Jamie, you’re currently working on the Volatility project. Tell us a bit more about the project and its aims.
The Volatility Framework is an open source project that allows people to analyze memory samples from various operating systems and hardware architectures. It’s written in Python, which allows you to take advantage of the abundance of libraries that currently exist for forensic and reverse engineering purposes; this also allows you to run it from any operating system that has Python installed. Volatility allows you to view the memory sample as the operating system sees it (similar to WinDBG), but it also allows you to carve for objects in unallocated memory (that are inaccessible to traditional debuggers). Volatility has an easy to use API, so you can easily extend it to your needs and build custom plugins for new artifacts as well.
Currently, the project has 5 core developers, including myself. The others are: Aaron Walters, Michael Auty, Andrew Case and Michael Ligh. We also have a large community of people who contribute plugins, bug fixes, documentation and support. We love to see new people get involved!
Our aims are to continue research in this space and add new functionality as necessary, continue development on this open source project and to continue to make Volatility available, extendable and useable by the community at large.
What would you say are the main challenges in memory forensics? How does Volatility address them?
The main challenges in memory forensics are often related to the fact that memory resident artifacts are frequently and radically changing. Examples include new operating system versions, new adversarial methodologies, and changes in application artifacts.
The architecture of Volatility was designed with modularity in mind. It’s easy to add profiles for new operating systems, address spaces for new types of data, and plugins for different types of artifacts. Also, since each profile, address space, and plugin is a class, you can inherit any of these items and change any of the inherited attributes, as needed, in order to accommodate updates.
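The two ideas above (the OS's own view of memory versus carving unlinked objects, and profiles, address spaces and plugins as overridable classes) in a small self-contained sketch. This is an added illustration, not Volatility's code or API: the `_PROC` layout, the `Proc` pool tag, the address-space classes and the dump contents are all constructed for the example.

```python
import struct

class Profile:
    """Hypothetical _PROC layout (constructed); a new OS build is a subclass."""
    POOL_TAG, SIZE = b"Proc", 32
    OFF_PID, OFF_NAME, NAME_LEN, OFF_NEXT = 4, 8, 16, 24
class ProfileV2(Profile):
    """Newer build moved the pid field; everything else is inherited."""
    OFF_PID = 28

class FlatAddressSpace:
    """Raw dump: the byte at offset N is the byte at address N."""
    def __init__(self, data): self.data = data
    def read(self, addr, n): return bytes(self.data[addr:addr + n])
class HeaderAddressSpace(FlatAddressSpace):
    """Same dump behind a fixed capture header; only translation changes."""
    HEADER = 0x100
    def read(self, addr, n): return super().read(addr + self.HEADER, n)

def read_proc(asp, addr, prof):
    raw = asp.read(addr, prof.SIZE)
    pid = struct.unpack_from("<I", raw, prof.OFF_PID)[0]
    name = raw[prof.OFF_NAME:prof.OFF_NAME + prof.NAME_LEN].split(b"\0", 1)[0]
    return pid, name.decode(), struct.unpack_from("<I", raw, prof.OFF_NEXT)[0]

def pslist(asp, head, prof):
    """Plugin 1: walk the OS's own linked list, as a debugger would."""
    out, addr = [], head
    while addr:
        pid, name, addr = read_proc(asp, addr, prof)
        out.append((pid, name))
    return out

def psscan(asp, prof, size):
    """Plugin 2: carve every object carrying the pool tag, linked or not."""
    return [read_proc(asp, a, prof)[:2] for a in range(0, size - prof.SIZE, 4)
            if asp.read(a, 4) == prof.POOL_TAG]

def build_sample(prof, header=0):
    """Constructed dump: two listed processes plus one unlinked one."""
    mem = bytearray(header + 0x1000)
    for addr, pid, name, nxt in [(0x200, 4, b"System", 0x300),
                                 (0x300, 100, b"svc.exe", 0),
                                 (0x800, 666, b"hidden.exe", 0)]:  # unlinked
        base = header + addr
        mem[base:base + 4] = prof.POOL_TAG
        struct.pack_into("<I", mem, base + prof.OFF_PID, pid)
        mem[base + prof.OFF_NAME:base + prof.OFF_NAME + prof.NAME_LEN] = name.ljust(prof.NAME_LEN, b"\0")
        struct.pack_into("<I", mem, base + prof.OFF_NEXT, nxt)
    return mem
```

Comparing `psscan` against `pslist` surfaces the unlinked object, and running the old profile against the newer layout returns wrong pids, which is why a profile per OS build matters.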
Tell us about your plugin contest. How can people get involved?
We have a yearly plugin contest in which the top winners receive cash prizes. We’ve been lucky to have a good turnout each year so far. This year’s contest just closed with several really good entries. We plan to announce the winners at the upcoming Open Source Digital Forensics Conference.
Last year’s winners included:
– Dave Lasalle’s Forensic Suite (14 plugins for recovering Firefox and Chrome activities, Java IDX files, and other whitelisting and fuzzy hashing capabilities).
– Curtis Carmony’s plugin to extract dm-crypt disk encryption keys from Linux (and potentially Android) memory dumps.
– Adam Bridge’s editbox plugin to recover the text within edit controls of GUI applications on Windows.
More information can be found here.
It’s easy to get involved: the project is open source and readily available on GitHub. We also have a lot of documentation on the GitHub wiki. My suggestion would be to review the documentation on how Volatility is used, play around with it, come up with a topic you’d want to solve and study the source code. If you have questions, we are readily available by email or our users' list to answer them.
Volatility also provides malware and memory forensics training. Could you tell us about the courses available, and what students can hope to gain from them?
This is an intense 5-day training course for those who want to understand how memory forensics tools actually work and how to utilize them to get the most out of your investigations. We cover everything from acquisition and using traditional forensics artifacts found in memory ($Mft, Registry keys, files), to advanced malware analysis. Information about the course is available on our website.
Students will gain a deeper understanding of Windows memory internals and will be ready to tackle any type of investigation involving memory. It’s a unique opportunity to learn memory forensics from the people who have spent the last 10 years writing the tools and actively using memory during investigations.
2015 has been an exciting year for the Volatility project, with training now available on three continents. What are your plans for the near future? What can we expect to see over the next year or so?
It has been exciting! We’ve completed trainings in the UK, Amsterdam, Australia and several locations in the US in the last year. Trainings for next year are still in planning, but we plan to travel to Europe and elsewhere again.
We also plan to keep pushing the Volatility project forward even harder now. We have Volatility 3.0 coming out sometime next year, which we’re very excited about. This version is compliant with Python 3.0 and will include several optimizations and new features.
It’s hard to say exactly what lies out on the horizon, but until we have every bit accounted for in RAM, there’s a lot of work left to accomplish!
Do you have any tips for people who are thinking about digital forensics as a future career choice?
Start reading some of the books on Andrew Case’s book list if you haven’t already. They’re a great resource and will help you get a good background in the field.
Also, learn a programming language, if you can. Not only will this be useful to you in the field, but it will also help focus your analytical thinking, which is an important aspect of working in digital forensics.
I also recommend getting involved in open source projects. There are plenty to choose from, including Sleuthkit, Volatility, any of Willi Ballenthin’s tools, RegRipper, etc. Even if you don’t program, these projects need testers, bug reports, documentation, and many other non-programming tasks done as well. Just the interaction with others who share your interest is enough to keep you engaged and wanting to learn more.
What do you think the next developments will be in memory forensics?
The sky’s the limit. I believe that we’ll see more focus on user space applications, as we saw in last year’s plugin contest, as well as focus on making sense of data across multiple machines in a more efficient manner.
Related to the latter, we’ve been working on ways to hunt across machines in order to uncover threat activity. There’s already a shift in being proactive in order to minimize potential damage. The idea has been talked about in several venues; I gave a talk on this at OMFW a while back, and Andrew just gave a couple of talks on this as well (see YouTube and BlackHat).
As targeted attacks are becoming more and more abundant, intelligent hunting will be key in the future of DFIR.
What do you do to relax when you’re not working?
I spend a lot of my free time gardening and hiking out in the woods. It’s absolutely peaceful and beautiful outside amongst the trees. It’s amazing, the creative ideas that can spring into your head when you’re given a chance to restart like that.
Jamie Levy is a core developer at Volatility, an open-source memory analysis project which also provides training on Windows malware and memory forensics.