Volatility Awareness

There is not a day that passes by, that I don’t receive a dozen or more posts on how to protect a resource in the cloud and/or the enterprise. Took some time, but I came to realize that none of the solutions addressed the source of the problem. PEOPLE use tools to protect their resources. PEOPLE use tools to compromise and capture resources of others. Those that compromise have, on average, 250+ days before those being attacked realize that an attack is in progress. PEOPLE that compromise have enormous advantages. PEOPLE that defend make public their understanding of an attack and how they defend. Others on the defense list vulnerabilities and how to defend. Those that attack learn from the publicly available information and they adapt.

Attackers understand that along the flow of an attack, that there are networks, non-volatile stores, and and perhaps most important, computers with processors, volatile and non volatile storage. memory management units, interfaces to I/O devices with direct memory access to memory, etc.

Just as in kinetic war, the attacker understands the need to hide from detection, attack when the time is right, and disappear into the night. To increase the success of a compromise, the attacker takes the time to understand the defender’s platform, the operating system, the hardware, all publicly available information, to maximize the possibility of a success. A deep understanding of those resources is why compromises go undetected for 250+ days. The attacker takes negatives and turns them into positives

For an attack to happen, the virus, malware, etc. at one time or a periodically is in memory. The attacker is smart enough to know not to hang around too long, and not to attack on a fixed schedule, but to adapt. But there is the time that the source of an attack is in memory being executed by a central processing unit.

Enter Volatility.

Volatility, an open-source software (OSS), holds significant value in detecting and investigating cyber attacks. Here’s why:

1. Memory Acquisition:
   • Volatility allows memory acquisition by dumping the contents of a device’s random access memory (RAM). This process can be applied to various memory sources, including hibernation files, crash dumps, pagefiles, and swap files.
   • By analyzing volatile memory, DFIR (Digital Forensics and Incident Response) analysts can extract critical clues about attacker activities.
2. Memory Forensics:
   • Volatility’s unique plug-ins enable analysts to:
     • Identify rogue processes.
     • Analyze process dynamic link libraries (DLLs) and handles.
     • Review network artifacts.
     • Detect evidence of code injection.
   • These plug-ins work for both 32-bit and 64-bit systems.
   • Memory analysis reveals information about running processes, created files, user activities, and the overall state of the device during an incident.
3. Linking Artifacts:
   • During investigations, Volatility helps link artifacts from various sources:
     • Device: Information from memory.
     • Network: Active and closed connections.
     • File system: Files and directories.
     • Registry: Registry keys and values.
   • This linkage aids in understanding the full scope of an attack.
4. Visibility into Runtime State:
   • Volatility’s extraction techniques operate independently of the system being investigated.
   • Analysts gain visibility into the runtime state of the system without altering it.
5. Financial Advantages and Security:
   • Volatility’s open-source nature allows organizations to inspect, modify, and enhance its source code.
   • This transparency brings both financial benefits and improved security.

In summary, Volatility is an essential tool for DFIR analysts, providing insights into volatile memory and aiding in cyber attack investigations. 🛡️🔍¹.

Dated – but it is a source of techniques that should be front and center of any incident response.

“Memory forensics provides cutting edge technology to help investigate digital attacks

Memory forensics is the art of analyzing computer memory (RAM) to solve digital crimes. As a follow-up to the best seller Malware Analyst’s Cookbook, experts in the fields of malware, security, and digital forensics bring you a step-by-step guide to memory forensics―now the most sought after skill in the digital forensics and incident response fields.

Beginning with introductory concepts and moving toward the advanced, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory is based on a five day training course that the authors have presented to hundreds of students. It is the only book on the market that focuses exclusively on memory forensics and how to deploy such techniques properly. Discover memory forensics techniques:”