MoVP II – 3.5 – Utilizing the kmem_cache for Android Memory Forensics
by Volatility | Jun 4, 2013 | android, forensics, kernel, linux, malware, movp, volatility
This post will discuss utilizing plugins that leverage the kmem_cache in order to perform deep memory forensics of Android devices. In previous Linux posts, we have briefly mentioned these plugins, but a full walkthrough has not been done. Also, as we will see, these...

MoVP II – 3.4 – Checking the ARM (Android) System Call Table and Exception Vector Table for Signs of Rootkits
by Volatility | Jun 3, 2013 | android, forensics, malware, movp, volatility
In this post we are going to discuss two Volatility plugins that are specific to the ARM platform. Both of these plugins were contributed by Joe Sylve. linux_check_syscall_arm The first, linux_check_syscall_arm, enumerates each entry of the system call table to see if...

Automated Volatility Plugin Generation with Dalvik Inspector
by Volatility | May 31, 2013 | android, malware, s, volatility
Last month we covered new capabilities developed by 504ensics Labs that allowed for analysis of Dalvik instances within Volatility. This included a set of plugins as well as a GUI to explore the classes loaded into memory. We are writing an updated post as the GUI now...

MoVP II – 3.1 – Linux CheckTTY & KeyboardNotifier Plugins
by Volatility | May 29, 2013 | android, forensics, linux, malware, movp, volatility
In this post we will discuss two new plugins in Volatility 2.3 that were contributed by Joe Sylve @jtsylve of 504ensics. These plugins are used to detect the two kernel-level keylogging techniques presented in “Bridging the Semantic Gap to...

MoVP II – 2.5 – New and Improved Windows Plugins
by Volatility | May 28, 2013 | forensics, kernel, malware, movp, volatility, windows
The Volatility 2.3 release will include several new and improved Windows plugins. This post will summarize their purpose, point you to additional information if they’ve been mentioned in previous blog posts, and show example usage scenarios for the...