Wednesday, December 31, 2014

Acquiring Memor(ies) from 2014

2014 is extremely volatile. Any minute now, it will be gone. Thus, we wanted to take a minute and preserve some of the more exciting memories. Specifically, we wanted to summarize how the memory forensics field and the Volatility community have progressed this year.
  • Volatility 2.4 was released - our most stable and fully featured code base, supporting all of the major versions of Windows, Linux, and Mac. The release includes Windows 8 and Server 2012 support, despite those versions encoding the kernel debugger data block (KDBG) that earlier profiles relied on for locating kernel structures. Windows 10 beta support is also available.
  • We also moved to Github, which makes it easier for other developers to submit patches and pull requests. A separate repository stores Linux and Mac profiles. The 2.5 release is also under way. 
  • Extraction of TrueCrypt cached passwords and master keys became even easier than it was before, with new plugins that take a structured approach to locating and recovering the data from memory. The capability was also ported to Linux, and a member of the community completed a similar plugin for dm-crypt.
  • Our 5-day hands-on Malware and Memory Forensics training course was delivered at more than 10 events (public and private) across the United States, Europe, and Australia. Testimonials from attendees are available here, and registration is open for classes in 2015.
  • The Volatility Foundation was established as a 501(c)(3) non-profit organization. A new website was created to aggregate the foundation's resources. Among other things, the site describes the various ways to get involved with the community. The Volatility(R) name also became a registered trademark of the Volatility Foundation.
  • Volexity, LLC became a corporate sponsor of the Volatility Foundation and named core developer Michael Hale Ligh as its CTO. Volexity is a security firm based out of the Washington, D.C. area that specializes in assisting organizations with threat intelligence, incident response, forensics, and trusted security advisory.
  • The Volatility Plugin Contest received an extremely generous donation from Facebook and generated an enormous amount of new capabilities from various talented developers and researchers. 
  • The Volatility Team partnered with GMG Systems, Inc. to offer KnTTools (incl. KnTDD) at a discounted rate to students in our training course. KnTTools is the most reliable, robust, and fully featured memory acquisition suite for Windows. 
  • Volatility and memory forensics were represented at almost all security and technology related conferences, including (but not limited to) Blackhat USA, Defcon, OMFW, OSDFC, API Cybersecurity, SecTor, Archc0n, Alabama Cyber Security Summit, National Cyber Crime Conference, RSA USA, BSides, and Recon.
  • Volatility was used by Det. Michael Chaves to track down high profile ATM skimmers. It was used by European law enforcement to produce the primary source of evidence that put away a child sex offender for over 10 years. It was used by the United States Government on various occasions to investigate cases involving espionage, cyber terrorism, and major botnet rings.
  • Volatility developer Andrew Case and Golden G. Richard III won best paper at DFRWS 2014 for "In lieu of swap: Analyzing compressed RAM in Mac OS X and Linux".
  • We enjoyed a record-breaking number of attendees at the Open Memory Forensics Workshop (OMFW) 2014 and a strong lineup of talks. Later that week, "Next Generation Memory Forensics" was presented at OSDFC.
  • The Art of Memory Forensics was published in August, a 900-page book that covers Windows, Linux, and Mac topics in depth. To date, it's the most thorough and illustrative written source of memory forensics knowledge. Please remember to check the errata page and also the sample memory images, which come with lab questions and answers (free online download).
  • A Reddit Ask Me Anything (AMA) was conducted on The Art of Memory Forensics. We appreciate all the great questions!
  • An entire chapter of Black Hat Python was devoted to using Volatility for offensive purposes during pentests (extracting password hashes, injecting code, etc.).
  • We presented some Volatility capabilities at Blackhat Arsenal and later created a YouTube channel with recordings of the demos. There was also a book signing in the Blackhat bookstore, which was an exciting way for us to meet new Volatility users in person.
Thanks to all who played a part! We look forward to an even more productive 2015!