I was writing to announce that week 3 of the month of Volatility plugins
is finished, and we now have five more in-depth blog posts covering
Windows
and Linux internals and rootkit detection as well as a bonus plugin that
analyzes Internet Explorer browsing history.<br><div class="gmail_quote"><div class="HOEnZb"><div class="h5"><div class="gmail_quote"><div><div><div class="gmail_quote">
<br>
Post 1: Detecting Malware Hooks in the Windows GUI Subsystem<br>
<br>
This Windows focused post covers detecting malware hooks in the Windows
GUI subsystem, including message hooks and event hooks, and what effects
these hooks can have on a compromised system.<br>
<br>
<a href="http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html" target="_blank">http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html</a><br>
<br>
<br>
Post 2: Shellbags in Memory, SetRegTime, and TrueCrypt Volumes<br>
<br>
This Windows focused post covers finding and recovering shellbags from
memory, the forensics importance of shellbags, and analyzes the effects
of anti-forensics on shellbag timestamps. It concludes with covering the
traces left in shellbags by TrueCrypt.<br>
<br>
<a href="http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html" target="_blank">http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html</a><br>
<br>
<br>
Post 3: Analyzing USER Handles and the Win32k.sys Gahti
<br>
<br>
This Windows focused post introduces two new plugins, one named <span style="font-family:Courier New,Courier,monospace">gahti</span> that determines the various different types of USER objects on a system and another named <span style="font-family:Courier New,Courier,monospace">userhandles</span> which traverses the handle table entries and associates them with the owning processes or threads<br>
<br>
<a href="http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html" target="_blank">http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html</a><br>
<br>
<br>
Post 4: Recovering tagCLIPDATA: What's In Your Clipboard?
<br>
<br>
This Windows focused post covers recovery of the Windows clipboard from physical memory.<br>
<br>
<a href="http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html" target="_blank">http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html</a><br>
<br>
<br>
Post 5: Analyzing the 2008 DFRWS Challenge with Volatility
<br>
<br>
This Linux focused post analyzes the 2008 memory challenge with
Volatility. It walks through the artifacts produced by the winning team
and shows how to recover the same information with Volatility. It then
shows plugins in Volatility that can recover artifacts not produced by
the winning team.<br>
<br>
<a href="http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html" target="_blank">http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html</a><br>
<br>
<br>
Bonus Post: HowTo: Scan for Internet Cache/History and URLs<br>
<br>
This Windows focused post covers how to recover Internet Explorer's cache and history from a memory sample.<br>
<br>
<a href="http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html" target="_blank">http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html</a><br>
<br>
If you have any questions or comments on the posts, please leave a comment on the respective post on the Volatility Labs blog or be brave and reply to the list ;)<br><br>Thanks,<br>Andrew<br>
</div><br>
</div></div></div><br>
</div></div></div><br>