The American Academy of Forensic Sciences has recently posted program
information for the 2008 Annual Meeting. There are a number of
interesting talks during the Digital Evidence Session. The session
program can be found under the General Scientific Sessions Schedules
(http://www.aafs.org/pdf/08General.pdf). In particular, we will be presenting
on our collaborative effort with NIST:
"Using Hashing to Improve Volatile Memory Forensic Analysis", AAron R.
Walters, MS*; Blake Matheny, BS; Douglas White, MS
Thanks,
AW
It was only a matter of time....
In case you might have missed it during the holidays, the latest version
of PyFlag now leverages the Volatility Framework to add volatile memory
analysis to its outstanding list of capabilities. This makes PyFlag the
first and only publicly available tool that allows the digital
investigator to correlate disk images, log files, network traffic, and
RAM captures all within an intuitive interface. While the current
functionality is still preliminary, just imagine the possibilities!
Since PyFlag loads memory images through its standard IO source interface,
it is also now possible to store your memory images using the EWF format,
commonly used in commercial tools. Once the memory image is uploaded to
PyFlag, information can either be accessed through a browseable /proc
interface or through the Stats view. Michael Cohen and his team have
provided a tutorial and image to get you started:
http://www.pyflag.net/cgi-bin/moin.cgi/MemoryForensicsTutorial
As I mentioned in a previous post, a special thanks to Europol for
bringing our teams together through the High Tech Crime Expert Meeting.
I also want to thank Michael Cohen for the great work he has done with
PyFlag and his contributions to Volatility! Stay tuned for further
exciting collaborations and future Volatility releases in 2008!
Thanks,
AW
Hello,
I was just running Volatility on a couple of Linux boxes and received quite
different results. I have tested this on two other boxes to verify the
results and it seems to be a dual core issue.
Here is the expected output on a single core system:
$ cat /proc/version
Linux version 2.6.22.9-91.fc7
$ python -V
Python 2.5
$ Volatility-1.1.1/volatility pslist -f image.vmem
Name          Pid   PPid  Thds  Hnds  Time
System          4      0    44   182  Thu Jan 01 00:00:00 1970
smss.exe      336      4     3    21  Mon Oct 29 19:23:16 2007
csrss.exe     392    336     9   287  Mon Oct 29 19:23:18 2007
winlogon.exe  416    336    24   453  Mon Oct 29 19:23:19 2007
services.exe  460    416    19   371  Mon Oct 29 19:23:20 2007
lsass.exe     472    416    26   319  Mon Oct 29 19:23:20 2007
svchost.exe   640    460    10   210  Mon Oct 29 19:23:21 2007
svchost.exe   684    460    79  1023  Mon Oct 29 19:23:21 2007
svchost.exe   780    460     4    67  Mon Oct 29 19:23:22 2007
svchost.exe   812    460    12   141  Mon Oct 29 19:23:23 2007
userinit.exe 1000    416     2    32  Mon Oct 29 19:23:25 2007
explorer.exe 1020   1000    12   231  Mon Oct 29 19:23:25 2007
spoolsv.exe  1048    460     6    37  Mon Oct 29 19:23:25 2007
msmsgs.exe   1468   1020     5   124  Mon Oct 29 19:23:33 2007
rundll32.exe 1524   1020     1    72  Mon Oct 29 19:23:37 2007
And here is the output from a dual core system:
$ cat /proc/version
Linux version 2.6.9-55.0.12.ELsmp
$ python -V
Python 2.3.4
$ Volatility-1.1.1/volatility pslist -f image.vmem
/home/jlevy/forensic/Volatility-1.1.1/forensics/x86.py:101: FutureWarning: x<<y losing bits or changing sign will return a long in Python 2.4 and up
  return (pgd_entry & ((ptrs_per_pgd-1) << 22)) | (vaddr & ~((ptrs_per_pgd-1) << 22))
Name          Pid   PPid  Thds  Hnds  Time
System          4      0    44   182  Thu Jan 01 00:00:00 1970
/home/jlevy/forensic/Volatility-1.1.1/forensics/win32/datetime.py:58: FutureWarning: x<<y losing bits or changing sign will return a long in Python 2.4 and up
  return (high_time << 32) | low_time
smss.exe      336      4     3    21  Thu Jan 01 00:00:00 1970
csrss.exe     392    336     9   287  Thu Jan 01 00:00:00 1970
winlogon.exe  416    336    24   453  Thu Jan 01 00:00:00 1970
services.exe  460    416    19   371  Thu Jan 01 00:00:00 1970
lsass.exe     472    416    26   319  Thu Jan 01 00:00:00 1970
svchost.exe   640    460    10   210  Thu Jan 01 00:00:00 1970
svchost.exe   684    460    79  1023  Thu Jan 01 00:00:00 1970
svchost.exe   780    460     4    67  Thu Jan 01 00:00:00 1970
svchost.exe   812    460    12   141  Thu Jan 01 00:00:00 1970
userinit.exe 1000    416     2    32  Thu Jan 01 00:00:00 1970
explorer.exe 1020   1000    12   231  Thu Jan 01 00:00:00 1970
spoolsv.exe  1048    460     6    37  Thu Jan 01 00:00:00 1970
msmsgs.exe   1468   1020     5   124  Thu Jan 01 00:00:00 1970
rundll32.exe 1524   1020     1    72  Thu Jan 01 00:00:00 1970
$ Volatility-1.1.1/volatility vaddump -f image.vmem
/home/jlevy/forensic/Volatility-1.1.1/forensics/x86.py:101: FutureWarning: x<<y losing bits or changing sign will return a long in Python 2.4 and up
  return (pgd_entry & ((ptrs_per_pgd-1) << 22)) | (vaddr & ~((ptrs_per_pgd-1) << 22))
The above errors on the dual core system have been observed on a dual core laptop
running Ubuntu as well... I was wondering if others have seen this, and if
there is a workaround yet?
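The line quoted in the second warning, `return (high_time << 32) | low_time`, recombines the two 32-bit halves of a Windows FILETIME (a count of 100 ns intervals since 1601-01-01) into one 64-bit value before it is turned into the Time column. The example below is added here and is not Volatility's code: it performs that recombination and the FILETIME-to-Unix conversion on a constructed sample (the smss.exe creation time from the single-core listing above), and alongside it shows what the listing degrades to when the shift result is truncated to 32 bits, which is the "losing bits" case the FutureWarning names. The choice to display a pre-epoch value as "Thu Jan 01 00:00:00 1970" is an assumption of this example, not something taken from datetime.py.

```python
import datetime

# 100 ns intervals between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
FILETIME_TO_UNIX_DELTA = 116444736000000000
TICKS_PER_SECOND = 10_000_000
UTC = datetime.timezone.utc


def filetime_from_parts(high_time, low_time):
    """Recombine the two 32-bit halves of a FILETIME (same expression as in datetime.py)."""
    return (high_time << 32) | low_time


def filetime_from_parts_32bit(high_time, low_time):
    """Same recombination, but with the shift result truncated to 32 bits.

    This simulates a fixed-width integer shift ("x<<y losing bits"): the high
    half is shifted out entirely and only low_time survives.
    """
    return ((high_time << 32) & 0xFFFFFFFF) | low_time


def filetime_to_unix(filetime):
    """Convert a 64-bit FILETIME to whole seconds since the Unix epoch."""
    return (filetime - FILETIME_TO_UNIX_DELTA) // TICKS_PER_SECOND


def format_pslist_time(filetime):
    """Render a FILETIME in the "%a %b %d %H:%M:%S %Y" layout of the Time column.

    Assumption of this example (not Volatility's behaviour): a value that
    converts to a time before the Unix epoch is shown as the epoch itself.
    """
    secs = max(0, filetime_to_unix(filetime))
    return datetime.datetime.fromtimestamp(secs, UTC).strftime("%a %b %d %H:%M:%S %Y")


def filetime_parts_from_datetime(dt):
    """Split a naive UTC datetime into the (high, low) 32-bit FILETIME halves."""
    secs = int(dt.replace(tzinfo=UTC).timestamp())
    filetime = secs * TICKS_PER_SECOND + FILETIME_TO_UNIX_DELTA
    return (filetime >> 32) & 0xFFFFFFFF, filetime & 0xFFFFFFFF


# Constructed sample: the smss.exe creation time from the single-core listing.
SMSS_CREATE_TIME = datetime.datetime(2007, 10, 29, 19, 23, 16)
SMSS_HIGH, SMSS_LOW = filetime_parts_from_datetime(SMSS_CREATE_TIME)


def demo():
    """Return the rendered time for the 64-bit and the 32-bit-truncated recombination."""
    good = format_pslist_time(filetime_from_parts(SMSS_HIGH, SMSS_LOW))
    truncated = format_pslist_time(filetime_from_parts_32bit(SMSS_HIGH, SMSS_LOW))
    return good, truncated


if __name__ == "__main__":
    good, truncated = demo()
    print("64-bit recombination:", good)
    print("32-bit truncated    :", truncated)
```

Run with any Python 3: the first line reproduces the single-core listing's value for smss.exe, the second collapses to the epoch line, because once the high half is gone the remaining low half is far smaller than the 1601-to-1970 offset.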
During the course of a day, I typically come across a number of useful
"things" related to volatile memory analysis. Often, I don't have the time
to post a complete blog entry so I've decided to start a tumblelog:
http://volatility.tumblr.com/
In particular, you may want to check out the hypothetical dialog between a
defense attorney and a forensic examiner about volatile memory.
http://volatility.tumblr.com/post/15164622
By the way, if any of you are interested in what is happening with
Volatility development, we are getting ready to release Volatility 1.2. We
mentioned it on the vol-dev list a couple of weeks ago:
http://www.volatilityfoundation.org/pipermail/vol-dev/2007-September/000001…
I would especially like to thank both Brendan Dolan-Gavitt and Andreas
Schuster for all their help and contributions. I would also like to thank
those who have provided feedback and bug reports.
thanks,
AW
The agenda for the 2008 DoD Cyber Crime Conference has been posted:
http://www.technologyforums.com/8CC/trackagenda.asp
I'll be giving a talk during the Research and Development Track at 0830
January 16, 2008. In this talk I will be discussing the latest
advancements in the area of Volatile Memory Analysis and how they affect
the way we perform digital investigations.
Title:
Advanced Volatile Memory Analysis
Abstract:
This session will focus on advanced techniques being used in
volatile memory analysis (VMA) and our experiences while performing VMA.
We will also discuss a number of open source tools and resources we have
made available to the digital investigation community. The session will
also explore how we are using VMA to perform automated malware analysis.
Finally, we will demonstrate how we are combining VMA with file system
analysis to help reconstruct and visualize the digital crime scene.
AW
These scripts were recently sent to me by a Volatility user, the methUd,
and I thought others might find them useful. These scripts will allow you
to run all the Volatility modules against a single image or against a
directory of images. Enjoy!!
AW
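For readers who want the same workflow without the scripts attached to the post, here is a small POSIX shell script added as an example; it is not the methUd's scripts and not part of Volatility. It assumes only the invocation shown earlier on this page (`volatility <module> -f <image>`), and the only module names taken from the page are pslist and vaddump; any other modules are supplied by the caller in MODULES. Each run's stdout and stderr go to per-image, per-module files so a directory of captures can be triaged in one pass; a module that writes its own output files is not redirected by this script.

```sh
#!/bin/sh
# Run Volatility modules against one memory image or every image in a directory.
# Added example, not the scripts mentioned in the post.
# Assumptions: a "volatility" command that accepts "<module> -f <image>", as shown
# on this page; module names other than pslist and vaddump are not from the page.

VOLATILITY="${VOLATILITY:-volatility}"
MODULES="${MODULES:-pslist vaddump}"

# run_modules <image> <outdir>
# Runs every module in $MODULES against one image and writes
# <outdir>/<image-basename>.<module>.txt (stdout) and .txt.err (stderr).
# Progress goes to stderr so callers can capture stdout cleanly.
run_modules() {
    image=$1
    outdir=$2
    base=$(basename "$image")
    mkdir -p "$outdir" || return 1
    for module in $MODULES; do
        out="$outdir/$base.$module.txt"
        if "$VOLATILITY" "$module" -f "$image" >"$out" 2>"$out.err"; then
            printf '%s %s: ok\n' "$base" "$module" >&2
        else
            printf '%s %s: FAILED (see %s)\n' "$base" "$module" "$out.err" >&2
        fi
    done
}

# run_all <image-or-directory> <outdir>
# Processes a single image, or every regular file in a directory, and prints
# the number of images processed on stdout.
run_all() {
    target=$1
    outdir=$2
    count=0
    if [ -d "$target" ]; then
        for image in "$target"/*; do
            [ -f "$image" ] || continue
            run_modules "$image" "$outdir"
            count=$((count + 1))
        done
    else
        run_modules "$target" "$outdir"
        count=1
    fi
    printf '%s\n' "$count"
}

# Usage: sh run_all_modules.sh <image-or-directory> [outdir]
if [ "$#" -ge 1 ]; then
    run_all "$1" "${2:-volatility-output}"
fi
```

Set MODULES="pslist vaddump othermodule" (or whatever your Volatility build provides) and VOLATILITY to the path of the volatility script if it is not on PATH; failures are reported per module rather than aborting the batch, so one unreadable image does not stop the rest.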