4:12 p.m.
Hello All,
We are writing to announce a few new things related to Volatility and
memory forensics.
First, we have posted the last week of the Month of Volatility plugins:
Post 1: Detecting Malware with GDI Timers and Callbacks
This posts covers analyzing malware samples that use timer callbacks to
schedule actions.
http://volatility-labs.blogspot.com/2012/10/movp-41-detecting-malware-with-…
Post 2: Taking Screenshots from Memory Dumps
This posts covers the data structures and algorithms required to recreate
the state of the screen (a screenshot) at the time of the memory capture.
http://volatility-labs.blogspot.com/2012/10/movp-43-taking-screenshots-from…
Post 3: Recovering Master Boot Records (MBRs) from Memory
This post covers recovering the MBR from memory and detecting bootkits.
http://volatility-labs.blogspot.com/2012/10/movp-43-recovering-master-boot-…
Post 4: Cache Rules Everything Around Me(mory)
This post covers a new plugin that can recover in-tact files from the
Windows Cache Manager.
http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-…
Post 5: Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux
Rootkit
This post covers analyzing the Phalax2 rootkit with Volatility and other
reversing tools.
http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volati…
Second, slides from the 2012 Open Memory Forensics Workshop are being put
online:
Datalore: Android Memory Analysis:
http://volatility-labs.blogspot.com/2012/10/omfw-2012-datalore-android-memo…
Malware In the Windows GUI Subsystem:
http://volatility-labs.blogspot.com/2012/10/omfw-2012-malware-in-windows-gu…
Reconstructing the MBR and MFT from Memory:
http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-an…
Analyzing Linux Kernel Rootkits with Volatility:
http://volatility-labs.blogspot.com/2012/10/omfw-2012-analyzing-linux-kerne…
Finally, we have posted our writeup on solving the GrrCon network forensics
challenge using only memory analysis:
http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensic…
If you have any questions or comments please either comment on the
respective blog post or reply to the list.
Thanks,
Andrew
6:12 p.m.
New subject: Last week of MoVP, OMFW 2012 slides, and the GrrCon network forensics challenge
To all the volatility contributors:
The work all of you have done is awesome! Truly a unbelievable
contribution.
Thank you
Sent from my iPhone
On Oct 12, 2012, at 1:13 PM, Andrew Case <atcuno(a)gmail.com> wrote:
Hello All,
We are writing to announce a few new things related to Volatility and
memory forensics.
First, we have posted the last week of the Month of Volatility plugins:
Post 1: Detecting Malware with GDI Timers and Callbacks
This posts covers analyzing malware samples that use timer callbacks to
schedule actions.
http://volatility-labs.blogspot.com/2012/10/movp-41-detecting-malware-with-…
Post 2: Taking Screenshots from Memory Dumps
This posts covers the data structures and algorithms required to recreate
the state of the screen (a screenshot) at the time of the memory capture.
http://volatility-labs.blogspot.com/2012/10/movp-43-taking-screenshots-from…
Post 3: Recovering Master Boot Records (MBRs) from Memory
This post covers recovering the MBR from memory and detecting bootkits.
http://volatility-labs.blogspot.com/2012/10/movp-43-recovering-master-boot-…
Post 4: Cache Rules Everything Around Me(mory)
This post covers a new plugin that can recover in-tact files from the
Windows Cache Manager.
http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-…
Post 5: Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux
Rootkit
This post covers analyzing the Phalax2 rootkit with Volatility and other
reversing tools.
http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volati…
Second, slides from the 2012 Open Memory Forensics Workshop are being put
online:
Datalore: Android Memory Analysis:
http://volatility-labs.blogspot.com/2012/10/omfw-2012-datalore-android-memo…
Malware In the Windows GUI Subsystem:
http://volatility-labs.blogspot.com/2012/10/omfw-2012-malware-in-windows-gu…
Reconstructing the MBR and MFT from Memory:
http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-an…
Analyzing Linux Kernel Rootkits with Volatility:
http://volatility-labs.blogspot.com/2012/10/omfw-2012-analyzing-linux-kerne…
Finally, we have posted our writeup on solving the GrrCon network forensics
challenge using only memory analysis:
http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensic…
If you have any questions or comments please either comment on the
respective blog post or reply to the list.
Thanks,
Andrew
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
2:41 p.m.
New subject: Last week of MoVP, OMFW 2012 slides, and the GrrCon network forensics challenge
Some additional posts are available.
OMFW 2012: The Analysis of Process Token Privileges by Cem Gurkok
http://volatility-labs.blogspot.com/2012/10/omfw-2012-analysis-of-process-t…
OMFW 2012: Mining the PFN Database for Malware Artifacts by George M.
Garner Jr.
http://volatility-labs.blogspot.com/2012/10/omfw-2012-mining-pfn-database-f…
Reverse Engineering Poison Ivy's Injected Code Fragments
http://volatility-labs.blogspot.com/2012/10/reverse-engineering-poison-ivys…
Enjoy!
On Fri, Oct 12, 2012 at 4:12 PM, Andrew Case <atcuno(a)gmail.com> wrote:
Hello All,
We are writing to announce a few new things related to Volatility and
memory forensics.
First, we have posted the last week of the Month of Volatility plugins:
Post 1: Detecting Malware with GDI Timers and Callbacks
This posts covers analyzing malware samples that use timer callbacks to
schedule actions.
http://volatility-labs.blogspot.com/2012/10/movp-41-detecting-malware-with-…
Post 2: Taking Screenshots from Memory Dumps
This posts covers the data structures and algorithms required to recreate
the state of the screen (a screenshot) at the time of the memory capture.
http://volatility-labs.blogspot.com/2012/10/movp-43-taking-screenshots-from…
Post 3: Recovering Master Boot Records (MBRs) from Memory
This post covers recovering the MBR from memory and detecting bootkits.
http://volatility-labs.blogspot.com/2012/10/movp-43-recovering-master-boot-…
Post 4: Cache Rules Everything Around Me(mory)
This post covers a new plugin that can recover in-tact files from the
Windows Cache Manager.
http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-…
Post 5: Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux
Rootkit
This post covers analyzing the Phalax2 rootkit with Volatility and other
reversing tools.
http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volati…
Second, slides from the 2012 Open Memory Forensics Workshop are being put
online:
Datalore: Android Memory Analysis:
http://volatility-labs.blogspot.com/2012/10/omfw-2012-datalore-android-memo…
Malware In the Windows GUI Subsystem:
http://volatility-labs.blogspot.com/2012/10/omfw-2012-malware-in-windows-gu…
Reconstructing the MBR and MFT from Memory:
http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-an…
Analyzing Linux Kernel Rootkits with Volatility:
http://volatility-labs.blogspot.com/2012/10/omfw-2012-analyzing-linux-kerne…
Finally, we have posted our writeup on solving the GrrCon network
forensics challenge using only memory analysis:
http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensic…
If you have any questions or comments please either comment on the
respective blog post or reply to the list.
Thanks,
Andrew
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
4409
days inactive
4416
days old
vol-users@lists.volatilityfoundation.org
2 comments
3 participants
participants (3)
-
Andrew Case -
david nardoni -
Michael Hale Ligh