Volshell Quickie: The Case of the Missing Unicode Characters
by Jamie Levy | Jun 3, 2015 | quickie, volshell, windows
The other day someone reached out to me because they had a case that involved files with Arabic names. Unfortunately the filenames were only question marks when using filescan or handles, so I set out to figure out why. In order to figure out why, I created a...
Using mprotect(.., .., PROT_NONE) on Linux
by Jamie Levy | May 15, 2015 | linux, page permissions, volatility
After deciding to revisit some old code of mine (ok, very old), I realized that there was something different about how Linux was allocating pages of data I wanted to hide. At first, I was glad that I couldn’t see the data using yarascan, but...
2014 Malware and Memory Forensics Training Schedule Part 2
by Jamie Levy | Oct 31, 2013 | malware, training, volatility, windows
The Volatility Team would like to announce that our first public training on the East Coast for 2014 will take place in New York City on May 5th – 9th, 2014. Instructors: Michael Ligh (@iMHLv2), Andrew Case (@attrc), Jamie Levy (@gleeda) To request a link to the...
Sampling RAM Across the (EnCase) Enterprise
by Jamie Levy | Oct 10, 2013 | encase, sampling, volatility, windows
One thing that people may or may not realize is that you can mount memory with EnCase and use Volatility directly against the mounted memory “file”. This can be especially useful for checking your enterprise for infected machines in order to narrow your...