Yesterday we published a new blog post on using bulk_extractor during
memory forensics investigations. The writeup focused on the ability to
create PCAP files of resident network data inside a memory capture. If
you are not using this capability in your investigations then you are
definitely missing out!
http://volatility-labs.blogspot.com/2015/01/incorporating-disk-forensics-wi…
--
Thanks,
Andrew (@attrc)
We are pleased to announce that BSidesNOLA 2015 will take place on
Saturday, May 30th in the heart of downtown New Orleans. Full details
can be found on the following page:
http://www.securitybsides.com/w/page/91550808/BSidesNOLA
Our call for papers is currently open and we will be accepting
submissions through March 1st. Please spend time on your CFP
submission(s) as we receive a large number each year and inevitably have
to reject some of them. If you look at our lineup from last year
(http://www.securitybsides.com/w/page/71231585/BsidesNola2014) and the
year before (http://www.securitybsides.com/w/page/62741761/BsidesNola)
you will see that we attract some of the best speakers and researchers
in the industry. You don't want to miss our speakers' party so send us
your best stuff!
Also, we are very excited to announce that Chris Rohlf will be keynoting
this year. He has many years experience in the industry and is currently
in charge of all penetration testing efforts inside of Yahoo. He will be
speaking on performing offensive computer operations at scale.
Please let us know if you have any questions, and if you plan to attend
you must register on the Eventbrite page!
--
Thanks,
Andrew (@attrc)
Was writing to let everyone know that the DFRWS challenge is out for
this year and it involves analyzing both a usual linux memory sample as
well as analyzing GPU memory from a nvidia device. The challenge's
creator worked with nvidia to have an acquisition tool capable of
getting the memory off the devices. The latest git version of Volatility
can analyze the Linux side, but the real purpose of the challenge is to
encourage memory forensics research against the GPU. Hoping for some
exciting results from it!
http://www.cs.uno.edu/~golden/gpu-malware-research.html
--
Thanks,
Andrew (@attrc)
vol-users,
If anyone is planning to attend ShmooCon today and wants to meet up,
please send me a note offlist. We can discuss features you would like to
see integrated into future releases, the benefits of Volatility training,
half-baked anti-forensics schemes, why Andrew only drinks Champagne, and
where we are headed with Volatility 3.0!
AAron Walters
The Volatility Foundation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi folks,
Sorry for the short notice. We have 4 seats available for our Malware
and Memory Forensics Training class in Ottawa in February. Send me a
note if you're interested. It will probably be the only time we're in
Canada in 2015.
Cheers!
MHL
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
iF4EAREKAAYFAlS0MwUACgkQXnt9v1O0LItfcAD+O6PZ8v4/nowcwbW3z8SCNMf1
KUXdE4fFu5jEUivfJYIA/0DzpkzsaViQ//bwuRse3kKGnrAmTwKVFpfZMJiAWO8j
=N5qi
-----END PGP SIGNATURE-----
WARNING : volatility.obj : NoneObject as string: Pointer Owner invalid
I saw some people also having the same issues, but I am not seeing the fix anywhere. Suggestions?
Imagine my chagrin to find that the new volatility site contains exactly what I proposed below. Mea culpa for referencing old directions and code... :-/
For those that come after me, take a look at https://github.com/volatilityfoundation/volatility/wiki/Linux and specifically:
"You can find a repository of pre-built profiles at the volatilityfoundation/profiles Github.”
Cheers,
Jesse
On Dec 29, 2014, at 7:32 PM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
> Hello,
>
> Hoping someone on the list has a profile for Centos 6.5 running a 2.6.32-431.17.1.el6.x86_64 kernel they wouldn’t mind sharing...It’s a non-standard thing for my environment, so I don’t have a similar box to build from (and am hoping to save the time of building a machine just for this)...
>
> Tangential to this, are there any repositories of Volatility profiles for Linux? I noticed Ken Pryor’s Github repo which seems like a great idea (and platform) for this, however he only has a few Ubuntu versions and it doesn’t look like it’s been updated in a while...Any interest from the Volatility team in starting something similar (if it’s not already happening and I just don’t know about it)?
>
> Cheers,
>
> Jesse
Hi James,
I have updated timeliner to work with the new OpenPyxl API. Just for
reference, my install is from [1]. In addition to this, I have also
added xlsx output as a renderer for the unified output [2]. So you
should be able to get xlsx output from any plugin that has already been
converted. You can see which plugins have this support by using the
--help/-h switch. For example:
$ python vol.py -f mem.img pslist --help
[snip]
Module Output Options: dot, html, json, quicktext, sqlite, text, xlsx
[snip]
$ python vol.py -f mem.img pslist --output=xlsx --output-file=pslist.xlsx
All the best,
-Jamie
[1] https://pypi.python.org/pypi/openpyxl
[2]
https://github.com/volatilityfoundation/volatility/commit/c4a9a732c9411e7b0…
On 12/19/14 7:40 AM, James Lay wrote:
> On Fri, 2014-12-19 at 03:01 +0000, Jamie Levy wrote:
>> OpenPyxl just changed their API and it is no longer compatible. I am in the process of fixing the timeliner plugin to use the new API.
>>
>> Also, the excel output for psxview has already been converted to the new API.
>>
>> All the best,
>>
>> -Jamie
>>
>>
>>
>> ------Original Message------
>> From: James Lay
>> Sender: vol-users-bounces(a)volatilityfoundation.org <mailto:vol-users-bounces@volatilityfoundation.org>
>> To: Volatility
>> ReplyTo: jlay(a)slave-tothe-box.net <mailto:jlay@slave-tothe-box.net>
>> Subject: [Vol-users] Trick to getting xlsx output
>> Sent: Dec 18, 2014 6:27 PM
>>
>> Hey all,
>>
>> Using 2.4...not able to get xlsx output...greeted with:
>>
>> Volatility Foundation Volatility Framework 2.4
>> ERROR : volatility.plugins.timeliner: You must install OpenPyxl for
>> xlsx format:
>> https://bitbucket.org/ericgazoni/openpyxl/wiki/Home
>>
>> My install method for volatility was download, extract, move to
>> /opt/volatility, and python vol.py from there.
>> My install method for openpyxl was:
>>
>> hg clone https://bitbucket.org/openpyxl/openpyxl
>> cd openpyxl
>> python setup.py build
>> sudo python setup.py install
>>
>> Is there anything else I need to check? I see a slew of items in:
>>
>> /usr/local/lib/python2.7/dist-packages/openpyxl-2.1.4-py2.7.egg/
>>
>> Thank you.
>>
>> James
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org <mailto:Vol-users@volatilityfoundation.org>
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>
> Awesome....looking forward to it...thank you.
>
> James
--
Jamie Levy (@gleeda)
Blog: http://volatility-labs.blogspot.com/
GPG: http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
OpenPyxl just changed their API and it is no longer compatible. I am in the process of fixing the timeliner plugin to use the new API.
Also, the excel output for psxview has already been converted to the new API.
All the best,
-Jamie
------Original Message------
From: James Lay
Sender: vol-users-bounces(a)volatilesystems.com
To: Volatility
ReplyTo: jlay(a)slave-tothe-box.net
Subject: [Vol-users] Trick to getting xlsx output
Sent: Dec 18, 2014 6:27 PM
Hey all,
Using 2.4...not able to get xlsx output...greeted with:
Volatility Foundation Volatility Framework 2.4
ERROR : volatility.plugins.timeliner: You must install OpenPyxl for
xlsx format:
https://bitbucket.org/ericgazoni/openpyxl/wiki/Home
My install method for volatility was download, extract, move to
/opt/volatility, and python vol.py from there.
My install method for openpyxl was:
hg clone https://bitbucket.org/openpyxl/openpyxl
cd openpyxl
python setup.py build
sudo python setup.py install
Is there anything else I need to check? I see a slew of items in:
/usr/local/lib/python2.7/dist-packages/openpyxl-2.1.4-py2.7.egg/
Thank you.
James
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilesystems.com
http://lists.volatilesystems.com/mailman/listinfo/vol-users
