Monday, November 25, 2013

Our Registry Forensics Master Class is now Live!

I am very happy to announce that the Registry Forensics Master Class that I developed in conjunction with 504ENSICS is now live. The master class is completely focused on registry forensics, and takes students from the basics through advanced topics and analysis techniques. A few of the topics covered include:

  • Acquiring hives from both disk images and memory samples
  • Understanding the raw artifacts contained in the variety of hives
  • Analyzing the artifacts using a number of popular forensics tools
  • Scripting registry forensics tools for automated and repeatable analysis
  • Timelining registry contents
  • Baselining hives to determine activities caused by malware and user actions
  • Incorporating Windows backup facilities into registry analysis
  • Investigating the registry in volatile memory (RAM)
  • Analyzing malware in the registry 
  •  Defeating anti-forensics

The class is an online, self-paced course that mimics what would be covered in a 2-3 day in-person offering. Each lesson in the course includes a lecture that teaches a specific topic in registry forensics followed by a hands-on exercise. The exercises are completed in online Windows and Linux virtual machines that are pre-configured with all the tools and materials needed. To ensure students are learning the material, each exercise includes questions that must be answered in the quiz module. This module tracks a student’s progress, and can produce reports of the student’s grades so that course can be justified to managers and directors. Each exercise also comes with a complete lab guide that walks the student through how to answer each question as the instructors would.

The course ends with a large investigation that requires combining skills learned throughout the class. After completing the course, students will be able to immediately use the techniques learned in real-world investigations involving digital forensics, incident response handling, and malware analysis.

Leading up to our public release we asked Ken Pryor (@kdpryor), a well-known digital forensics analyst, to review the course. Upon completion, he provided the following feedback:

“The Windows Registry Master Class is a great course for new and veteran analysts alike. I entered the course expecting to learn a little something, but came out of it feeling like I got so much more than I had bargained for. Each module of the course taught me something new. The excellent labs reinforced what I learned in the modules and gave me the ability to gain firsthand knowledge of the material. I strongly recommend this course for analysts of all skill levels, as I believe everyone can gain from it.”

For more information on the course or to register, please see the Hacker Academy page where it is hosted here. If you have any questions about the course use the comment section below or email me at andrew [at] While the course is primarily offered online, we also have the ability to give the course to in-person groups.  If you have a group that is interested in these private offerings then please contact us as well.

Andrew (@attrc)

Tuesday, July 16, 2013

Results of the 4cast Awards Nominations

As previously announced, I was nominated for 'Digital Forensics Examiner of the Year' at the Forensics 4cast Awards. The awards ceremony was held last week during the DFIR summit, and I voted the winner in the category. I am very grateful for this award and recognition and hope to have another strong showing next year!

Monday, July 8, 2013

Interview on the Healthy Paranoia podcast

I was recently interviewed on the Healthy Paranoia podcast about memory forensics during DFIR as well as other related topics. It was a really fun time, and I hope to be on the show again in the future. Read about the interview and listen to the MP3 here:

Please contact me if you any feedback or comments about the show.

Andrew (@attrc)

Thursday, June 13, 2013

Final Week of Month of Volatility Plugins II is posted

We are writing as the final week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. 

This week's posts discussed a number of new and updated plugins used to analyze Mac systems. 

The first post demonstrated leveraging process cross-view analysis for Mac rootkit detection: 

The second post covered dumping, scanning, and searching process memory: 

The third post discussed how to recover networking information: 

The fourth post showed a number of artifacts in Mac kernel memory: 

The fifth post analyzed the Rubilyn kernel rootkit and detected it in a number of ways: 

We hope you have enjoyed this month's posts and will be trying 2.3 when its released!


Andrew (@attrc)

Wednesday, May 29, 2013

Second Week of Month of Volatility Plugins II is posted

We are writing as the second week of the second installment of the
Month of Volatility Plugins is now posted. Volatility 2.3 is currently
in beta, and the blog posts are focusing on new features in this
version. This week's posts discussed a number of new and updated
plugins used to analyze Windows systems.

The first post discussed recovering RSA Private Keys and SSL
Certificates from memory:

The second post discussed recovering information about unloaded kernel
modules from memory:

The third post showed how to create timelines with in-memory data
using Volatility:

The fourth post demonstrated how to recover MFT entries and utilize
them during investigations:

The last post highlighted a number of new and updated plugins that are
very useful during investigations:

We hope you enjoy the posts, and the third week of posts will begin
tomorrow and cover a number of new plugins to help analyze Linux and
Android samples.

If you have any questions or comments please comment on an individual
blog post or reply to this email.

Andrew (@attrc)

First week of Month of Volatility Plugins II is posted

We are writing as the first week of the second installment of the
Month of Volatility Plugins is now posted. Volatility 2.3 is currently
in beta, and the blog posts are focusing on new features in this
version. This week's posts discussed a number of new address spaces we
have added to support new hardware architectures and file formats.

The first one is the MachO address space used to support Mac Memory Reader:

The second is an address space used to support VirtualBox:

The third address space allows for analysis of VMware snapshot files
(.vmss and .vmsn):

The fourth address space supports the hpak format of the HBGary Fast
Dump acquisition tool:

The final address space discussed adds support for the ARM
architecture. This is leveraged by Volatility's Android support:

We hope you enjoy the posts, and the second installment of posts will
begin tomorrow and cover a number of new plugins to help analyzing
Windows samples.

If you have any questions or comments please comment on an individual
blog post or email the author.

Andrew (@attrc)

Tuesday, March 12, 2013

BSides New Orleans Speaker Lineup Published

We are writing to announce that the BSides New Orleans speaker lineup is now released. For those unaware, BSides New Orleans is a free, all day information security conference taking place on May 25th in New Orleans. We received so many strong submissions, from companies such as Google, Ernst & Young, Mad Security, and HP, that we have expanded the conference to 3 tracks for a total of 18 presentations. Complete information about the conference and speakers can be found here:

Between the strong lineup and the fact that the conference is New Orleans, we expect the seats to fill fast. If you want to attend (free), you must fill out the EventBrite form referenced on the wiki page. You only have to give your name and email for registration, and we promise not to spam you. If you have any questions about the event, please email bsidesnola [ @ ]

Andrew (@attrc)

Friday, February 15, 2013

Memory Forensics Talk at RSA!

On Wednesday of RSA I will be giving a talk titled:

"Memory Forensics: Defeating Disk Encryption, Skilled Attackers and Malware"

 This talk will focus on three key points:

1) Showcasing the power and usefulness of memory forensics
2) Distinguishing memory forensics from disk forensics
3) Highlighting why live forensics should not be used and instead analysts should switch to using offline memory forensics

Throughout the talk there will be many examples of powerful rootkits, techniques of advanced attackers, and looking at Android and software-based disk encryption.

If you are interested in the talk and plan on attending, please add it to your conference calendar:

If you have any questions about the talk or or want to meet up at RSA then please contact me or ping me on Twitter (@attrc).

Friday, January 25, 2013

BSides is coming to New Orleans!

I am happy to announce that we will be putting on a BSides in New Orleans on May 25. Full information can be found here:

We already have Mike Murray confirmed as our keynote, and have had a few well-known researchers express interest in speaking. The CFP is open until March 11, so start thinking of topics!

Monday, January 14, 2013

Windows Malware and Memory Forensics Training in The Windy City!

The next journey to the center of Windows Memory Forensics starts in Chicago this March! 

We are pleased to announce the second public offering of the Windows Malware and Memory Forensics Training by The Volatility Project. This is the only memory forensics course officially designed, sponsored, and taught by the Volatility developers. One of the main reasons we made Volatility open-source is to encourage and facilitate a deeper understanding of how memory analysis works, where the evidence originates, and how to interpret the data collected by the framework's extensive set of plugins. Now you can learn about these benefits first hand from the developers of the most powerful, flexible, and innovative memory forensics tool. 

Appraisal from your peers who attended the first course this past December:

Please see the following details about the upcoming training event:

Dates: Monday, March 18th through Friday, March 22nd 2013
Location: Downtown Chicago, IL (exact location will be shared upon registration)
Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda)

For more information about the course, view the Volatility Training Flyer (to download a copy of the PDF, click File > Download). To request a link to the online registration site or to receive a detailed course agenda/outline, please send an email voltraining [at]

The 1st Annual Volatility Framework Plugin Contest

We are pleased to announce the 1st Annual Volatility Plugin Contest. This contest is inspired and modeled after the Hex-Rays Plugin Contest.  As in the case of IDA, Volatility was designed with the belief that talented analysts should only be limited by their creativity not the tools they use. In this spirit, Volatility has a flexible architecture that can be extended in numerous ways: analysis plugins (operating system plugins, application plugins, etc), volshell commands, address spaces, profiles, or user interfaces. This contest is intended to inspire people to demonstrate their creativity, become a memory analysis pioneer, win the admiration of your peers, and give back to the community.

The contest is straightforward: Create an innovative and useful extension to The Volatility Framework and win the contest!

  • 1st place wins one free seat at any future Windows Malware and Memory Forensics Training *or* 1500 USD cash
  • 2nd place wins 500 USD cash
  • 3rd place wins 250 USD cash
  • 4th and 5th place wins Volatility swag (T-shirts, Stickers, etc)

Everyone but the Volatility core developers can participate.

Rules of Engagement

  1. The goal of the contest is to create innovative, interesting, and useful extensions for The Volatility Framework. While extensions written in Python are preferred, extensions written in other languages will also be considered.
  2. The submitted extensions should work with the Volatility 2.2 (or greater) release and should have been implemented after the initial contest announcement (1/14/2013).
  3. The top 5 winners of the contest will get the prizes mentioned above.
  4. Volatility core developers are not eligible.
  5. Submissions should be sent to The submission should include the source code, a short description of how the extension is used, and a signed "Individual Contributor License Agreement".
  6. By submitting an entry, you declare that you own the copyright to the source code and are authorized to submit it.
  7. All submissions should be received no later than August 1, 2013. The winner will be announced the following week. We recommend submitting early. In the case of similar submissions, preference will be shown to early submissions.
  8. The Volatility Project core developers will decide the winners based on the following criteria: creativity, usefulness, effort, completeness, submission date, and clarity of documentation.
  9. In order to collect the cash prizes, the winner will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made within two weeks after the winner is authenticated.
  10. Group entries are allowed; the prize will be paid (or seat will be registered, if the training option is desired) to the person designated by the group.
  11. Upon approval from the winners, their names/aliases will be listed on the "Volatility Hall of Fame" web page for the world to admire.
  12. Selected contestants may also be asked to present their work at the 2013 Open Memory Forensics Workshop or have their research featured on the Volatility Labs Blog.


A special thanks goes out to the Hex-Rays team for providing the inspiration and template for this contest.