OSDFCon 2019 Volatility 3 Public Beta

The document summarizes the Volatility 3 public beta release of the Volatility memory forensics framework. Key points include:
- Volatility 3 has been completely rewritten in Python 3 for improved performance, usability, and to support modern systems.
- New features include automatic operating system and profile detection, unified output, and native support for 32-bit processes on 64-bit kernels.
- The framework is designed to simplify integration and automation of memory analysis tasks like processing multiple samples simultaneously.
- Future development will focus on continued feature parity with Volatility 2 and adding new automated capabilities for analyzing operating systems, applications, and hooks.


Public Beta: Insider’s Preview

Mike Auty, Andrew Case | 16 October 2019 | #OSDFCon


© 2019 The Volatility Foundation
Looking Back

Volatility 2.x:
February 2006    FATKit (Digital Investigation Journal)
February 2007    VolaTools (Black Hat - Initial Public Release)
August 2007      Volatility 1.1.1 (Scanning and VAD)
August 2008      Volatility 1.3 (DFRWS Contest, OMFW, and Plugins)
January 2009     Malfind 1.0
August 2011      Volatility 2.0 (Beyond XP)
August 2012      Volatility 2.1 (Malware and 64-bits)
September 2012   Month of Volatility Plugins I
October 2012     Volatility 2.2 (Linux Support)
May 2013         Month of Volatility Plugins II
August 2013      Volatility Plugin Contest
October 2013     Volatility 2.3.1 (Mac OSX and Android ARM)
August 2014      Volatility 2.4 (Art of Memory Forensics)
September 2014   Volatility Foundation created
October 2015     Volatility 2.5 (Unified Output / Community)
December 2016    Volatility 2.6 (Windows 10 / Server 2016)

Volatility 3:
December 2011    Volatility Technology Preview (Internal Project)
October 2012     OMFW: Volatility 3.0 on Roadmap (Technology Preview)
November 2013    “Volatility Past & Present” (Volatility 3.0: Python 3/Pagefile/Performance)
December 2013    Volatility Technology Preview -> Rekall
November 2014    “Restructuring Memory” (Unified output) -> 2.5
October 2019     Volatility 3.0 Public Beta

Volatility 3 Public Beta: The Insider’s Preview © 2019 The Volatility Foundation 16 October 2019 | #OSDFCon | 2
Memory Forensics: 2006 vs. 2019

                            Then      Now
Sample size                 <= 4GB    >= 16GB (>= 128GB common)
Sample quantity             1         5+
Volatility analysis tasks   <= 10     >= 50

Operating System Release Cycles in 2019 [3, 4]

The History of Vol3

• Many novel ideas attempted and refined before being put into the stable code base

• The goal: Meet the needs of the next decade of memory analysis

What is New in Volatility 3?

• All of it

• Every line of code

• Entire framework (backend, plugins, etc.) was completely rewritten and redesigned

What is New in Volatility 3? Cont.
• Written in Python 3

• Major performance boost!
  – Natively supports multi-processing and memory caches

• Much simpler integration into other libraries and user interfaces

What is New in Volatility 3? Cont.
• No more --profile for any OS!
  – Automatic detection of profiles
  – Extraction of known-good data from debug info vs hardcoded

• 32bit apps on 64bit kernels natively supported
  – Proper Wow64 analysis!

• Automated evaluation of in-memory code

What is New for Developers?
• Extensive API documentation

• Plugins can directly call other plugins

• Plugins are versioned

• Much easier to use custom data structures and symbols

Architecture: Volatility 2 vs. Volatility 3 (layer stacks, top to bottom)

Volatility 2 (one address-space chain per plugin run):
  Plugin
    -> Process (AMD64PagedMemory)
      -> LimeAddressSpace (Physical Address Space)
        -> FileAddressSpace

Volatility 3 (a Context holding many layers side by side):
  Plugin
    -> Context
      -> Process A (Intel32e) | Process B (Intel32e) | Memory Compression (Intel32e)
        -> SwapLayer | LimeLayer (Physical Address Space) | CompressionStoreLayer
          -> FileLayer | FileLayer
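To make the layer stacking on the slide concrete, here is a toy model of it: a raw file layer at the bottom, paged "process" layers stacked on top of it, and a Context that holds all of them by name. This is an added illustration and not Volatility 3's own code; the class names, the single-level page table (real Intel32e layers walk four-level page tables) and the 16 KiB sample image are all constructed for the example.

```python
"""Toy version of the layered address-translation stack on the Volatility 3
architecture slide.  Added illustration, not Volatility 3 code: the class
names, the flat page table and the sample image are constructed here."""

PAGE_SIZE = 0x1000


class FileLayer:
    """Bottom of the stack: raw bytes addressed by physical offset.
    Stands in for FileLayer / LimeLayer, which read an image file on disk."""

    def __init__(self, name, data):
        self.name = name
        self._data = data

    def read(self, offset, length):
        if offset < 0 or offset + length > len(self._data):
            raise ValueError(f"{self.name}: read outside image at {offset:#x}")
        return self._data[offset:offset + length]


class PagedLayer:
    """Virtual layer stacked on a physical one (the slide's Intel32e process
    layers).  Reads are translated page by page, so one buffer may come from
    non-adjacent physical frames."""

    def __init__(self, name, lower, page_table):
        self.name = name
        self.lower = lower            # the layer this one depends on
        self.page_table = page_table  # virtual page number -> physical frame number

    def translate(self, vaddr):
        vpn, page_off = divmod(vaddr, PAGE_SIZE)
        frame = self.page_table.get(vpn)
        if frame is None:
            raise KeyError(f"{self.name}: page {vpn:#x} not mapped")
        return frame * PAGE_SIZE + page_off

    def read(self, vaddr, length):
        out = bytearray()
        while length:
            paddr = self.translate(vaddr)
            chunk = min(length, PAGE_SIZE - (vaddr % PAGE_SIZE))  # stop at page end
            out += self.lower.read(paddr, chunk)
            vaddr += chunk
            length -= chunk
        return bytes(out)


class Context:
    """Holds every layer by name so a plugin can ask for any of them, the way
    the Context box replaces Volatility 2's single address-space chain."""

    def __init__(self):
        self.layers = {}

    def add_layer(self, layer):
        self.layers[layer.name] = layer
        return layer


def build_sample_context():
    # Constructed 16 KiB "image": four frames filled with 'A', 'B', 'C', 'D'
    # so it is obvious which frame a read came from.
    image = bytearray(b"".join(bytes([0x41 + i]) * PAGE_SIZE for i in range(4)))
    image[3 * PAGE_SIZE - 4:3 * PAGE_SIZE] = b"PROC"   # last 4 bytes of frame 2
    image[0:4] = b"ESS!"                               # first 4 bytes of frame 0
    ctx = Context()
    physical = ctx.add_layer(FileLayer("file_layer", bytes(image)))
    # Two processes map their own virtual pages onto the same physical
    # layer, which is why both sit side by side above one file layer.
    ctx.add_layer(PagedLayer("process_a", physical, {0x10: 2, 0x11: 0}))
    ctx.add_layer(PagedLayer("process_b", physical, {0x20: 3}))
    return ctx


def read_across_pages(ctx):
    # A read straddling virtual pages 0x10 and 0x11 of process A resolves to
    # physical frames 2 and 0, so the bytes come back as "PROC" + "ESS!".
    return ctx.layers["process_a"].read(0x10 * PAGE_SIZE + PAGE_SIZE - 4, 8)


if __name__ == "__main__":
    ctx = build_sample_context()
    print(read_across_pages(ctx))                       # b'PROCESS!'
    print(ctx.layers["process_b"].read(0x20000, 4))     # b'DDDD'
```

The point to take from it is that a plugin never touches the file directly: it reads through the process layer, the process layer translates and delegates to the physical layer, and the Context is what lets several such stacks (processes, compressed memory, swap) coexist for one analysis.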

Supporting Modern and Advanced Analytics
• Automating (where possible) operating system and application support

• Automating analysis decisions beyond simply presenting data structures and raw disassembly listings

• Automating analysis of multiple samples at once

Automated Kernel Module Analysis – NDIS & Netfilter [5, 6]

Automated Version Analysis – TrueCrypt vs VeraCrypt [7, 8]

Automatic Symbol Inclusion

Automated Emulation of In-Memory Hooks [9]

Automatically Analyzing Multiple Samples

Volatility 2:
1. Run kdbgscan (or imageinfo)
2. <wait>
3. Set --profile
4. Run plugin

Volatility 3:
1. Run plugin
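Because Volatility 3 detects the profile itself, every sample needs exactly one command, which is what makes a batch run trivial to script. The wrapper below is an added example around the vol3 command line, not code from the Volatility project: it assumes a checkout with `vol.py` on the current path, a Windows sample set so that `windows.pslist` is the right plugin, and a `.raw` file extension for the images; the injectable `runner` exists so the scheduling can be exercised without a real image.

```python
"""Run one Volatility 3 plugin over a set of memory samples in parallel.
Added example, not Volatility project code.  Assumptions: `vol.py` from a
volatility3 checkout is runnable from the current directory, the samples
are Windows images (so windows.pslist applies), and images end in .raw."""
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path


def vol3_command(sample, plugin="windows.pslist", renderer="json"):
    """Single command per sample: no kdbgscan/imageinfo step, no --profile.
    `-r json` asks vol3 for its JSON renderer so the output is parseable."""
    return [sys.executable, "vol.py", "-r", renderer, "-f", str(sample), plugin]


def run_vol3(cmd):
    """Default runner: execute the command, return (exit code, stdout)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def analyze_samples(samples, plugin="windows.pslist", workers=4, runner=run_vol3):
    """Run `plugin` against every sample, `workers` samples at a time, and
    return {sample file name: runner result}.  `runner` is swappable so the
    batching can be tested offline with a stub."""
    samples = [Path(s) for s in samples]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda s: runner(vol3_command(s, plugin)), samples))
    return {s.name: r for s, r in zip(samples, results)}


if __name__ == "__main__":
    folder = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("samples")
    for name, (code, out) in analyze_samples(sorted(folder.glob("*.raw"))).items():
        print(f"== {name} (exit {code}) ==")
        print(out)
```

Threads are enough here because each worker just waits on a child process; the analysis itself runs inside vol3, which (as the earlier slide notes) does its own multi-processing and caching.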

Volatility 3.0 Licensing - Volatility Software License 1.0
• The Volatility Foundation will no longer release code under the GPL
• Short, simple, plain language copyleft license
• No philosophical agendas or drama!
• Volatility Software License 1.0
  – Grants all rights of copyright (“Freedom Zero”)
  – Requires changes to the software are shared
  – Covers content and data
• Legal Advisor: Heather Meeker
• License Inspiration
  – API Copyleft License (Kyle E. Mitchell)
  – Nmap Public Source License

Looking Forward

Volatility 3:
August 2020            Volatility 3.0 Official Release
August 2021 - future   Feature parity/new & unique capabilities; Volatility development & support ONLY for 3.x

Volatility 2.x:
2020 - August 2021     Plugin & operating system updates
August 2021            Development & support for 2.x ends

Start Using It and Get Involved!
• https://www.github.com/volatilityfoundation/volatility3

• https://volatility3.rtfd.io/

• https://www.volatilityfoundation.org/slack

• https://lists.volatilityfoundation.org/pipermail/vol-users/

References
[1] https://www.blackhat.com/presentations/bh-dc-07/Walters/Paper/bh-dc-07-Walters-WP.pdf
[2] https://www.volatilityfoundation.org/20
[3] https://docs.microsoft.com/en-us/windows/deployment/update/waas-quick-start
[4] https://www.kernelnewbies.org
[5] https://artemonsecurity.com/snake_whitepaper.pdf
[6] https://github.com/f0rb1dd3n/Reptile/
[7] https://volatility-labs.blogspot.com/2014/01/truecrypt-master-key-extraction-and.html
[8] https://www.veracrypt.fr/en/Downloads.html
[9] http://dfrws.org/conferences/dfrws-usa-2019/sessions/hooktracer-system-automated-and-accessible-api-hooks-analysis
