Hi all,
I'm wondering whether I can use Volatility to get the free memory pages of
the operating system. I have looked up the wiki pages but couldn't find
any primitive operation that returns a list of free memory pages.
I believe getting the free memory pages would be beneficial to many areas,
including VM migration and efficient memory management of multiple
VMs. Does anyone have an idea?
--
Kiryong
Hello,
We wanted to take the opportunity to point you to a blog post which gives a
preview of some of the research we've been working on at 504ENSICS Labs in
the area of Android memory analysis. This time we are demoing a feature
that will allow automated Volatility plugin generation with our Dalvik
Inspector tool. We think our results will be of great interest to the DFIR
community and look forward to your feedback. We plan on releasing the
tool this year at Black Hat.
The blog post can be found here:
http://www.504ensics.com/automated-volatility-plugin-generation-with-dalvik…
---
*Joe T. Sylve, M.S.*
Co-Founder
504ENSICS Labs
(504) 210-8270 (Office)
http://www.504ensics.com
PGP Key: http://www.504ensics.com/pgp_keys/joesylve.asc
For those of you interested in applying memory forensics to your
malware analysis and rootkit detection efforts, we've just posted a
new blog with some exciting news and updates:
http://volatility-labs.blogspot.com/2013/05/whats-happening-in-world-of-vol…
* Volatility 2.3 will enter beta this week and we'll introduce the new
features over the next four weeks (Month of Volatility Plugins II).
* There are three training courses open for registration (Reston in
June, Netherlands in September, Vermont in November). Email
voltraining(a)memoryanalysis.net for details.
* The plugin contest submissions are starting to trickle in. Enter to
win over $2250 in cash or a free seat at an upcoming training.
* This year's Open Memory Forensics Workshop will be in Chantilly VA
on November 4th, alongside OSDFC (Open Source Digital Forensics
Conference). CFP to be announced soon.
All the best,
Jamie / @gleeda
The Volatility Project
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
Hi List,
It's my first post here, so first of all, thanks a lot for this project!
I'm currently working with Volatility 2.2 (testing with 2.3 too) to link it with
DFF [1]. I've almost finished my module, but a co-worker provided me with a dump
acquired via VirtualBox. Therefore, I used the latest vboxelf.py available in
trunk on the svn, but here is the problem:
DFF's API provides a mechanism to represent file mappings: logical offset, size,
physical offset and underlying file for each chunk of data. This is how we are
able to have access to all exes, dlls and modules without having to extract them
with Volatility. Specifically, I adapted the code used by procexedump to be able to
push each chunk. At least, I get the same SHA-1 as the files created with
procexedump, even if some chunks overlap, but that is off topic.
So, when having the following layers, everything is ok:
AS Layer 1 JKIA32PagedMemoryPae ( Kernel AS )
AS Layer 2 dffAdressSpace ( /Logical files/ds_fuzz_hidden_proc.img )
__But__ when dealing with the following ones:
AS Layer 1 JKIA32PagedMemoryPae ( Kernel AS )
AS Layer 2 VirtualBoxCoreDumpElf64 ( Unnamed AS )
AS Layer 3 dffAdressSpace ( /Logical files/Window7_2013-04-24_18_51_39.310504 )
Content for each exe, dll and module is wrong. In the code where I push chunks
for each file, I use the vtop() method of the corresponding address space, but since
there is another level here, I'm missing the last translation of the address.
The vtop() returns what could be seen as a virtual address for Layer 2.
So I dug into the code of vboxelf.py and saw there was a get_addr() method I could
use, but it is not a "standardized" method. The issue would be the same with a
dump acquired with LiME, for example (which has its own __get_offset() method).
So here is my question: could it be possible to implement a standard method in
each address space plugin to be able to obtain the corresponding address for
the underlying layer? Or, alternatively, a global function iterating over
each layer to provide the "absolute" physical address, or something like that.
Regards,
[1] http://www.digital-forensic.org/
--
Frédéric Baguelin frederic.baguelin(a)arxsys.fr
ArxSys SAS, Directeur technique
Tél: +33 146 362 522
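As an added illustration of the problem described in the post above (this is example code written for this thread, not code from Volatility, DFF, vboxelf.py or the LiME address space): a toy stack of three address spaces in the roles of the paged kernel AS, the VirtualBox/LiME core-dump layer and the file layer. Every class, layout and byte of sample data here is constructed; `translate_to_file_offset()` is the "global function iterating over each layer" the post asks for. It shows that `vtop()` on the top layer alone yields an offset that is still relative to the next layer down, and that only walking the whole `.base` chain gives an offset usable against the dump file.

```python
"""Added example (not Volatility/DFF code): stacked address spaces and why
the top layer's vtop() is not a file offset. Everything below is constructed."""

PAGE = 0x1000


class FileAddressSpace:
    """Bottom layer: the dump file itself. Offsets are file offsets."""

    def __init__(self, data):
        self.base = None
        self.data = data

    def vtop(self, offset):
        return offset

    def read(self, offset, length):
        return self.data[offset:offset + length]


class CoreDumpAddressSpace:
    """Middle layer, in the role of VirtualBoxCoreDumpElf64 or a LiME layer:
    maps runs of guest-physical memory onto offsets in the underlying file."""

    def __init__(self, base, runs):
        self.base = base
        self.runs = runs  # list of (phys_start, file_offset, size), constructed

    def vtop(self, paddr):
        for start, foff, size in self.runs:
            if start <= paddr < start + size:
                return foff + (paddr - start)
        return None

    def read(self, paddr, length):
        off = self.vtop(paddr)
        return None if off is None else self.base.read(off, length)


class PagedAddressSpace:
    """Top layer, in the role of the paged kernel AS: a one-level toy page
    table mapping virtual page numbers to physical frame numbers."""

    def __init__(self, base, page_table):
        self.base = base
        self.page_table = page_table  # {vpn: pfn}, constructed

    def vtop(self, vaddr):
        pfn = self.page_table.get(vaddr // PAGE)
        return None if pfn is None else pfn * PAGE + (vaddr % PAGE)

    def read(self, vaddr, length):
        paddr = self.vtop(vaddr)
        return None if paddr is None else self.base.read(paddr, length)


def translate_to_file_offset(addr_space, addr):
    """Apply vtop() at every layer from the top down to the file layer.
    Returns None as soon as one layer cannot translate the address."""
    layer = addr_space
    while layer is not None:
        addr = layer.vtop(addr)
        if addr is None:
            return None
        layer = layer.base
    return addr


def build_stack():
    """Constructed dump: a 0x100-byte header, then guest-physical pages
    0x10000 and 0x11000 stored back to back starting at file offset 0x100."""
    page0 = b"A" * PAGE
    page1 = b"MZ" + b"B" * (PAGE - 2)  # an 'MZ' header lives at phys 0x11000
    data = b"HDR".ljust(0x100, b"\0") + page0 + page1
    file_as = FileAddressSpace(data)
    core_as = CoreDumpAddressSpace(file_as, runs=[(0x10000, 0x100, 2 * PAGE)])
    # virtual page 0x400 (vaddr 0x400000) is backed by frame 0x11 (phys 0x11000)
    kernel_as = PagedAddressSpace(core_as, page_table={0x400: 0x11})
    return kernel_as, file_as


if __name__ == "__main__":
    kernel_as, file_as = build_stack()
    vaddr = 0x400000
    naive = kernel_as.vtop(vaddr)                         # 0x11000: a layer-2 address
    absolute = translate_to_file_offset(kernel_as, vaddr)  # 0x1100: the file offset
    print(hex(naive), file_as.read(naive, 2))             # 0x11000 b'' (past end of file)
    print(hex(absolute), file_as.read(absolute, 2))       # 0x1100 b'MZ'
```

With only two layers (paged AS directly on the file AS) the naive and absolute offsets coincide, which is why the DFF-backed two-layer stack in the post works and the three-layer VirtualBox stack does not; pushing `translate_to_file_offset()` results instead of the top layer's `vtop()` results is what the chunk mapping needs.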
Hi,
I am trying to get the value of the symbol "bt_proto" using the member
function get_symbol, I checked using gdb that this symbol is a part of the
bluetooth kernel module. But, I get the following error message
"volatility.plugins.overlays.linux.linux: Requested symbol bt_proto not
found in module kernel". Any thoughts why this might be happening?
Thanks!
Regards
Pranjal Jumde
We are happy to announce that our memory forensics training course
will be going to the Netherlands in September:
http://volatility-labs.blogspot.com/2013/04/memory-forensics-training-nethe…
This course is taught directly by Volatility developers, and will
provide intense training in memory forensics for incident response,
malware analysis, and digital forensic investigation.
This will be our only course outside of the USA in 2013, and we have
already had a number of people inquire about attending, so please
contact us ASAP if you are interested in taking it.
Thanks,
Andrew (@attrc)
Hello all,
I have arrived at an implementation part of my research and I was
wondering if you have any advice or documentation on some "pythonisms"
and "volatility-isms" I could be using to do this implementation.
My question is two-fold:
1) I have acquired a small part of memory using read/zread and want to
match (not search) this part of memory against a specific pattern. Do you
know of any pythonisms I could be using, other than checking and
matching byte by byte? Is there some type of pattern I could use? I
suspect I'll just have to evaluate a list of rules, but I figured I'd
ask anyway.
2) Some parts of memory I am interested in are originally (C) structs,
I'd like to map these to objects similar to the way this is done for
structs like 'task_struct' and 'mm_struct', is there any documentation
on the way this is done?
If it matters, this is all in process address space.
Cheers,
Edwin
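An added example for both parts of the question above (written for this thread, not Volatility's own code): an anchored bytes regex does the "match, not search" part in one step, with the remaining semantic checks expressed as a short rule list, and a dictionary in the same `[size, {field: [offset, [type]]}]` shape as Volatility's vtypes maps a C struct to a Python object with lazily decoded fields. The `entry` struct, its vtype, and the 32-byte chunk standing in for a `zread()` result are all constructed for the illustration.

```python
"""Added example (not Volatility code): matching a raw chunk against a fixed
layout, and mapping a C struct to an object with a vtype-style dictionary."""
import re
import struct

# Hypothetical C layout the chunk is assumed to hold (32 bytes, little-endian):
#   struct entry { uint32_t magic; uint16_t flags; uint16_t name_len;
#                  char name[16]; uint64_t next; };
CHUNK = (b"\xEF\xBE\xAD\xDE"                      # magic 0xDEADBEEF
         + b"\x03\x00"                             # flags = 3
         + b"\x05\x00"                             # name_len = 5
         + b"hello".ljust(16, b"\0")               # name, NUL padded
         + struct.pack("<Q", 0xFFFF880012345678))  # next

# 1) Match, not search: re.match anchors at offset 0 and \Z anchors the end,
#    so the whole chunk must have exactly this shape ('.' matches any byte
#    under DOTALL, including NUL and newline).
ENTRY_PATTERN = re.compile(
    rb"\xEF\xBE\xAD\xDE"   # fixed magic
    rb".{2}"               # flags: any value
    rb"(.)\x00"            # name_len: one byte, high byte must be zero
    rb"(.{16})"            # name
    rb"(.{8})\Z",          # next
    re.DOTALL)


def match_entry(chunk):
    """Return the decoded fields if the chunk matches the layout and the
    semantic rules (declared length fits, name is printable), else None."""
    m = ENTRY_PATTERN.match(chunk)
    if m is None:
        return None
    name_len = m.group(1)[0]
    name, nxt = m.group(2), m.group(3)
    if name_len > 15 or name[name_len] != 0:          # must be NUL-terminated
        return None
    if not all(0x20 <= b < 0x7F for b in name[:name_len]):
        return None
    return {"name": name[:name_len].decode("ascii"),
            "next": struct.unpack("<Q", nxt)[0]}


# 2) Struct-to-object mapping in the shape of a Volatility vtype:
#    {type_name: [size, {field: [offset, [type, extra...]]}]}  (constructed)
VTYPES = {
    "entry": [32, {
        "magic":    [0,  ["unsigned int"]],
        "flags":    [4,  ["unsigned short"]],
        "name_len": [6,  ["unsigned short"]],
        "name":     [8,  ["String", {"length": 16}]],
        "next":     [24, ["unsigned long long"]],
    }],
}
NATIVE_FORMATS = {"unsigned int": "<I", "unsigned short": "<H",
                  "unsigned long long": "<Q"}


class CStruct:
    """Each attribute read decodes the field from the raw bytes at
    offset + field offset, so the object is a view over the chunk."""

    def __init__(self, type_name, data, offset=0):
        self.size, self._fields = VTYPES[type_name]
        self._data, self._offset = data, offset

    def __getattr__(self, field):
        try:
            off, (kind, *extra) = self._fields[field]
        except KeyError:
            raise AttributeError(field) from None
        pos = self._offset + off
        if kind == "String":
            raw = self._data[pos:pos + extra[0]["length"]]
            return raw.split(b"\0", 1)[0].decode("ascii", "replace")
        return struct.unpack_from(NATIVE_FORMATS[kind], self._data, pos)[0]


if __name__ == "__main__":
    print(match_entry(CHUNK))          # {'name': 'hello', 'next': 18446612134620210808}
    e = CStruct("entry", CHUNK)
    print(hex(e.magic), e.flags, e.name, hex(e.next))  # 0xdeadbeef 3 hello 0xffff880012345678
```

The regex handles the fixed-width shape, the rule list handles what a regex expresses badly (a length field that must agree with the data it describes), and the vtype table keeps field offsets out of the matching code, so a changed kernel layout means editing one dictionary rather than every consumer.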
Hello guys,
After several months I have the alpha version of my plugin.
Actaeon is a tool to perform memory forensics of virtualization
environments.
Starting from a physical memory dump, Actaeon can achieve three important
goals: 1) locate any Hypervisor (virtual machine monitor) that uses the
Intel VT-x technology, 2) detect and analyze nested virtualization and show
the relationships among different hypervisors running on the same machine,
and 3) provide a transparent mechanism to recognize and support the address
space of the virtual machines.
You can have more information by visiting the following site:
http://s3.eurecom.fr/tools/actaeon/
I would like to have feedback (positive or negative) and ideas from you.
Let's improve Actaeon and Volatility :)
--
/mariano