Results from the 11th Annual Volatility Plugin Contest are in! We received 9 submissions that included 27 plugins, 3 translation layers, and 2 supporting utilities; and submissions came in from 7 different countries, including some from each of last year’s winners!
Contest submissions included a range of features and functionality:
- Capabilities to extract password artifacts, detect advanced rootkits, and enumerate memory resident file system artifacts
- New and updated translation layers
- Plugins to aid malware detection and analysis
We would like to thank all participants for their hard work on their submissions and contributions to the Volatility community! Independent open-source projects and communities only remain viable because of contributors who are willing to sacrifice their time and resources. Please show your appreciation for the contestants’ contributions by following them on GitHub and social media, providing feedback on their ideas, and helping to improve their code with testing, documentation, or patches.
Coming This Fall: Training on Volatility 3 + A One-Day Summit
Before we announce the winners, we have some other exciting announcements to share!
Malware & Memory Forensics Training on Volatility 3
Location: Washington DC
Dates: October 22–25, 2024
Given the increasing interest and development efforts around Volatility 3, we are excited to announce that this fall the Volatility Development team will be hosting the first offering of our Malware & Memory Forensics Training course that is focused exclusively on Volatility 3. This is a great opportunity to learn directly from the core development team about the new capabilities in Volatility 3 and what motivated the recent design changes.
From The Source: Learn Directly from the World’s Leading Digital Investigators
Location: Washington DC
Date: October 21, 2024
In celebration of the 10-year anniversary of The Art of Memory Forensics, we are also excited to announce that the Volatility Foundation will be hosting a one-day summit in conjunction with the training course. This will be a unique opportunity to connect in-person with an international cadre of pioneering researchers and practitioners who work on the most advanced digital investigations. In the spirit of the original OMFW (Open Memory Forensics Workshop), this summit is intended to be an intimate setting to encourage participation and collaboration and, thus, will be an invite-only event. The first round of invites will go to those who have contributed to the Volatility community! Students who sign up for the in-person training course will also receive a complimentary pass to this event.
If you would like to join the waitlist for From The Source or Malware & Memory Forensics Training on Volatility 3, please contact us.
ACKNOWLEDGEMENTS
We would like to thank Volexity for being a sustaining sponsor of the Volatility Foundation and, in particular, for contributing to this year’s contest. We would also like to thank the core Volatility developers and the previous winners of the contest who helped review and deliberate on the submissions.
And now, it’s time to announce the winners of the 11th Annual Volatility Plugin Contest!
Placements and Prizes for the 2023 Volatility Plugin Contest
1st place and $3000 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:
Valentin Obst: BPF Memory Forensics with Volatility 3
2nd place and $2000 USD cash goes to:
Abyss Watcher: Symbol Collection and Linux Rootkit Detection Plugins
3rd place (tie) and $1000 USD cash goes to:
Asaf Eitani: eBPF Programs Plugin
Felix Guyard: Modern Windows Hibernation File Analysis, Alternate Data Stream Scanning Plugin, Keepass Plugin, Windows Import Address Table Plugin, Remote analysis on cloud object-storage
Summary of All Submissions
Below is a detailed summary of all submissions, ordered alphabetically by first name. If you have feedback for the participants, we’re sure they’d love to hear your thoughts! As previously mentioned, these developers deserve praise for their amazing work. We look forward to seeing future work by these authors!
Abyss Watcher: check_ftrace Plugin
Function Tracer (ftrace) is a framework intended to help developers determine what is happening within the kernel. It is typically used for debugging and performance analysis, but it has also been abused by rootkits to hide artifacts on a system. This plugin allows investigators to detect these hooks and provides further context for the investigation.
Related References:
https://github.com/Abyss-W4tcher
Abyss Watcher: check_unlinked_modules Plugin
Removing objects from linked lists is a common technique leveraged by rootkits to hide resources from sysadmin tools on the live machine. By leveraging a “regex mask”, this plugin scans memory for unlinked modules. The documentation also describes how this technique could be extended to other structures found in the symbol table.
Related References:
https://github.com/Abyss-W4tcher
Abyss Watcher: check_tracepoints Plugin
Within the Linux kernel, a tracepoint provides a hooking mechanism to call a function that can be supplied at runtime. Tracepoints are typically used for tracing and performance analysis, but they can be, and have been, abused by rootkits in the wild. This plugin enumerates the tracepoint arrays and looks for tracepoints with a probe attached, allowing investigators to find tracepoint control-flow changes that may have been added to the system.
Related References:
https://github.com/Abyss-W4tcher
Asaf Eitani: eBPF Programs Plugin
This submission provides the ability to detect and perform automated code analysis of eBPF programs, including eBPF rootkits, loaded into kernel memory. This analysis is used to detect when suspicious functions are referenced inside of any eBPF program. These functions were chosen based on the capabilities they give eBPF programs to manipulate code and data. Unlike previous eBPF-based work that only listed suspicious components, this submission represents the first effort to perform automated static analysis of alerted-to programs.
Related References:
https://twitter.com/ultra_lutra1
https://www.linkedin.com/in/asaf-eitani
https://github.com/AsafEitani/ebpf_programs_plugin/tree/main
Aviel Zohar and Or Chechik: PackerList
This plugin helps investigators look for indications of packed processes. Software packing is a technique attackers leverage to obfuscate code and make it more difficult to analyze, since the original code is often compressed or encrypted. Instead of extracting suspect executables and post-processing, this plugin enables investigators to inspect the associated section table permissions and PTE permissions of memory-resident processes and DLLs for indications of packing.
Related References:
https://twitter.com/AvielZohar
https://attack.mitre.org/techniques/T1406/002/
https://github.com/memoryforensics1/Volatility.PE-Shellcode
Aviel Zohar and Or Chechik: MasqueradeProcess
Masquerading is a technique where an attacker attempts to make their malicious executable or tooling appear legitimate in order to evade detection. For example, the attacker may try to change the name of the process to make it appear like a normal part of the operating system. This plugin compares the OriginalFileName found in FileVersionInformation with the name of the running process, and it highlights any mismatches. For example, malware authors may compile a program named myrootkit.exe but rename it to svchost.exe before distributing. Likewise, threat actors may copy a legitimate cmd.exe to %TEMP%\windowsupdate.exe. This plugin will detect both of these anomalies.
Related References:
https://twitter.com/AvielZohar
https://attack.mitre.org/techniques/T1036/
https://github.com/memoryforensics1/Volatility.PE-Shellcode
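The OriginalFileName comparison described above, written as a stand-alone example (added here, not code from the MasqueradeProcess plugin); the process list is a constructed sample standing in for what a plugin would read from each process image's version resource, and the normalization rules (case-insensitive, directory stripped, missing version info reported as unknown rather than as a mismatch) are this example's assumptions:

```python
import ntpath
from typing import Dict, List, Optional


def normalize_name(name: Optional[str]) -> Optional[str]:
    """Reduce an image name or OriginalFileName to a comparable form:
    drop any directory part, trim whitespace, lowercase. None if empty."""
    if not name:
        return None
    base = ntpath.basename(name.strip()).lower()
    return base or None


def check_masquerade(process_name: str, original_file_name: Optional[str]) -> str:
    """Return 'match', 'mismatch', or 'unknown' (no version information,
    e.g. the System process has no image with a VS_VERSIONINFO resource)."""
    proc = normalize_name(process_name)
    orig = normalize_name(original_file_name)
    if proc is None or orig is None:
        return "unknown"
    return "match" if proc == orig else "mismatch"


# Constructed sample (not from a real memory image): pid, image name seen in the
# process list, and the OriginalFileName pulled from the image's version resource.
SAMPLE_PROCESSES = [
    {"pid": 4, "name": "System", "original": None},
    {"pid": 812, "name": "svchost.exe", "original": "svchost.exe"},
    # renamed malware: built as myrootkit.exe, shipped as svchost.exe
    {"pid": 1337, "name": "svchost.exe", "original": "myrootkit.exe"},
    # copied legitimate binary: cmd.exe running as %TEMP%\windowsupdate.exe
    {"pid": 2048, "name": "windowsupdate.exe", "original": "Cmd.Exe"},
    # benign case difference only
    {"pid": 3001, "name": "notepad.exe", "original": "NOTEPAD.EXE"},
]


def find_masquerades(processes: List[Dict]) -> List[Dict]:
    """Return one row per process whose image name disagrees with its
    OriginalFileName; processes without version info are not flagged."""
    rows = []
    for p in processes:
        if check_masquerade(p["name"], p["original"]) == "mismatch":
            rows.append({"pid": p["pid"], "process": p["name"],
                         "original": p["original"]})
    return rows


if __name__ == "__main__":
    for row in find_masquerades(SAMPLE_PROCESSES):
        print(f"{row['pid']:>6}  {row['process']:<20} OriginalFileName={row['original']}")
```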
Aviel Zohar and Or Chechik: DirectSyscalls
This submission is a plugin that looks for attempts to avoid EDR hooks by implementing the system call stub in shellcode memory, a technique leveraged by malware and by many popular penetration testing frameworks. The plugin scans for syscall instructions in memory locations where they should not be present, and then attempts to validate and disassemble any matches.
Related References:
https://twitter.com/AvielZohar
https://github.com/memoryforensics1/Volatility.PE-Shellcode
Aviel Zohar and Or Chechik: ApiHash
Shellcode frequently uses an API hashing technique to resolve function addresses without embedding function-name strings, either for obfuscation or to reduce the shellcode size. This plugin scans for API hashes used as function arguments in memory regions that would not typically contain executable code. It then attempts to resolve the hashes against a publicly available hash database. Resolving the hashes can also help the investigator gain insight into the code’s runtime behavior.
Related References:
https://twitter.com/AvielZohar
https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
https://github.com/memoryforensics1/Volatility.PE-Shellcode
Felix Guyard: Alternate Data Stream Scanning Plugin
Extracting information from the Master File Table (MFT) is extremely valuable when investigating a system running NTFS. MFT entries contain critical information about all files and directories, including alternate data streams (ADS). An ADS can record where a file was downloaded from, and ADSs can also be abused to hide malicious payloads. The ADS plugin scans for MFT entries that carry alternate data streams and that may be cached in memory. The output of the plugin shows a hexdump or disassembled view of the stream content. Information in an ADS can often provide valuable insight into an attacker’s activities on a system.
Related References:
https://www.forensicxlab.com/posts/volads/
Felix Guyard: Keepass Plugin
The KeePass plugin allows investigators to reconstruct the master password from memory by leveraging a recently disclosed design flaw, CVE-2023-32784. The plugin builds on publicly released proofs-of-concept and demonstrates how this capability can be easily implemented within the Volatility 3 framework. The plugin allows an investigator to recover the plaintext password from a memory sample. The ability to extract passwords from volatile memory is a powerful capability that allows investigators to access new evidence and potentially re-open investigations by leveraging previously collected memory samples.
Related References:
https://github.com/forensicxlab/volatility3_plugins/blob/main/keepass.py
https://www.forensicxlab.com/posts/keepass/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32784
https://github.com/vdohney/keepass-password-dumper
https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/
Felix Guyard: Modern Windows Hibernation File Analysis
Over the years, hibernation files have been a valuable data source for extracting memory forensics artifacts. Investigators have used hibernation support as a means of performing memory collection, and they have leveraged historical hibernation files found on disk to find information about what was previously happening on a system. The structure of hibernation files has continued to evolve over time. This contest submission expands Volatility 3 to support modern variations. In addition to implementing a new hibernation translation layer and two decompression algorithms (Microsoft Xpress LZ77 and Microsoft Xpress LZ77+Huffman), it provides plugins for extracting header information about the file and converting the file to a raw memory sample. If an investigator finds that hibernation files are available, these files can provide a wealth of information that may not be accessible anywhere else on the system.
Related References:
https://www.forensicxlab.com/posts/hibernation/
https://github.com/forensicxlab/volatility3/tree/feature/hibernation-layer
Felix Guyard: Windows Import Address Table Plugin
The Import Address Table (IAT) plugin reconstructs the IAT from process-executable images in Windows memory samples. Parsing the IAT provides useful data on a program’s dependencies and API functions that it uses at runtime, providing valuable insights into capabilities such as if malware plans to use encryption, download files from a URL, or inject code into other processes.
Related References:
https://www.forensicxlab.com/posts/voliat/
https://github.com/forensicxlab/volatility3/tree/feature/IAT
Felix Guyard: Remote Analysis on Cloud Object-Storage
The cloud storage layer for Volatility3 makes it possible to analyze memory samples directly in Amazon S3 buckets, private S3-compatible devices (e.g., Minio), and Google Cloud Storage without downloading them locally. This capability enhances scalability when dealing with large memory samples. It also improves collaboration, remote investigations, and memory forensics at scale.
Related References:
https://www.forensicxlab.com/posts/vols3/
https://github.com/forensicxlab/volatility3/tree/feature/bucket-s3
Hyeon Deok Jeong (DFV): hiddenprocess Plugin
This plugin brings hidden-process detection to Volatility 3. Like psxview, processes are enumerated in various ways and then cross-referenced to spot anomalies. In the example and documentation, the author leveraged the Cronos rootkit on a Windows 11 22H2 system to show how a hidden Metasploit reverse-shell process was revealed. The plugin also exposes an optional feature to classify hidden processes as high, medium, or low privilege.
Related References:
https://www.facebook.com/hyeondeok97
https://github.com/resposo/volatility-3-contest-2023
https://github.com/resposo/volatility-3-contest-2023/blob/main/contest_submission.md
Nitzan Adut: EDRity
The goal of the EDRity submission is to allow Volatility 3 to run against a live system and, thus, offer basic endpoint detection and response (EDR) capabilities. This is accomplished by extending Volatility 3 to run against winpmem and creating a new plugin, EDRity. Expanding on the detections in malfind, the plugin extracts suspicious VAD regions and submits them to VirusTotal for analysis. The author plans future work on offline operation and on extracting shellcode.
Related References:
https://www.virustotal.com/gui/home/upload
Rifqi Ramadhan: notepad Plugin
A person under investigation may store important information (e.g., passwords or other incriminating or even exculpatory data) within a running instance of notepad on their system. This plugin extracts strings from the memory segments associated with the notepad process. Although strings could be extracted from the entire memory sample, that presents a “needle in the haystack” problem which wastes valuable investigative time. This plugin offers a much quicker, automated approach to finding the necessary data.
Related References:
https://twitter.com/SpitFire1798018
https://medium.com/@rifqiaramadhan
https://github.com/spitfirerxf
Rifqi Ramadhan: kusertime Plugin
One of the most important aspects of a digital investigation is building a timeline of activity. This plugin helps provide context to the investigator by calculating the system time at the moment of acquisition, as well as the system uptime.
Related References:
https://twitter.com/SpitFire1798018
https://medium.com/@rifqiaramadhan
https://github.com/spitfirerxf
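An added example of the calculation the kusertime description refers to; it is not the plugin's own code. It assumes the values come from the InterruptTime and SystemTime fields of KUSER_SHARED_DATA (both KSYSTEM_TIME structures in 100 ns units, SystemTime counted from 1601-01-01 UTC, InterruptTime from boot) and builds a constructed buffer for the test rather than reading a real image:

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets within KUSER_SHARED_DATA. Both fields are KSYSTEM_TIME:
#   { ULONG LowPart; LONG High1Time; LONG High2Time; }
# A reader sees a consistent value only when High1Time == High2Time.
INTERRUPT_TIME_OFFSET = 0x8    # 100 ns ticks since boot
SYSTEM_TIME_OFFSET = 0x14      # 100 ns ticks since 1601-01-01 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
MICROSECOND = timedelta(microseconds=1)


def read_ksystem_time(buf: bytes, offset: int) -> int:
    """Decode one KSYSTEM_TIME; refuse a torn read (the kernel updates the
    two high words around the low word, so a mismatch means mid-update)."""
    low, high1, high2 = struct.unpack_from("<Iii", buf, offset)
    if high1 != high2:
        raise ValueError("torn KSYSTEM_TIME read: High1Time != High2Time")
    return (high1 << 32) | low


def kuser_times(kuser_shared: bytes):
    """Return (system time at acquisition, uptime, derived boot time)."""
    system_100ns = read_ksystem_time(kuser_shared, SYSTEM_TIME_OFFSET)
    uptime_100ns = read_ksystem_time(kuser_shared, INTERRUPT_TIME_OFFSET)
    acquired_at = EPOCH_1601 + timedelta(microseconds=system_100ns // 10)
    uptime = timedelta(microseconds=uptime_100ns // 10)
    return acquired_at, uptime, acquired_at - uptime


def _pack_ksystem_time(buf: bytearray, offset: int, ticks: int) -> None:
    high = ticks >> 32
    struct.pack_into("<Iii", buf, offset, ticks & 0xFFFFFFFF, high, high)


def build_sample(system_time: datetime, uptime: timedelta) -> bytes:
    """Constructed KUSER_SHARED_DATA prefix for testing, not a real capture."""
    sys_ticks = ((system_time - EPOCH_1601) // MICROSECOND) * 10
    up_ticks = (uptime // MICROSECOND) * 10
    buf = bytearray(0x20)
    _pack_ksystem_time(buf, INTERRUPT_TIME_OFFSET, up_ticks)
    _pack_ksystem_time(buf, SYSTEM_TIME_OFFSET, sys_ticks)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample(datetime(2024, 10, 21, 14, 30, tzinfo=timezone.utc),
                          timedelta(days=3, hours=2))
    acquired, up, boot = kuser_times(sample)
    print(f"acquired at {acquired}  uptime {up}  booted {boot}")
```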
Rifqi Ramadhan: evtxlog Plugin
During an investigation, event logs can provide useful information about what is currently happening and what has previously happened on a system. This plugin searches for mapped event logs and automatically extracts them for analysis, which is a huge time saver and a very convenient method for quickly accessing these valuable files.
Related References:
https://twitter.com/SpitFire1798018
https://medium.com/@rifqiaramadhan
https://github.com/spitfirerxf
Rifqi Ramadhan: sticky Plugin
On Windows systems, users may leverage Sticky Notes to quickly save important information and share across devices. This plugin parses and extracts memory-resident sticky note content. This plugin provides an interesting perspective into a forensic resource that has not traditionally been leveraged by many investigators, but has the potential to be very valuable.
Related References:
https://twitter.com/SpitFire1798018
https://medium.com/@rifqiaramadhan
https://github.com/spitfirerxf
Thomas Clarke: saNSRL Utility
This standalone utility compares files extracted from memory samples with the Volatility 3 dumpfiles plugin against a Known File Filter (KFF) hash database. The tool is passed a directory of files and a KFF database and reports, for each file, whether or not it matched. This tool has several practical use cases, including detecting malicious files and comparing a system to a known-good image (a “golden build”), among others.
Related References:
https://sourceforge.net/projects/autopsy/files/NSRL/
Thomas Clarke: saNSFW Utility
This standalone utility analyzes images extracted from memory with the Volatility 3 dumpfiles plugin, using deep neural network Caffe models to determine whether they are Not Suitable for Work (NSFW). The tool is passed a directory of images and outputs an NSFW confidence score for each. Beyond its intended use cases, this utility has the potential to assist in child exploitation cases by pointing law enforcement investigators to explicit images.
Related References:
https://github.com/yahoo/open_nsfw
Thomas Clarke: dumpfilesNSRL Plugin
This Volatility plugin extracts memory-resident files and compares them to those found within a Known File Filter (KFF) database. Thus, it combines the capabilities found in dumpfiles with the saNSRL utility.
Related References:
https://sourceforge.net/projects/autopsy/files/NSRL/
Valentin Obst: bpf_graph Plugin
Linux malware has been increasingly leveraging eBPF. Thus, visibility into the Linux eBPF subsystem is becoming an important part of digital investigations. This plugin helps visualize the state of the BPF subsystem as a graph. The graph is made up of four different types of nodes: programs, maps, links, and processes. The edges represent three types of relationships between nodes: file descriptor, link, and map. The goal of the plugin is to make the extracted artifacts more accessible to investigators by combining them into a single picture and providing a high-level overview.
Valentin submitted various other plugins in his “eBPF suite”; they are presented below.
Related References:
https://github.com/vobst/BPFVol3/blob/main/src/plugins/bpf_graph.py
https://github.com/vobst/BPFVol3/blob/main/docs/bpf_graph.md
https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/
Valentin Obst: bpf_listlinks Plugin
Plugin in eBPF suite: This plugin displays the list of all BPF links in the memory sample. It simulates the functionality of the link subcommand of bpftool. For each BPF link, it displays the offset, id, type, id of the attached program, and information about the associated attachment point.
Related References:
https://github.com/vobst/BPFVol3/blob/main/src/plugins/bpf_listlinks.py
https://github.com/vobst/BPFVol3/blob/main/docs/bpf_listlinks.md
https://github.com/libbpf/bpftool/blob/main/docs/bpftool-link.rst
https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/
Valentin Obst: bpf_listmaps Plugin
Plugin in eBPF suite: This plugin enumerates the list of BPF maps that are currently loaded into the kernel. It simulates the functionality of the map subcommand of bpftool.
Related References:
https://github.com/vobst/BPFVol3/blob/main/src/plugins/bpf_listmaps.py
https://github.com/vobst/BPFVol3/blob/main/docs/bpf_listmaps.md
https://github.com/libbpf/bpftool
https://github.com/libbpf/bpftool/blob/main/docs/bpftool-map.rst
https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/
Valentin Obst: bpf_listprocs Plugin
Plugin in eBPF suite: This plugin displays a list of processes that hold BPF objects via a file descriptor.
Related References:
https://github.com/vobst/BPFVol3/blob/main/src/plugins/bpf_listprocs.py
https://github.com/vobst/BPFVol3/blob/main/docs/bpf_listprocs.md
https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/
Valentin Obst: bpf_listprogs Plugin
Plugin in eBPF suite: This plugin displays a list of the BPF programs that are currently loaded into the kernel. It simulates the functionality of the prog subcommand of bpftool.
Related References:
https://github.com/vobst/BPFVol3/blob/main/src/plugins/bpf_listprogs.py
https://github.com/vobst/BPFVol3/blob/main/docs/bpf_listprogs.md
https://github.com/libbpf/bpftool/blob/main/docs/bpftool-prog.rst
https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/
Valentin Obst: bpf_lsm Plugin
Plugin in eBPF suite: This plugin attempts to enumerate each LSM hook with attached BPF programs. It also highlights those hooks with hidden BPF programs attached. The plugin outputs the name of the hook, the number of programs attached, and a list of IDs of the attached programs.
Related References:
https://github.com/vobst/BPFVol3/blob/main/src/plugins/bpf_lsm.py
https://github.com/vobst/BPFVol3/blob/main/docs/bpf_lsm.md
https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/
Valentin Obst: bpf_netdev Plugin
Plugin in eBPF suite: This plugin lists traffic control BPF programs attached to network interfaces. These programs are often used to exfiltrate information from a compromised machine. For each interface, it displays the name of the interface, MAC address, and a list of IDs for BPF programs processing outgoing and incoming packets.
Related References:
https://github.com/vobst/BPFVol3/blob/main/src/plugins/bpf_netdev.py
https://github.com/vobst/BPFVol3/blob/main/docs/bpf_netdev.md
https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/
Here are some additional resources for previous contests and community-driven plugins:
- Volatility Foundation Contest Page: https://volatilityfoundation.org/contest
- Volatility 3 Community GitHub Repository: https://github.com/volatilityfoundation/community3