Friday, June 29, 2012
Announcing Mac Support in Volatility
I am writing to announce that Volatility now supports captures from Mac systems! I gave a talk on the new capabilities at the recent SANS DFIR Summit. The presentation can be found here. Complete information on how to access the branch and create profiles can be found here:
http://code.google.com/p/volatility/wiki/MacMemoryForensics
The wiki page will be updated as user-visible changes are made to the branch. Otherwise, you should check back here often as many more plugins and analysis features will be released in the coming months.
If you have any questions you can find me on Twitter (@attrc), leave a comment on the blog, or shoot me an Email.
Wednesday, June 20, 2012
SANS Summit Pre-Talk Teaser
A week from today I will be speaking at the SANS DFIR Summit about the research and development I performed to add Mac OS X support to Volatility. The proliferation of Macs for both business and personal use is well known, and investigators will be increasingly seeing them during their course of work.
While there are a number of people who have analyzed Mac's on-disk artifacts, including upcoming talks at the summit by Sarah Edwards, there has been little documented work covering the in-memory data structures and algorithms. Previous work by Matthew Suiche as well as by the Volafox team have covered the beginnings of Mac memory analysis, but both stopped short of the full coverage needed for deep investigations.
During the presentation, I will be discussing the types of artifacts recoverable through Volatility's Mac support, such as process listings, memory maps, loaded kernel extensions, network connections, and also some Mac-specific constructs such as the I/O Registry. The new Mac support also includes the ability to handle both 32 and 64 bit Mac memory reader captures, and I will be discussing this as well as how to use Mac Memory reader during investigations. I will conclude the talk by going over some interesting kernel-level Mac rootkits that alter dynamic data structures and discuss how Volatility can be used to detect them.
Since everyone in the audience will not be a programmer and/or expert on operating systems internals, I have abstracted some of the details away, but a light dive into kernel internals is inevitable when dealing with kernel memory analysis.
After the talk, the source code for all of the current Mac support and analysis plugins will be available within the Volatility SVN repository. People will then be able to use the functionality themselves as well as provide testing of the new features. The Mac support is under active development and I expect many new features to be added soon as well as stabilizing of the existing source code.
If you have any questions or comments before the talk, please send an Email or reply in the comments.
For those attending the first day of the conference, I highly suggest you check out the talk by Joe Sylve as he will be discussing acquiring memory from Android devices and then subsequent analysis with Volatility.
While there are a number of people who have analyzed Mac's on-disk artifacts, including upcoming talks at the summit by Sarah Edwards, there has been little documented work covering the in-memory data structures and algorithms. Previous work by Matthew Suiche as well as by the Volafox team have covered the beginnings of Mac memory analysis, but both stopped short of the full coverage needed for deep investigations.
During the presentation, I will be discussing the types of artifacts recoverable through Volatility's Mac support, such as process listings, memory maps, loaded kernel extensions, network connections, and also some Mac-specific constructs such as the I/O Registry. The new Mac support also includes the ability to handle both 32 and 64 bit Mac memory reader captures, and I will be discussing this as well as how to use Mac Memory reader during investigations. I will conclude the talk by going over some interesting kernel-level Mac rootkits that alter dynamic data structures and discuss how Volatility can be used to detect them.
Since everyone in the audience will not be a programmer and/or expert on operating systems internals, I have abstracted some of the details away, but a light dive into kernel internals is inevitable when dealing with kernel memory analysis.
After the talk, the source code for all of the current Mac support and analysis plugins will be available within the Volatility SVN repository. People will then be able to use the functionality themselves as well as provide testing of the new features. The Mac support is under active development and I expect many new features to be added soon as well as stabilizing of the existing source code.
If you have any questions or comments before the talk, please send an Email or reply in the comments.
For those attending the first day of the conference, I highly suggest you check out the talk by Joe Sylve as he will be discussing acquiring memory from Android devices and then subsequent analysis with Volatility.
Monday, June 4, 2012
A New Blog!
Hello and welcome to my new blog where I will be posting about my research into memory and disk forensics as well as other related topics. For those who do not know me, my name is Andrew Case, I am active on twitter (@attrc), and I have a collection of my past works and speaking engagements organized on my personal website: http://www.memoryanalysis.net/
I know that many people read the blog at http://dfsforensics.blogspot.com and I will still be posting there about Registry Decoder and possibly other projects. The DFS blog is still being actively maintained by @jtsylve and @vicomarziale.
If you have any questions, comments, or need to contact me, please either leave a post in the comments or use one of the methods listed here.
Thanks and hope you enjoy the new blog!
I know that many people read the blog at http://dfsforensics.blogspot.com and I will still be posting there about Registry Decoder and possibly other projects. The DFS blog is still being actively maintained by @jtsylve and @vicomarziale.
If you have any questions, comments, or need to contact me, please either leave a post in the comments or use one of the methods listed here.
Thanks and hope you enjoy the new blog!
Subscribe to:
Posts (Atom)