Forensic Memory Analysis of Android's Dalvik Virtual Machine
Download as pptx, pdf12 likes4,696 views
This document summarizes a presentation on analyzing the memory of the Dalvik virtual machine used in Android. It discusses acquiring Android phone memory, locating key data structures in Dalvik like loaded classes and instance fields, and analyzing specific Android applications to recover data like call histories, text messages, browser sessions, and wireless network information. The goal is to extract runtime information and data from Android apps through memory forensics.
1 of 47
Downloaded 264 times
![What is Dalvik?Dalvik is the software VM for all Android applicationsNearly identical to the Java Virtual Machine (JVM) [1]Open source, written in C / Java4](https://image.slidesharecdn.com/android-110615212515-phpapp02/85/Forensic-Memory-Analysis-of-Android-s-Dalvik-Virtual-Machine-4-320.jpg)
![Memory Forensics IntroductionMemory forensics is vital to orderly recovery of runtime informationUnstructured methods (strings, grep, etc) are brittle and only recover superficial infoStructured methods allow for recovery of data structures, variables, and code from memoryPrevious work at operating system level led to recovery of processes, open files, network connections, etc [4,5]6](https://image.slidesharecdn.com/android-110615212515-phpapp02/85/Forensic-Memory-Analysis-of-Android-s-Dalvik-Virtual-Machine-6-320.jpg)
![Memory Analysis ProcessFirst, need to acquire memory Acquisition depends on environment [6]Next, requires locating information in memory and interpreting it correctlyAlso requires re-implementing functionality offlineThen it needs to be displayed in a useful way to the investigator7](https://image.slidesharecdn.com/android-110615212515-phpapp02/85/Forensic-Memory-Analysis-of-Android-s-Dalvik-Virtual-Machine-7-320.jpg)
![Acquiring Memory – Approach 2Memory can be acquired on a per-process basisEnsures that all pages of the process will be acquiredEasiest to perform with memfetch[8]After a few small changes, was statically compiled for ARMNo unmapped pages will be recovered thoughHeap and GC don’t munmap immediately11](https://image.slidesharecdn.com/android-110615212515-phpapp02/85/Forensic-Memory-Analysis-of-Android-s-Dalvik-Virtual-Machine-11-320.jpg)
![Analyzing C vs JavaMost previous forensics research has had the “luxury” of analyzing CNearly 1:1 mapping of code/data to in-memory layoutDeclaration of a C “string”char buffer[] = “Hello World”;Memory Layout (xxd)4865 6c6c 6f20 576f 726c 6400 Hello World.12](https://image.slidesharecdn.com/android-110615212515-phpapp02/85/Forensic-Memory-Analysis-of-Android-s-Dalvik-Virtual-Machine-12-320.jpg)
![Records offsets of global variables3) Example structure definition'ClassObject': [ 0xa0, { Class name and size 'obj': [0x0, ['Object']], member name, offset, and type16](https://image.slidesharecdn.com/android-110615212515-phpapp02/85/Forensic-Memory-Analysis-of-Android-s-Dalvik-Virtual-Machine-17-320.jpg)
![Methods in Memory vs on DiskDalvik makes a number of runtime optimizations [1]Example: When class members are accessed (iget, iput) the field table index is replaced with the direct byte offsetWould likely need to undo some of the optimizations to get complete baksmali output 25](https://image.slidesharecdn.com/android-110615212515-phpapp02/85/Forensic-Memory-Analysis-of-Android-s-Dalvik-Virtual-Machine-26-320.jpg)
![Finding Data StructuresCan save substantial time by using adb’slogcat(next slide)Shows the classes and often methods involved in handling UI eventsOtherwise, need to examine source codeSome applications are open sourceOthers can be “decompiled” with baksmali [9]28](https://image.slidesharecdn.com/android-110615212515-phpapp02/85/Forensic-Memory-Analysis-of-Android-s-Dalvik-Virtual-Machine-29-320.jpg)
![ImplementationRecovery code written as Volatility [7] pluginsMost popular memory analysis frameworkHas support for all Windows versions since XP and 2.6 Intel LinuxNow also supports ARM Linux/AndroidMakes rapid development of memory analysis capabilities simpleAlso can be used for analyzing other binary formats41](https://image.slidesharecdn.com/android-110615212515-phpapp02/85/Forensic-Memory-Analysis-of-Android-s-Dalvik-Virtual-Machine-42-320.jpg)
![Future Avenues of ResearchNumerous applications with potentially interesting informationToo much to manually dig through Need automationBaksmali/Volatility/logcat integration?Automated determination of interesting evidence across the whole systemCombing work done in [2] and [3]44](https://image.slidesharecdn.com/android-110615212515-phpapp02/85/Forensic-Memory-Analysis-of-Android-s-Dalvik-Virtual-Machine-45-320.jpg)
![References - 1[1] http://bit.ly/dalvikvsjava[2] Brendan Dolan-Gavitt, et al, “Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection”, IEEE Security and Privacy, 2011[3] TaintDroid, http://www.appanalysis.org/[4] http://bit.ly/windowsmemory [5] http://bit.ly/linuxmem [6] http://bit.ly/memimaging[7] http://code.google.com/p/volatility/[8] http://lcamtuf.coredump.cx/soft/memfetch.tgz46](https://image.slidesharecdn.com/android-110615212515-phpapp02/85/Forensic-Memory-Analysis-of-Android-s-Dalvik-Virtual-Machine-47-320.jpg)
Ad
Recommended
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve This document discusses acquiring and analyzing volatile memory from Android devices. It provides an overview of traditional Linux memory forensics and the challenges with analyzing Android memory. It introduces the tools LiME and Volatility for acquiring memory from a running Android device and then analyzing that memory image. It demonstrates how to use these tools to extract useful forensic artifacts like processes, network connections, and files.
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case The document summarizes research on analyzing the memory of the Dalvik virtual machine used in Android. It describes acquiring memory from Android devices, locating key data structures in memory like loaded classes and their fields, and analyzing specific Android applications to recover data like call histories, text messages, and location information. The goal is to develop forensics capabilities for investigating Android devices through memory analysis.
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos The document discusses live memory forensics for Android devices, detailing phases like data acquisition, analysis, and presentation, while emphasizing the importance of volatile data analysis. It explains the tools and methodologies for analyzing processes, memory structures, and artifacts to detect potentially malicious activities, including malware behavior and rootkit identification. Additionally, the document describes the use of the Volatility framework and custom plugins for extracting sensitive data from Android applications, highlighting the challenges and techniques in digital forensics within a mobile context.
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Andrew Case My presentation from RSA 2013 on using memory forensics to defeat advanced malware, encryption, and skilled attackers
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseTakahiro Haruyama The document discusses performing memory forensic analysis on Windows systems using EnCase, including acquiring memory images using tools like WinEn and MoonSols Windows Memory Toolkit, and analyzing the images using EnScripts to extract information on processes, modules, and open files through techniques like traversing kernel data structures and searching for object fingerprints. Hands-on examples are provided to demonstrate acquiring memory from a system and analyzing it using EnScripts to identify processes and differences before and after terminating a process.
Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityAndrew Case This document summarizes Linux memory analysis capabilities in the Volatility framework. It discusses general plugins that recover process, network, and system information from Linux memory images. It also describes techniques for detecting rootkits by leveraging kmem_cache structures and recovering hidden processes. Additionally, it covers analyzing live CDs by recovering the in-memory filesystem and analyzing Android memory images at both the kernel and Dalvik virtual machine levels.
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityAndrew Case The document discusses the development of memory analysis tools for Mac systems using Volatility, highlighting the lack of robust tools for deep memory analysis prior to this project. It covers various aspects of memory forensic techniques, including memory acquisition, process recovery, and rootkit detection on Mac OS, as well as the architectural differences in Mac's memory management. The presentation culminates with the conclusion that Volatility now supports comprehensive Mac analysis and invites further developments.
Next Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case This document provides an overview of the Volatility memory forensics framework. It discusses the Volatility Foundation, which supports development of the open-source Volatility tool. It highlights new features in Volatility 2.4, including improved support for Windows, Linux, MacOS, and analyzing application artifacts from programs like Chrome, Firefox, and Notepad. It outlines the Volatility roadmap and concludes by discussing the 2014 Volatility Plugin Contest winners, whose new plugins will enhance Volatility's capabilities.
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case The document outlines a talk on using memory forensics with the Volatility framework to detect and analyze rootkits on macOS systems. It emphasizes the importance of memory forensics in capturing volatile data that is often not written to disk, discusses various analysis plugins and capabilities for macOS versions, and provides examples of how to extract information from memory dumps. The session aims to raise awareness of the ways advanced malware operates in memory and how to efficiently discover these threats.
Malware analysis using volatility
Malware analysis using volatilityYashashree Gund Volatility is an open source memory forensics tool that analyzes RAM dumps to detect malware. It supports Windows, Linux, Mac and Android and uses plugins to parse memory images and extract useful information. Some key things Volatility can do include detecting injected code, unpacked files, hooks, and kernel driver modifications left by malware in memory. It allows analyzing ransomware locked systems, unpacking encrypted files, and dumping executable content of running processes for further reverse engineering.
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel The document provides an overview of memory forensics and the Rekall memory analysis tool. It discusses why memory forensics is useful, describes how Rekall supports multiple operating systems through profiles, and covers memory imaging, virtual memory concepts, and analyzing live memory. Rekall's interfaces like the command line, console, notebook, and web console are also introduced.
Memory forensics
Memory forensicsSunil Kumar This document discusses computer memory forensics. It explains that memory forensics involves acquiring volatile memory contents from RAM and preserving them for later forensic analysis. The document outlines the different types of forensic analysis that can be performed on memory contents, including storage, file system, application, and network analysis. It also discusses the challenges of memory forensics, such as anti-forensic techniques used by malware to hide processes, drivers, and other artifacts in memory.
(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensicsINSIGHT FORENSIC This document discusses Linux memory forensics and provides an overview of tools and techniques for acquiring and analyzing memory. It begins by covering live forensics commands and then discusses memory forensics in more depth. Several open source tools for dumping physical memory are described, including fmem and LiME, as well as tools for analyzing memory images like Foriana and Volatilitux. Commercial memory analysis solutions are also briefly mentioned.
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityAndrew Case This document outlines a workshop focused on Linux memory analysis using the Volatility framework, led by Andrew Case. Participants will learn to recover vital runtime information, investigate live CDs, and detect kernel rootkits through practical demonstrations and examples. The workshop emphasizes the importance of memory analysis in digital forensics, particularly in scenarios where traditional disk imaging is unfeasible.
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case The document discusses memory forensics, particularly through the use of the Volatility Framework to analyze volatile memory in order to recover digital artifacts and evidence from compromised systems. It highlights the capabilities of malware, specifically Careto, which operates in memory to hide processes and exfiltrate data while avoiding detection, and details methodologies for identifying anomalies related to this type of malware. The document presents examples of command outputs from memory analysis that illustrate the extraction of processes, network connections, and malware components.
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama The document proposes a one-byte modification method to potentially abort memory forensic analysis tools without impacting the running system or hiding specific objects. It identifies three sensitive operations in memory analysis: 1) virtual address translation in kernel space, 2) guessing the OS version and architecture, and 3) getting kernel objects like processes. For each operation, it outlines how top tools like Volatility and Memoryze perform the operation and identifies specific "abort factors", or one-byte values that could be modified to abort the analysis without direct detection. Modifying these factors could stop analysis tools from functioning properly without blue screening the system or hiding specific objects.
I Know You Want Me - Unplugging PlugX
I Know You Want Me - Unplugging PlugXTakahiro Haruyama The document analyzes and classifies 123 PlugX malware samples into 7 groups based on their configurations and relationships to known targeted attacks. The largest group is "Starter" with 24 samples, followed by "*Sys" with 20 samples. Various techniques are used to associate samples, including matching registry values, domains, IP addresses, debug strings, and network ranges. Many samples in the "*Sys" and "WS" groups are found to share the same owner, domains, or network.
Winnti Polymorphism
Winnti PolymorphismTakahiro Haruyama The document explores the Winnti malware, associated with a Chinese threat actor since 2009, detailing its components, execution flow, and evolving tactics for cybercrime and espionage. The presentation emphasizes recent findings including its polymorphic nature and targets, which now extend beyond the gaming and pharmaceutical industries to sectors like chemicals and telecommunications. The analysis includes methods for extracting target information and highlights the challenges in identifying its campaign targets, while also referencing notable cases and past research on the subject.
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]RootedCON The document discusses kernel exploitation. It begins with an introduction to basic kernel concepts like virtual memory and mitigations like SMAP, SMEP, and KPTI. It then covers topics like basic kernel exploitation through NULL pointer dereferences, dynamic memory management techniques like kmem caches and allocators, and real world exploitation using use-after-free vulnerabilities and doubly linked lists. The presentation uses examples to illustrate concepts at a high level since each topic could be its own full talk.
REMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of ArtifactsRhydham Joshi This document is a tutorial on using Remnux, a Linux toolkit designed for the reverse-engineering and analysis of malware. It covers the extraction and decoding of artifacts, various deobfuscation tools, and forensic investigation practices, including imaging drives and file carving software. The content is aimed at enhancing skills in malware analysis and forensic investigations through practical examples and tool usage.
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin The document presents a method called memorymonrwx for detecting kernel-mode rootkits by controlling memory access in real-time. The authors, Igor Korkin and Satoshi Tanda, discuss various malware types and their ability to evade existing security measures, emphasizing the need for proactive monitoring. The proposed system leverages Intel VT-x with extended page tables to intercept and manage memory accesses, aiming to enhance digital security and protect against malware and unauthorized actions.
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseTakahiro Haruyama The document discusses generating volatile indicators of compromise (IOCs) from memory forensics to aid in fast malware triage. It analyzes common malware like ZeuS, SpyEye, PoisonIvy, and ZeroAccess to identify useful IOCs like code injection signs, imported functions, obfuscated strings, and protocol-related strings. Generated IOCs are defined using the OpenIOC framework. While effective, OpenIOC has limitations and room for improvement through automation, open sourcing, and integrating with other specifications.
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON This document discusses using PowerShell for digital forensics and incident response. It provides an overview of traditional forensic techniques like imaging and collection scripts. It then introduces PowerForensics, a PowerShell-based forensic toolkit that aims to provide a centralized, forensically sound, and operationally fast approach to live response. The document demonstrates PowerForensics by walking through the investigation of a mock incident where an internal system was compromised. It concludes by discussing future areas of development for PowerForensics and forensic tools more broadly.
44CON London 2015: NTFS Analysis with PowerForensics
44CON London 2015: NTFS Analysis with PowerForensicsJared Atkinson The document provides a comprehensive overview of NTFS analysis using PowerShell, detailing the functionalities of various cmdlets for forensic investigation. It emphasizes the importance of being forensically sound while collecting data, and illustrates the capabilities of the PowerForensics toolkit for examining disk structures and file systems. Key topics include raw access to physical drives, handling master boot records, analyzing the Master File Table, and utilizing alternate data streams for security purposes.
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionIgor Korkin The document discusses the application of memory forensics in detecting rootkits, focusing on techniques for malware analysis and the challenges faced in terms of detecting hidden processes and drivers. It introduces the Mashka tool, which utilizes specific algorithms and byte-to-byte search methodologies to improve the detection of rootkits compared to existing tools. The text also highlights various memory dump approaches and the potential vulnerabilities associated with them, as well as different detection strategies for processes and drivers.
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documentsRhydham Joshi The document is a comprehensive tutorial on analyzing malicious PDF and Microsoft Office documents, detailing various tools and techniques used in forensic investigations. It covers PDF analysis with tools like peepdf, origami framework, and pdf-parser, as well as Microsoft Office document analysis using officemalscanner. Additionally, it discusses shellcode extraction and analysis methods, emphasizing the importance of identifying malicious code within documents.
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRhydham Joshi The document provides a comprehensive tutorial on using Remnux, a Linux toolkit for reverse-engineering and analyzing portable executables (PE) for malware detection. It covers various tools and techniques including entropy analysis, unpacking tools like UPX and Density Scout, and anomaly detection tools such as Pescanner and Exescan, emphasizing their roles in identifying and analyzing malicious software. Additionally, it discusses the principles of static analysis and provides links to related resources and tools.
Forensics of a Windows System
Forensics of a Windows SystemConferencias FIST The document discusses computer forensics in the context of investigating a Windows system. It outlines the process of gathering volatile data like memory contents and network connections using tools run from a trusted CD. Non-volatile data like the filesystem is acquired by imaging the entire disk. Timeline analysis uses data from files, registry keys and logs to determine when files and events occurred. The goal is to methodically identify and preserve digital evidence while following forensic standards.
Lect1.pptx
Lect1.pptxmuhammadRamzan816406 The document discusses algorithms and data structures. It begins by introducing common data structures like arrays, stacks, queues, trees, and hash tables. It then explains that data structures allow for organizing data in a way that can be efficiently processed and accessed. The document concludes by stating that the choice of data structure depends on effectively representing real-world relationships while allowing simple processing of the data.
DotNet Introduction
DotNet IntroductionWei Sun The document discusses various topics related to .NET Framework and C#. It provides definitions of concepts like framework, CLR, and comparisons between C# and other languages. It also includes code examples in C# and Java for calculating directory size recursively. Quizzes are included to test understanding.
More Related Content
What's hot (20)
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case The document outlines a talk on using memory forensics with the Volatility framework to detect and analyze rootkits on macOS systems. It emphasizes the importance of memory forensics in capturing volatile data that is often not written to disk, discusses various analysis plugins and capabilities for macOS versions, and provides examples of how to extract information from memory dumps. The session aims to raise awareness of the ways advanced malware operates in memory and how to efficiently discover these threats.
Malware analysis using volatility
Malware analysis using volatilityYashashree Gund Volatility is an open source memory forensics tool that analyzes RAM dumps to detect malware. It supports Windows, Linux, Mac and Android and uses plugins to parse memory images and extract useful information. Some key things Volatility can do include detecting injected code, unpacked files, hooks, and kernel driver modifications left by malware in memory. It allows analyzing ransomware locked systems, unpacking encrypted files, and dumping executable content of running processes for further reverse engineering.
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel The document provides an overview of memory forensics and the Rekall memory analysis tool. It discusses why memory forensics is useful, describes how Rekall supports multiple operating systems through profiles, and covers memory imaging, virtual memory concepts, and analyzing live memory. Rekall's interfaces like the command line, console, notebook, and web console are also introduced.
Memory forensics
Memory forensicsSunil Kumar This document discusses computer memory forensics. It explains that memory forensics involves acquiring volatile memory contents from RAM and preserving them for later forensic analysis. The document outlines the different types of forensic analysis that can be performed on memory contents, including storage, file system, application, and network analysis. It also discusses the challenges of memory forensics, such as anti-forensic techniques used by malware to hide processes, drivers, and other artifacts in memory.
(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensicsINSIGHT FORENSIC This document discusses Linux memory forensics and provides an overview of tools and techniques for acquiring and analyzing memory. It begins by covering live forensics commands and then discusses memory forensics in more depth. Several open source tools for dumping physical memory are described, including fmem and LiME, as well as tools for analyzing memory images like Foriana and Volatilitux. Commercial memory analysis solutions are also briefly mentioned.
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityAndrew Case This document outlines a workshop focused on Linux memory analysis using the Volatility framework, led by Andrew Case. Participants will learn to recover vital runtime information, investigate live CDs, and detect kernel rootkits through practical demonstrations and examples. The workshop emphasizes the importance of memory analysis in digital forensics, particularly in scenarios where traditional disk imaging is unfeasible.
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case The document discusses memory forensics, particularly through the use of the Volatility Framework to analyze volatile memory in order to recover digital artifacts and evidence from compromised systems. It highlights the capabilities of malware, specifically Careto, which operates in memory to hide processes and exfiltrate data while avoiding detection, and details methodologies for identifying anomalies related to this type of malware. The document presents examples of command outputs from memory analysis that illustrate the extraction of processes, network connections, and malware components.
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama The document proposes a one-byte modification method to potentially abort memory forensic analysis tools without impacting the running system or hiding specific objects. It identifies three sensitive operations in memory analysis: 1) virtual address translation in kernel space, 2) guessing the OS version and architecture, and 3) getting kernel objects like processes. For each operation, it outlines how top tools like Volatility and Memoryze perform the operation and identifies specific "abort factors", or one-byte values that could be modified to abort the analysis without direct detection. Modifying these factors could stop analysis tools from functioning properly without blue screening the system or hiding specific objects.
I Know You Want Me - Unplugging PlugX
I Know You Want Me - Unplugging PlugXTakahiro Haruyama The document analyzes and classifies 123 PlugX malware samples into 7 groups based on their configurations and relationships to known targeted attacks. The largest group is "Starter" with 24 samples, followed by "*Sys" with 20 samples. Various techniques are used to associate samples, including matching registry values, domains, IP addresses, debug strings, and network ranges. Many samples in the "*Sys" and "WS" groups are found to share the same owner, domains, or network.
Winnti Polymorphism
Winnti PolymorphismTakahiro Haruyama The document explores the Winnti malware, associated with a Chinese threat actor since 2009, detailing its components, execution flow, and evolving tactics for cybercrime and espionage. The presentation emphasizes recent findings including its polymorphic nature and targets, which now extend beyond the gaming and pharmaceutical industries to sectors like chemicals and telecommunications. The analysis includes methods for extracting target information and highlights the challenges in identifying its campaign targets, while also referencing notable cases and past research on the subject.
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]RootedCON The document discusses kernel exploitation. It begins with an introduction to basic kernel concepts like virtual memory and mitigations like SMAP, SMEP, and KPTI. It then covers topics like basic kernel exploitation through NULL pointer dereferences, dynamic memory management techniques like kmem caches and allocators, and real world exploitation using use-after-free vulnerabilities and doubly linked lists. The presentation uses examples to illustrate concepts at a high level since each topic could be its own full talk.
REMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of ArtifactsRhydham Joshi This document is a tutorial on using Remnux, a Linux toolkit designed for the reverse-engineering and analysis of malware. It covers the extraction and decoding of artifacts, various deobfuscation tools, and forensic investigation practices, including imaging drives and file carving software. The content is aimed at enhancing skills in malware analysis and forensic investigations through practical examples and tool usage.
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin The document presents a method called memorymonrwx for detecting kernel-mode rootkits by controlling memory access in real-time. The authors, Igor Korkin and Satoshi Tanda, discuss various malware types and their ability to evade existing security measures, emphasizing the need for proactive monitoring. The proposed system leverages Intel VT-x with extended page tables to intercept and manage memory accesses, aiming to enhance digital security and protect against malware and unauthorized actions.
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseTakahiro Haruyama The document discusses generating volatile indicators of compromise (IOCs) from memory forensics to aid in fast malware triage. It analyzes common malware like ZeuS, SpyEye, PoisonIvy, and ZeroAccess to identify useful IOCs like code injection signs, imported functions, obfuscated strings, and protocol-related strings. Generated IOCs are defined using the OpenIOC framework. While effective, OpenIOC has limitations and room for improvement through automation, open sourcing, and integrating with other specifications.
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON This document discusses using PowerShell for digital forensics and incident response. It provides an overview of traditional forensic techniques like imaging and collection scripts. It then introduces PowerForensics, a PowerShell-based forensic toolkit that aims to provide a centralized, forensically sound, and operationally fast approach to live response. The document demonstrates PowerForensics by walking through the investigation of a mock incident where an internal system was compromised. It concludes by discussing future areas of development for PowerForensics and forensic tools more broadly.
44CON London 2015: NTFS Analysis with PowerForensics
44CON London 2015: NTFS Analysis with PowerForensicsJared Atkinson The document provides a comprehensive overview of NTFS analysis using PowerShell, detailing the functionalities of various cmdlets for forensic investigation. It emphasizes the importance of being forensically sound while collecting data, and illustrates the capabilities of the PowerForensics toolkit for examining disk structures and file systems. Key topics include raw access to physical drives, handling master boot records, analyzing the Master File Table, and utilizing alternate data streams for security purposes.
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionIgor Korkin The document discusses the application of memory forensics in detecting rootkits, focusing on techniques for malware analysis and the challenges faced in terms of detecting hidden processes and drivers. It introduces the Mashka tool, which utilizes specific algorithms and byte-to-byte search methodologies to improve the detection of rootkits compared to existing tools. The text also highlights various memory dump approaches and the potential vulnerabilities associated with them, as well as different detection strategies for processes and drivers.
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documentsRhydham Joshi The document is a comprehensive tutorial on analyzing malicious PDF and Microsoft Office documents, detailing various tools and techniques used in forensic investigations. It covers PDF analysis with tools like peepdf, origami framework, and pdf-parser, as well as Microsoft Office document analysis using officemalscanner. Additionally, it discusses shellcode extraction and analysis methods, emphasizing the importance of identifying malicious code within documents.
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRhydham Joshi The document provides a comprehensive tutorial on using Remnux, a Linux toolkit for reverse-engineering and analyzing portable executables (PE) for malware detection. It covers various tools and techniques including entropy analysis, unpacking tools like UPX and Density Scout, and anomaly detection tools such as Pescanner and Exescan, emphasizing their roles in identifying and analyzing malicious software. Additionally, it discusses the principles of static analysis and provides links to related resources and tools.
Forensics of a Windows System
Forensics of a Windows SystemConferencias FIST The document discusses computer forensics in the context of investigating a Windows system. It outlines the process of gathering volatile data like memory contents and network connections using tools run from a trusted CD. Non-volatile data like the filesystem is acquired by imaging the entire disk. Timeline analysis uses data from files, registry keys and logs to determine when files and events occurred. The goal is to methodically identify and preserve digital evidence while following forensic standards.
Similar to Forensic Memory Analysis of Android's Dalvik Virtual Machine (20)
Lect1.pptx
Lect1.pptxmuhammadRamzan816406 The document discusses algorithms and data structures. It begins by introducing common data structures like arrays, stacks, queues, trees, and hash tables. It then explains that data structures allow for organizing data in a way that can be efficiently processed and accessed. The document concludes by stating that the choice of data structure depends on effectively representing real-world relationships while allowing simple processing of the data.
DotNet Introduction
DotNet IntroductionWei Sun The document discusses various topics related to .NET Framework and C#. It provides definitions of concepts like framework, CLR, and comparisons between C# and other languages. It also includes code examples in C# and Java for calculating directory size recursively. Quizzes are included to test understanding.
Daniel Krasner - High Performance Text Processing with Rosetta
Daniel Krasner - High Performance Text Processing with Rosetta PyData The document discusses efficient text processing techniques using Python, focusing on memory management and processing speed improvements. It explores challenges in document handling, such as diverse formats and large data sets, and offers solutions including streaming data and using appropriate data structures. The presentation also touches on machine learning applications, semantic modeling, and parallel computing for text analysis.
Interview Question of Aspdotnet
Interview Question of AspdotnetMohitKumar1985 The CLR is the runtime that converts MSIL code to native machine code. It provides services like memory management, security, and exception handling. A CLR host loads the CLR into a process and creates application domains to execute user code. The CTS defines a common type system that facilitates cross-language integration and type safety. The CLS specifies rules for language integration so code written in different .NET languages can interoperate.
Dotnetintroduce 100324201546-phpapp02
Dotnetintroduce 100324201546-phpapp02Wei Sun The document discusses various topics related to .NET and C# programming including the .NET framework, garbage collection, functional programming with F#, dynamic languages like IronPython and IronRuby, and best practices for .NET development. It provides examples of code in C#, F# and IronPython and asks several quiz questions to test understanding.
Debugging With Id
Debugging With Idguest215c4e - Immunity Debugger is a tool for security researchers and exploit developers that provides improved interfaces, Python integration, and automated binary analysis capabilities compared to other debuggers.
- It helps with challenges like heap exploitation on modern OSes, which requires understanding heap algorithms, controlling memory layout through leaks, and discovering data types in memory.
- The debugger includes specialized scripts and hooks to aid tasks like heap analysis, fingerprinting allocation patterns, fuzzing heaps, and injecting hooks to speed up analysis.
Exploiting Multicore CPUs Now: Scalability and Reliability for Off-the-shelf ...
Exploiting Multicore CPUs Now: Scalability and Reliability for Off-the-shelf ...Emery Berger The document discusses exploiting multicore CPUs for improved scalability and reliability in software, focusing on advanced memory management techniques such as the Hoard allocator and the Flux programming language. It highlights the challenges of multithreading, like data races and deadlock, and presents solutions for building high-performance, concurrent applications efficiently without extensive rewriting of code. Additionally, it explores Diehard, a probabilistic memory safety approach to mitigate memory errors in unsafe programming languages like C and C++.
Java Hates Linux. Deal With It.
Java Hates Linux. Deal With It.Greg Banks The document discusses the challenges of using Java on Linux, particularly around garbage collection (GC) and resource management. It highlights the performance issues that arise due to GC pauses, especially in production environments, and provides various methods to mitigate these problems, including disabling swap and managing file descriptors. Additionally, it addresses DNS lookup complexities in Java and potential workarounds for caching behaviors that can affect performance.
Software Profiling: Understanding Java Performance and how to profile in Java
Software Profiling: Understanding Java Performance and how to profile in JavaIsuru Perera The document provides a comprehensive overview of software profiling in Java, explaining its purpose, tools, and techniques for performance measurement and optimization. It covers key metrics like response time and throughput, emphasizing the importance of garbage collection and memory management in Java applications. Additionally, the document details profiling tools, particularly Java VisualVM and Java Flight Recorder, and their methodologies for analyzing application performance.
T3_Embedded programing_07072022T3_Embedded programing_07072022.pptx
T3_Embedded programing_07072022T3_Embedded programing_07072022.pptxHuyTrn352093 T3_Embedded programing_07072022.pptx
20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)LeClubQualiteLogicielle Vulnerability analysis involves discovering parts of a program's input that can be exploited by malicious users to drive the program into an insecure state. Potential vulnerabilities exist in locations with known weaknesses that are dependent on or influenced by user input and can be reached during program execution. Vulnerability analysis aims to identify exploitable vulnerabilities by examining the paths in a program's control flow graph that connect points where untrusted data can enter and vulnerable functions can be reached.
Bangladesh Bank Assistant Maintenance Engineer Question Solution.
Bangladesh Bank Assistant Maintenance Engineer Question Solution.Engr. Md. Jamal Uddin Rayhan The document provides a comprehensive question bank on various topics in information technology and banking systems from 2004 to 2023, including distributed database management systems, application frameworks, computer architecture, and the importance of IT in banking. It covers testing procedures for ATMs, differences between kernel types, risk management in cybersecurity, multiplexing connections, and calculations related to synchronous machines. Additionally, it discusses the impact of information technology on banking in Bangladesh, including recent advancements and challenges faced in the sector.
Test Bank for Linux+ and LPIC-1 Guide to Linux Certification, 5th Edition Jas...
Test Bank for Linux+ and LPIC-1 Guide to Linux Certification, 5th Edition Jas...kuervoingvar25 Test Bank for Linux+ and LPIC-1 Guide to Linux Certification, 5th Edition Jason Eckert
Test Bank for Linux+ and LPIC-1 Guide to Linux Certification, 5th Edition Jason Eckert
Test Bank for Linux+ and LPIC-1 Guide to Linux Certification, 5th Edition Jason Eckert
DDS Advanced Tutorial - OMG June 2013 Berlin Meeting
DDS Advanced Tutorial - OMG June 2013 Berlin MeetingJaime Martin Losa The document provides an advanced tutorial on Data Distribution Service (DDS) for developing data-centric real-time systems, detailing its architecture, common use cases, and best practices. It highlights how DDS facilitates seamless communication across distributed applications through standard protocols and robust middleware infrastructure, emphasizing its applicability in various sectors including industry 4.0 and military operations. Key features of DDS discussed include scalability, QoS management, automatic discovery, and support for diverse platforms and programming languages.
iPhone development from a Java perspective (Jazoon '09)
iPhone development from a Java perspective (Jazoon '09)Netcetera The document discusses mobile development for the iPhone, focusing on the transition from Java to Objective-C in the context of iOS development tools and environments. It highlights experiences from developing the Wemlin iPhone app, including insights on Xcode, programming languages, build systems, and memory management. Key differences between Java and Objective-C are also mentioned, along with the overall growth of the iOS platform in recent years.
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)IJERD Editor The document discusses the integration of Information Extraction (IE) and Knowledge Discovery in Databases (KDD) through a system called Discotex, which aims to extract structured data from unstructured text sources. It details the methodologies for rule induction and the evaluation metrics used to measure the performance of the system, including precision, recall, and F-measure. The paper concludes that Discotex can enhance text mining efforts and suggests avenues for future research in various domains.
Bugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps Dzonsonseurobsdcon The document discusses the challenges and solutions related to developing secure software, emphasizing the need for defensive coding and the use of audited libraries. It reviews historical security models and the evolution of security measures in systems like Multics and Unix, highlighting common vulnerabilities and protective strategies. The document concludes with insights on the complexities of sandboxing applications and the inherent risks of relying on untrusted code.
Linux Assignment 3
Linux Assignment 3Diane Allen Behavior driven development (BDD) is an agile software development process that encourages collaboration between developers, QA and non-technical or business participants in a software project. It helps align team goals to deliver value to business stakeholders. BDD has advantages like improving communication, early validation of requirements, and automated acceptance tests. However, it also requires extra effort for writing feature files and scenarios. BDD may not be suitable for all projects depending on their nature and requirements. Overall, when implemented effectively, BDD can help deliver working software that meets business needs.
Introduction to databae eChapter 1-.pptx
Introduction to databae eChapter 1-.pptxMAHERMOHAMED27 The document provides an introduction to data structures and algorithms, emphasizing the importance of understanding the organization of data in programming. It distinguishes between abstract data types (ADTs) and data structures, explaining their roles in algorithm implementation and the classification of data structures into primitive and non-primitive types. Additionally, it discusses algorithm analysis, efficiency measurement, and asymptotic notations to evaluate performance in terms of time and space complexity.
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsNational Cheng Kung University The document presents a practical approach to reducing boot time for automotive IVI and navigation systems using a combination of ARM hibernation and Linux user-space checkpointing. It details strategies, experimental results, and the collaborative efforts of various institutions, while emphasizing the significance of boot time in automotive applications. Additionally, it discusses traditional and innovative methods for optimizing boot processes, along with various tools and techniques for analyzing and improving boot time in Android and Linux environments.
Ad
More from Source Conference (20)
Million Browser Botnet
Million Browser BotnetSource Conference The document discusses various browser-based cyber threats, including cross-site scripting, CSRF, and browser interrogation techniques, emphasizing their impact on web security. It highlights how these techniques can be exploited for malicious purposes, such as intranet hacking and password cracking, with potential applications in advertising networks. The author, Matt Johansen, stresses the ease of executing these attacks and the importance of improving web security measures.
iBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference The document provides an overview of the ibanking botnet on Android, detailing its capabilities such as stealing device information and intercepting communications. It discusses the evolution of ibanking, highlighting various versions and significant incidents related to its source code and functionality. Additionally, it reflects on security vulnerabilities and social engineering tactics that can lead to infection with this malware.
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference The document discusses the SPDY and QUIC protocols which aim to improve upon HTTP. SPDY focuses on multiplexing, prioritization, header compression, and server push/hints. QUIC aims to eliminate head-of-line blocking, support 0RTT connections, recover lost packets, and survive network changes. Both protocols aim to improve web performance but also face security challenges around things like certificate revocation and content inspection. The future may see both protocols widely adopted in web clients, servers, and network infrastructure.
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference The document discusses a methodology for analyzing and classifying malicious files, particularly Windows apps, by leveraging algorithms from bioinformatics. It explains how DNA sequencing concepts, such as codons and SNPs, are analogous to disassembling code in malware detection. Additionally, it details clustering techniques and speed optimization strategies for analyzing large datasets of files to identify potential threats efficiently.
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference The document discusses extracting forensic information from Zeus and its derivatives. It outlines goals like determining what data was stolen, where it was sent, and who the attackers were. It then describes how to achieve these goals by extracting information like command and control addresses, stolen data, and configuration files from variants like Zeus 2.0.8.9, IceIX, Citadel, Gameover, and KINS through analyzing their encryption routines, configuration retrieval methods, and automated analysis.
How to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference The document discusses the nature of social media, defining it as platforms for content creation and sharing among users. It also highlights the potential risks associated with social media, including scams and security breaches, and emphasizes the importance of security awareness and proactive measures for organizations. Tips for handling security incidents and managing online presence are provided.
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference WFUZZ is a web application brute forcing and fuzzing tool that allows penetration testers to perform complex brute force attacks on various parts of web applications like parameters, authentication, forms, directories, files, and headers. It has features like multiple injection points, advanced payload management, multi-threading, encodings, result filtering, and proxy support. New features include HEAD method scanning, fuzzing HTTP methods, following redirects, a plugin framework, and result filtering. It uses a modular architecture with payloads, encoders, iterators, plugins, and printers to perform brute force tests quickly and efficiently.
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference This document provides an overview and introduction to Ruby on Rails. It begins with an agenda and introduction to the speaker. It then provides a brief introduction to Rails, including what industries use it, examples of popular websites built with Rails, and an explanation of its model-view-controller architecture and RESTful design philosophy. The document continues with sections on auditing Rails applications, identifying common vulnerabilities like mass assignment and cross-site scripting, and recommendations for removing vulnerabilities.
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference This document discusses security testing for RESTful applications. It begins with an introduction to RESTful web services and how they differ from SOAP web services in using HTTP methods to indicate actions and embedding parameters in requests. It notes challenges in testing RESTful applications including that documentation may not reveal the full attack surface and requests can be dynamically generated. It recommends using documentation, proxies, and fuzzing to determine parameters and potential vulnerabilities. The document concludes by discussing how automated pen testing works by crawling to determine the attack surface through both links and emulated JavaScript to find dynamic requests.
Esteganografia
EsteganografiaSource Conference Este documento proporciona una introducción a la esteganografía, que es la técnica de ocultar información dentro de otro contenido como imágenes, documentos u otros archivos. Explica que la esteganografía se ha utilizado desde la antigua Grecia y Roma, y que a lo largo de la historia se han empleado diferentes métodos como tablas de cera, tatuajes, tinta invisible y filigranas en papel. También describe brevemente algunas técnicas más recientes como los micropuntos y los métodos digitales basados en bits
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference The document discusses techniques for detecting "man in the browser" (MitB) attacks, where malware running in a user's browser is able to intercept and modify traffic between the browser and web applications. It describes shape-based tests that examine requests for unusual changes typical of malware, and content-based tests where the server embeds a random value in content and the browser verifies it was not altered to detect tampering by malware. The overall goal is to identify infected client sessions to protect businesses from the risks posed by consumers being attacked.
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference The document appears to be a presentation by Iftach Ian Amit from November 2011 about advanced data exfiltration techniques. It includes sections on using emails, web links and phishing to extract data, as well as utilizing social engineering techniques to manipulate targets. Automating parts of the process with tools like SET is also mentioned. The presentation suggests using both aggressive and ingratiating social behaviors when interacting with targets. It diagrams extracting data by routing it through third parties and the internet.
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference Joshua Corman gave a presentation about adapting to Anonymous in the age of chaotic actors. He began by providing background on himself and his research interests. He then discussed understanding Anonymous by deconstructing it and looking at its rise, different sects, and levels of involvement. Corman addressed adapting to Anonymous by looking at escalation risks and the need for improved security strategies. He concluded by discussing the possibility of building a better version of Anonymous that is focused on positive goals.
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference The document discusses agile and secure software development. It provides an overview of traditional waterfall and agile project methods. Agile practices like working in short cycles, customer collaboration, and responding to change are highlighted. The roles of project managers, quality assurance teams, and security practices within agile development are also examined. Finally, the document questions whether agile and secure development can be mutually exclusive.
Advanced (persistent) binary planting
Advanced (persistent) binary plantingSource Conference This document discusses binary planting techniques such as DLL hijacking. It provides examples of binary planting issues found in Real Player and Opera on Windows XP, where they load unexpected DLLs and EXEs during execution. It warns that downloading files can leave computers vulnerable if installers load DLLs from the Downloads folder, allowing for "persistent mines" to be planted months later when applications are launched. It provides guidelines for researchers and developers to prevent binary planting issues in their own software.
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference This document discusses legal and technical strategies for addressing data security risks when controls shift to the cloud. It outlines various legislative and regulatory targets relating to data breaches, both malicious and benign. It provides guidance on security, data transfer, disposition of data upon termination, and access to data when using cloud services.
Who should the security team hire next?
Who should the security team hire next?Source Conference The document discusses sources of data on security breaches and where to find qualified security personnel. It analyzes breach data trends from vendors, incident response firms, and mandatory disclosure databases. The analysis finds that while common problems still exist, attacks are becoming more advanced, and good security experts can be found in a variety of companies and roles, not just large firms or traditional security jobs. Hiring should focus on technical skills rather than titles or certifications.
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference The document summarizes recent developments in computer crime law, specifically regarding interpretations of the federal Computer Fraud and Abuse Act. It discusses how courts have broadly interpreted what constitutes unauthorized access, including violating an employer's computer use policies. It also notes problems with prosecutors trying to double-count penalties for unauthorized access by charging it as a felony in furtherance of another crime when it is essentially the same conduct. The future could see legislative changes enhancing penalties for computer crimes.
JSF Security
JSF SecuritySource Conference This document discusses several techniques for validating user input and preventing cross-site scripting (XSS) attacks in JavaServer Faces (JSF) applications. It covers built-in JSF validators, custom validators, output encoding tags, and using OWASP ESAPI to properly encode output. The document also discusses using an AccessController for authorization and injecting anti-CSRF tokens to defend against cross-site request forgery attacks.
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference This document provides guidance on how to determine the right amount to spend on security. It recommends first formalizing mandatory, discretionary, and risk-based security spending. Prioritize assets and risks using a structured process involving business owners. Consider likelihood and impact ranges to evaluate risks. Prioritize risks based on business value and cost. Define security services and align spending with maturity targets. Start with quick wins and metrics to gain support for an ongoing process.
Ad
Recently uploaded (20)
Edge-banding-machines-edgeteq-s-200-en-.pdf
Edge-banding-machines-edgeteq-s-200-en-.pdfAmirStern2 מכונת קנטים המתאימה לנגריות קטנות או גדולות (כמכונת גיבוי).
מדביקה קנטים מגליל או פסים, עד עובי קנט – 3 מ"מ ועובי חומר עד 40 מ"מ. בקר ממוחשב המתריע על תקלות, ומנועים מאסיביים תעשייתיים כמו במכונות הגדולות.
June Patch Tuesday
June Patch TuesdayIvanti Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...Edge AI and Vision Alliance For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2025/06/from-enterprise-to-makers-driving-vision-ai-innovation-at-the-extreme-edge-a-presentation-from-sony-semiconductor-solutions/
Amir Servi, Edge Deep Learning Product Manager at Sony Semiconductor Solutions, presents the “From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge” tutorial at the May 2025 Embedded Vision Summit.
Sony’s unique integrated sensor-processor technology is enabling ultra-efficient intelligence directly at the image source, transforming vision AI for enterprises and developers alike. In this presentation, Servi showcases how the AITRIOS platform simplifies vision AI for enterprises with tools for large-scale deployments and model management.
Servi also highlights his company’s collaboration with Ultralytics and Raspberry Pi, which brings YOLO models to the developer community, empowering grassroots innovation. Whether you’re scaling vision AI for industry or experimenting with cutting-edge tools, this presentation will demonstrate how Sony is accelerating high-performance, energy-efficient vision AI for all.
Mastering AI Workflows with FME - Peak of Data & AI 2025
Mastering AI Workflows with FME - Peak of Data & AI 2025Safe Software Harness the full potential of AI with FME: From creating high-quality training data to optimizing models and utilizing results, FME supports every step of your AI workflow. Seamlessly integrate a wide range of models, including those for data enhancement, forecasting, image and object recognition, and large language models. Customize AI models to meet your exact needs with FME’s powerful tools for training, optimization, and seamless integration
TrustArc Webinar - 2025 Global Privacy Survey
TrustArc Webinar - 2025 Global Privacy SurveyTrustArc How does your privacy program compare to your peers? What challenges are privacy teams tackling and prioritizing in 2025?
In the sixth annual Global Privacy Benchmarks Survey, we asked global privacy professionals and business executives to share their perspectives on privacy inside and outside their organizations. The annual report provides a 360-degree view of various industries' priorities, attitudes, and trends. See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar features an expert panel discussion and data-driven insights to help you navigate the shifting privacy landscape. Whether you are a privacy officer, legal professional, compliance specialist, or security expert, this session will provide actionable takeaways to strengthen your privacy strategy.
This webinar will review:
- The emerging trends in data protection, compliance, and risk
- The top challenges for privacy leaders, practitioners, and organizations in 2025
- The impact of evolving regulations and the crossroads with new technology, like AI
Predictions for the future of privacy in 2025 and beyond
Bridging the divide: A conversation on tariffs today in the book industry - T...
Bridging the divide: A conversation on tariffs today in the book industry - T...BookNet Canada A collaboration-focused conversation on the recently imposed US and Canadian tariffs where speakers shared insights into the current legislative landscape, ongoing advocacy efforts, and recommended next steps. This event was presented in partnership with the Book Industry Study Group.
Link to accompanying resource: https://bnctechforum.ca/sessions/bridging-the-divide-a-conversation-on-tariffs-today-in-the-book-industry/
Presented by BookNet Canada and the Book Industry Study Group on May 29, 2025 with support from the Department of Canadian Heritage.
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptx
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptxFIDO Alliance FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography
Crypto Super 500 - 14th Report - June2025.pdf
Crypto Super 500 - 14th Report - June2025.pdfStephen Perrenod This OrionX's 14th semi-annual report on the state of the cryptocurrency mining market. The report focuses on Proof-of-Work cryptocurrencies since those use substantial supercomputer power to mint new coins and encode transactions on their blockchains. Only two make the cut this time, Bitcoin with $18 billion of annual economic value produced and Dogecoin with $1 billion. Bitcoin has now reached the Zettascale with typical hash rates of 0.9 Zettahashes per second. Bitcoin is powered by the world's largest decentralized supercomputer in a continuous winner take all lottery incentive network.
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptxFIDO Alliance FIDO Seminar: New Data: Passkey Adoption in the Workforce
Viral>Wondershare Filmora 14.5.18.12900 Crack Free Download
Viral>Wondershare Filmora 14.5.18.12900 Crack Free DownloadPuppy jhon ➡ 🌍📱👉COPY & PASTE LINK👉👉👉 ➤ ➤➤ https://drfiles.net/
Wondershare Filmora Crack is a user-friendly video editing software designed for both beginners and experienced users.
Creating Inclusive Digital Learning with AI: A Smarter, Fairer Future
Creating Inclusive Digital Learning with AI: A Smarter, Fairer FutureImpelsys Inc. Have you ever struggled to read a tiny label on a medicine box or tried to navigate a confusing website? Now imagine if every learning experience felt that way—every single day.
For millions of people living with disabilities, poorly designed content isn’t just frustrating. It’s a barrier to growth. Inclusive learning is about fixing that. And today, AI is helping us build digital learning that’s smarter, kinder, and accessible to everyone.
Accessible learning increases engagement, retention, performance, and inclusivity for everyone. Inclusive design is simply better design.
High Availability On-Premises FME Flow.pdf
High Availability On-Premises FME Flow.pdfSafe Software FME Flow is a highly robust tool for transforming data both automatically and by user-initiated workflows. At the Finnish telecommunications company Elisa, FME Flow serves processes and internal stakeholders that require 24/7 availability from underlying systems, while imposing limitations on the use of cloud based systems. In response to these business requirements, Elisa has implemented a high-availability on-premises setup of FME Flow, where all components of the system have been duplicated or clustered. The goal of the presentation is to provide insights into the architecture behind the high-availability functionality. The presentation will show in basic technical terms how the different parts of the system work together. Basic level understanding of IT technologies is required to understand the technical portion of the presentation, namely understanding the purpose of the following components: load balancer, FME Flow host nodes, FME Flow worker nodes, network file storage drives, databases, and external authentication services. The presentation will also outline our lessons learned from the high-availability project, both benefits and challenges to consider.
Providing an OGC API Processes REST Interface for FME Flow
Providing an OGC API Processes REST Interface for FME FlowSafe Software This presentation will showcase an adapter for FME Flow that provides REST endpoints for FME Workspaces following the OGC API Processes specification. The implementation delivers robust, user-friendly API endpoints, including standardized methods for parameter provision. Additionally, it enhances security and user management by supporting OAuth2 authentication. Join us to discover how these advancements can elevate your enterprise integration workflows and ensure seamless, secure interactions with FME Flow.
Enabling BIM / GIS integrations with Other Systems with FME
Enabling BIM / GIS integrations with Other Systems with FMESafe Software Jacobs has successfully utilized FME to tackle the complexities of integrating diverse data sources in a confidential $1 billion campus improvement project. The project aimed to create a comprehensive digital twin by merging Building Information Modeling (BIM) data, Construction Operations Building Information Exchange (COBie) data, and various other data sources into a unified Geographic Information System (GIS) platform. The challenge lay in the disparate nature of these data sources, which were siloed and incompatible with each other, hindering efficient data management and decision-making processes.
To address this, Jacobs leveraged FME to automate the extraction, transformation, and loading (ETL) of data between ArcGIS Indoors and IBM Maximo. This process ensured accurate transfer of maintainable asset and work order data, creating a comprehensive 2D and 3D representation of the campus for Facility Management. FME's server capabilities enabled real-time updates and synchronization between ArcGIS Indoors and Maximo, facilitating automatic updates of asset information and work orders. Additionally, Survey123 forms allowed field personnel to capture and submit data directly from their mobile devices, triggering FME workflows via webhooks for real-time data updates. This seamless integration has significantly enhanced data management, improved decision-making processes, and ensured data consistency across the project lifecycle.
“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...
“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...Edge AI and Vision Alliance For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2025/06/key-requirements-to-successfully-implement-generative-ai-in-edge-devices-optimized-mapping-to-the-enhanced-npx6-neural-processing-unit-ip-a-presentation-from-synopsys/
Gordon Cooper, Principal Product Manager at Synopsys, presents the “Key Requirements to Successfully Implement Generative AI in Edge Devices—Optimized Mapping to the Enhanced NPX6 Neural Processing Unit IP” tutorial at the May 2025 Embedded Vision Summit.
In this talk, Cooper discusses emerging trends in generative AI for edge devices and the key role of transformer-based neural networks. He reviews the distinct attributes of transformers, their advantages over conventional convolutional neural networks and how they enable generative AI.
Cooper then covers key requirements that must be met for neural processing units (NPU) to support transformers and generative AI in edge device applications. He uses transformer-based generative AI examples to illustrate the efficient mapping of these workloads onto the enhanced Synopsys ARC NPX NPU IP family.
ENERGY CONSUMPTION CALCULATION IN ENERGY-EFFICIENT AIR CONDITIONER.pdf
ENERGY CONSUMPTION CALCULATION IN ENERGY-EFFICIENT AIR CONDITIONER.pdfMuhammad Rizwan Akram DC Inverter Air Conditioners are revolutionizing the cooling industry by delivering affordable,
energy-efficient, and environmentally sustainable climate control solutions. Unlike conventional
fixed-speed air conditioners, DC inverter systems operate with variable-speed compressors that
modulate cooling output based on demand, significantly reducing energy consumption and
extending the lifespan of the appliance.
These systems are critical in reducing electricity usage, lowering greenhouse gas emissions, and
promoting eco-friendly technologies in residential and commercial sectors. With advancements in
compressor control, refrigerant efficiency, and smart energy management, DC inverter air conditioners
have become a benchmark in sustainable climate control solutions
Can We Use Rust to Develop Extensions for PostgreSQL? (POSETTE: An Event for ...
Can We Use Rust to Develop Extensions for PostgreSQL? (POSETTE: An Event for ...NTT DATA Technology & Innovation Can We Use Rust to Develop Extensions for PostgreSQL?
(POSETTE: An Event for Postgres 2025)
June 11, 2025
Shinya Kato
NTT DATA Japan Corporation
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...
“From Enterprise to Makers: Driving Vision AI Innovation at the Extreme Edge,...Edge AI and Vision Alliance
“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...
“Key Requirements to Successfully Implement Generative AI in Edge Devices—Opt...Edge AI and Vision Alliance
Can We Use Rust to Develop Extensions for PostgreSQL? (POSETTE: An Event for ...
Can We Use Rust to Develop Extensions for PostgreSQL? (POSETTE: An Event for ...NTT DATA Technology & Innovation
Forensic Memory Analysis of Android's Dalvik Virtual Machine
- 1. Memory Analysis of the Dalvik (Android) Virtual MachineAndrew CaseDigital Forensics Solutions
- 2. Who Am I?Security Analyst at Digital Forensics SolutionsAlso perform wide ranging forensics investigationsVolatility DeveloperFormer Blackhat and DFRWS speaker2
- 3. AgendaWhat is Dalvik / why do we care?Brief overview of memory forensicsExtracting allocated and historical data from DalvikinstancesTarget specific Android applications3
- 4. What is Dalvik?Dalvik is the software VM for all Android applicationsNearly identical to the Java Virtual Machine (JVM) [1]Open source, written in C / Java4
- 5. Why do we care?Android-based phones leading in US mobile marketWhich makes for many phones to investigateMemory forensics capabilities against Android applications have numerous uses/implicationsEntire forensics community (LEO, .gov, private firms) already urging development of such capabilities5
- 6. Memory Forensics IntroductionMemory forensics is vital to orderly recovery of runtime informationUnstructured methods (strings, grep, etc) are brittle and only recover superficial infoStructured methods allow for recovery of data structures, variables, and code from memoryPrevious work at operating system level led to recovery of processes, open files, network connections, etc [4,5]6
- 7. Memory Analysis ProcessFirst, need to acquire memory Acquisition depends on environment [6]Next, requires locating information in memory and interpreting it correctlyAlso requires re-implementing functionality offlineThen it needs to be displayed in a useful way to the investigator7
- 9. Acquiring Memory – Approach 1The normal method is to acquire a complete capture of physical RAMWorks well when analyzing kernel data structures as their pages are not swapped outAllows for recovery of allocated and historical processes, open files, network connections, and so on9
- 10. Approach 1 on AndroidWithout /dev/mem support, need a LKM to read memoryNo current module works for Android (ARM)We developed our own (mostly by @jtsylve)Benefits of full capture:Can target any process (including its mappings)Can recover information from unmapped pages in processes10
- 11. Acquiring Memory – Approach 2Memory can be acquired on a per-process basisEnsures that all pages of the process will be acquiredEasiest to perform with memfetch[8]After a few small changes, was statically compiled for ARMNo unmapped pages will be recovered thoughHeap and GC don’t munmap immediately11
- 12. Analyzing C vs JavaMost previous forensics research has had the “luxury” of analyzing CNearly 1:1 mapping of code/data to in-memory layoutDeclaration of a C “string”char buffer[] = “Hello World”;Memory Layout (xxd)4865 6c6c 6f20 576f 726c 6400 Hello World.12
- 13. A Dalvik String in MemoryFirst, need the address of the “StringObject”Next, need the offsets of the “java/lang/String” value and byte offset membersStringObject + value offset leads us to an “ArrayObject”ArrayObject + byte offset leads to an UTF-16 array of characters… finally we have the string (in Unicode)13
- 14. Now for the memory analysis…The real goal of the research was to be able to locate arbitrary class instances and fields in memoryOther goals included replicating commonly used features of the Android debugging framework14
- 15. Locating Data StructuresThe base of Dalvik loads as a shared library (libdvm.so)Contains global variables that we use to locate classes and other informationAlso contains the C structures needed to parse and gather evidence we need15
- 16. Gathering libdvm’s StructuresGrab the shared library from the phone (adb) 2) Use Volatility’s dwarfparse.py:Builds a profile of C structures along with members, types, and byte offsets
- 17. Records offsets of global variables3) Example structure definition'ClassObject': [ 0xa0, { Class name and size 'obj': [0x0, ['Object']], member name, offset, and type16
- 18. Volatility Plugin SampleAccessing structures is as simple as knowing the type and offset intval = obj.Object(“int”, offset=intOffset, ..)Volatility code to access ‘descriptor’ of an ‘Object’: o = obj.Object("Object", offset=objectAddress, ..) c = obj.Object("ClassObject", offset=o.clazz, …)desc = linux_common.get_string(c.descriptor)17
- 19. gDvmgDvm is a global structure of type DvmGlobalsHolds info about a specific Dalvik instanceUsed to locate a number of structures needed for analysis18
- 20. Locating Loaded ClassesgDvm.loadedClasses is a hash table of ClassObjectsfor each loaded classHash table is stored as an arrayAnalysis code walks the backing array and handles active entriesInactive entries are NULL or have a pointer value of 0xcbcacccd19
- 21. Information Per ClassType and (often) name of the source code fileInformation on backing DexFileDexFilestores everything Dalvik cares about for a binaryData FieldsStaticInstanceMethodsName and TypeLocation of Instructions20
- 22. Static FieldsStored once per class (not instance)Pre-initialized if knownStored in an array with element type StaticFieldLeads directly to the value of the specific field21
- 23. Instance FieldsPer instance of a ClassFields are stored in an array of element type InstFieldOffset of each field stored in byteOffsetmemberRelative offset from ClassObjectstructure22
- 24. Listing Instance MembersSource file: ComposeMessageActivity.java Class: Lcom/android/mms/ui/ComposeMessageActivity;Instance Fields: name: m_receiversignature: Landroid/content/BroadcastReceiver; name: m_filtersignature: Landroid/content/IntentFilter; name: mAppContextsignature: Landroid/content/Context; name: mAvailableDirPathsignature: Ljava/lang/String; 23
- 25. Analyzing MethodsWe can enumerate all methods (direct, virtual) and retrieve names and instructionsNot really applicable to this talkCan be extremely useful for malware analysis thoughIf .apk is no longer on disk or if code was changed at runtime24
- 26. Methods in Memory vs on DiskDalvik makes a number of runtime optimizations [1]Example: When class members are accessed (iget, iput) the field table index is replaced with the direct byte offsetWould likely need to undo some of the optimizations to get complete baksmali output 25
- 28. Recovery ApproachBest approach seems to be locating data structures of UI screensUI screens represented by uniform (single type) lists of displayed informationData for many views are pre-loaded27
- 29. Finding Data StructuresCan save substantial time by using adb’slogcat(next slide)Shows the classes and often methods involved in handling UI eventsOtherwise, need to examine source codeSome applications are open sourceOthers can be “decompiled” with baksmali [9]28
- 30. logcat exampleThe following is a snippet of output when clicking on the text message view:D/ConversationList(12520): onResume StartD/ComposeMessageActivity(12520): onConatctInfoChangeD/RecipientList(12520): mFilterHandler not nullD/RecipientList(12520): get recipient: 0D/RecipientList(12520): r.name: John SmithD/RecipientList(12520): r.filter() return resultD/RecipientList(12520): indexOf(r)0D/RecipientList(12520): prepare set, index/name: 0/John Smith29
- 31. Phone Call HistoryCall history view controlled through a DialerContactCard$OnCardClickListenerEach contact stored as a DialerContactCardContains the name, number, convo length, and photo of contact30
- 32. Per Contact Call HistoryCan (sometimes) retrieve call history per-contactRequires the user to actually view a contact’s history before being populated31
- 33. Text MessagesRecovery through ComposeMessageActivity & TextMessageViewComplete conversations can be recovered Not pre-populated32
- 34. VoicemailAudio file is open()’edNot mapped contiguously into the process address spaceNo method to recover deleted voicemails..33
- 35. Browser (Opera Mini)Opera Mini is the most used mobile browserCan recover some session informationThe history file is always mapped in memory (including information from current session)HTTP requests and page information is (possibly) recoverableCan recover <title> informationStored in Opera Binary Markup LanguageNot publicly documented? 34
- 36. Recovering Wireless InformationScreenshot on the right shows results of a scan for wireless networksRecovery of this view provides the SSID, MAC address, and enc type for routers foundRecovery of “Connected” routers show which were associated with35
- 37. Other Wireless InformationPotentially interesting information:Wireless keysConnection statsThese are not controlled by DalvikKeys only initially entered through Dalvik, but then savedStored by the usual Linux applicationswpa_supplicant, dhcpd, in-kernel stats36
- 38. Location RecoveryAssociating location & time not always importantBut makes for better slides *hint*Interesting for a number of reasonsForensics & Privacy concernsNot part of a “standard” forensics investigation37
- 39. Google MapsDid not do source code analysisMost phones won’t be using Google Maps while being seizedWanted to find ways to get historical data cleanlyFound two promising searchesmTime=TIME,mLatitude=LAT,mLongitude=LONpoint: LAT,LON … lastFix: TIMETIME is the last location, extra work needed to verify38
- 40. “Popular” Weather ApplicationThe weather application uses your location to give you relevant informationhttp://vendor.site.com/widget/search.asp? lat=LAT&lon=LON&nocache=TIME39
- 41. More GPS FunAll of the following applications do not clear GPS data from memory, and all send their lat/lon using GET with HTTPUrban SpoonWeather ChannelWeatherBugYelpGrouponMovies40
- 42. ImplementationRecovery code written as Volatility [7] pluginsMost popular memory analysis frameworkHas support for all Windows versions since XP and 2.6 Intel LinuxNow also supports ARM Linux/AndroidMakes rapid development of memory analysis capabilities simpleAlso can be used for analyzing other binary formats41
- 43. TestingTested against a HTC EVO 4GNo phone-specific features used in analysisOnly a few HTC-specific packages were analyzedVisually tested against other Dalvik versionsNo drastic changes in core Dalvik functionality 42
- 44. Research ApplicationsMemory forensics (obviously)Testing of privacy assurancesMalware analysisCan enumerate and recover methods and their instructions43
- 45. Future Avenues of ResearchNumerous applications with potentially interesting informationToo much to manually dig through Need automationBaksmali/Volatility/logcat integration?Automated determination of interesting evidence across the whole systemCombing work done in [2] and [3]44
- 47. References - 1[1] http://bit.ly/dalvikvsjava[2] Brendan Dolan-Gavitt, et al, “Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection”, IEEE Security and Privacy, 2011[3] TaintDroid, http://www.appanalysis.org/[4] http://bit.ly/windowsmemory [5] http://bit.ly/linuxmem [6] http://bit.ly/memimaging[7] http://code.google.com/p/volatility/[8] http://lcamtuf.coredump.cx/soft/memfetch.tgz46
- 48. References - 2[9] baksmali - http://code.google.com/p/smali/47