Hello,
We wanted to take the opportunity to point you to a blog post which gives a
preview of some of the research we've been working on at 504ENSICS Labs in
the area of Android memory analysis. This time we are demoing a feature
that will allow automated volatility plugin generation with our Dalvik
Inspector tool. We think our results will be of great interest to the DFIR
community and look forward to your feedback. We plan on releasing the
tool this year at Black Hat.
The blog post can be found here:
http://www.504ensics.com/automated-volatility-plugin-generation-with-dalvik…
---
*Joe T. Sylve, M.S.*
Co-Founder
504ENSICS Labs
(504) 210-8270 (Office)
http://www.504ensics.com
PGP Key: http://www.504ensics.com/pgp_keys/joesylve.asc
Greetings
I am looking at Win 7 x86 SP1 memory and I don't understand why I am seeing
"established connections" but no PID or Process with it.
0x2d07480 TCPv4 10.22.41.40:58767 38.126.225.229:43405 ESTABLISHED -------- --------------
0x1367da70 TCPv4 10.22.41.40:59302 151.213.50.211:22031 ESTABLISHED -------- --------------
In addition I am seeing stuff "listening" and it contains the PID and
Process.
0xdb838178 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 996 svchost.exe
0xdb850ab0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 1440 spoolsv.exe
0xdb855e78 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 1440 spoolsv.exe
So my question is why can I see the listening processes but I'm not getting
the processes that are established?
Thanks for the help
Lou
For those of you interested in applying memory forensics to your
malware analysis and rootkit detection efforts, we've just posted a
new blog with some exciting news and updates:
http://volatility-labs.blogspot.com/2013/05/whats-happening-in-world-of-vol…
* Volatility 2.3 will enter beta this week and we'll introduce the new
features over the next four weeks (Month of Volatility Plugins II).
* There are three training courses open for registration (Reston in
June, Netherlands in September, Vermont in November). Email
voltraining(a)memoryanalysis.net for details.
* The plugin contest submissions are starting to trickle in. Enter to
win over $2250 in cash or a free seat at an upcoming training.
* This year's Open Memory Forensics Workshop will be in Chantilly VA
on November 4th, alongside OSDFC (Open Source Digital Forensics
Conference). CFP to be announced soon.
All the best,
Jamie / @gleeda
The Volatility Project
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
We are happy to announce that our memory forensics training course
will be going to the Netherlands in September:
http://volatility-labs.blogspot.com/2013/04/memory-forensics-training-nethe…
This course is taught directly by Volatility developers, and will
provide intense training in memory forensics for incident response,
malware analysis, and digital forensic investigation.
This will be our only course outside of the USA in 2013, and we have
already had a number of people inquire about attending, so please
contact us ASAP if you are interested in taking it.
Thanks,
Andrew (@attrc)
Hi all,
I've just created a profile for my Ubuntu 12.04 (3.5.0-25) and I've
dumped the memory using virtualbox guestcoredump.
Using the linux_proc_maps plugin I get the following output:
http://paste.ubuntu.com/5576450/
I was expecting similar output to "cat /proc/<pid>/maps". As you can
see, these "-0x4...000" addresses are obviously wrong. Is this something I am
doing wrong myself, or is this a bug? It happens for other processes
as well.
If this is a bug I'll make a new issue in the tracker with the steps
I've followed to produce this.
Cheers,
Edwin
Hi,
There was some talk on the #volatility IRC channel. Won't go into details;
basically, wondering how one can use vtop from volshell as it is not a
plugin.
thanks