[Dailydave] Week 3 of the Month of Volatility Plugins posted!
Andrew Case
atcuno at gmail.com
Fri Sep 28 13:05:19 EDT 2012
I was writing to announce that week 3 of the month of Volatility plugins is
finished, and we now have five more in-depth blog posts covering Windows
and Linux internals and rootkit detection as well as a bonus plugin that
analyzes Internet Explorer browsing history.
Post 1: Detecting Malware Hooks in the Windows GUI Subsystem
This Windows-focused post covers detecting malware hooks in the Windows GUI
subsystem, including message hooks and event hooks, and what effects these
hooks can have on a compromised system.
http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
Post 2: Shellbags in Memory, SetRegTime, and TrueCrypt Volumes
This Windows-focused post covers finding and recovering shellbags from
memory, the forensic importance of shellbags, and analyzes the effects of
anti-forensics on shellbag timestamps. It concludes with covering the
traces left in shellbags by TrueCrypt.
http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html
Post 3: Analyzing USER Handles and the Win32k.sys Gahti
This Windows-focused post introduces two new plugins, one named gahti that
determines the various different types of USER objects on a system and
another named userhandles which traverses the handle table entries and
associates them with the owning processes or threads.
http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html
Post 4: Recovering tagCLIPDATA: What's In Your Clipboard?
This Windows-focused post covers recovery of the Windows clipboard from
physical memory.
http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html
Post 5: Analyzing the 2008 DFRWS Challenge with Volatility
This Linux-focused post analyzes the 2008 memory challenge with Volatility.
It walks through the artifacts produced by the winning team and shows how
to recover the same information with Volatility. It then shows plugins in
Volatility that can recover artifacts not produced by the winning team.
http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html
Bonus Post: HowTo: Scan for Internet Cache/History and URLs
This Windows-focused post covers how to recover Internet Explorer's cache
and history from a memory sample.
http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html
If you have any questions or comments on the posts, please leave a comment
on the respective post on the Volatility Labs blog or be brave and reply to
the list ;)
Thanks,
Andrew