Wednesday, April 9, 2014

Building a Decoder for the CVE-2014-0502 Shellcode

Yesterday on the Volatility Labs blog I published a post on analyzing some interesting shellcode from a recent attack campaign and 0day exploit. The shellcode was encrypted multiple times and required full static reversing before revealing the algorithm needed to decrypt the backdoor URL. I think you will like it:

http://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html


Monday, November 25, 2013

Our Registry Forensics Master Class is now Live!



I am very happy to announce that the Registry Forensics Master Class that I developed in conjunction with 504ENSICS is now live. The master class is completely focused on registry forensics, and takes students from the basics through advanced topics and analysis techniques. A few of the topics covered include:


  • Acquiring hives from both disk images and memory samples
  • Understanding the raw artifacts contained in the variety of hives
  • Analyzing the artifacts using a number of popular forensics tools
  • Scripting registry forensics tools for automated and repeatable analysis
  • Timelining registry contents
  • Baselining hives to determine activities caused by malware and user actions
  • Incorporating Windows backup facilities into registry analysis
  • Investigating the registry in volatile memory (RAM)
  • Analyzing malware in the registry
  • Defeating anti-forensics


The class is an online, self-paced course that mimics what would be covered in a 2-3 day in-person offering. Each lesson in the course includes a lecture that teaches a specific topic in registry forensics, followed by a hands-on exercise. The exercises are completed in online Windows and Linux virtual machines that are pre-configured with all the tools and materials needed. To ensure students are learning the material, each exercise includes questions that must be answered in the quiz module. This module tracks a student's progress and can produce reports of the student's grades so that the course can be justified to managers and directors. Each exercise also comes with a complete lab guide that walks the student through how to answer each question as the instructors would.

The course ends with a large investigation that requires combining skills learned throughout the class. After completing the course, students will be able to immediately use the techniques learned in real-world investigations involving digital forensics, incident response handling, and malware analysis.

Leading up to our public release we asked Ken Pryor (@kdpryor), a well-known digital forensics analyst, to review the course. Upon completion, he provided the following feedback:

“The Windows Registry Master Class is a great course for new and veteran analysts alike. I entered the course expecting to learn a little something, but came out of it feeling like I got so much more than I had bargained for. Each module of the course taught me something new. The excellent labs reinforced what I learned in the modules and gave me the ability to gain firsthand knowledge of the material. I strongly recommend this course for analysts of all skill levels, as I believe everyone can gain from it.”

For more information on the course or to register, please see the Hacker Academy page where it is hosted here. If you have any questions about the course, use the comment section below or email me at andrew [at] memoryanalysis.net. While the course is primarily offered online, we also have the ability to give the course to in-person groups. If you have a group that is interested in these private offerings, please contact us as well.

Thanks,
Andrew (@attrc)

Tuesday, July 16, 2013

Results of the 4cast Awards Nominations

As previously announced, I was nominated for 'Digital Forensics Examiner of the Year' at the Forensics 4cast Awards. The awards ceremony was held last week during the DFIR Summit, and I was voted the winner in the category. I am very grateful for this award and recognition and hope to have another strong showing next year!

Monday, July 8, 2013

Interview on the Healthy Paranoia podcast

I was recently interviewed on the Healthy Paranoia podcast about memory forensics during DFIR as well as other related topics. It was a really fun time, and I hope to be on the show again in the future. Read about the interview and listen to the MP3 here:

http://packetpushers.net/healthy-paranoia-show-14-digital-forensics-and-incident-response-with-andrew-case/

Please contact me if you have any feedback or comments about the show.

Thanks,
Andrew (@attrc)

Thursday, June 13, 2013

Final Week of Month of Volatility Plugins II is posted

We are writing to let you know that the final week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version.

This week's posts discussed a number of new and updated plugins used to analyze Mac systems.

The first post demonstrated leveraging process cross-view analysis for Mac rootkit detection: 

http://volatility-labs.blogspot.com/2013/06/movp-ii-41-leveraging-process-cross.html 

The second post covered dumping, scanning, and searching process memory:

http://volatility-labs.blogspot.com/2013/06/movp-ii-42-dumping-scanning-and.html 

The third post discussed how to recover networking information:  

http://volatility-labs.blogspot.com/2013/06/movp-ii-43-recovering-mac-os-x-network.html 

The fourth post showed a number of artifacts in Mac kernel memory:  

http://volatility-labs.blogspot.com/2013/06/movp-ii-44-whats-in-your-mac-osx-kernel.html 

The fifth post analyzed the Rubilyn kernel rootkit and detected it in a number of ways:

http://volatility-labs.blogspot.com/2013/06/movp-ii-45-mac-volatility-vs-rubilyn.html 

We hope you have enjoyed this month's posts and will try 2.3 when it's released!

Thanks,

Andrew (@attrc)

Wednesday, May 29, 2013

Second Week of Month of Volatility Plugins II is posted

We are writing to let you know that the second week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. This week's posts discussed a number of new and updated plugins used to analyze Windows systems.

The first post discussed recovering RSA private keys and SSL certificates from memory:

http://volatility-labs.blogspot.com/2013/05/movp-ii-21-rsa-private-keys-and.html

The second post discussed recovering information about unloaded kernel modules from memory:

http://volatility-labs.blogspot.com/2013/05/movp-ii-22-unloaded-windows-kernel_22.html

The third post showed how to create timelines with in-memory data using Volatility:

http://volatility-labs.blogspot.com/2013/05/movp-ii-23-creating-timelines-with.html

The fourth post demonstrated how to recover MFT entries and utilize them during investigations:

http://volatility-labs.blogspot.com/2013/05/movp-ii-24-reconstructing-master-file.html

The last post highlighted a number of new and updated plugins that are very useful during investigations:

http://volatility-labs.blogspot.com/2013/05/movp-ii-25-new-and-improved-windows.html

We hope you enjoy the posts. The third week of posts will begin tomorrow and cover a number of new plugins to help analyze Linux and Android samples.

If you have any questions or comments, please comment on an individual blog post or reply to this email.

Thanks,
Andrew (@attrc)

First week of Month of Volatility Plugins II is posted

We are writing to let you know that the first week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. This week's posts discussed a number of new address spaces we have added to support new hardware architectures and file formats.

The first one is the MachO address space used to support Mac Memory Reader:

http://volatility-labs.blogspot.com/2013/05/movp-ii-11-mach-o-address-space.html

The second is an address space used to support VirtualBox:

http://volatility-labs.blogspot.com/2013/05/movp-ii-12-virtualbox-elf64-core-dumps.html

The third address space allows for analysis of VMware snapshot files (.vmss and .vmsn):

http://volatility-labs.blogspot.com/2013/05/movp-ii-13-vmware-snapshot-and-saved.html

The fourth address space supports the hpak format of the HBGary Fast Dump acquisition tool:

http://volatility-labs.blogspot.com/2013/05/movp-ii-14-new-hpak-address-space.html

The final address space discussed adds support for the ARM architecture. This is leveraged by Volatility's Android support:

http://volatility-labs.blogspot.com/2013/05/movp-ii-15-arm-address-space-volatility.html

We hope you enjoy the posts. The second week of posts will begin tomorrow and cover a number of new plugins to help analyze Windows samples.

If you have any questions or comments, please comment on an individual blog post or email the author.

Thanks,
Andrew (@attrc)