To all the volatility contributors:

The work all of you have done is awesome!  Truly a unbelievable contribution. 

Thank you 

Sent from my iPhone

On Oct 12, 2012, at 1:13 PM, Andrew Case <> wrote:

Hello All,

We are writing to announce a few new things related to Volatility and memory forensics.

First, we have posted the last week of the Month of Volatility plugins:

Post 1: Detecting Malware with GDI Timers and Callbacks

This posts covers analyzing malware samples that use timer callbacks to schedule actions.

Post 2: Taking Screenshots from Memory Dumps

This posts covers the data structures and algorithms required to recreate the state of the screen (a screenshot) at the time of the memory capture.

Post 3: Recovering Master Boot Records (MBRs) from Memory

This post covers recovering the MBR from memory and detecting bootkits.

Post 4: Cache Rules Everything Around Me(mory)

This post covers a new plugin that can recover in-tact files from the Windows Cache Manager.

Post 5: Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit

This post covers analyzing the Phalax2 rootkit with Volatility and other reversing tools.

Second, slides from the 2012 Open Memory Forensics Workshop are being put online:

Datalore: Android Memory Analysis:

Malware In the Windows GUI Subsystem:

Reconstructing the MBR and MFT from Memory:

Analyzing Linux Kernel Rootkits with Volatility:

Finally, we have posted our writeup on solving the GrrCon network forensics challenge using only memory analysis:

If you have any questions or comments please either comment on the respective blog post or reply to the list.


Vol-users mailing list