A Geek Raised by Wolves [entries|archive|friends|userinfo]
jessekornblum

Volatility Call for Bugs [Jul. 5th, 2009|12:38 pm]

We are aiming to release a new version of the Volatility Framework for memory analysis at the start of August 2009. Although no software is ever perfect, we'd like to publish the best possible code. As such, we're asking everybody to please test out the current version and tell us about any bugs they find.

The code is available on the Volatility homepage on Google Code. As noted on their site, you can download the latest version using Subversion as follows:

svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only

You can download some sample memory images from NIST or hogfly's memory exemplar project, but please feel free to test the framework with your own memory images. Lots of testing has been done with the above images, so the best way to find new bugs is with new memory images! Remember the framework only supports Windows XP Service Pack 2 and 3.

When you find a bug, you can post a comment here, visit the developers on IRC at #Volatility on freenode.net, or write to the developers' mailing list.

Even better than finding a bug is fixing one! By all means please take a stab at fixing whatever problems you find. The best way to submit patches is to make changes to the checked out code and generate a patch file. You can create a patch file like this:

svn diff > mypatches

Here's an example patch to let Volatility run on big-endian systems. Good hunting!

DoD Cyber Crime deadline extended [Jun. 29th, 2009|05:40 pm]

It's beginning to become standard operating procedure, but the deadline for submissions for the 2010 DoD Cyber Crime Conference has been extended until 1 August.

As you can see from the 2009 conference and 2008 conference, the deadline has been extended at least once each year. While I appreciate the difficulty of vetting and scheduling so many talks, maybe they could just make the initial deadline a little later? Submitting a talk six months in advance makes it extremely difficult to present something truly cutting edge.

Windows Internals 5th Edition published [Jun. 29th, 2009|09:25 am]

Windows Internals 5th edition has been published! I first wrote about this book in January 2008, so it's only 18 months behind schedule. The book is the latest edition of the fantastic Microsoft Windows Internals books by Mark Russinovich and David Solomon. If you want to know what's going on under the hood with Windows to a ridiculous level, read this book!

Looking back on sample memory images [Jun. 12th, 2009|07:09 am]

Four years after posting sample memory images I am proud of my decision, glad to have given researchers a common data set to work with, and heartened by the community's respect for my privacy.

Back in the summer of 2005 the only publicly available memory images were the two from the DFRWS Memory Analysis Challenge. Partially inspired by the challenge, I decided to publish a set of standard memory images for researchers. The idea was to create a common data set we could all use. When somebody developed a new technique, they could explain the method and show the results of using it on the common data set. Other researchers could repeat the method on the same data and then critique the method.

I posted a set of five memory images. Three of them were from a test system and contained no real data; they were just a clean operating system install booted up. The last two images, however, xp-laptop-2005-06-25 and xp-laptop-2005-07-04, were memory images from a computer that had been used in the real world. The system, a laptop borrowed from a friend, was being used by S— for schoolwork.

At the time I thought about the risks of posting data from a machine S— and my friend had been using, but my conclusion was "I've rebooted the machine and only my data should be in RAM."

Oh, how wrong I was.

There has been an astounding amount of memory analysis research since that summer. We've developed methods to recover amazing things. Network packets, connection information, hidden processes, handle tables, hooked tables, entire executables, malicious code samples, and more. We should be especially thankful to moyix for his work on examining the Windows Registry in memory images. The registry contains a gold mine of forensic information such as password hashes, SSIDs from wireless networks and information about USB devices.

I'm singling out moyix for an important reason. When he first discovered the easily crackable password hashes in my memory images, he contacted me before publishing anything. He gave me a chance to protect myself. I appreciated the heads up, and while I would never ask anybody to withhold publication, his pause helped keep me and S— safe.

Interesting side note about SSIDs and how forensic analysis has its limits. Cached SSIDs are stored in the registry hive labeled \WINDOWS\system32\config\software. For example, in the xp-laptop-2005-07-04 memory image it's at offset 0xe1658b60. In that hive, look at the key Microsoft\WZCSVC\Parameters\Interfaces. You'll see some entries that are GUIDs. Looking at the values under those GUIDs reveals some binary data that contains the SSIDs.

In those SSID entries you'll find an entry "Mayorga". A Bing search[1] reveals the Mayorga Coffee Factory. Although not direct evidence that I was at the Mayorga, it's definitely circumstantial. As a point of fact, however, I never went to the Mayorga coffee house before July 2005. The SSID could either be a remnant of the machine's owner or a red herring. There's nothing that prevents any access point from being named "Mayorga".

Posting my memory images unquestionably helped other researchers advance the field. The images gave them live data to experiment with and a method for others to verify their results. My heart still skips a beat every time I hear somebody has found a new kind of data in those memory images, but I'm confident the next person to make a major advance will talk to me before publishing anything.

In a similar vein, I urge others to post live data sets for research, but please be careful. Once you post something to the Internet you can never ever ever make it go away. There are probably data in my memory images we can't even conceive of yet, and analysis techniques always improve.

If you haven't already, check out the memory snapshot project (files). Hogfly is posting memory images from systems infected with live malware. While I applaud Hogfly's efforts, I don't think the systems are running with live data. That is, the malware is the only thing running on the system, making it easy to see. In an ideal world I'd like to see memory images from a system with real-world data that has malware on it. That would make for good research and training!

At this point, however, things get more complicated. Nobody should post memory images with data from people who haven't consented. But how much consent is needed? Is data posted publicly on the web free to use? My memory images contained pages from the New York Times, which is probably fine. But what about something posted to LiveJournal or Facebook? Email messages? Mailing list posts? Whatever you do, please be responsible.

[1] Yes, a Bing search. A researcher always tries out new things.
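The lesson of this entry is that an image published in good faith carried SSIDs, password hashes and other personal data nobody noticed at the time. As an added example (not code from this post), here is a small Python screener of the kind you could run over a raw memory image before publishing it: it pulls out ASCII and UTF-16LE strings, the way `strings -el` would, and reports e-mail addresses, URLs and any watch terms you supply, such as a known SSID or a user name. The buffer it scans is constructed here to stand in for a few pages of RAM, and the `watch_terms` parameter is my own choice of interface. It knows nothing about registry structures or hash formats, which is the same point the entry makes: a scan like this tells you what today's techniques find, not what the next one will.

```python
"""Screen a memory image for personal artifacts before publishing it.
Added example (not code from the post): extracts ASCII and UTF-16LE
strings from a raw buffer and reports e-mail addresses, URLs and
caller-supplied watch terms (known SSIDs, user names, and so on)."""
import re
from typing import Iterator, List, Sequence, Tuple

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")           # 6+ printable bytes
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # 6+ UTF-16LE chars
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL = re.compile(r"https?://[^\s\"'<>]+")


def extract_strings(buf: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run in buf."""
    for m in ASCII_RUN.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def screen_image(buf: bytes, watch_terms: Sequence[str] = ()) -> List[dict]:
    """Return findings sorted by offset; each has offset, enc, kind, text."""
    findings = []
    for off, enc, text in extract_strings(buf):
        for m in EMAIL.finditer(text):
            findings.append(dict(offset=off, enc=enc, kind="email", text=m.group()))
        for m in URL.finditer(text):
            findings.append(dict(offset=off, enc=enc, kind="url", text=m.group()))
        for term in watch_terms:            # case-insensitive substring match
            if term.lower() in text.lower():
                findings.append(dict(offset=off, enc=enc, kind="watch:" + term, text=text))
    return sorted(findings, key=lambda f: f["offset"])


# Constructed stand-in for a few pages of RAM (not taken from any real image):
# an HTTP request, a UTF-16 e-mail address, an SSID value and a URL.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"GET /index.html HTTP/1.1\r\nHost: www.nytimes.com\r\n"
    + b"\x00" * 32
    + "student@example.edu".encode("utf-16le")
    + b"\x00" * 16
    + b"Mayorga\x00"
    + b"\x00" * 32
    + b"http://www.example.org/private/notes.txt"
)

if __name__ == "__main__":
    for f in screen_image(SAMPLE_IMAGE, watch_terms=["Mayorga"]):
        print("0x%08x %-8s %-14s %s" % (f["offset"], f["enc"], f["kind"], f["text"]))
```

Run it against a real image with `screen_image(open(path, "rb").read(), watch_terms=[...])`, and treat the watch list as the important part: the regular expressions only catch the obvious, but a list of the SSIDs, account names and addresses you know were on the machine catches exactly the things you would rather not publish.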

md5deep version 3.4 [Jun. 10th, 2009|05:40 pm]

I've released version 3.4 of md5deep. This is a bug-fix release and addresses two serious problems. First, there was a memory leak while processing directories on Windows. Second, the -n mode (unused hashes mode) has been fixed. My apologies for the errors.

Conference Updates [Jun. 3rd, 2009|01:03 pm]

The Call for Papers is open for the 2010 DoD Cyber Crime Conference. Don't be late; abstracts are due on July 1st!

Also, don't forget about the SANS Computer Forensics Summit in early July. Yours truly will be on the Essential Forensic Tools panel. See you there!

Essential Tools Panel at SANS Forensic Summit [Apr. 20th, 2009|01:45 pm]

I've been selected to present as part of the Essential Tools Panel of the SANS Forensics Summit 2009. I'll be presenting on which tools I use regularly and why. With me on the panel are Troy Larson from Microsoft, Mark McKinnon, and Lance Mueller. It should be a great talk. Be there or be square!

md5deep version 3.3 [Apr. 4th, 2009|09:54 am]

This morning I posted md5deep version 3.3. This is a bug-fix release intended to address two issues on Microsoft Windows. First, the program can now handle 64-bit timestamps, which previously could have caused a crash. Second, the program now skips all reparse points (e.g. junction points, symbolic links, etc.). These come up often on Windows Vista and Windows 7 and can cause a lot of extra work for the program. The resulting code is not perfect (someday the user should be able to control the recursion process), but it's better this way than before. Enjoy!
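To show what skipping reparse points buys you, here is an added Python example (not md5deep's own C code) that hashes a tree recursively and treats symbolic links on any platform, and reparse points on Windows, the way md5deep 3.3 now does: noticed, but never followed. The demo tree is constructed in a temporary directory and includes a directory link pointing back into the tree, which is the case that costs a naive recursive hasher repeated or endless work.

```python
"""Hash a directory tree without following reparse points.
Added example (not md5deep's C code): recursive hashing that skips symbolic
links everywhere and any reparse point on Windows (junctions, mount points),
so a link back into the tree cannot cause repeated or endless work."""
import hashlib
import os
import stat
import tempfile
from typing import Dict


def is_reparse_point(path: str) -> bool:
    """True for symlinks anywhere and for any reparse point on Windows."""
    st = os.lstat(path)                     # lstat: look at the link itself
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)    # present on Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def hash_tree(root: str, algorithm: str = "md5") -> Dict[str, str]:
    """Map each regular file's path (relative to root, '/'-separated) to its digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Prune reparse-point directories in place so os.walk never descends.
        dirnames[:] = [d for d in dirnames
                       if not is_reparse_point(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_reparse_point(full):      # linked file: skip, don't follow
                continue
            h = hashlib.new(algorithm)
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def build_demo_tree() -> str:
    """Constructed tree: one real file, a file link, and a directory link
    pointing back into the tree (the case that used to cost extra work)."""
    root = tempfile.mkdtemp(prefix="hash_tree_demo_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "a.txt"), "wb") as fh:
        fh.write(b"hello\n")
    os.symlink(os.path.join(root, "docs", "a.txt"), os.path.join(root, "alias.txt"))
    os.symlink(os.path.join(root, "docs"), os.path.join(root, "loop"))
    return root


if __name__ == "__main__":
    for rel, digest in sorted(hash_tree(build_demo_tree()).items()):
        print(digest, rel)
```

The one file is hashed exactly once; `alias.txt` and `loop` are seen but skipped. If you do want link targets hashed, the place to add a switch is the two `is_reparse_point` checks, which is the user-controlled recursion the entry says is still missing.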

Fuzzy Hashing in FTK [Mar. 26th, 2009|10:47 pm]

So apparently I've been asleep at the switch. Fuzzy hashing has been incorporated into AccessData's flagship Forensic Toolkit! Not only have they added the feature but they've also written a great paper describing fuzzy hashing and how it works in FTK.

Now I know what some of you are thinking. How did AccessData include fuzzy hashing, which is licensed under the GPL2, in a proprietary program like FTK? Well, to tell you the truth, in all this excitement I kind of lost track myself. (Wait... wrong speech.)

I think AccessData rewrote fuzzy hashing. The edit distance code, for example, has been replaced with some database calls. I don't know how they're computing the rolling and FNV hashes, but if they took the time to rewrite the edit distance code they probably rewrote the rest too. The edit distance code dates back to 1989 and was last updated in 1993. There's no sense in rewriting something that's been working for fifteen years unless you absolutely must.

Regardless, go forth and be fuzzy!
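For readers wondering what AccessData would actually have had to rewrite, here is an added Python example (not ssdeep's code, not fuzzy.dll, not FTK's, and not a byte-for-byte reimplementation) of the three pieces named above: the rolling hash that picks block boundaries, the FNV hash that turns each block into one signature character, and the weighted edit distance that scores two signatures. It leaves out ssdeep's sequence elimination, so its signatures are not guaranteed to match the real tool's; the sample inputs are constructed pseudo-random byte strings.

```python
"""ssdeep-style context triggered piecewise hashing (CTPH). Added teaching
example: not ssdeep's, fuzzy.dll's or FTK's code, and not guaranteed to give
byte-identical signatures (ssdeep's sequence elimination is omitted)."""
import random

SPAMSUM_LENGTH = 64          # maximum characters in the first signature
MIN_BLOCKSIZE = 3
ROLLING_WINDOW = 7           # bytes of context that decide a boundary
HASH_PRIME = 0x01000193      # 32-bit FNV prime
HASH_INIT = 0x28021967       # FNV seed used by spamsum/ssdeep
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MASK32 = 0xFFFFFFFF

class RollingHash:
    """Hash of the last ROLLING_WINDOW bytes, updated in O(1) per byte."""
    def __init__(self):
        self.window = [0] * ROLLING_WINDOW
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, c):
        self.h2 = (self.h2 - self.h1 + ROLLING_WINDOW * c) & MASK32
        self.h1 = (self.h1 + c - self.window[self.n % ROLLING_WINDOW]) & MASK32
        self.window[self.n % ROLLING_WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) & MASK32) ^ c
        return (self.h1 + self.h2 + self.h3) & MASK32

def _hash_at_blocksize(data, bs):
    """Signature strings for block size bs and for 2*bs."""
    roll, h1, h2, sig1, sig2 = RollingHash(), HASH_INIT, HASH_INIT, [], []
    for c in data:
        r = roll.update(c)
        h1 = ((h1 * HASH_PRIME) & MASK32) ^ c     # FNV over the current block
        h2 = ((h2 * HASH_PRIME) & MASK32) ^ c
        if r % bs == bs - 1 and len(sig1) < SPAMSUM_LENGTH - 1:
            sig1.append(B64[h1 & 63])               # trigger: emit one char
            h1 = HASH_INIT                           # and start a new block
        if r % (2 * bs) == 2 * bs - 1 and len(sig2) < SPAMSUM_LENGTH // 2 - 1:
            sig2.append(B64[h2 & 63])
            h2 = HASH_INIT
    if data:                                         # flush the final block
        sig1.append(B64[h1 & 63])
        sig2.append(B64[h2 & 63])
    return "".join(sig1), "".join(sig2)

def fuzzy_hash(data: bytes) -> str:
    """Return 'blocksize:sig1:sig2' for a byte string."""
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < len(data):          # largest block size that
        bs *= 2                                      # still fills ~64 chars
    while True:
        sig1, sig2 = _hash_at_blocksize(data, bs)
        if len(sig1) >= SPAMSUM_LENGTH // 2 or bs == MIN_BLOCKSIZE:
            return "%d:%s:%s" % (bs, sig1, sig2)
        bs //= 2                                     # too few triggers: halve

def _edit_distance(a, b):
    """Levenshtein distance with insert/delete cost 1 and replace cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]

def _score_strings(s1, s2, bs):
    """0..100 similarity of two signature parts computed at block size bs."""
    if not any(s1[i:i + ROLLING_WINDOW] in s2
               for i in range(len(s1) - ROLLING_WINDOW + 1)):
        return 0                                     # no shared 7-char run
    score = _edit_distance(s1, s2) * SPAMSUM_LENGTH // (len(s1) + len(s2))
    score = 100 - 100 * score // SPAMSUM_LENGTH
    if bs < (99 + ROLLING_WINDOW) // ROLLING_WINDOW * MIN_BLOCKSIZE:  # small bs: cap
        score = min(score, bs // MIN_BLOCKSIZE * min(len(s1), len(s2)))
    return score

def fuzzy_compare(hash1: str, hash2: str) -> int:
    """Similarity 0..100 between two fuzzy_hash() outputs."""
    b1, s1a, s1b = hash1.split(":", 2)
    b2, s2a, s2b = hash2.split(":", 2)
    b1, b2 = int(b1), int(b2)
    if b2 > b1:                                      # normalise so b1 >= b2
        return fuzzy_compare(hash2, hash1)
    if b1 == b2:          # same block size: score both parts, keep the best
        return max(_score_strings(s1a, s2a, b1), _score_strings(s1b, s2b, 2 * b1))
    if b1 == 2 * b2:      # otherwise compare the parts sharing a block size
        return _score_strings(s1a, s2b, b1)
    return 0

def _sample(seed, n=4000):
    rng = random.Random(seed)                        # constructed, deterministic
    return bytes(rng.getrandbits(8) for _ in range(n))

ORIGINAL = _sample(1)                                # constructed "file"
EDITED = ORIGINAL[:2000] + b"patched!" + ORIGINAL[2008:]   # 8-byte change
UNRELATED = _sample(2)
```

Call `fuzzy_hash()` on each input and `fuzzy_compare()` on the two results: `ORIGINAL` against itself scores 100, against `EDITED` it stays high, and against `UNRELATED` it is 0. Two design points carry the security use case. The rolling hash depends only on the last seven bytes, so a local edit changes only the signature characters near it and the rest resynchronise, which is why a patched binary still matches its parent. And the comparison refuses to score signatures that share no seven-character run, which keeps unrelated files at 0 instead of at a misleading low score that would clutter a triage report.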

Suspicious Plugin Broken [Mar. 3rd, 2009|10:00 am]

Several people have written to me asking about the Suspicious plugin I posted a while back. Unfortunately I'm not sure what's going wrong. There is some kind of conflict with the existing plugins, but I haven't been able to figure it out. Sorry!

Fixing the 'suspicious.py' Volatility module [Feb. 14th, 2009|11:06 am]

Several people have asked about the following error when using the suspicious.py plugin for Volatility:
Traceback (most recent call last):
  File "volatility", line 219, in <module>
    main()
  File "volatility", line 201, in main
    MemoryRegistry.Init()
  File "/Users/jessek/Volatility-1.3_Beta/forensics/registry.py", line 269, in Init
    OBJECT_CLASSES = VolatilityObjectRegistry(object2.Object)
  File "/Users/jessek/Volatility-1.3_Beta/forensics/registry.py", line 244, in __init__
    raise Exception("Object %s has already been defined by %s" % (obj,self.objects[obj]))
Exception: Object _EPROCESS has already been defined by <class 'example3._EPROCESS'>

The error is caused by a collision of the _EPROCESS object in suspicious.py and example3.py. The easiest way to solve the problem is to remove example3.py from the memory_plugins directory.
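A quick way to find such a collision before Volatility does, as an added diagnostic that is not part of Volatility or of this post: parse every file in the plugin directory with Python's `ast` module (nothing is imported, so no plugin code runs) and list the class names defined in more than one module. The sample sources below are constructed stand-ins for the plugin files; point `scan_plugin_dir()` at the real memory_plugins directory instead.

```python
"""Find plugin object classes defined in more than one file.
Added diagnostic (not part of the post or of Volatility): parses each .py
file with `ast`, so nothing is imported or executed, and reports class
names that appear in two or more modules, which is exactly the collision
the object registry refuses to load. The output names the file to remove."""
import ast
import os
from typing import Dict, List


def classes_in_source(src: str) -> List[str]:
    """Top-level class names in one module's source text."""
    return [node.name for node in ast.parse(src).body
            if isinstance(node, ast.ClassDef)]


def find_duplicate_classes(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each class name defined in more than one module to those modules."""
    seen: Dict[str, List[str]] = {}
    for filename in sorted(sources):
        for name in classes_in_source(sources[filename]):
            seen.setdefault(name, []).append(filename)
    return {name: files for name, files in seen.items() if len(files) > 1}


def scan_plugin_dir(path: str) -> Dict[str, List[str]]:
    """Read every .py file directly under path (e.g. memory_plugins) and check it."""
    sources = {}
    for fn in os.listdir(path):
        if fn.endswith(".py"):
            with open(os.path.join(path, fn), encoding="utf-8") as fh:
                sources[fn] = fh.read()
    return find_duplicate_classes(sources)


# Constructed stand-ins for three plugin files; the real plugins are longer,
# but the class-name collision is the only thing that matters here.
SAMPLE_PLUGINS = {
    "example3.py": "class _EPROCESS(object):\n    pass\n",
    "suspicious.py": ("class _EPROCESS(object):\n    pass\n"
                      "class suspicious(object):\n    pass\n"),
    "pslist.py": "class pslist(object):\n    pass\n",
}

if __name__ == "__main__":
    for name, files in find_duplicate_classes(SAMPLE_PLUGINS).items():
        print("%s is defined in: %s" % (name, ", ".join(files)))
```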

Revised journal articles on BitLocker, Buffalo [Feb. 5th, 2009|12:06 am]

Good news everyone! Thanks to a revised legal agreement from the journal Digital Investigation I have been able to publish the edited versions of my papers Implementing BitLocker Drive Encryption for Forensic Analysis and Using Every Part of the Buffalo in Windows Memory Analysis. Although there isn't much new content in the latter, the former was almost entirely rewritten between its original submission and the present form. Enjoy!

Slides from DoD Cyber Crime 2009 [Jan. 31st, 2009|09:10 am]

As promised, a version of the slides from my talk at the 2009 DoD Cyber Crime Conference, Practical Methods for Dealing with Full Disk Encryption, is now online. I've redacted the law enforcement sensitive material. Enjoy!

md5deep version 3.2 with CSV mode [Jan. 25th, 2009|11:10 am]

This morning I published version 3.2 of the md5deep/hashdeep suite. Although there are several important bug fixes in this release, I've also added a new feature: comma separated values (CSV) mode for md5deep. This feature has been requested every so often and I've finally added it. You can see the complete list of changes before downloading the Windows version or source code.

List of Volatility plugins [Jan. 15th, 2009|06:22 pm]

I'm creating a list of the plugins for the Volatility memory analysis framework over on the Forensics Wiki. If you've written a plugin, please add it to the list!

Using Fuzzy Hashing from C# [Jan. 15th, 2009|06:06 pm]

Recently ssdeep user Jose Cintron wanted to use fuzzy hashing in a C# program. After some significant head scratching he came up with the following code necessary to use at least part of the DLL from his program:

using System.Runtime.InteropServices;   // Needed for DllImport
using System.Text;                      // Needed for StringBuilder

public class ssdeepWrapper
{
     // fuzzy.dll should be somewhere in the path or specify exactly
     // where to find it. The DLL is plain C, so its functions use the
     // cdecl calling convention; say so rather than relying on the default.
     [DllImport("fuzzy.dll", CallingConvention = CallingConvention.Cdecl)]
     public static extern int fuzzy_hash_filename(string fname,
                                                  StringBuilder result);
     // 'result' must be allocated by the caller with a capacity of at
     // least FUZZY_MAX_RESULT (see fuzzy.h) before the call.

     [DllImport("fuzzy.dll", CallingConvention = CallingConvention.Cdecl)]
     public static extern int fuzzy_compare(string sig1, string sig2);
}
Any thoughts? Has anybody else tried using fuzzy hashing from a different language?

BitLocker Paper Accepted [Jan. 14th, 2009|10:17 am]

My paper on Microsoft's BitLocker, Implementing BitLocker Drive Encryption for Forensic Analysis, has been accepted for publication in the journal Digital Investigation. The paper has been significantly revised since I last wrote about it. The online version bears only a passing resemblance to the final version. As such, here's the new abstract:
This paper documents the BitLocker Drive Encryption system included with some versions of Microsoft's Windows Vista. In particular it describes the key management system, the algorithms and modes used, and the metadata format. Particular attention is given to methods forensic examiners can use to access protected data. There are some unanswered questions about how the cryptosystem operates, including an undocumented key management decision. This decision could allow, in a particular usage scenario, unauthorized access to a protected volume.
You'll have to read the published article to get the whole story!

Python Bindings for Fuzzy Hashing [Jan. 6th, 2009|02:36 pm]

Thanks to the power of open source there are now Python bindings for ssdeep. That's right, fuzzy hashing from Python. Woohoo!

ssdeep version 2.1 is out [Jan. 1st, 2009|09:57 am]

Happy New Year! Now you can prove 2008 is a lot like 2009 using the latest version of ssdeep, your favorite fuzzy hashing program and API. This is mostly a bug fix release, but you can now use the API to hash a file without having to open it yourself. Enjoy!

Bringing back old entries [Dec. 12th, 2008|08:51 am]

Just an administrative note to say that I'm bringing back my old entries relating to computer forensics. Everything else will remain private. In certain cases old material unrelated to forensics but contained in a generally useful post will be redacted, such as in this post on the Windows Research Kernel.