Some additional posts are available. <div><br></div><div>OMFW 2012: The Analysis of Process Token Privileges by Cem Gurkok</div><div><a href="http://volatility-labs.blogspot.com/2012/10/omfw-2012-analysis-of-process-token.html">http://volatility-labs.blogspot.com/2012/10/omfw-2012-analysis-of-process-token.html</a></div>
<div><br></div><div>OMFW 2012: Mining the PFN Database for Malware Artifacts by George M. Garner Jr. </div><div><a href="http://volatility-labs.blogspot.com/2012/10/omfw-2012-mining-pfn-database-for.html">http://volatility-labs.blogspot.com/2012/10/omfw-2012-mining-pfn-database-for.html</a></div>
<div><br></div><div>Reverse Engineering Poison Ivy&#39;s Injected Code Fragments</div><div><a href="http://volatility-labs.blogspot.com/2012/10/reverse-engineering-poison-ivys.html">http://volatility-labs.blogspot.com/2012/10/reverse-engineering-poison-ivys.html</a></div>
<div><br></div><div>Enjoy!</div><div><br><div class="gmail_quote">On Fri, Oct 12, 2012 at 4:12 PM, Andrew Case <span dir="ltr">&lt;<a href="mailto:atcuno@gmail.com" target="_blank">atcuno@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello All,<br><div class="gmail_quote"><br>We are writing to announce a few new things related to Volatility and memory forensics.<br>
<br>First, we have posted the last week of the Month of Volatility plugins:<br><br>Post 1: Detecting Malware with GDI Timers and Callbacks<br>


<br>
This posts covers analyzing malware samples that use timer callbacks to schedule actions.<br>
<br>
<a href="http://volatility-labs.blogspot.com/2012/10/movp-41-detecting-malware-with-gdi.html" target="_blank">http://volatility-labs.blogspot.com/2012/10/movp-41-detecting-malware-with-gdi.html</a><br>
<br>
Post 2: Taking Screenshots from Memory Dumps<br>
<br>
This posts covers the data structures and algorithms required to 
recreate the state of the screen (a screenshot) at the time of the 
memory capture. <br>
<br>
<a href="http://volatility-labs.blogspot.com/2012/10/movp-43-taking-screenshots-from-memory.html" target="_blank">http://volatility-labs.blogspot.com/2012/10/movp-43-taking-screenshots-from-memory.html</a> <br>
<br>
Post 3: Recovering Master Boot Records (MBRs) from Memory<br>
<br>
This post covers recovering the MBR from memory and detecting bootkits.<br>
<br>
<a href="http://volatility-labs.blogspot.com/2012/10/movp-43-recovering-master-boot-records.html" target="_blank">http://volatility-labs.blogspot.com/2012/10/movp-43-recovering-master-boot-records.html</a> <br>
<br>
Post 4: Cache Rules Everything Around Me(mory)<br>
<br>
This post covers a new plugin that can recover in-tact files from the Windows Cache Manager. <br>
<br>
<a href="http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-around.html" target="_blank">http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-around.html</a><br>
<br>
Post 5: Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit<br>
<br>
This post covers analyzing the Phalax2 rootkit with Volatility and other reversing tools.<br>
<br>
<a href="http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html" target="_blank">http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html</a><br><br>Second, slides from the 2012 Open Memory Forensics Workshop are being put online:<br>


<br>Datalore: Android Memory Analysis: <a href="http://volatility-labs.blogspot.com/2012/10/omfw-2012-datalore-android-memory.html" target="_blank">http://volatility-labs.blogspot.com/2012/10/omfw-2012-datalore-android-memory.html</a><br>


<br>Malware In the Windows GUI Subsystem: <a href="http://volatility-labs.blogspot.com/2012/10/omfw-2012-malware-in-windows-gui.html" target="_blank">http://volatility-labs.blogspot.com/2012/10/omfw-2012-malware-in-windows-gui.html</a><br>


<br>Reconstructing the MBR and MFT from Memory: <a href="http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-and-mft.html" target="_blank">http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-and-mft.html</a><br>


<br>Analyzing Linux Kernel Rootkits with Volatility: <a href="http://volatility-labs.blogspot.com/2012/10/omfw-2012-analyzing-linux-kernel.html" target="_blank">http://volatility-labs.blogspot.com/2012/10/omfw-2012-analyzing-linux-kernel.html</a><br>


<br>Finally, we have posted our writeup on solving the GrrCon network forensics challenge using only memory analysis:<br><br><a href="http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensics.html" target="_blank">http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensics.html</a><br>


<br>If you have any questions or comments please either comment on the respective blog post or reply to the list.<br><br>Thanks,<br>Andrew<br><br><br><br>
</div><br>
<br>_______________________________________________<br>
Vol-users mailing list<br>
<a href="mailto:Vol-users@volatilityfoundation.org">Vol-users@volatilesystems.com</a><br>
<a href="http://lists.volatilityfoundation.org/mailman/listinfo/vol-users" target="_blank">http://lists.volatilityfoundation.org/mailman/listinfo/vol-users</a><br>
<br></blockquote></div><br></div>