10:12 a.m.
I concur with your point about needing to use all three tools. Each has its own strengths
and weaknesses. I use HBGary Responder Pro primarily and fall over to Volatility or
Mandiant Memoryze when I come across something HBGary can't do (or I don't know
how to do in HBGary).
To your point about analyzing network connections, I have recently observed cases where
Volatility "connections" produces no output at all and HBGary does. In that
situation Volatility "connscan" does find connections, but the lists doesn't
100% match HBGary.
I am also a little concerned about what appears to me to be a drop in development activity
around Volatility. Is Mandiant Memoryze going to take over the top slot? Right now, I
see Mandiant Memoryze as third best behind HBGary and Volatility, but Volatility can't
stand still.
For example, does anyone know if there any plans to provide functionaility similar to
HBGary's new Digital DNA in Volatility?
If anyone wants to share information or experiences across all three applications or
memory dump analysis in general, feel free to contact me at
david(a)sharpebusinesssolutions.com.
-- David
--- cutaway(a)cutawaysecurity.com wrote:
From: "Don C. Weber" <cutaway(a)cutawaysecurity.com>
To: vol-users(a)volatilesystems.com
Subject: [Vol-users] Volatility's Network Connections
Date: Wed, 6 May 2009 08:48:47 -0500
I wanted to let you know that while using Volatility and several other
memory analysis tools I received some conflicting information associated with
network connections. I did a quick blog post on the subject that can be read
here: http://www.cutawaysecurity.com/blog/archives/523 . It looks like
Volatility shows more information than the others in some instances.
Also, if you have additional information or detail on this please post a
comment or let me know so that I can add an update to the post.
--
--------------------------
Don C. Weber
Information Security Consultant
Cutaway Security
CISSP, GIAC
#########################################
Website: http://www.cutawaysecurity.com
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilesystems.com
http://lists.volatilesystems.com/mailman/listinfo/vol-users
11:03 p.m.
New subject: Volatility's Network Connections
David,
To your point about analyzing network connections, I
have recently
observed cases where Volatility "connections" produces no output at all
and HBGary does. In that situation Volatility "connscan" does find
connections, but the lists doesn't 100% match HBGary.
Did you send in a bug report? Are you sure you are using the most up to
date version of "connscan" or connscan2? Have you done any research into
why this may be happening?
I am also a little concerned about what appears to me
to be a drop in
development activity around Volatility. Is Mandiant Memoryze going to
take over the top slot? Right now, I see Mandiant Memoryze as third
best behind HBGary and Volatility, but Volatility can't stand still.
Ahhhh...I wouldn't say that development has dropped off. In fact, I know
of a number of amazing projects leveraging the power of Volatility.
There is probably more development going on now than ever before.
Unfortunately, many of the devs have changed the method that they are
releasing plugins/projects or have decided not to release them publicly.
If you are concerned about a drop in development, please feel free to get
involved. This really is a community effort.
For example, does anyone know if there any plans to
provide
functionaility similar to HBGary's new Digital DNA in Volatility?
Do you think this would be an useful endeavor? If so, please feel free to
start leading up such an effort. I'm not totally convinced simply telling
me what APIs are being used is particularly useful.
Thanks,
AW
10:08 a.m.
New subject: Volatility's Network Connections
On Mon, May 11, 2009 at 12:03 PM, AAron Walters <awalters(a)4tphi.net> wrote:
David,
BTW, could you explain the internal difference between connscan and
connscan2? I struggle to understand their differences, as there is no
documentation at all.
Thanks,
J
To your point about analyzing network
connections, I have recently
observed cases where Volatility "connections" produces no output at all and
HBGary does. In that situation Volatility "connscan" does find connections,
but the lists doesn't 100% match HBGary.
Did you send in a bug report? Are you sure you are using the most up to date
version of "connscan" or connscan2? Have you done any research into why
this may be happening? 
11:09 p.m.
New subject: Volatility's Network Connections
On Thu, May 7, 2009 at 08:12, <david(a)sharpebusinesssolutions.com> wrote:
<snip unsupported advertisement>
This is the second post I've seen you make in recent weeks to forensic
lists with a thinly-veiled advertisements for a relatively unknown
tool hosted on a site with an expired SSL certificate. What is your
game?
10:15 a.m.
New subject: Volatility's Network Connections
On Thu, May 7, 2009 at 10:12 AM, <david(a)sharpebusinesssolutions.com> wrote:
I concur with your point about needing to use all three tools. Each has its own
strengths and weaknesses. I use HBGary Responder Pro primarily and fall over to
Volatility or Mandiant Memoryze when I come across something HBGary can't do (or I
don't know how to do in HBGary).
To your point about analyzing network connections, I have recently observed cases where
Volatility "connections" produces no output at all and HBGary does. In that
situation Volatility "connscan" does find connections, but the lists doesn't
100% match HBGary.
Hi David,
When you say "connscan", have you also used "connscan2"?
Thank you,
Richard
9:32 p.m.
New subject: Volatility's Network Connections
On May 7, 2009, at 10:12 AM, "" <david(a)sharpebusinesssolutions.com>
<david(a)sharpebusinesssolutions.com> wrote:
To your point about analyzing network connections, I have recently
observed cases where Volatility "connections" produces no output at
all and HBGary does. In that situation Volatility "connscan" does
find connections, but the lists doesn't 100% match HBGary.
I made a post on Don's blog theorizing about why this might be the case:
http://www.cutawaysecurity.com/blog/archives/523/comment-
page-1#comment-31116
Basically, it comes down to the difference between connections and
connscan2. Also, if sockets or connections returns no output, you may
need to try the SVN version -- one of the post-SP3 hotfixes broke our
ability to examine sockets and connections, and we had to add a new
set of offsets to fix it.
As always, if you find it doesn't work on an XP image, please let us
know so we can fix it :)
I am also a little concerned about what appears to me
to be a drop
in development activity around Volatility. Is Mandiant Memoryze
going to take over the top slot? Right now, I see Mandiant
Memoryze as third best behind HBGary and Volatility, but Volatility
can't stand still.
I don't think there's been a drop in development activity. It's been
a while since our last release, but a lot of activity has been taking
place in the world of Volatility plugins. Andreas Schuster has
recently released several new plugins that can find some less well-
known artifacts of malware, and Jesse Kornblum has released a
Volatility plugin to search memory for TrueCrypt passphrases.
I've also released a set of plugins for examining registry data, and
shown how to integrate with other popular tools like RegRipper. I'm
also working on some plugins that let you look at the state of on-
screen graphical elements like windows, buttons, etc.
For example, does anyone know if there any plans to
provide
functionaility similar to HBGary's new Digital DNA in Volatility?
I don't have any plans to do it myself, but Volatility would provide
an excellent platform to anyone who wanted to build it :)
Cheers,
Brendan
If anyone wants to share information or experiences
across all
three applications or memory dump analysis in general, feel free to
contact me at david(a)sharpebusinesssolutions.com.
-- David
--- cutaway(a)cutawaysecurity.com wrote:
From: "Don C. Weber" <cutaway(a)cutawaysecurity.com>
To: vol-users(a)volatilityfoundation.org
Subject: [Vol-users] Volatility's Network Connections
Date: Wed, 6 May 2009 08:48:47 -0500
I wanted to let you know that while using Volatility and several
other
memory analysis tools I received some conflicting information
associated with
network connections. I did a quick blog post on the subject that
can be read
here: http://www.cutawaysecurity.com/blog/archives/523 . It looks
like
Volatility shows more information than the others in some instances.
Also, if you have additional information or detail on this
please post a
comment or let me know so that I can add an update to the post.
--
--------------------------
Don C. Weber
Information Security Consultant
Cutaway Security
CISSP, GIAC
#########################################
Website: http://www.cutawaysecurity.com
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
10:18 p.m.
New subject: Volatility's Network Connections
On Mon, May 11, 2009 at 9:32 PM, Brendan Dolan-Gavitt <
bdolangavitt(a)wesleyan.edu> wrote:
I am also a little concerned about what appears to me
to be a drop in
Andreas' plug-ins are great and I can't wait to check out your new ones,
Brendan. I'll be releasing 4-5 new plug-ins for detecting rootkit behavior
over the next few weeks. If anyone has suggestions for useful plug-ins,
send them my way or announce them here so we can get it going.
For example, does anyone know if there any plans to provide functionaility
development activity around Volatility. Is
Mandiant Memoryze going to take
over the top slot? Right now, I see Mandiant Memoryze as third best behind
HBGary and Volatility, but Volatility can't stand still.
I don't think there's been a drop in development activity. It's been a
while since our last release, but a lot of activity has been taking place in
the world of Volatility plugins. Andreas Schuster has recently released
several new plugins that can find some less well-known artifacts of malware,
and Jesse Kornblum has released a Volatility plugin to search memory for
TrueCrypt passphrases.
I've also released a set of plugins for examining registry data, and shown
how to integrate with other popular tools like RegRipper. I'm also working
on some plugins that let you look at the state of on-screen graphical
elements like windows, buttons, etc.
similar to HBGary's new Digital DNA in
Volatility?
I don't have any plans to do it myself, but Volatility would provide an
excellent platform to anyone who wanted to build it
:)
An easy way to implement something similar is by using a combination of
pyssdeep (fuzzy hashing of memory segments in Python -
http://code.google.com/p/pyssdeep/) and YARA (malware classification in
Python - http://code.google.com/p/yara-project/) I'm sure the guys at
HBGary have some more advanced things going on with their product, but with
a bit of dedicated work in creating YARA rules and assigning appropriate
weights (for example, use of "WriteProcessMemory" is 5 points, use of
"StartServiceA" is 3 points, etc), you could generate a very useful
alternative.
MHL
5665
days inactive
5670
days old
vol-users@lists.volatilityfoundation.org
6 comments
7 participants
participants (7)
-
AAron Walters -
Brendan Dolan-Gavitt -
david@sharpebusinesssolutions.com -
Jun Koi -
Michael Hale Ligh -
RB -
Richard Bejtlich