On Mon, May 11, 2009 at 9:32 PM, Brendan Dolan-Gavitt <bdolangavitt@wesleyan.edu> wrote:
I am also a little concerned about what appears to me to be a drop in development activity around Volatility.  Is Mandiant Memoryze going to take over the top slot?  Right now, I see Mandiant Memoryze as third best behind HBGary and Volatility, but Volatility can't stand still.

I don't think there's been a drop in development activity. It's been a while since our last release, but a lot of activity has been taking place in the world of Volatility plugins. Andreas Schuster has recently released several new plugins that can find some less well-known artifacts of malware, and Jesse Kornblum has released a Volatility plugin to search memory for TrueCrypt passphrases.

I've also released a set of plugins for examining registry data, and shown how to integrate with other popular tools like RegRipper. I'm also working on some plugins that let you look at the state of on-screen graphical elements like windows, buttons, etc.

Andreas' plug-ins are great and I can't wait to check out your new ones, Brendan. I'll be releasing 4-5 new plug-ins for detecting rootkit behavior over the next few weeks.  If anyone has suggestions for useful plug-ins, send them my way or announce them here so we can get it going.

For example, does anyone know if there are any plans to provide functionality similar to HBGary's new Digital DNA in Volatility?

I don't have any plans to do it myself, but Volatility would provide an excellent platform to anyone who wanted to build it :)

An easy way to implement something similar is by using a combination of pyssdeep (fuzzy hashing of memory segments in Python - http://code.google.com/p/pyssdeep/) and YARA (malware classification in Python - http://code.google.com/p/yara-project/). I'm sure the guys at HBGary have some more advanced things going on with their product, but with a bit of dedicated work in creating YARA rules and assigning appropriate weights (for example, use of "WriteProcessMemory" is 5 points, use of "StartServiceA" is 3 points, etc), you could generate a very useful alternative.
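The weighted-scoring idea sketched above, as an added illustration that is not part of the original thread or of Volatility, pyssdeep or YARA: string indicators grouped into rules, each rule carrying a point weight, summed per memory segment and compared against a threshold. Plain substring search over ASCII and UTF-16LE encodings stands in for YARA rule matching, and fuzzy hashing is left out entirely; the rule names, weights (5 points for WriteProcessMemory, 3 for StartServiceA, as in the message), threshold and sample segments are all constructed for the example.

```python
"""Weighted indicator scoring over memory segments (constructed example).

Substring search stands in for YARA rules; pyssdeep fuzzy hashing is not used.
Rule names, weights, threshold and sample segments are all made up here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int
    strings: tuple  # ASCII indicators; each is matched in ASCII and UTF-16LE form


# Constructed rule set: each rule is an API-name cluster with a point weight.
RULES = (
    Rule("process_injection", 5, ("WriteProcessMemory", "CreateRemoteThread")),
    Rule("service_install", 3, ("StartServiceA", "CreateServiceA")),
    Rule("keylogging", 4, ("SetWindowsHookExA", "GetAsyncKeyState")),
)


def _encodings(s: str):
    """Both byte forms an API name commonly takes in a Windows process image."""
    return (s.encode("ascii"), s.encode("utf-16-le"))


def match_rule(segment: bytes, rule: Rule) -> list:
    """Return the indicator strings from `rule` that occur in `segment`."""
    hits = []
    for s in rule.strings:
        if any(enc in segment for enc in _encodings(s)):
            hits.append(s)
    return hits


def score_segment(segment: bytes, rules=RULES) -> dict:
    """Sum rule weights; a rule counts once however many of its strings hit."""
    matched = {}
    total = 0
    for rule in rules:
        hits = match_rule(segment, rule)
        if hits:
            matched[rule.name] = hits
            total += rule.weight
    return {"score": total, "matched": matched}


def classify(score: int, threshold: int = 8) -> str:
    """Threshold is a tuning knob: one API cluster alone should rarely be enough."""
    return "suspicious" if score >= threshold else "benign"


# Constructed sample "memory segments" (not real dump data).
SEGMENTS = {
    "benign_text": b"Hello world. This buffer holds no API names at all.",
    "injector": b"\x00kernel32.dll\x00WriteProcessMemory\x00CreateRemoteThread\x00",
    "installer_wide": "advapi32.dll\x00StartServiceA".encode("utf-16-le"),
    "full": b"WriteProcessMemory\x00StartServiceA\x00GetAsyncKeyState\x00",
}


def report(segments=SEGMENTS) -> dict:
    """Score and classify every segment; returns {name: {score, matched, verdict}}."""
    out = {}
    for name, seg in segments.items():
        result = score_segment(seg)
        result["verdict"] = classify(result["score"])
        out[name] = result
    return out


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name}: {r['verdict']} ({r['score']} pts) {r['matched']}")
```

With these weights the injector-only segment scores 5 and stays below the threshold, while the segment combining injection, service installation and keylogging strings scores 12 and is flagged. That is the point of weighting rather than single-string alerting: debuggers and installers legitimately use WriteProcessMemory or StartServiceA, so one cluster on its own is weak evidence and the weights and threshold have to be tuned against known-good process images before the score means much.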