Volatility 2.4 at Blackhat Arsenal – Reverse Engineering Rootkits
by Volatility | Aug 27, 2014 | arsenal, blackhat, kernel, rootkits, volatility
This video demonstrates how you can leverage Volatility and memory forensics to detect kernel rootkits, assist with reverse engineering, and use the results for developing additional indicators. The video is narrated by Apple’s text to speech and you can find...

Presenting Volatility Foundation Volatility Framework 2.4
by Volatility | Aug 13, 2014 | artofmemoryforensics, blackhat, kernel, linux, macosx, malware, truecrypt, volatility, win8
The release of this new Volatility version coincides with the publication of The Art of Memory Forensics. It adds support for Windows 8, 8.1, 2012, and 2012 R2 memory dumps, Mac OS X Mavericks (up to 10.9.4), and Linux kernels up to 3.16. New plugins include the...

ADD: The Next Big Threat To Memory Forensics….Or Not
by Volatility | Feb 3, 2014 | anti-forensics, kernel, malware, rootkits, volatility
Similar to a rootkit, an anti-forensics tool or technique must possess two critical traits in order to be significant: 1. It must do something. 2. It must get away with it. Satisfying #1 is the easy part. You can hide a process, hide a kernel module, or in the case of...

Malware Superlatives: Most Likely to Cry s/Wolf/Crocodile/
by Volatility | Jan 21, 2014 | kernel, malware, superlatives, windows
As a young boy once learned, it's bad to cry wolf. It's not necessarily bad to cry crocodile, but the authors of Blazgel decided to do it anyway. Blazgel is a kernel rootkit that hooks various SSDT entries and has some backdoor capabilities. When I first saw it hooking...

The Secret to 64-bit Windows 8 and 2012 Raw Memory Dump Forensics
by Volatility | Jan 13, 2014 | forensics, kernel, omfw, training, volatility, win8, windows
Those of you who attended OMFW 2013 received a talk on Windows 8 and Server 2012 memory forensics with Volatility. One of the interesting aspects of this new operating system, which includes 8.1 and 2012 R2, is that the kernel debugger data block...