All,
My Forensic team is hiring two paid Forensic Interns for the summer of 2017
in the Northern Virginia area. We are charged with directly supporting
Sony's global SOC, which ends up touching many core facets of digital
forensics and incident response including:
memory analysis
disk analysis
mobile device forensics
timeline investigations
research and development projects
data analytics
If you are interested, please feel free to apply directly on the job listing
below. If you have any questions, you can reach out to me directly.
https://careers.sony.com/sony/?_3x3524903Z2U14Kdf8024bc-fbd2-4d8e-96d7-d7a5…
I'll also be doing some recruiting at BSides New Orleans
<http://www.securitybsides.com/w/page/113990746/BSidesNOLA%202017> on 4/1
where I'll be talking about a case study on Andromeda malware.
Best Regards,
Jared Greenhill (@jared703)
Hi all,
I feel like I'm missing something obvious. Consider the following from
volshell.
Profile is Win10x64 in case it matters; I'd already imported messagehooks
(mh).
>>> sc()
Current context: System @ 0xffffe00012a61840, pid=4, ppid=0 DTB=0x1aa000
>>> for winsta, atom_tables in mh.calculate():
...     for desktop in winsta.desktops():
...         for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
...             if wnd.cbwndExtra == 8:
...                 break
>>> wnd
[tagWND spwndNext] @ 0xFFFFF90140A04AD0
>>> dt(wnd)
[tagWND spwndNext] @ 0xFFFFF90140A04AD0
0x0 : head 18446736382507371216
0x28 : bActiveFrame 0
0x28 : bAnsiCreator 0
--SNIP--
0x120 : bLinked 1
0x120 : bRedirectedForPrint 0
0x120 : bVerticallyMaximizedLeft 0
0x120 : bVerticallyMaximizedRight 0
>>> dt('tagWND', wnd.v())
ERROR: could not instantiate object
Reason: Invalid Address 0xFFFFF90140A04AD0, instantiating tagWND
>>> hex(wnd.v())
'0xfffff90140a04ad0L'
>>> db(wnd.v())
Memory unreadable at fffff90140a04ad0
Why is the memory address unreadable? Is my error in assuming that object
'wnd' is made up of bytes located at 0xFFFFF90140A04AD0?
Given the address is in kernel space, I should be able to access it, right?
Any pointers appreciated! (Pardon the pun.)
Adam
This release improves support for Windows 10 and adds support for
Windows Server 2016, Mac OS Sierra 10.12, and Linux with KASLR kernels.
A lot of bug fixes went into this release as well as performance
enhancements (especially related to page table parsing and virtual
address space scanning).
Here's the TL;DR:
The release page, with standalone binary downloads for 64-bit Windows,
Linux, and Mac:
http://www.volatilityfoundation.org/26
Information on new Volatility 2.6 profiles:
https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles
Python source code packages:
https://github.com/volatilityfoundation/volatility/releases
We look forward to working with you all in the new year!
The Volatility Team
Hello All,
We are excited to announce that the date for BSidesNOLA 2017 is set and
that the CFP is live.
BSidesNOLA will take place on April 1st, 2017 in downtown New Orleans.
This will be our 5th year running, and we are expecting another sell-out
crowd. If you have never been before, it is a day full of infosec talks,
networking, and contests along with plenty of local New Orleans food and
drinks - all for $15.
If you plan to submit to the CFP then please take your time in crafting
your submission. We don't review the submissions until after the
deadline ends so there is no benefit to submitting early. We also have a
highly competitive CFP, and every year we have to reject 15 or more
talks. Give us your best so this doesn't happen to you!
Full information, including venue, how to register ($15 for all day),
and the CFP details can be found at:
http://www.securitybsides.com/w/page/113990746/BSidesNOLA
If you have any questions then please contact us at bsidesnola [@@@]
gmail.com.
Thanks,
The BSidesNOLA Team
Our next public training in April in Reston is on pace to sell out
pretty quickly. Please contact us ASAP if you wish to attend:
http://www.memoryanalysis.net/memory-forensics-training
Also, our private training slots for next year are filling fast as well.
These are a great way to raise the skillset of your entire team up at
once. We also have several add-ons that previous private training
clients chose and found great value in - such as customization of
content as well as building labs around memory samples from your own
previous internal investigations (NDAs expected for this). Please
contact us off list if interested in a private training.
--
Thanks,
Andrew (@attrc)
We are excited to announce that the results of the 2016 Volatility
Plugin Contest are in:
https://volatility-labs.blogspot.com/2016/12/results-from-2016-volatility-p…
We received a record number of submissions this year, and we are looking
forward to seeing these plugins be adopted in the field.
Be sure to congratulate the winners on Twitter and LinkedIn and when you
see them at conferences and trainings.
We also wanted to thank Airbnb again for their donation of $999 to the
prize pool. It is great to see organizations supporting open source
research in the digital forensics and incident response fields.
Thanks,
The Volatility Team
In case you don’t follow us on Twitter (@volatility), we wanted to send a
quick reminder that the 2016 Volatility Plugin Contest will be ending on
October 1, 2016. This is your chance to win over $3200 in cash and prizes!
http://www.volatilityfoundation.org/2016
A special thanks to Airbnb (@airbnb) and Volexity (@volexity) for
sponsoring this year’s contest!
Thanks,
AAron Walters
The Volatility Foundation
Hi all,
Because the universe hates me, I've been given an E01 of a RAM dump (from
Win7SP1x64) and I have to use Windows to run Volatility.
I have p99 of tAoMF in front of me.
I tried the "Mount in FTK Imager and point to Z:\unallocated space" thing,
but pslist showed only 1 entry which looked very corrupt.
I don't have access to EnCase to mount it from there.
So I'd like to use libewf. But can I even use it on Windows? If I compile
the library, how do I tell Volatility about the libewf.dll?
Basically, how do I use Volatility with libewf on Windows?
Thank you,
Adam
Bridgey,
I haven't been in this EWF situation for memory yet but I'd probably try
imagecopy first:
vol.exe -f image.e01 --profile=<yourprofile> -O image.raw
If that didn't work, I'd use Tom's #2 and load the .E01 in FTK imager and
image that mounted volume.
If that didn't work, I'd try loading the evidence into EnCase 7.x - right click
on the evidence --> evidence --> device --> share --> Mount as Emulated
Disk and then use FTK Imager to image that mounted volume to .raw
JG
On Tue, Aug 16, 2016 at 11:03 AM, Tom Yarrish <tom(a)yarrish.com> wrote:
> IIRC Volatility should be able to handle an E01 file natively now (unless
> that's a *nix only thing). But another option would be either 1) Arsenal
> Image Mounter (which works much better than FTK, EnCase, etc IMO) or 2) Use
> FTK to convert the E01 image to a RAW image file and then just run that
> through Volatility.
>
> Thanks,
> Tom
>
>
> PGP Key ID - B32585D0
>
> On Tue, Aug 16, 2016 at 2:39 PM, Bridgey theGeek <bridgeythegeek(a)gmail.com
> > wrote:
>
>> Hi all,
>>
>> Because the universe hates me, I've been given an E01 of a RAM dump (from
>> Win7SP1x64) and I have to use Windows to run Volatility.
>>
>> I have p99 of tAoMF in front of me.
>>
>> I tried the "Mount in FTK Imager and point to Z:\unallocated space"
>> thing, but pslist showed only 1 entry which looked very corrupt.
>>
>> I don't have access to EnCase to mount it from there.
>>
>> So I'd like to use libewf. But can I even use it on Windows? If I
>> compile the library, how do I tell Volatility about the libewf.dll?
>>
>>
>> Basically, how do I use Volatility with libewf on Windows?
>>
>> Thank you,
>> Adam
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
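An added example, not code from this thread or from Volatility/libewf: a small Python check that a file really is an EWF-E01 segment (signature and segment number) and that its section descriptors chain cleanly with valid Adler-32 checksums, which is worth running before spending time on imagecopy or a mount. The header and descriptor layout follows the published EWF format description; the two-section sample is constructed inline and is not a real image.

```python
"""Sanity-check an EWF-E01 segment and walk its section chain (constructed example)."""
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"  # 8-byte EWF-E01 file signature
FILE_HEADER_LEN = 13                        # signature + 0x01 + segment number (u16) + 0x0000
DESCRIPTOR_LEN = 76                         # 16 type + 8 next offset + 8 size + 40 pad + 4 Adler-32


def ewf_segment_number(data):
    """Return the segment number from the 13-byte file header, or raise if not EWF-E01."""
    if (len(data) < FILE_HEADER_LEN or data[:8] != EWF_SIGNATURE
            or data[8] != 1 or data[11:13] != b"\x00\x00"):
        raise ValueError("not an EWF-E01 segment file")
    return struct.unpack_from("<H", data, 9)[0]


def ewf_sections(data):
    """Return [(offset, type, size, checksum_ok)] for each section descriptor,
    following the next-offset chain; stops at 'done'/'next', at a descriptor
    that does not advance the offset, or when the file ends early (truncated E01)."""
    ewf_segment_number(data)  # validates the file header first
    offset, sections = FILE_HEADER_LEN, []
    while offset + DESCRIPTOR_LEN <= len(data):
        raw = data[offset:offset + DESCRIPTOR_LEN]
        stype, nxt, size = struct.unpack_from("<16sQQ", raw)
        (stored,) = struct.unpack_from("<I", raw, 72)
        ok = (zlib.adler32(raw[:72]) & 0xFFFFFFFF) == stored  # checksum covers first 72 bytes
        stype = stype.rstrip(b"\x00").decode("ascii", "replace")
        sections.append((offset, stype, size, ok))
        if stype in ("done", "next") or nxt <= offset:  # terminal sections point at themselves
            break
        offset = nxt
    return sections


def build_descriptor(stype, offset, payload_len, last=False):
    """Build one 76-byte descriptor; 'last' makes it self-referential like 'done'."""
    size = DESCRIPTOR_LEN + payload_len
    body = struct.pack("<16sQQ40x", stype.encode(), offset if last else offset + size, size)
    return body + struct.pack("<I", zlib.adler32(body) & 0xFFFFFFFF)


def build_sample_segment():
    """Constructed two-section skeleton (header + done), not a real image."""
    data = EWF_SIGNATURE + b"\x01" + struct.pack("<H", 1) + b"\x00\x00"
    payload = b"\x00" * 32  # stands in for the compressed header text
    data += build_descriptor("header", len(data), len(payload)) + payload
    data += build_descriptor("done", len(data), 0, last=True)
    return data
```

A raw dump mislabelled as .E01 fails the signature check immediately, and a truncated segment shows up as a chain that ends before a 'done' or 'next' section.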