k1nd0ne
Digital Forensics Spiderman

📘 Volatility3 - Remote analysis on cloud object-storage.

· 9 min read
k1nd0ne
Digital Forensics Spiderman

Memory forensics is a huge help when performing an investigation and during incident response. Collecting memory images and analyzing them at scale is a challenge.

It is crucial to be able to examine memory images on storage platforms other than traditional file systems. With the rise of cloud technologies, a new form of storage known as object storage has emerged. Enabling memory analysis directly on object storage opens up exciting opportunities for innovation.

In this article, we will go through the journey of making the volatility3 framework compatible with S3 object storage in order to perform memory analysis over the network. The reader will also discover how this new capability can and will be applied to the VolWeb 2.0 project, which is still in development.

Disclaimer: All of the information about the volatility3 framework given in this blog post is from my own understanding of the framework and of the project documentation[1]. Feel free to contact me at felix.guyard@forensicxlab.com to correct any mistake made in the explanations.

Footnotes

  1. https://volatility3.readthedocs.io/en/latest/index.html ↩

🔦 Video Games Forensics - Steam

· 7 min read
k1nd0ne
Digital Forensics Spiderman

Video games have become an integral part of our culture, providing entertainment and social opportunities. Unfortunately, criminals have also begun to take advantage of modern video games and their ever-growing capabilities to conduct illegal activities. Organized crime, the spread of hate speech, and pedophilia have been documented inside games, opening the door to a whole world of cybercrime.

Digital forensics on the Steam application can be especially useful for law enforcement in tracking down and prosecuting these cybercriminals. By investigating video game applications like Steam, investigators can recover digital footprints that link individuals to games, transactions, and even other players. Once these links are established, they can be used to build a case against the perpetrators. In this article, the reader will learn about some artifacts left on disk that can provide relevant information during a post-mortem analysis.

Note: All of the information about the investigated user displayed in the following findings is redacted.

📦 Volatility3 Windows Plugin - KeePass

· 6 min read
k1nd0ne
Digital Forensics Spiderman

On May 1st, 2023, vdohney[1] raised concerns about a flaw he found impacting KeePass 2.X[2]. vdohney claimed to be able to reconstruct the master password from memory. A PoC[3] was later released by the researcher in .NET, and a Python 3 port[4] followed.

In this blog post, we will describe the vulnerability and see how to build a volatility3 plugin that helps forensic investigators retrieve the master password from memory.

Footnotes

  1. https://sourceforge.net/u/v2023/profile/ ↩

  2. https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/ ↩

  3. https://github.com/vdohney/keepass-password-dumper ↩

  4. https://github.com/CMEPW/keepass-dump-masterkey ↩
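The recovery idea the post builds on, as an added example written for this page (it is not the author's plugin nor the PoC linked above): each time a character is typed into the KeePass 2.X master password box, a leftover .NET string made of "●" (U+25CF) placeholders followed by the newly typed character stays in process memory, so a dump contains "●a", "●●s", "●●●s", and so on. The code below scans a buffer for those UTF-16LE runs (0xCF 0x25 repeated) and rebuilds the candidate password; the first character is never leaked and is shown as "?". The memory buffer is constructed inline for the example, including a decoy run that must be ignored.

```python
import re

BULLET = "\u25cf".encode("utf-16-le")  # b'\xcf\x25', the password-box placeholder char


def recover_candidates(mem: bytes) -> dict:
    """Map position in the password (1-based) -> set of characters seen there.

    A run of n bullets followed by one UTF-16LE code unit means "the character
    at index n was typed while n characters were already present".
    """
    found = {}
    for match in re.finditer(rb"(?:\xcf\x25)+", mem):
        n = (match.end() - match.start()) // 2  # number of placeholder characters
        unit = mem[match.end():match.end() + 2]
        if len(unit) < 2:
            continue
        try:
            ch = unit.decode("utf-16-le")
        except UnicodeDecodeError:  # lone surrogate half, not a typed character
            continue
        if not ch.isprintable() or ch == "\u25cf":
            continue
        found.setdefault(n, set()).add(ch)
    return found


def reconstruct(found: dict) -> str:
    """Assemble the password; '?' where nothing leaked, {ab} where several chars compete."""
    if not found:
        return ""
    length = max(found) + 1
    out = ["?"]  # index 0 is never preceded by a placeholder, hence never recovered
    for i in range(1, length):
        chars = found.get(i)
        if not chars:
            out.append("?")
        elif len(chars) == 1:
            out.append(next(iter(chars)))
        else:
            out.append("{" + "".join(sorted(chars)) + "}")
    return "".join(out)


def build_sample_dump(password: str = "Password1") -> bytes:
    """Constructed memory buffer mimicking the strings KeePass leaves behind (example data)."""
    filler = b"\x00" * 16 + "AB".encode("utf-16-le") + b"\x00" * 8
    chunks = [filler]
    for i in range(1, len(password)):
        leftover = "\u25cf" * i + password[i]
        chunks.append(leftover.encode("utf-16-le") + filler)
    # decoy: placeholders followed by a non-printable code unit must be skipped
    chunks.append(BULLET * 3 + b"\x01\x00" + filler)
    return b"".join(chunks)


def recover_from_dump(mem: bytes) -> str:
    return reconstruct(recover_candidates(mem))


if __name__ == "__main__":
    print(recover_from_dump(build_sample_dump()))  # ?assword1
```

On a real image the same scan is run over the process's private memory regions rather than a constructed buffer, and unaligned 0xCF 0x25 false positives are filtered by requiring the run to start on a 2-byte boundary of the string object.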

🔦 Debunking the Expert Witness Compression Format (EWF)

· 11 min read
k1nd0ne
Digital Forensics Spiderman

As a digital forensic expert, proving the authenticity and reliability of a forensic image in court is essential. The integrity of the data must be maintained during the imaging process, preventing any accidental or intentional modification. The Expert Witness Compression Format (EWF) provides a way to store metadata about the image, such as the source device, imaging tool, checksums, signatures, and other relevant information about the acquired media. The format's main feature is its compression capability, which reduces the size of the resulting image file, lowering storage requirements and speeding up analysis. This article explains in plain terms the structures behind an EWF segment. The reader will discover the main algorithms needed to read and seek inside such an image. Finally, a proof of concept written in Rust is shared with the reader.

🧬 Malware Analysis with VISION-ProcMon

· 4 min read
k1nd0ne
Digital Forensics Spiderman

Malware analysis is very useful when performing a digital investigation. Identifying how a malware sample works and determining its behavior helps to detect future attacks, identify other compromised equipment, make critical decisions and discover new TTPs. In this blog article, we will dive into the behavioral analysis of the latest QBOT campaign, which uses malicious OneNote documents as the initial vector to compromise a host and deploy stealers. This article demonstrates a use case of VISION-ProcMon for behavioral analysis.

Note: This blog post is not a complete analysis of the sample; it simply demonstrates the capabilities of the tool.

📦 Volatility3 Windows Plugin - AnyDesk

· 13 min read
k1nd0ne
Digital Forensics Spiderman

When performing incident response, we often find that the adversary used legitimate remote access software as an interactive command-and-control channel. AnyDesk[1] is one such tool, extensively used by threat actors as an additional layer of persistence or to reach other servers in the environment via RDP[2]. It has frequently been encountered in the wild in recent years as a preferred tool of known threat actors.

As such, AnyDesk should be closely monitored, since threat actors can easily alter or delete its data after a successful attack, and it is sometimes impossible to restore those altered logs. Defending against malicious use of such remote software is even more intricate for organizations that have approved its legitimate usage. Here we propose to leverage memory forensics to retrieve and analyze AnyDesk artefacts thanks to a custom Volatility plugin that I made available as a free open-source tool for improving digital investigations.

Footnotes

  1. https://anydesk.com/en ↩

  2. https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ ↩

📦 Volatility3 Linux Plugin - Inodes

· 9 min read
k1nd0ne
Digital Forensics Spiderman

The filesystem is one of the most basic and important concepts in UNIX/Linux. It is built around the idea that "everything is a file", meaning that hardware, regular files, directories, sockets, kernel data structures, process communication channels etc. are all represented as files with their own types. On a filesystem, each file (whatever its type) is assigned a number, the inode number, which identifies its inode: the structure that links the file's metadata to its data blocks on the filesystem.

When a process is running, it interacts with the hardware, the kernel, the user's resources etc., and therefore opens the files it requires. Linux keeps track of the inodes of opened files in memory through the Virtual File System (VFS), and more precisely the directory entry cache, whose entries (dentries) map path names to inodes. In this article, I will present how you can extract inode metadata from a modern Linux memory image using the volatility3 framework.

📦 Volatility3 Windows Plugin - Prefetch

· 4 min read
k1nd0ne
Digital Forensics Spiderman

Windows prefetch files are stored in the %SystemRoot%\Prefetch folder. This memory-management feature keeps track of the applications frequently run on a system and of the files they load when they start. We can extract data from those files to obtain useful information for a digital forensic investigation, such as execution times and run counts. In this blog article, I will explain how we can use memory forensics to extract prefetch files, parse them and, in the end, turn that into a volatility3 plugin.
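As an added example (written for this page, not the author's plugin), the parser below handles the 84-byte header that every uncompressed prefetch version shares: the version number, the "SCCA" signature, the declared file size, the UTF-16LE executable name and the 32-bit prefetch hash that also appears in the on-disk name (EXE-HASH.pf). It flags Windows 10+ files, which are stored behind a "MAM\x04" signature and must be LZXPRESS-Huffman decompressed first, and it checks that the header's size field matches the bytes actually recovered, a quick sanity test for a file carved out of memory. The sample file, the executable name and the hash value are constructed for the example.

```python
import struct

# Prefetch format version -> Windows generation that writes it
PREFETCH_VERSIONS = {
    17: "Windows XP/2003",
    23: "Windows Vista/7",
    26: "Windows 8.1",
    30: "Windows 10/11",
}


def parse_prefetch_header(data: bytes) -> dict:
    """Parse the common 84-byte header of an uncompressed prefetch (.pf) file."""
    if data[:4] == b"MAM\x04":
        # Windows 10+ compresses .pf files (LZXPRESS Huffman) behind this
        # signature; the next 4 bytes give the decompressed size.
        raise ValueError("compressed prefetch (MAM); decompress before parsing")
    if len(data) < 84 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version, = struct.unpack_from("<I", data, 0)
    file_size, = struct.unpack_from("<I", data, 12)
    # Executable name: UTF-16LE, 60-byte field, NUL terminated
    executable = data[16:76].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, 76)
    return {
        "version": version,
        "windows": PREFETCH_VERSIONS.get(version, "unknown"),
        "file_size": file_size,
        "size_consistent": file_size == len(data),  # carved file is complete?
        "executable": executable,
        "hash": prefetch_hash,
    }


def expected_filename(header: dict) -> str:
    """On-disk name the file should carry: EXE-HASH.pf with the hash in upper-case hex."""
    return f"{header['executable']}-{header['hash']:08X}.pf"


def build_sample_prefetch() -> bytes:
    """Constructed Windows 7 (version 23) prefetch file for the example; hash value is made up."""
    header = struct.pack("<I4sII", 23, b"SCCA", 0x11000000, 0)  # size patched below
    header += "NOTEPAD.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", 0xD8414F97, 0)  # prefetch hash, flags -> 84 bytes
    body = header + b"\x00" * 172  # placeholder for the file-information section
    return body[:12] + struct.pack("<I", len(body)) + body[16:]


if __name__ == "__main__":
    hdr = parse_prefetch_header(build_sample_prefetch())
    print(hdr["windows"], expected_filename(hdr), hdr["size_consistent"])
```

When the name recovered from the header does not match the name the file had on disk or in the memory-resident file object, treat the file as suspect: tools that tamper with prefetch evidence rarely keep the hash consistent.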

📘 Using Volatility3 as a library

· 13 min read
k1nd0ne
Digital Forensics Spiderman

Having been interested in memory forensics for a while now, I have learned a lot about the volatility3 framework. In this article, we will go through how you can use the framework's libraries to automate your memory analysis tasks and work directly with the results. I will assume that the reader has a basic understanding of how volatility3 extracts evidence from memory. If you want to learn more about volatility3, you can check the links in the "References" section.