I've found several repositories of Yara rules for scanning file systems,
but so far, none written for scanning memory. Does anyone know of (or
have) a Yara rule collection for memory images?
Thanks!
We are very excited to announce that the speaker lineup for BSidesNOLA 2018 is out!
We have some of the best speakers in the industry in order to cover a variety of topics in digital forensics, incident response,
malware analysis, and more.
The full lineup can be found here:
http://www.bsidesnola.com/
Please register ahead of time if you wish to attend ($15), and please spread the word to your coworkers and friends.
— The BSidesNOLA Team
To all concerned,
A coworker and I have authored an ingestion tool for Splunk called
Ta-Volatility, https://splunkbase.splunk.com/app/3919/, that takes JSON-formatted
unified_outputs from volatility. As it stands right now, it can
handle over 160 plugins across Windows, Linux and Mac, and we're adding
more every day. We are adding unified outputs to the standard plugins that
do not have them, github PR #501
<https://github.com/volatilityfoundation/volatility/pull/501>. The app
will support the latest version of volatility (volatilityfoundation or
mutedmouse's fork, https://github.com/mutedmouse/ta-volatility). The app's
setup page describes the required folder structure. The source by default
is "volatility" and the index is main by default, although you can set this
by adding index=<yourindex> in the inputs.conf file.
Below is a sample sankey visualization from an analyzed windows 10 system's
ingested pslist plugin output.
Enjoy and please let us know if there is anything you would like added
(aside from charts and dashboards - those are coming 😀 ).
V/r,
Chris
We are excited to announce our full list of public trainings for 2018!
There will be three offerings this year, including two in Herndon (Spring and Fall) and one in Amsterdam in September.
Full information, including updates to the course for the new year, can be found on our blog post:
https://volatility-labs.blogspot.com/2018/02/malware-and-memory-forensics-t…
Our classes tend to sell out early so please contact us as soon as you have interest in a particular offering.
We look forward to meeting many new students this year!
— The Volatility Team
We are pleased to announce that registration and the Call for Papers for BSidesNOLA 2018 are now open!
Full information can be found at: http://www.bsidesnola.com
This will be our 6th year, and we are expecting continued growth in attendance - our goal is to eclipse 250 attendees this year.
We have also changed venues to the world famous Roosevelt Hotel, which is only a 1 minute walk from the French Quarter.
We hope to see everyone at the event, and we are looking forward to many great talk submissions.
If you would like to help spread the event on Twitter, then please RT this announcement:
https://twitter.com/BSidesNOLA/status/956545409589108737
Finally, we are also now seeking sponsors. If your company is interested then please email bsidesnola [AT] gmail.com or reply privately to this email.
Thanks,
The BSidesNOLA Team
We are excited to announce that the results of the 2017 Volatility Plugin Contest are in:
https://volatility-labs.blogspot.com/2017/11/results-from-5th-annual-2017-v…
We had many novel submissions this year across a wide variety of operating systems, malware detection strategies, and userland application artifacts.
Thanks to everyone who submitted and contributed new capabilities to open source memory forensics!
Thanks,
The Volatility Team
We just published a blog post detailing the infrastructure, initial
infection strategies, and payloads of the resurgent OceanLotus threat group:
https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-s…
A follow up post detailing the phishing activity and malware
infrastructure is coming soon.
Comments welcome!
--
Thanks,
Andrew (@attrc)
Hi guys,
I'm trying to recover a php script from a suspected system. The file was
stored in a tmpfs filesystem and I cannot recover it. In the php process
(running from cli) I can see references to the script but can't find the
code.
The suspected system is running Debian 8.9: Linux version 3.16.0-4-amd64
(gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.43-2+deb8u5
(2017-09-19).
I've tried to use linux_tmpfs to recover /dev/shm from memory but got some
errors with volatility with no success:
# ~/bin/vol26 --plugins=profiles --profile=LinuxDebian89x64 -d -f memory.dump linux_tmpfs -S 4 -D dump/
[...]
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing name as String
The php process has pid 1234; using volatility linux_dump_map on that
process I see the following strings in the dumped file
task.1234.0x7f003ddf3000.vma:
/dev/shm/script.php(1) : eval()'d code0x7f003ddf303f
/dev/shm/script.php(1) : eval()'d code0x7f003ddf8e2e
/dev/shm/script.php(1) : eval()'d code0x7f003ddf952a
/dev/shm/script.php(1) : eval()'d code0x7f003ddfa588
/dev/shm/script.php(1) : eval()'d code0x7f003ddfa7f3
I'm stuck now trying to recover the php eval'd code, any ideas?
Thanks
Valter
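One starting point for the situation above is to treat the dumped VMA as raw bytes and carve from it: report every PHP `file(line) : eval()'d code` pseudo-filename with its offset, and pull out any `<?php` ... `?>` text blocks, flagging blocks that are cut off before a close tag. This is an added example written for this thread, not code from Volatility or from the poster; the sample bytes are constructed, and a real VMA file can be passed as the first argument.

```python
import re
import sys

# Constructed sample bytes standing in for a linux_dump_map VMA file (not the
# poster's real dump): PHP's eval()'d-code pseudo-filename, one complete
# <?php block, and a second block cut off (e.g. by a page boundary).
SAMPLE_VMA = (
    b"\x00\x00junk\x00/dev/shm/script.php(1) : eval()'d code\x00"
    b"<?php $c = base64_decode('ZWNobyAxOw=='); eval($c); ?>\x00"
    b"\x00<?php echo 'truncated block'; \x00\x00"
)

# PHP writes "<path>(<line>) : eval()'d code" as the pseudo-filename of
# eval()'d source; the string survives in process memory as seen in the dump.
EVAL_MARKER = re.compile(rb"(/[^\x00]+?\.php)\((\d+)\) : eval\(\)'d code")

def find_eval_markers(data):
    """Return (offset, script path, line) for every eval()'d-code reference."""
    return [(m.start(), m.group(1).decode("latin-1"), int(m.group(2)))
            for m in EVAL_MARKER.finditer(data)]

def carve_php_blocks(data, max_len=4096):
    """Carve '<?php' ... '?>' blocks. A block with no close tag before the
    next NUL byte is returned up to that NUL and flagged as truncated."""
    blocks = []
    for m in re.finditer(rb"<\?php", data):
        window = data[m.start():m.start() + max_len]
        end = window.find(b"?>")
        nul = window.find(b"\x00")
        if end != -1 and (nul == -1 or end < nul):
            blocks.append((m.start(), window[:end + 2].decode("latin-1"), False))
        else:
            cut = nul if nul != -1 else len(window)
            blocks.append((m.start(), window[:cut].decode("latin-1"), True))
    return blocks

def analyze(data):
    """Combine both carvers so the result can be inspected or asserted on."""
    return {"markers": find_eval_markers(data), "blocks": carve_php_blocks(data)}

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_VMA
    result = analyze(data)
    for off, path, line in result["markers"]:
        print(f"0x{off:x}: eval()'d code from {path} line {line}")
    for off, src, truncated in result["blocks"]:
        print(f"0x{off:x}{' (truncated)' if truncated else ''}: {src}")
```

Code passed to eval() is usually a bare string without a `<?php` tag, so the marker offsets are the places to inspect by hand (for example with `strings -t x` or a hex editor) when no tagged block is found nearby.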
We are excited to announce that two of our public trainings for 2018
have now been scheduled!
The first will be in April in Herndon, VA:
https://www.memoryanalysis.net/single-post/2017/09/30/New-Event-in-Herndon-…
The second will be in Herndon in October:
https://www.memoryanalysis.net/single-post/2017/09/30/New-Event-in-Herndon-…
We are also in the process of scheduling public trainings in Australia
for Q1 2018 and Europe for Q3. We will send out an update when these are
confirmed, but please contact us if you would like to be placed on the
notification list for either course.
To see some of the recent updates to the course, be sure to check out
our blog post:
https://volatility-labs.blogspot.com/2017/06/our-newly-updated-memory-foren…
Also, we are continuing to have many repeat students - for which we are
very grateful! If you are a previous student and wish to attend again,
then please inquire with us about the repeat-student discount.
Finally, if you will be around during OSDFCON in a few weeks then let
us know if you would like to meet up as most of the team will be in town.
-- The Volatility Team
Hello vol-users!
I'm working on a forensics case where I have multiple memory scrapes with
strange volatility output. This has led me down some rabbit holes and I'm at the
point where signs are pointing to anti-forensics. This has led me to dig
into how pool tag scanning works and I've found several articles
referencing an apparently still unreleased (mentioned in 2014, and 2016)
Volatility plugin called TCPScan which uses an alternative method (which
uses methods that are not detailed).
You can find references to the plugin here:
https://scudette.blogspot.com/2014/02/anti-forensics-and-memory-analysis.html
https://findingbad.blogspot.com/2016/09/forensic-analysis-of-anti-forensic.html
Does anyone have access to or can anyone put me in touch with anyone who
has access to this plugin? Or can anyone talk to the methods that it uses
to scan for connections?
Thanks,
Nate Subra