Robert Jan Mora, Principal Threat Investigator, Volexity

FF: Tell us about your background and how you ended up as a Principal Threat Investigator at Volexity?

That is an exciting story to tell, I guess. My background is that I started my career in law enforcement in the Netherlands, where I ended up as a digital forensic investigator working on major crime cases before moving to corporate life. While in law enforcement, I kept studying to improve my forensic skills. I’m naturally competitive and still want to improve my work. After some excellent jobs, such as securing the Dutch passport system and working for a financial organization, I started working as a digital forensic investigator at Hoffmann Investigations, as I missed doing investigations. That is where I learned to become a good digital forensic investigator and a proper detective. This is because you had to manage the entire investigation yourself. So, you were responsible for the digital forensic investigation and interviewing of employees (suspects), budget, etc. At the end of my Hoffmann period, I was the lead investigator of the famous DigiNotar breach in the Netherlands—one of the most interesting cyber cases the Netherlands has ever experienced. That case ended successfully in the Dutch courts.

I connected with George M. Garner Jr. during my Hoffmann time, who unfortunately died in 2017. He made the Forensic Acquisition Utilities tool, which we sometimes use to create forensic disk images over customers’ networks. But George also made another tool called KntList. With his tool, you could inspect a running system to determine if malware or a rootkit was installed. This happened around 2005, and I noticed a digital forensic challenge from the Digital Forensic Research Workshop (DFRWS) where a memory dump was made available to see if the participants could reconstruct what happened, so I informed George, and he was interested. So, we spent long nights communicating via PGP messages (George preferred that) on our progress, George in Maryland in the US, and me in Utrecht in the Netherlands. I say we, but it was primarily George who was already an expert in Windows Internals due to KntList. I learned so much from him during that challenge, for example, what an EPROCESS structure looked like and when a page of memory was still allocated in memory or paged to disk, and I’m still grateful for that.

Fortunately, I found which rootkit was used in the challenge (HackerDefender HxDef), and the reconstruction took off from there. Remember that in 2005, no memory forensic software was available to the public; it was specially made for that challenge, and George excelled in it. So, the outcome was that our analysis was one of the winners, and we could establish what happened with our analysis. Usually, a “strings” search would happen during investigations if memory was collected at all. Our submission gained a lot of traction, and shortly after the publication, AAron Walters, now the Chairman of Volexity, launched the Volatility project in 2007. There was just a small group of folks involved in progressing the field of memory forensics, as you could prove what happened with the computer from the moment the memory was acquired based on (recovered) memory structures, process lists, owners, timestamps, and all kinds of relevant artifacts. But Volatility was something else, and it was robust and open source. It was supporting multiple operating systems already.

Since the release of Volatility in 2007, I have been in good contact with AAron, who is much more social than I am and took the annual effort to keep in touch. Fast forward to 2021, when I managed Shell’s Threat and Analytics team and a large group of great analysts across different regions. AAron asked during our annual catch-up if I was interested in joining Volexity. He hit a nerve there as I missed doing the hands-on memory forensics, malware analysis, and investigations, so I said yes. And I’m thrilled that I did, as I’m now doing even more hardcore investigations and a bit of business expansion globally.

FF: For those not familiar with Volexity, can you tell us a bit about what the company does?

Volexity is mission oriented and known for tackling the most technical and challenging aspects of modern digital investigations. It’s led by a respected team of subject matter experts from the commercial, open source, government, and defense industries. Having pioneered the field of memory forensics and built the world’s most widely used memory forensics tool (Volatility), the team continues to build the next generation of digital investigation products. By combining cutting-edge research with advanced threat intelligence capabilities, we are also able to change the way traditional security services are delivered.

Volexity has an equally amazing team of practitioners that delivers MDR, Network Security Monitoring, Incident Response, and Threat Intelligence services to highly targeted organizations around the globe. While there are a lot of organizations claiming to deliver these types of services, there is a reason that Volexity is often in the news for discovering new zero-days and exposing sophisticated intrusion campaigns. Volexity generally gets the call when an organization’s leadership team is looking for concierge-level support directly from a team of experts, who literally wrote the books I used to rely on in my previous work.

FF: Tell us more about Volexity’s two solutions, Volcano and Surge.

One of the first challenges investigators face is having reliable and verifiable data acquisition capabilities, especially when it comes to volatile memory. Unfortunately, investigators often rely on open source tools that have been abandoned, or poorly maintained commercial products. As the original developers of Volatility, the team spent many years helping investigators troubleshoot corrupted memory samples or failed collection attempts. Thus, Volexity built Volexity Surge Collect Pro to provide reliable memory acquisition capabilities across Windows, Linux, and macOS. Since its launch, these capabilities have also been expanded to include file system artifacts and OS runtime state information. Surge has dedicated teams for each operating system to make sure the software is thoroughly tested and maintained. As a result, commercial and government organizations across the globe rely on Surge as a critical capability in their DFIR toolbox. Our enterprise customers also frequently integrate Surge with their existing EDRs, SOARs, or cloud security platforms to expand their digital collection capabilities.

And while many digital investigators understand that memory analysis can play a critical role in digital investigations, they often don’t have the training or the time required to effectively use those tools. After having spent almost two decades training and supporting the global Volatility community, the Volexity Volcano development team leveraged that knowledge to build a comprehensive, cross-platform, next-generation memory analysis solution. Volcano expedites analysis and operationalizes knowledge by automatically augmenting analysis with threat feeds, correlations, and an intuitive user interface. By dramatically reducing the time required for investigations, Volcano is often a critical tool for my globally distributed team to collaborate on proactive threat hunting and incident response investigations. As a recent example, memory analysis was critical in our discovery of two Ivanti Connect (Pulse) Secure zero-days.

FF: Volexity’s mission statement states that “the future of cybersecurity will depend on the industry’s ability to master the data found in volatile memory”. Why do you believe that to be the case?

Volexity believes it is important for digital investigators to leverage all available data while investigating a digital crime scene, especially when dealing with advanced adversaries and threat actors looking to evade EDRs. For years, attackers have exploited the fact that most organizations did not have the capabilities or expertise to analyze volatile memory. Thus, there was a blind spot within their organizations and attackers took advantage of it.

From a digital investigation perspective, memory acts as a data hub that can contextualize and correlate many other types of digital evidence. For example, accessed files get loaded into memory before they are processed, network data gets reassembled in memory, and anything executed by a processor will be loaded into memory. For an investigator trying to reconstruct what happened on a system, memory provides the context to connect the data and contextualize when something happened. It provides artifacts of what happened in the past and a roadmap to what could happen in the future.

Volexity believes that when memory is used effectively, it can help augment and accelerate many different aspects of digital investigations, including incident response, malware analysis, reverse engineering, and proactive threat hunting. Given the growing volume of data, the sophistication of malicious adversaries, and the increased use of encryption technology, memory will continue to play an important role in modern digital investigations.

FF: Tell us more about the challenges posed by evidence tampering malware and how memory forensics can be used in such cases.

This area concerns me greatly as we have adequately seen cases documented, such as the Indian Bhima Koregaon case, which Mark Spencer from Arsenal Consulting investigated. Still, many individuals arrested in that case are in jail, innocent, and for years already. Someone died while in custody. Last year, I wrote about these cases on my blog, www.anchorrednarratives.com, and presented them at INTERPOL and the HTCIA conference. The main difficulty is the maturity of digital forensics globally, the reluctance to use antivirus or EDR technology on acquired data from suspects, and the will or knowledge to explain what it means for the case. If law enforcement globally does not address this adequately, more individuals will fall victim to these (government) hackers that plant evidence on individuals’ computers.

If you follow the current standard forensic guidelines, you would not detect sophisticated evidence planting through malware, as no antivirus or EDR controls are systematically used on seized data. This is another reason to use memory forensics in disputed investigations, as Mark and his team did in the Bhima case. They were perfectly able to reconstruct, based on memory, how attackers planted incriminating evidence on the defendants’ computers. Even the Forensic Institute involved in this case reported that no malware was found. However, I found malware on one of the defendant’s seized media based on a hash that the Forensic Institute reported but did not identify as such. I guess if we do not address this problem in forensic guidelines by INTERPOL or Europol, innocent folks will be put in jail based on planted evidence.

FF: What does a typical day at work involve?

A typical day for me at Volexity is to process and curate intelligence in order to improve our visibility of threat actors and write intelligence reports. I also review alerts that happen in our customer environment and analyze malware samples to make proper Yara signatures. As I’m also part of the incident response team, I’m frequently involved in the thing I love: making proper forensic reconstructions for our customers’ investigations. What happened, when, and how? As Volexity protects highly targeted organizations, we often obtain never-before-seen malware during our incident response investigations, which gives us a competitive edge in our threat intelligence service. Besides contributing to the Threat and IR teams, I’m expanding my business network globally and giving presentations on the importance of memory forensics and investigations I’m involved in. My days are flying by, focusing a lot on the technical content and less on the meeting culture I experienced in a previous job.

FF: And finally, what do you enjoy in your spare time?

I love making good Texas BBQ, brisket, bavette, you name it, and eating it with my family. To stay a bit fit, I kickbox almost three times per week at the first business kickboxing club in the world, called SAKAK, which does not really translate to English well. It’s great to hit someone in the face after a long day of work! 🙂