As members of the Volatility mailing list, you know that memory
acquisition has proven to be one of the most important and precarious
aspects of digital investigations. Over the years, you have seen the
Volatility team spend a lot of time troubleshooting issues that were
ultimately caused by failed or corrupted acquisition attempts. You have
also seen our colleague, George M. Garner, lead spirited debates about the
reliability of proposed acquisition tools and techniques. With George’s
untimely passing last summer, the industry not only lost one of the most
robust Windows acquisition tools, but it also lost an industry thought
leader who held the forensics community to a higher standard.
Unfortunately, many investigators still blindly trust free and commercial
acquisition tools without understanding the associated risks and
limitations. While these tools may be readily accessible, many are
unsupported or have been effectively abandoned by their original
developers who have moved on to pursue other projects. As an example,
Google’s GRR project recently disabled their memory forensics capabilities
because it was introducing instabilities, and it wasn’t being actively
maintained. A recent empirical study also showed that most open source or
commercial Windows memory acquisition tools either failed to collect or
crashed systems with modern security features enabled. We can also share
countless stories of investigators and law enforcement officers returning
to their labs only to discover that their memory acquisitions had failed.
There is a growing need for a reliable and actively supported memory
acquisition capability across Windows, Linux, and macOS.
If you follow us on twitter (@volatility) or have taken our training
classes within the last couple of years, you have heard about Volexity’s
Surge Collect. Surge Collect provides a reliable and commercially
supported collection capability with flexible storage options. Surge
Collect can also be easily integrated with Tanium, Carbon Black, and other
enterprise software agents. It is currently in use by many of the largest
federal and local law enforcement agencies around the world. Surge
Collect is also actively used by leading incident response firms,
technology companies, telecommunication providers, universities, Fortune
companies, and branches of the military.
If you are looking for a commercially supported acquisition solution with
dedicated development and support teams for Windows, Linux, and macOS, I
recommend you check out Volexity’s Surge Collect. Hopefully, this will
FINALLY give investigators a reliable and flexible acquisition capability
they can depend on and allow the Volatility team to focus more of our time
on developing exciting new memory analysis capabilities!
Thanks,
AAron Walters
Original author of Volatility
Founder of The Volatility Foundation
The next stop for our training course is Amsterdam in September. This will be our only public offering in Europe in 2018.
Historically our courses have sold out around a month in advance, so please contact us ASAP if you wish to attend.
For our US-based students, we will be back in Herndon in October.
Full information on both offerings can be found here:
https://volatility-labs.blogspot.com/2018/02/malware-and-memory-forensics-t…
We look forward to meeting many new Volatility users at these events!
We are excited to announce that the 2018 Volatility Plugin Contest and the inaugural Volatility Analysis Contest are now accepting submissions until October 1, 2018. Winners of each contest will receive over $2,500 in cash prizes and the highly coveted Volatility swag (t-shirts, stickers, etc.)!
Full details can be found on our blog post:
https://volatility-labs.blogspot.com/2018/05/the-6th-annual-volatility-plug…
Please let us know if you have any questions, and good luck to all!
I've found several repositories of Yara rules for scanning fie systems,
but so far, none written for scanning memory. Does anyone know of (or
have) a Yara rule collection for memory images?
Thanks!
We are very excited to announce that the speaker lineup for BSidesNOLA 2018 is out!
We have some of the best speakers in the industry in order to cover a variety of topics in digital forensics, incident response,
malware analysis, and more.
The full lineup can be found here:
http://www.bsidesnola.com/
Please register ahead of time if you wish to attend ($15), and please spread the word to your coworkers and friends.
— The BSidesNOLA Team
To all concerned,
A coworker and I have authored an ingestion tool for Splunk called
Ta-Volatility, https://splunkbase.splunk.com/app/3919/, that takes json
formatted unified_outputs from volatility. As it stands right now, it can
handle over 160 plugins across windows, linux and mac, and we're adding
more every day. We are adding unified outputs to the standard plugins that
do not have them, github PR #501
<https://github.com/volatilityfoundation/volatility/pull/501>. The app
will support the latest version of volatility (volatilityfoundation or
mutedmouse's fork, https://github.com/mutedmouse/ta-volatility). The app's
setup page describes the required folder structure. The source by default
is "volatility" and the index is main by default, although you can set this
by adding index=<yourindex> in the inputs.conf file.
Below is a sample sankey visualization from an analyzed windows 10 system's
ingested pslist plugin output.
Enjoy and please let us know if there is anything you would like added
(aside from charts and dashboards - those are coming 😀 ).
V/r,
Chris
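The post above describes feeding Volatility's JSON unified output into Splunk. As an added illustration (not code from Ta-Volatility or the Volatility project), the script below shows the flattening step such an ingestion has to do: Volatility 2's `--output=json` renderer emits one document per plugin run with a `columns` list and a `rows` list of lists, which is not directly searchable by field in Splunk. The example turns each row into a self-describing newline-delimited JSON event tagged with the plugin and host, validates that every row matches the column count, and then runs one simple sanity check over the ingested pslist events. The sample document, the field names, the `volatility:<plugin>` sourcetype convention and the hypothetical host name are all constructed for this example.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of Volatility 2 `--output=json` (unified
# output) for pslist. Offsets, PIDs and timestamps are made up, not from a
# real memory image.
SAMPLE_PSLIST_JSON = json.dumps({
    "columns": ["Offset(V)", "Name", "PID", "PPID", "Thds", "Hnds",
                "Sess", "Wow64", "Start", "Exit"],
    "rows": [
        [0xfffffa8001234560, "System", 4, 0, 100, 500, -1, 0,
         "2018-01-01 00:00:00 UTC+0000", ""],
        [0xfffffa8001235670, "explorer.exe", 1234, 1100, 30, 900, 1, 0,
         "2018-01-01 00:01:00 UTC+0000", ""],
        [0xfffffa8001236780, "svch0st.exe", 4321, 1234, 2, 40, 1, 1,
         "2018-01-01 00:02:00 UTC+0000", ""],
    ],
})


def normalise_field(name: str) -> str:
    """Turn a Volatility column header such as "Offset(V)" into a
    Splunk-friendly field name such as "offset_v"."""
    cleaned = "".join(ch if ch.isalnum() else "_" for ch in name.lower())
    return "_".join(part for part in cleaned.split("_") if part)


def unified_to_events(raw: str, plugin: str, host: str) -> List[Dict]:
    """Flatten one unified-output JSON document into a list of per-row
    events, each carrying the plugin name and the hypothetical host tag."""
    doc = json.loads(raw)
    cols, rows = doc.get("columns"), doc.get("rows")
    if not isinstance(cols, list) or not isinstance(rows, list):
        raise ValueError("expected a document with 'columns' and 'rows' lists")
    fields = [normalise_field(c) for c in cols]
    events = []
    for n, row in enumerate(rows):
        # A row with the wrong width would silently shift every field,
        # so refuse it rather than index garbage.
        if len(row) != len(fields):
            raise ValueError(f"row {n}: {len(row)} values for {len(fields)} columns")
        event = dict(zip(fields, row))
        event["plugin"] = plugin
        event["host"] = host
        event["sourcetype"] = f"volatility:{plugin}"   # constructed convention
        events.append(event)
    return events


def to_ndjson(events: List[Dict]) -> str:
    """Serialise events one per line, the form a file monitor input can
    ingest with one event per line."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


def unknown_parents(pslist_events: List[Dict]) -> List[str]:
    """Example of a check that becomes a one-line search once rows are
    flattened: process names whose PPID is not in the listed PID set.
    PPID 0 (no parent, e.g. System) is skipped."""
    pids = {e["pid"] for e in pslist_events}
    return [e["name"] for e in pslist_events
            if e["ppid"] != 0 and e["ppid"] not in pids]


if __name__ == "__main__":
    evs = unified_to_events(SAMPLE_PSLIST_JSON, "pslist", "lab-win10")
    print(to_ndjson(evs), end="")
    print("processes with no listed parent:", unknown_parents(evs))
```

In practice the script would be run once per plugin output file produced by a `vol.py ... --output=json` invocation, and the resulting `.ndjson` dropped into whatever folder the app's `inputs.conf` stanza monitors; the `index` setting mentioned in the post is applied by that stanza, not by the flattening step.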
We are excited to announce our full list of public trainings for 2018!
There will be three offerings this year, including two in Herndon (Spring and Fall) and one in Amsterdam in September.
Full information, including updates to the course for the new year, can be found on our blog post:
https://volatility-labs.blogspot.com/2018/02/malware-and-memory-forensics-t…
Our classes tend to sell out early so please contact us as soon as you have interest in a particular offering.
We look forward to meeting many new students this year!
— The Volatility Team
We are pleased to announce that registration and the Call for Papers for BSidesNOLA 2018 are now open!
Full information can be found at: http://www.bsidesnola.com
This will be our 6th year, and we are expecting continued growth in attendance - our goal is to eclipse 250 attendees this year.
We have also changed venues to the world famous Roosevelt Hotel, which is only a 1 minute walk from the French Quarter.
We hope to see everyone at the event, and we are looking forward to many great talk submissions.
If you would like to help spread the event on Twitter, then please RT this announcement:
https://twitter.com/BSidesNOLA/status/956545409589108737
Finally, we are also now seeking sponsors. If your company is interested then please email bsidesnola [AT] gmail.com or reply privately to this email.
Thanks,
The BSidesNOLA Team
We are excited to announce that the results of the 2017 Volatility Plugin Contest are in:
https://volatility-labs.blogspot.com/2017/11/results-from-5th-annual-2017-v…
We had many novel submissions this year across a wide variety of operating systems, malware detection strategies, and userland application artifacts.
Thanks to everyone who submitted and contributed new capabilities to open source memory forensics!
Thanks,
The Volatility Team
We just published a blog post detailing the infrastructure, initial
infection strategies, and payloads of the resurgent OceanLotus threat group:
https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-s…
A follow up post detailing the phishing activity and malware
infrastructure is coming soon.
Comments welcome!
--
Thanks,
Andrew (@attrc)