Difference between pages "Upcoming events" and "Linux Memory Analysis"

From ForensicsWiki
<b>Page: Upcoming events</b>

<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event (i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>

This is a BY DATE listing of upcoming events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.

This listing is divided into three sections (described as follows):<br>
<ol><li><b><u>[[Upcoming_events#Calls_For_Papers|Calls For Papers]]</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
<li><b><u>[[Upcoming_events#Conferences|Conferences]]</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
<li><b><u>[[Training Courses and Providers]]</u></b> - Training </li><br></ol>

== Calls For Papers ==
Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="30%"|Title
! width="15%"|Due Date
! width="15%"|Notification Date
! width="40%"|Website
|-
|IEEE Symposium on Security and Privacy
|Nov 13, 2013
|
|http://www.ieee-security.org/TC/SP2014/cfp.html
|-
|DFRWS-Europe 2014
|Dec 01, 2013
|Mar 01, 2014
|http://www.dfrws.org/2014eu/index.shtml
|-
|8th International Conference on IT Security Incident Management & IT Forensics - IMF2014
|Dec 01, 2013
|Jan 31, 2014
|http://www1.gi-ev.de/fachbereiche/sicherheit/fg/sidar/imf/imf2014/cfp.html
|-
|44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
|Dec 01, 2013
|Feb 25, 2014
|http://www.dsn.org/
|-
|12th International Conference on Applied Cryptography and Network Security
|Jan 10, 2014
|Mar 14, 2014
|http://acns2014.epfl.ch/callpapers.php
|-
|USENIX Annual Technical Conference
|Jan 28, 2014
|Apr 07, 2014
|https://www.usenix.org/conference/atc14/call-for-papers
|-
|Audio Engineering Society (AES) Conference on Audio Forensics
|Jan 31, 2014
|Mar 15, 2014
|http://www.aes.org/conferences/54/downloads/54thCallForContributions.pdf
|-
|DFRWS - USA 2014
|Feb 13, 2014
|Apr 07, 2014
|http://dfrws.org/2014/cfp.shtml
|-
|}

See also [http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics WikiCFP 'Forensics']

== Conferences ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="40%"|Title
! width="20%"|Date/Location
! width="40%"|Website
|-
|Paraben Forensic Innovations Conference
|Nov 13-15<br>Salt Lake City, UT, USA
|http://www.pfic-conference.com/
|-
|2013 International Conference on Information and Communications Security
|Nov 20-22<br>Beijing, China
|http://icsd.i2r.a-star.edu.sg/icics2013/index.php
|-
|8th International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE)
|Nov 21-22<br>Hong Kong, China
|http://conf.ncku.edu.tw/sadfe/sadfe13/
|-
|Black Hat-Regional Summit
|Nov 26-27<br>Sao Paulo, Brazil
|https://www.blackhat.com/sp-13
|-
| Botconf'13 - First Botnet Fighting Conference
| Dec 05-06<br>Nantes, France
|https://www.botconf.eu/
|-
|29th Annual Computer Security Applications Conference (ACSAC)
|Dec 09-13<br>New Orleans, LA, USA
|http://www.acsac.org
|-
|IFIP WG 11.9 International Conference on Digital Forensics
|Jan 08-10<br>Vienna, Austria
|http://www.ifip119.org/Conferences/
|-
|AAFS 66th Annual Scientific Meeting
|Feb 17-22<br>Seattle, WA, USA
|http://www.aafs.org/aafs-66th-annual-scientific-meeting
|-
|21st Network & Distributed System Security Symposium
|Feb 23-26<br>San Diego, CA, USA
|http://www.internetsociety.org/events/ndss-symposium
|-
|Fourth ACM Conference on Data and Application Security and Privacy 2014
|Mar 03-05<br>San Antonio, TX, USA
|http://www1.it.utsa.edu/codaspy/
|-
|9th International Conference on Cyber Warfare and Security (ICCWS-2014)
|Mar 24-25<br>West Lafayette, IN, USA
|http://academic-conferences.org/iciw/iciw2014/iciw14-home.htm
|-
|DFRWS-Europe 2014
|May 07-09<br>Amsterdam, Netherlands
|http://dfrws.org/2014eu/index.shtml
|-
|8th International Conference on IT Security Incident Management & IT Forensics
|May 12-14<br>Muenster, Germany
|http://www1.gi-ev.de/fachbereiche/sicherheit/fg/sidar/imf/imf2014/
|-
|2014 IEEE Symposium on Security and Privacy
|May 16-23<br>Berkeley, CA, USA
|http://www.ieee.org/conferences_events/conferences/conferencedetails/index.html?Conf_ID=16517
|-
|Techno-Security and Forensics Conference
|Jun 01-04<br>Myrtle Beach, SC, USA
|http://www.techsec.com/html/Security%20Conference%202014.html
|-
|Mobile Forensics World
|Jun 01-04<br>Myrtle Beach, SC, USA
|http://www.techsec.com/html/MFC-2014-Spring.html
|-
|12th International Conference on Applied Cryptography and Network Security
|Jun 10-13<br>Lausanne, Switzerland
|http://acns2014.epfl.ch/
|-
|54th Conference on Audio Forensics
|Jun 12-14<br>London, England
|http://www.aes.org/conferences/54/
|-
|2014 USENIX Annual Technical Conference
|Jun 19-20<br>Philadelphia, PA, USA
|https://www.usenix.org/conference/atc14
|-
|44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
|Jun 23-26<br>Atlanta, GA, USA
|http://www.dsn.org/
|-
|Symposium On Usable Privacy and Security (SOUPS) 2014
|Jul 09-11<br>Menlo Park, CA, USA
|http://cups.cs.cmu.edu/soups/2013/
|-
|Black Hat USA 2014
|Aug 02-07<br>Las Vegas, NV, USA
|https://www.blackhat.com
|-
|DFRWS 2014
|Aug 03-06<br>Denver, CO, USA
|http://dfrws.org/2014/index.shtml
|-
|RCFG GMU 2014
|Aug 04-08<br>Fairfax, VA, USA
|http://www.rcfg.org/gmu/
|-
|23rd USENIX Security Symposium
|Aug 20-22<br>San Diego, CA, USA
|https://www.usenix.org/conferences
|-
|25th Annual Conference & Digital Multimedia Evidence Training Symposium
|Oct 06-10<br>Coeur d’Alene, ID, USA
|http://www.leva.org/annual-training-conference/
|-
|}

==See Also==
* [[Training Courses and Providers]]

==References==
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
* [http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]


<b>Page: Linux Memory Analysis</b>

The output of a [[Tools:Memory_Imaging|memory acquisition tool]] is a memory image which contains the raw physical memory of a system. A wide variety of tools can be used to search for strings or other patterns in a memory image, but to extract higher-level information about the state of the system a memory analysis tool is required.

==Linux Memory Analysis Tools==

Active Open Source Projects:

* The [https://www.volatilesystems.com/default/volatility Volatility Framework] is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples.  See the [http://code.google.com/p/volatility/wiki/LinuxMemoryForensics LinuxMemoryForensics] page on the Volatility wiki.  (Availability/License: GNU GPL)
* The [http://people.redhat.com/anderson/ Red Hat Crash Utility] is an extensible Linux kernel core dump analysis program.  Although designed as a debugging tool, it also has been utilized for memory forensics.  See, for example, the [http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html 2008 DFRWS challenge write-up by AAron Walters].  (Availability/License: GNU GPL)

Commercial Products:

* [[Second Look]] provides memory acquisition and analysis tools for Linux incident response and enterprise security.  Its major differentiators versus Volatility are malware detection via integrity verification of the kernel and running processes, ease of use (automatic kernel version detection, a graphical user interface, etc.), and enterprise scalability (including live analysis of remote systems via a memory access agent). (Availability/License: commercial)

Inactive Open Source and Research Projects:

* The [http://4tphi.net/fatkit/ Forensic Analysis Toolkit (FATKit)] is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory.  (Publication Date: 2006; Availability/License: not available)
* [http://hysteria.sk/~niekt0/foriana/ Foriana] is a tool for extraction of information such as the process and modules lists from a RAM image using logical relations between OS structures. (Availability/License: GNU GPL)
* [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
* [http://code.google.com/p/volatilitux/ Volatilitux] is another Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
* Idetect (Linux) http://forensic.seccure.net/ is an older implementation of Linux memory analysis.

==Linux Memory Analysis Challenges==

* The [[Digital Forensic Research Workshop]] [http://dfrws.org/2008/challenge/index.shtml 2008 Forensics Challenge] focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.
* [http://communaute.sstic.org/ChallengeSSTIC2010 Challenge SSTIC 2010] (French) dealt with analysis of physical memory from a mobile device running Android.
* [http://www.honeynet.org/challenges/2011_7_compromised_server Challenge 7 of the Honeynet Project's Forensic Challenge 2011] included forensic analysis of a memory image from a potentially compromised Linux server.

==Linux Memory Images==

Aside from those in the challenges referenced above, sample Linux memory images can also be found on the Second Look web site at http://secondlookforensics.com/images.html.

==Linux Memory Analysis Bibliography==

* [http://forensic.seccure.net/pdf/mburdach_digital_forensics_of_physical_memory.pdf Digital Forensics of the Physical Memory] M. Burdach, March 2005.
* [http://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Linux Physical Memory Analysis], Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
* [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf An Analysis Of Linux RAM Forensics], J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.
* [http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html Linux Memory Forensics for DFRWS Challenge 2008 using Volatility, Crash, and PyFlag], by AAron Walters on the Volatile Systems Blog.
* [http://www.dfrws.org/2008/proceedings/p65-case.pdf FACE: Automated digital evidence discovery and correlation], Andrew Case, Andrew Cristina, Lodovico Marziale, Golden G. Richard, Vassil Roussev, DFRWS 2008
* [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
* [http://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540 Forensic RAM Dump Image Analyzer] by Ivor Kollar, describing the implementation of foriana, 2009.
* [http://www.dfrws.org/2010/proceedings/2010-305.pdf Treasure and tragedy in kmem_cache mining for live forensics investigation] by Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III; Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010.  [http://www.dfrws.org/2010/proceedings/richard2.pdf (Presentation)]
* [http://secondlookforensics.com/ Second Look Web Page]
* [http://blackhat.com/html/bh-dc-11/bh-dc-11-archives.html#Case De-Anonymizing Live CDs through Physical Memory Analysis] ([https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing_Live_CDs-wp.pdf Whitepaper]) ([https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing%20Live%20CDs-Slides.pdf Slides]) Andrew Case; Blackhat DC 2011.
* [http://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html Bringing Linux Support to Volatility], Andrew Case; Digital Forensics Solutions Blog, 2011.
* [http://blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Case Workshop - Linux Memory Analysis with Volatility] ([http://www.digitalforensicssolutions.com/papers/blackhat-workshop-full-presentation.pdf Slides]) Andrew Case; Blackhat Vegas 2011.

Volatility Mailing List Threads on Support for Linux:
* http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143
* http://lists.volatilesystems.com/pipermail/vol-dev/2010-September/thread.html#112

[[Category:Memory Analysis]]

Latest revision as of 15:42, 13 November 2013
