Curt,
You always ask the good questions...We are currently in the process of
finalizing the specifics of the logistics. My goal was to get this email
out and see if there was anyone else interested in speaking. I will send
an update by the end of the week discussing the "where and when..".
Hope all is well!
AW
On Wed, 13 Apr 2011, Curt Wilson wrote:
>
> AAron,
>
> Is there a date and location?
>
> Thanks
> Curt Wilson
>
>
> On 4/12/2011 10:21 PM, AAron Walters wrote:
>>
>> After the amazing success of OMFW 2008 and a <cough>little</cough>
>> hiatus, we are currently in the process of planning OMFW 2011. OMFW is
>> the single most important event for those who are interested in the
>> deep technical aspects of digital investigations and forensics. It is
>> intended for those people who realize the only real defense against a
>> creative technical human adversary is creative technical human
>> analyst. No shady vendors trying to describe how they re-implemented
>> open source tools or boisterous trainers attempting to discuss topics
>> they only superficially understand. This is your opportunity to learn
>> directly from an international cadre of pioneering researchers and
>> practitioners who have been shaping the field of memory analysis since
>> its inception.
>>
>> If you are interested in getting involved or have an exciting topic
>> you would like to present, please let the team know. For those who
>> want to attend, please be sure to check back frequently for
>> registration details. Due to the overwhelming response in 2008, we
>> were not able to fulfill all the registration requests, so please be
>> sure to register early! There will be a number of surprises and I
>> guarantee it will be an event you won't want to miss! Check out what
>> previous attendees of OMFW have said:
>>
>> "AAron was able to bring together an outstanding group of folks
>> interested in "memory forensics" and there was some spirited
>> discussion among the participants along with some really outstanding
>> talks/demos. It was also great to be able to put faces to folks who
>> until then had only been handles in IRC or names on e-mail/blog posts
>> in the past."
>> -Jim Clausing: SANS Internet Storm Center Handler
>>
>> "My first impression of the event was that the underground could have
>> set digital forensics back 3-5 years if they had attacked our small
>> conference room. Where else do you have Eoghan Casey, Brian Carrier,
>> Harlan Carvey, Michael Cohen, Brendan Dolan-Gavitt, George Garner Jr.,
>> Jesse Kornblum, Andreas Schuster, Aaron Walters, et al, in the same
>> room? I thought Brian Dykstra framed the situation properly when
>> asking the following: "I know this is an easy question for all you
>> 'beautiful minds,' but...""
>> -Richard Bejtlich: TaoSecurity
>>
>>
>> Current invited speakers include:
>>
>> Andrew Case (attc)
>> Michael Cohen (scudette)
>> Brendan Dolan-Gavitt (moyix)
>> Jamie Levy (gleeda)
>> Michael Hale Ligh (MHL)
>> AAron Walters
>>
>> More to be announced....
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
> --
> ---
> Curt Wilson - Perpetual Horizon Security Research
> SIUC IT Security Officer + Security Engineer
>
After the amazing success of OMFW 2008 and a <cough>little</cough> hiatus,
we are currently in the process of planning OMFW 2011. OMFW is the single
most important event for those who are interested in the deep technical
aspects of digital investigations and forensics. It is intended for those
people who realize the only real defense against a creative technical
human adversary is creative technical human analyst. No shady vendors
trying to describe how they re-implemented open source tools or boisterous
trainers attempting to discuss topics they only superficially understand.
This is your opportunity to learn directly from an international cadre of
pioneering researchers and practitioners who have been shaping the field
of memory analysis since its inception.
If you are interested in getting involved or have an exciting topic you
would like to present, please let the team know. For those who want to
attend, please be sure to check back frequently for registration details.
Due to the overwhelming response in 2008, we were not able to fulfill all
the registration requests, so please be sure to register early! There will
be a number of surprises and I guarantee it will be an event you won't
want to miss! Check out what previous attendees of OMFW have said:
"AAron was able to bring together an outstanding group of folks interested
in "memory forensics" and there was some spirited discussion among the
participants along with some really outstanding talks/demos. It was also
great to be able to put faces to folks who until then had only been
handles in IRC or names on e-mail/blog posts in the past."
-Jim Clausing: SANS Internet Storm Center Handler
"My first impression of the event was that the underground could have set
digital forensics back 3-5 years if they had attacked our small conference
room. Where else do you have Eoghan Casey, Brian Carrier, Harlan Carvey,
Michael Cohen, Brendan Dolan-Gavitt, George Garner Jr., Jesse Kornblum,
Andreas Schuster, Aaron Walters, et al, in the same room? I thought Brian
Dykstra framed the situation properly when asking the following: "I know
this is an easy question for all you 'beautiful minds,' but...""
-Richard Bejtlich: TaoSecurity
Current invited speakers include:
Andrew Case (attc)
Michael Cohen (scudette)
Brendan Dolan-Gavitt (moyix)
Jamie Levy (gleeda)
Michael Hale Ligh (MHL)
AAron Walters
More to be announced....
Hi All,
I've been using Volatility few days ago, and I'm still new at this time.
and until now I only use it only to look at it with regular orders...like
1. pslist
2. files
3.connections
4.etc.
And I know, the information obtained from the volatility by the extraction of digital artifacts from volatile memory (RAM) is very useful in the investigation, but I do not know how to utilize, maximize, and use that information obtained by the volatility.
and I know, here is the place of great people who can teach me how to better optimize the extraction of information on the results of volatility.
Is there that can help me to better optimize the volatility ... please help me.
I will very grateful for all help.
Regards.
Kalmaun.
Hello all,
After I had changed to Win7 64 I've tried to install Volatility 1.4RC1
doing the following:
- installing Python 2.7 x64
- installing a precompiled pccrypto 2.3.1 x64 bit from
http://archive.warshaft.com/pycrypto-2.3.1.win7x64-py2.7x64.7z
- compiling the modules did not work.
- getting rc1 via wget and via SVN-checkout both
When starting Volatility I get the following error message:
C:\Micha\Forensics\Volatility-14rc1>python volatility
C:\Python27\python.exe: can't find '__main__' module in 'volatility'
What went wrong?
Cu
Michael
Thanks for your suggestion. I did try hibr2bin.exe, that didn't work
either (error was: "Failed. Cannot open file. Please check if the file
is not being used")
The first page (4096 Byte) of the file is empty - but as far as I know
that shouldn't be a problem.
Christian
On 11/17/2010 02:40 PM, Johnathan Bridbord wrote:
> Christian-
>
> Perhaps try the following syntax:
>
> #python volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
>
> I recommend Matt's standalone windows executable hibr2bin from moonsol.
>
> Thanks,
> JB
> Sent via BlackBerry by AT&T
>
> -----Original Message-----
> From: Christian Herndler <christian(a)herndler.com>
> Sender: vol-users-bounces(a)volatilityfoundation.org
> Date: Wed, 17 Nov 2010 08:55:24
> To: <vol-users(a)volatilityfoundation.org>
> Subject: [Vol-users] Problem converting hiberfil.sys
>
> Hello,
>
> I tried to convert a hiberfil.sys from WindowsXP SP0 German and get the
> following error:
>
> .
> /volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
> Traceback (most recent call last):
> File "./volatility", line 219, in <module>
> main()
> File "./volatility", line 212, in main
> modules[argv[1]].execute(argv[1], argv[2:])
> File "/opt/Volatility/vmodules.py", line 62, in execute
> self.cmd_execute(module, args)
> File "/opt/Volatility/vmodules.py", line 1616, in hibinfo
> hiberAS = WindowsHiberFileSpace32(fileAS,0,0)
> File "/opt/Volatility/forensics/win32/hiber_addrspace.py", line 146,
> in __init__
> for i in range(0,EntryCount):
> OverflowError: range() result has too many items
>
> any ideas ?
>
> Christian
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Hello,
I tried to convert a hiberfil.sys from WindowsXP SP0 German and get the
following error:
.
/volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
Traceback (most recent call last):
File "./volatility", line 219, in <module>
main()
File "./volatility", line 212, in main
modules[argv[1]].execute(argv[1], argv[2:])
File "/opt/Volatility/vmodules.py", line 62, in execute
self.cmd_execute(module, args)
File "/opt/Volatility/vmodules.py", line 1616, in hibinfo
hiberAS = WindowsHiberFileSpace32(fileAS,0,0)
File "/opt/Volatility/forensics/win32/hiber_addrspace.py", line 146,
in __init__
for i in range(0,EntryCount):
OverflowError: range() result has too many items
any ideas ?
Christian
Following the instructions provided by Bradley Schatz [1] I added a
new profile for
Windows Vista SP2.
since the code is actively revised it's obvious that not all commands
work how is
expected, but I'm very surprised that the command kpcrscan always get
the same value:
C:\Volatility-1.4_rc1>volatility.py --profile=VistaSP2x86 -f
vistasp2.dmp kpcrscan
Volatile Systems Volatility Framework 1.4_rc1
Potential KPCR structure virtual addresses:
Phys addr 00150000 Virt addr ffdff000
_KPCR: ffdff000
obviously this is not correct
0: kd> !pcr
KPCR for Processor 0 at 81d45800:
Major 1 Minor 1
NtTib.ExceptionList: ffffffff
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: 80151000
NtTib.Version: 001d39f9
NtTib.UserPointer: 00000001
NtTib.SelfTib: 00000000
SelfPcr: 81d45800
Prcb: 81d45920
Irql: 00000002
IRR: 00000000
IDR: ffffffff
InterruptMode: 00000000
IDT: 81bff400
GDT: 81bff000
TSS: 80151000
CurrentThread: 81d49640
NextThread: 00000000
IdleThread: 81d49640
DpcQueue:
The volatility code version is the latest available via subversion (r493).
[1]
http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitions-…
---
La verdad nos hara libres
http://neosysforensics.blogspot.comhttp://www.wadalbertia.org
-<|:-P[G]
First, sorry for my poor english :(
Following the instructions provided by Bradley Schatz [1] I dont get
load the new profile:
C:\Volatility-1.4_rc1>dir plugins\overlays\Windows\vista_*
...
26/09/2010 22:47 2.232 vista_sp0_x86.py
26/09/2010 22:48 2.357 vista_sp0_x86.pyc
26/09/2010 22:47 286.008 vista_sp0_x86_vtypes.py
26/09/2010 22:48 192.774 vista_sp0_x86_vtypes.pyc
01/10/2010 23:18 2.235 vista_sp2_x86.py
01/10/2010 23:19 2.360 vista_sp2_x86.pyc
01/10/2010 22:36 315.748 vista_sp2_x86_vtypes.py
01/10/2010 23:19 207.429 vista_sp2_x86_vtypes.pyc
...
C:\Volatility-1.4_rc1>volatility.py --info
Volatile Systems Volatility Framework 1.4_rc1
...
PROFILES
--------
VistaSP0x86 - A Profile for Windows Vista SP0 x86
Win7SP0x86 - A Profile for Windows 7 SP0 x86
WinXPSP2 - A Profile for Windows XP SP2
WinXPSP3 - A Profile for windows XP SP3
...
What am I doing wrong?
[1]
http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitions-…
---
La verdad nos hara libres
http://neosysforensics.blogspot.comhttp://www.wadalbertia.org
-<|:-P[G]
Hi
i am using dfrws forensic challenge image from 2005 (both images). when I
tried any option (pslist, connections etc) i get Unable to locate valid DTB
in image. When i use psscan or connscan, i get no output. i am using
volatility version 1.3 on Ubuntu.
Zack
