The Volatility Framework is an an advanced, completely open collection of tools for memory forensics, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
Computer attacks are a constant concern for admins and users of computers. These are attacks that are stealthy enough not to leave any traces on the hard disk of the computer. To detect such attacks, we need to make a forensic analysis of the memory dump of the computer. This analysis is termed memory forensics. Volatility is the open source framework that could help us with memory forensics.
Present day malware are stealthier and remain hidden during dynamic behaviour analysis. In order to detect such types of malware and their behaviour, run time memory inspection can be carried out. Malware, including rootkit, traverses the RAM; hence the Volatility framework helps us to inspect the live memory of any operating system. This can help us to possibly detect some advanced malware, which is very persistent in its behaviour.
This hands-on training teaches the concepts, tools, and techniques to analyze, investigate and hunt malwares by combining two powerful techniques malware analysis and memory forensics.This course will introduce attendees to basics of malware analysis, reverse engineering, Windows internals and memory forensics, it then gradually progresses deep into more advanced concepts of malware analysis & memory forensics.
Volexity is a Washington, D.C.-based cyber security firm with a global reach. It is led by some of the most respected subject matter experts in the commercial, open source, government, and defense industries, who have pioneered the field of memory forensics (i.e., Volatility), written best-selling security books, and developed groundbreaking tools and technology.
Based on years of published academic research into advanced memory analysis and forensics, its unique platform enables cutting edge research to be immediately transitioned into the hands of digital investigators. As a result, research built on top of Volatility has appeared at the top academic conferences, and Volatility has been used on some of the most critical investigations of the past decade. It continues to be supported by one of the largest and most active communities in the forensics industry. Learn more at www.volatilityfoundation.org.
Abstract:Memory forensics is an investigative technique used in malware analysis, reverse engineering, digital forensics and incident response. With adversaries becoming more sophisticated and carrying out advanced attacks targeting critical infrastructures, Data Centers, private and public organizations, detecting, responding to, and investigating such intrusions are critical for information security professionals. Memory Forensics has become a must-have skill for fighting advanced malware, targeted attacks and security breaches. This training touches on the topic of malware, Windows internals, and techniques to perform malware and Rootkit investigations of real world memory samples using open source advanced memory forensics framework (Volatility). The training also teaches how to incorporate memory forensics into malware analysis and sandbox technology.
Bio:Monnappa KA is based out of Bangalore, India. He works with Cisco Systems as Information Security Investigator focusing on threat intelligence and investigation of advanced cyber attacks. His fields of interest include malware analysis, reverse engineering, memory forensics and threat intelligence. He is an active speaker in the Bangalore security community meetings and has presented on various topics which include \"Memory Forensics\", \"Advanced Malware Analysis\", \"Rootkit Analysis\", and \"Sandbox Analysis\". He has authored various articles related to \"Malware Analysis\" and \"Memory Forensics\" in the Hakin9 and eForensics magazines.
Abstract:The increase in the number of cybersecurity incidents in which internet of things (IoT) devices are involved has called for an improvement in the field of computer forensics, which needs to provide techniques in order to perform complete and efficient investigations in this new environment. With the aim of doing so, new devices and systems are being studied in order to offer guidelines for investigators on how to examine them. This papers follows this approach and presents a forensic analysis of the non-volatile memory of Windows 10 IoT Core. It details how the investigation should be performed and highlights the relevant information that can be extracted from storage. In addition, a tool for the automation of the retrieval of the pieces of evidence detected is provided.Keywords: cybersecurity; forensics; IoT; Windows 10 IoT Core
Volatility is an open source advanced memory forensics framework. The primary tool within the framework is the Volatility Python script that utilizes a large number of plugins to perform the analysis of memory images. As a result, Volatility is able to be run on any operating system that supports Python. In addition, Volatility can be utilized against memory image files from most of the commonly distributed operating systems including Windows for Windows XP to Windows Server 2016, macOS, and finally common Linux distributions.
In summary, PowerShell logging, Sysmon, an EDR solution such as Cisco AMP for Endpoints, and a memory forensics capability are vital processes to efficient incident response. This multi-layered approach allows for detection and response, but more importantly if one capability fails (i.e. event logs are overwritten, due to size, cleared by an attacker, etc.) you have another mechanism to detect (i.e. PowerShell logging, EDR solution, Memory Forensic analysis) a common PowerShell attack.
Volatility is a very powerful memory forensics tool. It is used to extract information from memory images (memory dumps) of Windows, macOS, and Linux systems. There is also a huge community writing third-party plugins for volatility. You definitely want to include memory acquisition and analysis in your investigations, and volatility should be in your forensic toolkit.
Today we show how to use Volatility 3 from installation to basic commands. When analyzing memory, basic tasks include listing processes, checking network connections, extracting files, and conducting a basic Windows Registry analysis. We cover each of these tasks. After you understand the Volatility 3 command structure and extract some basic information, advanced memory analysis just builds on those concepts.
Memory analysis - with the help of volatility 3 - is becoming easier. It is an excellent source of action-related evidence. If you are not already routinely including memory acquisitions in your investigations, I strongly recommend you do. The amount of information available that will never be written to disk is well worth the extra effort.
Malware analysis and memory forensics are powerful analysis and investigative techniques used in reverse engineering, digital forensics and incident response. Adversaries are becoming more sophisticated and carrying out advanced malware attacks on critical infrastructures, Data Centers, private and public organizations. This makes detecting, responding and investigating such intrusions increasingly critical for information security professionals. Malware analysis and memory forensics have become a must-have skill for fighting advanced malwares, targeted attacks and security breaches.
This course will introduce attendees to basics of malware analysis,reverse engineering, Windows internals and memory forensics. It will then gradually progress deeper into more advanced concepts of memory forensics.
He has conducted training sessions on malware analysis, reverse engineering, and memory forensics at Black Hat, BruCON, HITB, FIRST (Forum of Incident Response and Security Teams), SEC-T, OPCDE, and 4SICS-SCADA/ICS cybersecurity summit. He has presented at various security conferences, including Black Hat, FIRST, SEC-T, 4SICS-SCADA/ICS summit, DSCI, National Cyber Defence Summit, and Cysinfo meetings on various topics related to memory forensics, malware analysis, reverse engineering, and rootkit analysis. He has also authored various articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community in his YouTube channel ( ), and you can read his blog posts at
The Volatility framework is an open-source memory forensics tool that is maintained by the Volatility Foundation. The Volatility Foundation is an NGO that also conducts workshops and contests to educate participants on cutting-edge research on memory analysis.
Memory forensics allows an investigator to get a full picture of what is occurring on-device at the time that a memory sample is captured and is frequently used to detect and analyze malware. Malicious attacks have evolved from living on disk to having persistence mechanisms in the volatile memory (RAM) of a device and the information that is captured in memory samples contains crucial information for full forensic analysis by cybersecurity professionals. Recently, Apple unveiled computers containing a custom designed system on a chip (SoC) called the M1 that is based on ARM architecture. Our research focused on the differences in the Volatility memory analysis framework between Apple's new M1 SoC and its previous Intel-based CPUs due to the new architecture. We extracted memory samples from a MacBook Air equipped with a M1 SoC and a Intel-based Mac virtual machine. Using those samples, we ran all the Volatility plugins available for Mac against each memory sample, taking note of any differences or errors that occurred because of the shift in architecture. This is foundational memory forensics work on the M1 ARM platform that will allow future research and improvements to be made on Volatility for M1. 153554b96e