Ying's GitHub: https://github.com/cyli
Ying's PyCon 2015 Talk: https://www.youtube.com/watch?v=tMKXcc2-xO8
5th: Adam Bridge: NDIS Packet Scan
This submission carves packets and ethernet frames from NDIS shared memory sections (regions of RAM shared between the OS and DMA NIC). Although tools exist to scan an arbitrary binary file for packets, the extra context that Adam's plugin provides is extremely valuable. For example, the methodology is far less likely to produce false positives or report fake/decoy packets. In addition to outputting text and pcap formatted results, the plugin also decodes NetBIOS names found in DNS traffic and extracts slack space between packet payloads that other tools may miss. This research represents the beginning of a very exciting realm of future plugins that focus on NDIS private data structures including data waiting in sent/received buffers.
Adam's Submission: https://github.com/volatilityfoundation/community/tree/master/AdamBridge
Adam's Twitter: @bridgeythegeek
Adam's GitHub: https://github.com/bridgeythegee
The following submissions appear in the order they were received. As previously mentioned, everyone succeeded in solving a specific problem that they (and undoubtedly others) faced. For this, they deserve huge props. We look forward to seeing future work by these authors!
Joe Greenwood: Hacking Team RCS Attribution
This plugin searches a memory dump for evidence of the Hacking Team Galileo Remote Control System (RCS), and attempts to attribute the infection to particular Hacking Team client. One of our favorite aspects of this plugin is that it detects RCS based on its predictable named shared memory sections, a creative alternative to scanning for the typical byte signatures and mutexes. Its also a really nice touch to provide the extra attribution context via the watermark lookups.
Joe's Submission: https://github.com/volatilityfoundation/community/tree/master/JoeGreenwood
Joe's Twitter: @SeawolfRN
Joe's (4ARMED) GitHub: https://github.com/4ARMED
Joe's Blog: https://www.4armed.com/blog/memory-forensics-detecting-galileo-rcs-windows/
Alexander Tarasenko: Pykd/Windbg Address Space
This submission lets you integrate Volatility into Windbg through Pykd. You're then able to query for addresses of critical data structures, functions, and other variables using the debugging APIs. Additionally, you can connect Volatility to a running Windows system in debugging mode and run Volatility plugins against the live system, which particularly comes in handy for malware/rootkit analysis (not necessarily IR/forensics).
The author of this address space also mentioned a new project named Karmadbg (see the link below) which is a GUI intended for development of new debugging and memory analysis scripts. Check it out! Unfortunately, documentation in English is not yet available.
Alexander's Submission: https://github.com/volatilityfoundation/community/tree/master/AlexanderTarasenko
Pykd's Twitter: @pykd and @pykd_dev
Pykd's Website: https://pykd.codeplex.com
Karmadbg's Website: https://karmadbg.codeplex.com
Loïc Jaquemet: Haystack
These plugins are an interface between the Volatility framework and the haystack framework. While Volatility establishes a forensic framework to analyse a system's RAM, the haystack framework is intended to analyse a process's RAM, allowing an analyst to search for defined structures in a process's memory. You can build structure definitions from known/public C header files or with Python's ctypes library (based on undocumented or reverse engineered data structures) and then plug them into this framework to scan across process heaps, all process memory allocations, etc. The author provided examples of constraints that can find openssl cipher contexts, session keys, and passphrases, but its surely not limited to those types of data. Give it a shot and see what you can find!
Loïc's Submission: https://github.com/volatilityfoundation/community/tree/master/Lo%C3%AFcJaquemet
Loïc's Twitter: @trolldbois
Loïc's GitHub: https://github.com/trolldbois
The python-haystack module: https://github.com/trolldbois/python-haystack
May Medhat (et. al.): GVol Tool
This tool by EG-CERT researchers May Medhat and Mohamad Shawkey provides a (thick) GUI front end for Volatility written in Java. It lets you run preconfigured batch scripts against a memory dump with just a couple mouse clicks or you can customize your own batch scripts. You can choose from categories such as Rootkits, Kernel Artifacts, Networking, etc. and they link up with Volatility plugins in the backend. We imagine this tool will be very handy for analysts who are not comfortable on the command line or with Volatility usage in general. Additionally, for those who are seasoned Volatility users, this tool can reduce the amount of time you spend typing commands before you actually dive into the details of your case.
May's GitHub: https://github.com/May-Medhat
Mohomad's GitHub: https://github.com/m-shawkey
GVol User Guide: https://github.com/eg-cert/GVol/blob/master/docs/GVol-User%20Guide.pdf
EG-CERT's GitHub: https://github.com/eg-cert/GVol
Monnappa Ka: Linux Memory Diff
This plugin uses the Volatility advanced memory forensics framework to run various plugins against a clean and infected Linux memory image and reports the changes. Many times while doing memory analysis (or malware analysis) an analyst is presented with an abundance of data and the analyst has to manually find the malicious artifacts from that data which takes time and effort. This tool helps in solving that problem by comparing the results between the clean and infected memory images. This tool helps speed up analysis, reduce manual effort and allows you to focus on the relevant data.
Monnappa's Submission: https://github.com/volatilityfoundation/community/tree/master/MonnappaKa
Monnappa's Twitter: @monnappa22
Monnappa's GitHub: https://github.com/monnappa22
Monnappa's Blog: http://malware-unplugged.blogspot.com
Memory Diff Analysis of Linux Malware Tsunami
Memory Diff Analysis of Linux Rootkit Xingiquan
Memory Diff Analysis of Average Coder Linux Rootkit
Bart Inglot: Scheduled Task and Job Scanners
This plugin scans for job files and prints out their information. It's useful from a DFIR perspective, since job files are often used by attackers in order to run programs with SYSTEM privileges, run at scheduled moments, or to move laterally within a network. Aside from the job plugin for Volatility, adapted from Jamie Levy's jobparser.py (http://gleeda.blogspot.com/2012/09/job-file-parser.html) Bart also has written standalone carvers for jobs and scheduled tasks that work against memory samples, disk images, and other binary files.
Bart's Submission: https://github.com/volatilityfoundation/community/tree/master/BartoszInglot
Bart's Twitter: @BartInglot
Bart's GitHub: https://github.com/binglot
Bart's Blog: http://passionateaboutis.blogspot.com
Past Contest Results
Before getting involved, if you wanted to see what participants have done in the past, take a look at the 2014 Plugin Contest Results and/or 2013 Plugin Contest Results.
Rules of Engagement
The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
The submitted extensions should work with the Volatility 2.4 (or greater) release.
The top 5 winners of the contest will get the prizes mentioned above.
Volatility core developers are not eligible.
Submissions should be sent to firstname.lastname@example.org. The submission should include the source code, a memory sample demonstrating the capabilities, description of how the extension is used, a write up describing the motivation for the work and why it should win the contest, and a signed "Individual Contributor License Agreement" (please request a copy prior to your submission).
If you submit multiple plugins, please specify if they should be evaluated as an individual or multiple entries.
By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
All submissions should be received no later than October 1, 2015. The winners will be announced before October 31, 2015. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
Upon approval from the winners, their names/aliases will be listed on the "Volatility Plugin Contest" web page for the world to admire.
Selected contestants may also be asked to present their work at a future Open Memory Forensics Workshop and/or have their research featured on the Volatility Labs Blog.
Frequently Asked Questions
Does my submission have to be a "plugin"?
No, your submission does not need to be implemented as an actual Volatility plugin that executes through vol.py. For example, you can submit a tool that imports Volatility as a library and performs various tasks, one of which includes memory forensiscs using the Volatility APIs.
Will my submission still be considered if it was previously released?
Yes, as long as the submission is your original creation, you can submit it to the contest. It doesn't matter if you've previously released the code, presented the topic at a conference, etc.
Can I (or my company) donate to the contest?
Yes, we (and the participants) would be grateful to receive donations. The Volatility Foundation is a 501(c)(3) so your donation is tax deductable. The amount you donate will be divided among the first, second, and third place winners. Your donation will increase the currently advertized prizes - it will not be used to substitute the values we've already pledged. To make a donation, contact us.