Thursday, 26 February 2009

Presentation: The Volatility Framework: Volatile memory artifact extraction utility framework

Overview
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.

The Volatility Framework demonstrates our commitment to and belief in the importance of open source digital investigation tools. Volatile Systems is committed to the belief that the technical procedures used to extract digital evidence should be open to peer analysis and review. We also believe this is in the best interest of the digital investigation community, as it helps increase the communal knowledge about the systems we are forced to investigate. Similarly, we do not believe the availability of these tools should be restricted and therefore encourage people to modify, extend, and make derivative works, as permitted by the GPL.

Capabilities
The Volatility Framework currently provides the following extraction capabilities for memory samples:

* Image date and time
* Running processes
* Open network sockets
* Open network connections
* DLLs loaded for each process
* Open files for each process
* Open registry handles for each process
* A process' addressable memory
* OS kernel modules
* Mapping physical offsets to virtual addresses (strings to process)
* Virtual Address Descriptor information
* Scanning examples: processes, threads, sockets, connections, modules
* Extract executables from memory samples
* Transparently supports a variety of sample formats (i.e., crash dump, hibernation file, dd raw image)
* Automated conversion between formats
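Two of the capabilities above, listing running processes and scanning for process objects, rely on different techniques, and the difference matters when a rootkit has unlinked a process from the kernel's list. The following is an added example, not code from the Volatility project, that demonstrates both approaches over a small constructed memory image. It assumes a deliberately simplified, hypothetical process layout (a 4-byte pool tag followed by pid, parent pid, forward/backward list pointers and a 16-byte name, with list pointers that are plain offsets into the image); the real Windows _EPROCESS layout, pool header and virtual-to-physical translation are not modelled here.

```python
import struct
from dataclasses import dataclass

# Hypothetical toy layout, chosen for this example only (not the real _EPROCESS):
# tag(4s) pid(u32) ppid(u32) flink(u32) blink(u32) name(16s), little-endian.
POOL_TAG = b"Proc"
ALIGN = 8                            # toy allocations are 8-byte aligned, so scan at that step
HDR = struct.Struct("<4sIIII16s")
PROC_SIZE = HDR.size                 # 36 bytes


@dataclass
class Proc:
    offset: int
    pid: int
    ppid: int
    flink: int
    blink: int
    name: str


def parse_proc(image: bytes, off: int) -> Proc:
    tag, pid, ppid, flink, blink, name = HDR.unpack_from(image, off)
    return Proc(off, pid, ppid, flink, blink,
                name.rstrip(b"\0").decode("ascii", "replace"))


def looks_valid(p: Proc, image_len: int) -> bool:
    """Sanity checks that weed out false tag matches in unrelated data."""
    return (0 < p.pid < 65536
            and p.flink < image_len and p.blink < image_len
            and bool(p.name) and all(32 <= ord(c) < 127 for c in p.name))


def pslist(image: bytes, list_head: int) -> list:
    """Walk the doubly linked active-process list starting at its head entry.
    Only processes still on the list are found."""
    procs, seen = [], set()
    (cur,) = struct.unpack_from("<I", image, list_head)   # head's flink
    while cur != list_head and cur not in seen:           # stop on wrap or cycle
        seen.add(cur)
        p = parse_proc(image, cur)
        procs.append(p)
        cur = p.flink
    return procs


def psscan(image: bytes) -> list:
    """Carve process objects by pool tag regardless of list membership."""
    hits = []
    for off in range(0, len(image) - PROC_SIZE + 1, ALIGN):
        if image[off:off + 4] != POOL_TAG:
            continue
        p = parse_proc(image, off)
        if looks_valid(p, len(image)):
            hits.append(p)
    return hits


def hidden_processes(image: bytes, list_head: int) -> list:
    """Processes the scanner finds that the list walk does not: DKOM candidates."""
    listed = {p.offset for p in pslist(image, list_head)}
    return [p for p in psscan(image) if p.offset not in listed]


def build_image():
    """Constructed 4 KiB sample image for the example (not a real memory dump)."""
    img = bytearray(0x1000)
    head, a, b, c = 0x80, 0x100, 0x200, 0x300
    struct.pack_into("<II", img, head, a, b)                         # list head: flink, blink
    HDR.pack_into(img, a, POOL_TAG, 4, 0, b, head, b"System")
    HDR.pack_into(img, b, POOL_TAG, 1234, 4, head, a, b"explorer.exe")
    # Unlinked process: its list pointers point to itself, as after DKOM hiding.
    HDR.pack_into(img, c, POOL_TAG, 666, 1234, c, c, b"rootkit.exe")
    img[0x400:0x404] = POOL_TAG      # decoy: tag with zeroed fields, rejected by looks_valid
    img[0x501:0x505] = POOL_TAG      # tag bytes at an unaligned offset, skipped by the scan
    return bytes(img), head


if __name__ == "__main__":
    image, head = build_image()
    print("pslist:", [(p.pid, p.name) for p in pslist(image, head)])
    print("psscan:", [(p.pid, p.name) for p in psscan(image)])
    print("hidden:", [(p.pid, p.name) for p in hidden_processes(image, head)])
```

The list walk reports System and explorer.exe, the scan additionally recovers rootkit.exe, and comparing the two sets is the standard way to flag a process hidden by list manipulation. The decoy entries show why a scanner needs field-level sanity checks rather than trusting every tag match.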

Supported Platforms
The Volatility framework should run on any platform where Python is supported. Volatility has been tested on the following platforms:

* Linux
* Cygwin
* Windows
* OSX 10.5 (Thanks: sam f. stover)


Download

Volatility-1.3_Beta
Volatility-1.1.2

Visit: https://www.volatilesystems.com

Practitioner's Guide to Capturing and Analysis of RAM


Dale Beauchamp - DojoSec January 2009 from Marcus Carey on Vimeo.

Dale Beauchamp, from the Department of Homeland Security (TSA), gave an interesting presentation at DojoSec on January 8th. He presents memory analysis from a practitioner's point of view, which is extremely useful for the community to hear. In his presentation, he described Volatility as "The best tool for going into memory" and how using Volatility a person could "solve a case in 10 minutes". Dale also describes a batch script he wrote for running Volatility commands and Gleeda's vol2html.

Wednesday, 25 February 2009

Borg-like cybots may patrol government networks


The Oak Ridge National Laboratory has created software that uses colonies of borg-like cyberrobots it says will help government agencies detect and fend off attacks on the nation's computer network infrastructure.

The Ubiquitous Network Transient Autonomous Mission Entities (Untame) software differs from traditional security software agents in that its cybot "entities" form collectives that are mutually aware of the condition and activities of other bots in their colony.

When these cybots detect network intruders, they communicate with one another, preventing cybercrooks from creating and using a diversion in one spot within the network to then break through in another.

"The cybots are an inherent part of Untame's software, designed to do cybersecurity," Joe Trien, a team leader from the lab's Computational Sciences and Engineering Division, said in an interview with the Daily Beacon. "Most enterprises have intrusion detection centers set up in key spots, but they don't communicate with each other. But a cybot is intended to work with other cybots, continue their mission, or regenerate when necessary so they can pick up where one left off."

The U.S. Department of Energy commissioned the software in response to criticism from Congress over security lapses. It hopes for an "intelligent, self-healing, intrusion detection and prevention system" capable of real-time response and defense, one that can learn to avoid false positives and relieve human operators from slogging through low-level alerts.

The concept of mobile, autonomous software is not one that commercial software developers have embraced, said Lawrence MacIntyre, who is also working on the project. "When you tell people you've got this software that roams, the first thing they think of is a worm," he said.

Trien says Untame is more analogous to the Borg from "Star Trek," only benign. Plus, it would be bound by mission directives to monitor and protect its assigned cyberinfrastructure--not assimilate humanity.

Saturday, 21 February 2009

Friday, 20 February 2009

Fight against cyber crime: cyber patrols and Internet investigation teams to reinforce the EU strategy.

The Council of ministers of the European Union adopted today the Council's strategy to reinforce the fight against cyber crime. The strategy proposes a series of operational measures, such as cyber patrols, joint investigation teams and remote searches to become part of the fight against cybercrime in the next five years. The strategy also introduces concrete steps for closer cooperation and information exchange between law enforcement authorities and the private sector.

Cyber crime is a growing threat to our societies today. EU member states suffer thousands of attacks against their information systems daily. Viruses that steal information from personal computers, spam, identity theft, and child pornography are increasingly widespread. According to recent reports, images of sexually abused children available online quadrupled in the last five years, and half of all internet crime involves the production, distribution and sale of child pornography.

The European Commission has cooperated closely with the French Presidency and the Member States in the elaboration of a series of practical measures to fight cyber crime. The new strategy recommends reinforcing partnership between the police and the private sector by better knowledge-sharing on investigation methods and trends in cyber crime. It also encourages both parties to respond quickly to information requests, resort to remote searches, cyber patrols for online tracking of criminals and joint investigations across borders. The strategy also calls for the setting up of an alert platform in the short term, where reports on crime committed on the Internet, such as posting of illegal content, in EU member states would be pooled for cross-checking by Europol. The Commission earmarked 300,000 euro for Europol to implement the platform.

Vice-President Jacques Barrot highlighted the importance of this strategy by saying "The strategy encourages the much needed operational cooperation and information exchange between the Member States. It gives a shared responsibility to the Commission, the Member States and other stakeholders to introduce the different measures. If the strategy is to make the fight against cyber crime more efficient, all stakeholders have to be fully committed to its implementation. We are ready to support them, also financially, in their efforts."

To find out more about Vice-President Jacques Barrot's work, please visit his website:
http://ec.europa.eu/commission_barroso/barrot/welcome/default_en.htm

Tuesday, 17 February 2009

Microsoft and Girl Scouts take on online safety


Seattle Tech Report discovered that Microsoft has teamed up with Girl Scouts of the USA to create LMK ("let me know"), an online safety website for girls. There is a version for teenagers, lmk.girlscouts.org (blogs, forums, articles, quizzes, and polls), and one for parents, letmeknow.girlscouts.org (led by Internet security lawyer Parry Aftab). Subjects that are discussed include cyberbullying, predators, and social networking.

It's a girl-for-girl tech campaign that also gives parents the tools they need to protect their girls. The campaign also includes a monthly e-newsletter distributed to adults that covers the Internet safety topic the all-girl editorial board explored that month. Shannon, a member of the LMK editorial team, said it best: "Being online is a part of every teenage girl's life. Now we have a chance to teach our parents a thing or two about the real issues we face every day."

So how does Microsoft fit in? The software giant offers resources and provides online safety guidance in support of LMK. "Most teens understand the Internet and technology better than their parents," says Erika Takeuchi, product manager for Windows Client Interactive and Digital Creative Development at Microsoft. "These tools will teach parents effective ways to help protect their families from risks such as file-sharing abuse and exposure to potentially dangerous content." It's always heartening to see different organizations collaborating for the common goal of raising awareness about these issues.

By Emil Protalinski

Saturday, 14 February 2009

RFID PASScards Easily Cloned

On a recent afternoon, security researcher Chris Paget was able to capture the passport card information of several unsuspecting individuals while driving through San Francisco, using a device he built in his spare time for a total of $250. A video released by Paget shows just how easy it is to clone RFID (Radio Frequency ID) tags with this relatively simple technology.

The tags he captured are part of a new generation of ID cards that come with embedded RFID microchips. These vulnerable IDs include PASScards, new mini-passports the size of a credit card which are designed for non-air travel between the US, Canada, Mexico and the Caribbean. They also include the Enhanced Drivers' Licenses (EDLs) issued by New York, Michigan and Washington states. These cards use the same type of simple RFID tags used in shipping and pallet tracking, which allows them to be read from a distance of tens of feet under normal conditions — and UW researchers demonstrated 50 meters in some situations.

Paget's work confirms a study released by RSA Labs and the University of Washington last year, which found that the RFID tags in PASScards and EDLs were vulnerable to remote capture using widely available tools. That study pointed out that while the exposed information is only a unique number, not a name or passport number, there is still a reasonable threat to privacy, since the tags can enable location tracking, could eventually be linked to individuals, and could also be cloned into fake IDs, making identity theft easier. (The RFID tags embedded in passport books issued by the US government are somewhat more secure, with a shorter read range and some cryptographic protections.)

The same factors that make radio great for broadcasting — radio waves travel through many materials to many receivers — make it inappropriate for sensitive information, including unique ID numbers. A person carrying an unprotected RFID passport card or other ID may be broadcasting personal information or a tracking number to anyone with the right reader.

Commentary by Hugh D'Andrade