[Dailydave] Week 1 of the Month of Volatility Plugins is now posted

Andrew Case atcuno at gmail.com
Fri Sep 14 12:07:36 EDT 2012


Hello All,

I was writing to announce that week 1 of the month of Volatility
plugins is finished, and we now have five in-depth blog posts covering
Windows and Linux internals and rootkit detection.

Post 1: Logon Sessions, Processes, and Images

This Windows focused post covers linking processes to their logon
session, detecting hidden processes using session structures, and
determining the loaded the drivers mapped into each session.

http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html

Post 2: Window Stations and Clipboard Malware

This Windows focused post covers enumerating and analyzing window
stations and clipboard monitoring malware.

http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html

Post 3: Desktops, Heaps, and Ransomware

This Windows focused post covers finding rogue desktops used to hide
applications and created by ransomware, linking threads to desktops,
analyzing the desktop heap for memory corruptions, and profiling heap
allocations to locate USER objects.

http://volatility-labs.blogspot.com/2012/09/movp-13-desktops-heaps-and-ransomware.html

Post 4: Average Coder Rootkit, Bash History, and Elevated Processes

This Linux focused post covers analyzing the Average Coder rootkit,
recovering .bash_history from memory, even when faced with
anti-forensics, and finding elevated processes.

http://volatility-labs.blogspot.com/2012/09/movp-14-average-coder-rootkit-bash.html

Post 5: KBeast Rootkit, Detecting Hidden Modules, and sysfs

This Linux focused post covers analyzing the KBeast rootkit, finding
modules unlinked from the module list, and the forensic values of
sysfs.

http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html


If you have any questions or comments on the posts, either leave a
comment on the respective post or be brave and reply to the list ;)

We will continue our daily blog posts, Monday through Friday, for the
next three weeks, so check back often if you have enjoyed these.

Thanks,
Andrew


More information about the Dailydave mailing list