I am writing to announce that week 3 of the Month of Volatility Plugins
is finished, and we now have five more in-depth blog posts covering Windows
and Linux internals and rootkit detection, as well as a bonus plugin that analyzes Internet Explorer browsing history. These have all been posted on
the Volatility Labs blog.
Post 1: Detecting Malware Hooks in the Windows GUI Subsystem
This Windows focused post covers detecting malware hooks in the Windows GUI subsystem, including message hooks and event hooks, and what effects these hooks can have on a compromised system.
http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
Post 2: Shellbags in Memory, SetRegTime, and TrueCrypt Volumes
This Windows focused post covers finding and recovering shellbags from memory, the forensic importance of shellbags, and the effects of anti-forensics on shellbag timestamps. It concludes by covering the traces left in shellbags by TrueCrypt.
http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html
Post 3: Analyzing USER Handles and the Win32k.sys Gahti
This Windows focused post introduces two new plugins: one named gahti, which determines the various types of USER objects on a system, and another named userhandles, which traverses the handle table entries and associates them with the owning processes or threads.
http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html
Post 4: Recovering tagCLIPDATA: What's In Your Clipboard?
This Windows focused post covers recovery of the Windows clipboard from physical memory.
http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html
Post 5: Analyzing the 2008 DFRWS Challenge with Volatility
This Linux focused post analyzes the 2008 memory challenge with Volatility. It walks through the artifacts produced by the winning team and shows how to recover the same information with Volatility. It then shows plugins in Volatility that can recover artifacts not produced by the winning team.
http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html
Bonus Post: HowTo: Scan for Internet Cache/History and URLs
This Windows focused post covers how to recover Internet Explorer's cache and history from a memory sample.
http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html
If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.
Friday, September 28, 2012
Friday, September 21, 2012
Week 2 of the Month of Volatility Plugins posted!
Post 1: Atoms (The New Mutex), Classes and DLL Injection
This Windows focused post covers investigating malware and understanding infections by analyzing the atom tables.
http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html
Post 2: Malware in your Windows
This Windows focused post covers enumerating and analyzing windows in the GUI subsystem.
http://volatility-labs.blogspot.com/2012/09/movp-22-malware-in-your-windows.html
Post 3: Event logs and Service SIDs
This Windows focused post demonstrates recovering event logs from memory and calculating service SIDs.
http://volatility-labs.blogspot.com/2012/09/movp-23-event-logs-and-service-sids.html
Post 4: Analyzing the Jynx rootkit and LD_PRELOAD
This Linux focused post covers analyzing the Jynx rootkit as well as generic methods for analyzing LD_PRELOAD based rootkits.
http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx-rootkit-and.html
Post 5: Investigating In-Memory Network Data with Volatility
This Linux focused post goes through each of the Linux Volatility plugins related to recovering network data from memory, such as network connections, packets, and the routing cache.
http://volatility-labs.blogspot.com/2012/09/movp-25-investigating-in-memory-network.html
If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.
Friday, September 14, 2012
Week 1 of the Month of Volatility Plugins posted!
I am writing to announce that week 1 of the Month of Volatility Plugins is finished, and we now have five in-depth blog posts covering Windows and Linux internals and rootkit detection. These have all been posted to the new Volatility Labs blog.
Post 1: Logon Sessions, Processes, and Images
This Windows focused post covers linking processes to their logon session, detecting hidden processes using session structures, and determining the drivers mapped into each session.
http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html
Post 2: Window Stations and Clipboard Malware
This Windows focused post covers enumerating and analyzing window stations and clipboard monitoring malware.
http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html
Post 3: Desktops, Heaps, and Ransomware
This Windows focused post covers finding rogue desktops used to hide applications and created by ransomware, linking threads to desktops, analyzing the desktop heap for memory corruptions, and profiling heap allocations to locate USER objects.
http://volatility-labs.blogspot.com/2012/09/movp-13-desktops-heaps-and-ransomware.html
Post 4: Average Coder Rootkit, Bash History, and Elevated Processes
This Linux focused post covers analyzing the Average Coder rootkit, recovering .bash_history from memory, even when faced with anti-forensics, and finding elevated processes.
http://volatility-labs.blogspot.com/2012/09/movp-14-average-coder-rootkit-bash.html
Post 5: KBeast Rootkit, Detecting Hidden Modules, and sysfs
This Linux focused post covers analyzing the KBeast rootkit, finding modules unlinked from the module list, and the forensic value of sysfs.
http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html
If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog.