After attending a conference for incident response teams, I joined a project aiming to create a forensic framework allowing acquisition and visualization of evidence from various sources: the Exhume toolkit.

The Exhume Toolkit v0.1

In this quest of retrieving data from various base formats, I got involved in the understanding and implementation of a parser for the VMDK format.

The Virtual Machine Disk format has been created by VMware and is used by all kinds of virtual machines from all types of hypervisors. It is also used in exchange formats used to share virtual machines from one hypervisor to another.

Most IT experts, from cybersecurity to system administrators have heard of VMDK files. And I am no exception. But I never really understood what was behind this format. Sure, I did encounter some difficulties to access data from a VMDK file sourced from and ESXi server but I always found tools allowing to convert the file to a better suited format... Including VMDK itself.

At that moment I wondered why converting a VMDK file to another one could help me get access to the data for forensic purposes. And I've found the answer now I did some serious research on the matter.

In digital forensics, tools are only as valuable as the investigator’s ability to understand and explain their output, especially when presenting evidence in court. Beyond simply extracting data, the methodology behind how artifacts are collected and interpreted plays a critical role in admissibility, reliability and credibility.

This blog post series introduces the Thanatology Project, an open-source, cross-platform digital forensics framework currently under development. Built on top of the Exhume ToolKit (a modular set of Rust-based forensic tools), Thanatology combines performance, transparency, and modern design via a Tauri-based desktop interface. Designed for law enforcement and digital forensic professionals, the project emphasizes not only artifact collection and presentation but will also try to provide help for interpretation.

For example, when analyzing EXTFS file systems, Thanatology will try to offers guidance on timestamp meanings and includes complete extraction details suitable for annexing to formal reports.

The blog series will cover:

• An overview of the Thanatology project and its goals.
• A high-level introduction to the Exhume tool suite.
• Deep dives into each Exhume module and its specific forensic use case.
• Updates on the project development.
• Interesting research techniques we found during our journey.

While Thanatology is not intended to replace established tools, it will attempt to offers a modular and modern alternative ideal for cross-verifying findings or integrating into custom workflows. This blogpost series is mainly here to provide the community with updates, technical knowledge and any interesting subjects we found along the way.

Windows executable analysis is a key aspect of Digital Forensics and Reverse Malware Engineering. Identifying the capabilities of a program can help to target potential malicious code and orient the later reverse code analysis phase. In this blogpost, we will dive into the structure of the Windows Portable Executable (PE) and how we can extract the imported functions in the context of memory analysis.

Windows executable analysis is a key aspect of Digital Forensics and Reverse Malware Engineering. Identifying the capabilities of a program can help to target potential malicious code and orient the later reverse code analysis phase. In this blogpost, we will dive into the structure of the Windows Portable Executable (PE) and how we can extract the imported functions in the context of memory analysis.

In the Digital Forensics ecosystem, the field of memory forensics can help uncover artifacts that can’t be found anywhere else. That can include deleted files, network connections, running processes, rootkits, code injection, fileless malware and many more.

Microsoft introduced the hibernation feature in Windows 2000, allowing systems to be powered down while preserving their volatile state. This is achieved by saving RAM contents and processor context to a file called hiberfil.sys before shutting down inside the root folder of the filesystem drive. When the computer is turned on again, the system restores the volatile state from the saved file. Hibernation files are valuable for digital forensic professionals as they store temporary data from RAM to non-volatile storage, eliminating the requirement for specialized tools on the target device.

The Hibernation file structure has evolved in time. In this blog post, we will dive into the structure of the modern Windows hibernation file and propose a new translation layer for the volatility3 framework to create a raw memory image from a hibernation file.

Memory forensics is a huge help when performing an investigation and during incident response. Collecting memory images and analyzing them at scale is a challenge.

It is crucial to have the capability of examining memory images on storage platforms other than traditional file systems. With the emergence of cloud technologies, new forms of storage known as object storage have emerged. Enabling memory analysis on object storage provides exciting opportunities for innovation and advancement.

In this article, we will go through the journey of making the volatility3 framework compatible with s3 object-storage to perform memory analysis over the network. Also, the reader will discover how this new capability can and will be applied to the VolWeb 2.0 project which is still in developpement.

Disclaimer : All of the information about the volatility3 framework given in this blogpost are from my own understanding of the framework and of the project documentation¹. Feel free to contact me at felix.guyard@forensicxlab.com to correct any mistake made in the explanations.

Video games have become an integral part of our culture, providing entertainment and social opportunities. Unfortunately, criminals have also begun to take advantage of modern video games and their ever-growing capabilities to conduct illegal activities. Organized crime, hate spread, and pedophilia have been documented occurring within games, opening up the potential to a world of cybercrime.

Digital forensics on the Steam application can be especially useful for law enforcement in tracking down and prosecuting these cybercriminals. By investigating video game applications like Steam, digital footprints that can be used to link individuals to games, transactions, and even other players. Once these links are established, they can then used to build a case against the perpetrators. In this article, the reader will learn about some artifacts that can give releavant information left on a disk during a post-mortem analysis.

Note : All of the information about the investigated user displayed in the following findings are redacted.

On May 1st, 2023, vdhoney¹ raised concerns about a flaw he found impacting KeePass 2.X.². Vdhoney claimed to be able to reconstruct the master password from memory. A POC ³ was later released by the researcher not only in dotnet but also in python3⁴.

Today in this blog post we will describe the vulnerability and see how we can create a volatility3 plugin to help forensics investigators to retrieve passwords from memory.

As a digital forensic expert, proving the authenticity and reliability of a forensic image in court is essential. Indeed, the integrity of the data needs to be maintained during the imaging process, preventing any accidental or intentional modification of the data. The Expert Witness Compression Format (EWF) provides a way to store metadata about the image, such as the source device, imaging tool, checksums, signatures, and other relevant information about the acquired media. This imaging format main feature is its compression capability thus reducing the size of the resulting image file. Compression allows for faster analysis of the data and reduces storage requirements. This article is meant to vulgarize the structures behind an EWF Segment. The reader will discover the main algorithms to use in order to be able to read and seek inside such image format. Finally, a proof of concept writen in rust will be shared to the reader.

Malware analysis is very useful when performing a digital investigation. Indeed, identifying how a malware works and determining its behavior is very useful to detect future attacks, other compromised equipment, make critical choices and discover new TTPs. In this blog article, we will dive into the behavioral analysis of the latest QBOT campaign using malicious OneNote documents as an initial vector to compromise a host and deploy stealers. This article will demonstrate a use case of VISION-ProcMon for behavioral analysis.

Note: This blog post is not a complete analysis of the sample but simply demonstrate the capabilities of the tool.