Tuesday, November 21, 2017

Results from the (5th Annual) 2017 Volatility Plugin Contest are in!

Congratulations to all the participants! This year's contest resulted in a ton of new and exciting functionality available to law enforcement agents, DF/IR practitioners, malware analysts, and researchers around the globe, which can immediately be transitioned into their workflows. That's the whole spirit of open source memory forensics with Volatility, and we're once again very proud to sponsor a contest with such impressive results.

After over 10 years of development with the Volatility Framework and 4 years of previous plugin contests, you might think that there's nothing left to do, but the community continuously proves otherwise. This year, in particular, we were super impressed not only with the creativity and quality of the submissions, but the fact that several works were influenced by or in support of submissions from previous contests.   

Everyone is a winner in this contest. Although a few developers will walk away with prizes, they all solved a problem that they (and inevitably others) faced, gained experience writing Python plugins, and learned some intricacies of memory analysis internals. The capability to program around technical issues and design/implement solutions is a gift. You can applaud by following the authors on Twitter/GitHub/LinkedIn, providing feedback on their ideas, and helping to improve their code with testing, documentation, or contributing patches.


Here is a break down of the placements and prizes


1st place and $1500 USD cash or a Free Seat at Malware and Memory Forensics Training by the Volatility Project goes to:
Xabier Ugarte-Pedrero from Cisco Talos for PyREBox
2nd place and $500 USD cash goes to:
KSL Group (Kyle Ness, Shachaf Atun, and Liam Stein) for Threadmap
3rd place and $250 USD cash goes to:
Peter Kálnai and Michel Poslušný from ESET for Browserhooks
4th place and Volatility Swag goes to:
(tie) Michael Brown for SQLite Artifacts and Adam Bridge for Linux (X) Windows
5th place and Volatility Swag goes to:
Frank Block for Linux Glibc Heap Analysis

Here is a detailed summary of the submissions. If you have feedback for the authors, we're sure they'd love to hear your thoughts.


1st: Xabier Ugarte-Pedrero (Cisco Talos): PyREBox

PyREBox provides an extensible reverse engineering sandbox that combines debugging capabilities with introspection. The analyst can interact with the whole system emulator, QEMU, guest either manually, using IPython, or by creating Python scripts. Unlike previous reverse engineering platforms, PyREBox, is explicitly designed for modern threat analysts and the tasks they commonly perform. PyREBox also leverages Volatility to help bridge the semantic gap challenges typically associated with virtual machine introspection.

2nd: Liam, Shachaf and Kyle (KSL Group): Threadmap

The KSL Group (Kyle Ness, Shachaf Atun, Liam Stein) submitted the threadmap plugin, which is the result of their extensive research comparing and contrasting weaknesses in existing tools for identifying code injection based on process hollowing. The authors found an obvious gap between the prevalence of attacks in the wild that leverage process hollowing and the strength of tools that can perform detection reliably. Based on the documentation provided alongside the Volatility plugin, the authors not only analyzed existing malware samples (i.e. a reactive approach) but also developed their own variations of process hollowing that are likely to be seen in the near future - and included coverage for those types of attacks as well.

https://github.com/kslgroup/threadmap

3rd: Peter Kalnai and Michal Poslusny (ESET): Browserhooks

Something magical happens when reverse engineers write Volatility plugins. Peter and Michal from ESET have been tracking banking trojans and MITB malware for a while now, documenting the methods that malicious authors take to subvert victim systems - in particular, how they find and hook the SSL VMT (virtual method table) even in browsers such as Chromium-based browsers that static link with the SSL libraries, change regularly, and don't export the table locations. Studying the pros/cons of attacker methodologies, learning from them in order to create a more robust detection platform, and immediately transitioning that knowledge into a capability analysts can use (via Volatility) requires a unique skill set. In addition to exploring these previously undetected API hooks, the authors also extended Volatility's apihooks plugin to work on WOW64 processes (32-bit processes on a 64-bit architecture) and integrated their work into VolUtility - a submission to last year's plugin contest.

https://github.com/eset/volatility-browserhooks
https://www.virusbulletin.com/conference/vb2017/abstracts/browser-attack-points-still-abused-banking-trojans
https://www.virusbulletin.com/uploads/pdf/conference_slides/2017/Kalnai-VB2017-browser-attack-points-trojans.pdf

4th (tie): Michael Brown: SQLite Artifacts

Michael Brown wrote a seriously cool set of Volatility plugins to interrogate SQL artifacts in RAM. Influenced by Dave Lassalle's previous work for the 2014 Volatility Plugin Contest, Michael wrote a more generalized version of the SQL tools that can search for any table schema. In his own words, "You can enter your own schema, but Sqlitefind can also automatically find table definitions in the sqlite_master table, so the user doesn't need to know the schema beforehand! You can even discover tables that you didn't know were in memory." Given the number of applications that rely on sqlite3 under the hood, this opens doors to an unexplored world of application artifacts.

https://github.com/mbrown1413/SqliteFind

4th (tie): Adam Bridge: Linux (X) Windows & Atoms

Adam's contribution to this year's contest is the first of its kind - a set of plugins to analyze forensic artifacts of the X Window System environment on Linux. The data structures recovered by the plugins are tied to the X server itself, thus they work independently of the Linux distribution or window manager. Captured information includes details about each window, such as X and Y co-ordinates, width and height dimensions, parent window objects, window IDs, color schemes, and atom associations. Natively, the plugins can be used to determine titles of browser windows (URLs visited), titles of LibreOffice applications (opened documents), and in the future - potentially even a screen shots plugin for Linux!

https://twitter.com/bridgeythegeek
https://github.com/bridgeythegeek

5th: Frank Block: Linux Glibc Heap Analysis

Frank's submission to this year's contest introduces a library to parse the user mode heap of a process using Glibc (currently supports x86/x64 and Glibc versions 2.20 - 2.25), an API for developers to create their own plugins, and two example plugins that demonstrate the forensic value - command shell history (zsh) and password management (keepassx). We are super impressed with the level of effort Frank put into this suite of tools. Not only did he implement a model of multiple Glibc versions, but he documented the library's internals, produced a 60+ page academic technical report and published a condensed 10-page DFRWS paper.

https://authors.elsevier.com/sd/article/S1742287617301895 (DFRWS Paper)
https://opus4.kobv.de/opus4-fau/frontdoor/index/index/docId/8340
https://insinuator.net/author/fblock/


The following submissions appear in the order they were received. As previously mentioned, these developers deserve huge props. We look forward to seeing future work by these authors!


Mark McKinnon: Volatility Autopsy Modules

Mark's work on integrating Volatility output into the Autopsy GUI will undoubtedly make life easier for many investigators. Whether they're not familiar with using command line tools, they're uncomfortable in a Linux environment, or if they just want to save time and visualize memory artifacts across various different cases in the same interface, this is a huge advantage for Autopsy users. The module includes a generic interface that allows running any Volatility plugin that supports SQLite rendering. It also contains more specialized modules that take the output of Volatility's dumpfiles (extract files from RAM) and imagecopy (convert hiber/crash to raw) plugins and make their results available in Autopsy as well, creating a near full circle of analysis between disk and memory, all captured in the same GUI.

https://twitter.com/markmckinnon
https://github.com/markmckinnon
https://www.linkedin.com/in/mark-mckinnon-9b08715
https://medium.com/@markmckinnon_80619
https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Volatility
https://medium.com/@markmckinnon_80619/volatility-autopsy-plugin-module-8beecea6396

Javier Vicente Vallejo: Symbolizemod

As a malware analyst, Javier starts most of his work with Windbg or Volatility and then pivots to IDA Pro to gain a detailed understanding of the malicious code. In this line of work, having access to symbols for the malware being disassembled or debugged is practically a requirement if you want to be efficient. The symbolizemod plugin lets you extract variables and symbols from a particular memory region and exports them as a DBG file, which is a common format understood by IDA Pro and Windbg. The end goal is similar to Volatility's existing impscan plugin, except impscan only exports in text and IDC formats. In fact, symbolizemod also includes a command line switch to leverage impscan's engine for enumerating symbols. By default, however, symbolizemod uses its own engine (called "raw mode") which in some cases can produce different results.

https://vallejo.cc/
https://github.com/vallejocc
https://twitter.com/vallejocc

Alessandro De Vito: Chrome Ragamuffin

Chrome Ragamuffin is part of a larger research project started by Alessandro over a year ago. Although the research is ongoing, Alessandro's Volatility plugin is already full of features and it's one of the most compelling examples of recovering application level artifacts that we've seen. Overcoming challenges such as incognito mode and the fact that Chrome updates automatically nearly every time you launch it, Alessandro managed to dissect critical in-memory data structures related to the browser's DOM and the user's navigation. Alessandro has presented his work at OSDFC and Bsides Zurich, showing how to analyze memory to detect CSRF, clickjacking, phishing, and malicious redirects.



Here are a few additional resources regarding previous contests and community-driven plugins:


Volatility Foundation Contest Home Page: http://www.volatilityfoundation.org/contest

Volatility 2016 Plugin Contest Results: http://www.volatilityfoundation.org/2016
Volatility 2015 Plugin Contest Results: http://www.volatilityfoundation.org/2015
Volatility 2014 Plugin Contest Results: http://www.volatilityfoundation.org/2014-cjpn
Volatility 2013 Plugin Contest Results: http://www.volatilityfoundation.org/2013-c19yz

Volatility Community GitHub Repository: https://github.com/volatilityfoundation/community

Tuesday, June 6, 2017

Our Newly Updated Memory Forensics and Malware Analysis Course is Headed to Herndon and London!

As we head into summer, we wanted to let everyone know that for 2017 we only have two remaining public offerings of our highly popular and newly updated Malware and Memory Forensics training course. If you would like to join us, our international course will be in London during the week of September 18th - 22nd, and our US course will be back in Herndon during the week of October 16th - 20th.

Our cutting edge materials are one of the main reasons students value our course. We don't teach the same concepts year after year. Instead, we update our class regularly, to stay in sync with (and in some cases, ahead of) the rapidly changing attack surfaces, advances in defense technologies, malware hiding tricks, and operating system forensics artifacts. A few recent additions include:

  • Windows 10 security features, such as Device Guard, Credential Guard, Isolated User Mode, Protected Processes, etc.
  • Challenges of recent hibernation file analysis, the impact of new sleep modes, and hybrid style hibernations 
  • How to analyze RAM backed page files on Windows 10 & memory compression 
  • The Linux subsystem of Windows 10 and the associated memory artifacts
  • Memory-only Powershell and .NET based attacks
  • New event log sources that compliment memory forensics

Not only only will you be learning these memory forensics topics directly from the authors of the Volatility Framework and the Art of Memory Forensics, but you will also receive Volatility stickers, a branded USB drive, a copy of the Art of Memory Forensics (digital or print), and various opportunities to win SyncStops - all nicely documented by a former student:
One of the most popular class contests is our CTF that pits individuals (or teams of two) against the rest of the class, in a challenge that involves analyzing Windows and Linux memory samples in a scenario resembling events that unfolded during the 2016 U.S. Presidential Election.
To continue providing the most up-to-date memory forensics training available anywhere in the world, our instructors constantly perform high impact, real-world DFIR  (1, 2, 3, 4, 5). The knowledge gained during these investigation is immediately transitioned into content and labs for our training courses:

Besides the core knowledge needed to perform effective memory forensics, we also teach the latest tools and techniques for reliable memory acquisition. Students will gain experience using Volexity Surge Collect Pro for robust, fast, and secure collection of Windows memory to local and remote/network-based destinations. Students can purchase Surge licenses at a discounted price during course registration (see Memory Forensics Training FAQ) or separately after the class.

In closing this update, we would again like to thank the DFIR community for its continued support of the Volatility project and our associated training course. In particular, all the newcomers who are just starting to explore memory analysis, as well as our alumni and numerous repeat students who just can't get enough!

On a side note, if you are going to be at DFRWS or Black Hat this summer then be sure to come introduce yourself!

-- The Volatility Team

Thursday, April 20, 2017

The (5th Annual) 2017 Volatility Plugin Contest is Live!

Its that time again, folks! The 2017 Volatility Plugin contest is now live and accepting submissions until October 1st, 2017. Winners of this year's contest will be receiving over $2,250 in cash prizes as well as plenty of Volatility swag (t-shirts, stickers, mugs, sync stops, etc).

The purpose of the contest is to encourage open memory forensics research and development. It is a great opportunity for students to become familiar with memory forensics, develop a master's thesis or PhD project, as well as gain experience that will be very desirable by future employers. For those already in the field, submitting to the contest is a great way to gain experience and visibility in the memory forensics community. After the contest is over we promote the work in our conference presentations, blogs, and social media.

If you are looking for inspiration or to see the past winners, please check out the pages from 201320142015, and 2016. You will find projects that allow for inspection of virtual machines guests from the view of the host, recovery of in-memory browser artifacts, methods to detect stealthy rootkits, and much more.

If you have any questions please feel free to reach out to us. 

We are looking forward to another year of innovative open source research!