Difference between pages "Upcoming events" and "Memory analysis"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Conferences)
 
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
'''Memory Analysis''' is the science of using a [[Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:
Events should be posted in the correct section, and in date order.  An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training).  When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
<i>Some conferences or training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming conferences and training events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
* [[Windows Memory Analysis]]
 +
* [[Linux Memory Analysis]]
  
This listing is divided into four sections (described as follows):<br>
+
== OS-Independent Analysis ==
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format (start anytime) or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
+
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations.  This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Name, Date(s), Location(s), URL) (''note: this has been moved to its own page.'')<br></li></ol>
+
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multimedia Sciences Section Listserv.
+
At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, [http://www.cc.gatech.edu/~brendan/Virtuoso_Oakland.pdf Virtuoso], that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
  
== Calls For Papers ==
+
== Encryption Keys ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! width="100"|Due Date
+
! width="200"|Website
+
|-
+
|6th Australian Digital Forensics Conference
+
|Oct 11, 2008
+
|http://scissec.scis.ecu.edu.au/conferences2008/callforpapers.php?cf=2
+
|-
+
|5th Annual IFIP WG 11.9 International Conference on Digital Forensics
+
|Oct 15, 2008
+
|http://www.ifip119.org/Conferences/WG11-9-CFP-2009.pdf
+
|-
+
|ShmooCon 2009
+
|Dec 01, 2008
+
|http://www.shmoocon.org/cfp.html
+
|-
+
|Security Opus
+
|Dec 01, 2008
+
|http://www.securityopus.com/SORpapers.php
+
|-
+
|3rd Edition of Small Scale Digital Device Forensics Journal
+
|Jan 31, 2009
+
|http://www.ssddfj.org/Call.asp
+
|-
+
|4rd International Workshop on Systematic Approaches to Digital Forensic Engineering
+
|Feb 01, 2009
+
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
|-
+
|Usenix Security 2009
+
|Feb. 4, 2009
+
|http://www.usenix.org/events/sec09/cfp
+
|-
+
|2009 ADFSL Conference on Digital Forensics, Security and Law
+
|Feb 20, 2009
+
|http://www.digitalforensics-conference.org/callforpapers.htm
+
|-
+
|DFRWS 2009
+
|Mar. 16, 2009
+
|http://www.dfrws.org/2009/cfp.shtml
+
|-
+
|ACM CCS 2009
+
|Sometime in April
+
|http://www.sigsac.org/ccs
+
|}
+
  
== Conferences ==
+
Various types of encryption keys can be extracted during memory analysis.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
* [[AESKeyFinder]] extracts 128-bit and 256-bit [[AES]] keys and [[RSAKeyFinder]] and private and public [[RSA]] keys from a memory dump [http://citp.princeton.edu/memory/code/].
|- style="background:#bfbfbf; font-weight: bold"
+
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan.py], which is a [[List of Volatility Plugins|plugin for the Volatility framework]], scans a memory image for [[TrueCrypt]] passphrases
! Title
+
! Date/Location
+
! Website
+
|-
+
|ANZFSS - 19th International Symposium on the Forensic Sciences
+
|Oct 06-09, Melbourne, Australia
+
|http://www.anzfss2008.org.au/
+
|-
+
|13th European Symposium on Research in Computer Security
+
|Oct 06-08, Malaga, Spain
+
|http://www.isac.uma.es/esorics08/
+
|-
+
|Economic and High Tech Crime Summit 2008
+
|Oct 07-08, Memphis, TN
+
|http://summit.nw3c.org/
+
|-
+
|3rd International Conference on Malicious and Unwanted Software
+
|Oct 07-08, Alexandria, VA
+
|http://isiom.wssrl.org/index.php?option=com_docman&task=cat_view&gid=45&Itemid=53
+
|-
+
|First Eurasian Congress of Forensic Sciences
+
|Oct 08-11, Istanbul, Turkey
+
|http://www.adlitip2008.com/indexen.asp
+
|-
+
|3nd International Annual Workshop on Digital Forensics & Incident Analysis
+
|Oct 09, Malaga, Spain
+
|http://www.icsd.aegean.gr/wdfia08/
+
|-
+
|Anti-Phishing Working Group eCrime Researchers Summit
+
|Oct 15-16, Atlanta, GA
+
|http://www.ecrimeresearch.org/
+
|-
+
|2008 HTCIA International Training Conference
+
|Oct 22-28, Atlantic City, NJ
+
|http://www.htcia.org/conference.shtml
+
|-
+
|2008 International Video Evidence Symposium and Training Conference
+
|Oct 22-24, Orlando, FL
+
|http://leva.org/index.php?option=com_content&task=view&id=56&Itemid=98
+
|-
+
|Hack in the Box Security Conference 2008
+
|Oct 27-30, Malaysia
+
|http://conference.hitb.org/hitbsecconf2008kl/
+
|-
+
|Chicago Con 2008f (Ethical Hacking Conference)
+
|Oct 31-01 Nov, Chicago, IL
+
|http://www.chicagocon.com/content/view/103/51/
+
|-
+
|Paraben Forensics Innovation Conference
+
|Nov 09-12, Park City, UT
+
|http://www.pfic2008.com/
+
|-
+
|DeepSec 2008
+
|Nov 11-14, Vienna, Austria
+
|https://deepsec.net/
+
|-
+
|Computer Security Institute Annual Conference 2008
+
|Nov 15-21, Washington, DC
+
|http://www.csiannual.com/conference/
+
|-
+
|6th Australian Digital Forensics Conference
+
|Dec 01-03, Mount Lawley, WA, Australia
+
|http://scissec.scis.ecu.edu.au/conferences2008/index.php?cf=2
+
|-
+
|Digital Forensics Forum Arabia 2008
+
|Dec 15-17, Manama, Bahrain
+
|http://dff-worldwide.com/index.php?page=dff-arabia-2008-conference&hl=en_US
+
|-
+
|e-Forensics 2009
+
|Jan 19-21, Adelaide, Australia
+
|http://www.e-forensics.eu/
+
|-
+
|2009 DoD Cyber Crime Conference
+
|Jan 24-30, St. Louis, MO
+
|http://www.dodcybercrime.com/
+
|-
+
|5th Annual IFIP WG 11.9 International Conference on Digital Forensics
+
|Jan 25-28, Orlando, FL
+
|http://www.ifip119.org/Conferences/
+
|-
+
|ShmooCon 2009
+
|Feb 06-08, Washington, DC
+
|http://www.shmoocon.org/
+
|-
+
|American Academy of Forensic Sciences Annual Meeting
+
|Feb 16-21, Denver, CO
+
|http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|24th Annual ACM Symposium on Applied Computing - Computer Forensics Track
+
|Mar 08-12, Honolulu, HI
+
|http://www.acm.org/conferences/sac/sac2009
+
|-
+
|ARES 2009 Conference
+
|Mar 16-19, Fukuoka, Japan
+
|http://www.ares-conference.eu/conf/
+
|-
+
|Security Opus
+
|Mar 17-18, San Francisco, CA
+
|http://www.securityopus.com
+
|-
+
|Fourth International Workshop on Systematic Approaches to Digital Forensic Engineering
+
|May 22, Oakland, CA
+
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
|-
+
|ADFSL 2009 Conference on Digital Forensics, Security and Law
+
|May 20-22, Burlington, VT
+
|http://www.digitalforensics-conference.org
+
|-
+
|2009 Techno Security Conference
+
|May 31-Jun 03, Myrtle Beach, SC
+
|http://www.techsec.com/index.html
+
|-
+
|Mobile Forensics World 2009
+
|Jun 03-06, Chicago, IL
+
|http://www.mobileforensicsworld.com
+
|-
+
|IEEE ICC Communication and Information Systems Security (CISS) Symposium
+
|Jun 14-18, Dresden, Germany
+
|http://www.ieee-icc.org/2009/
+
|-
+
|Digital Forensic Research Workshop
+
|Aug 17-19, Montreal, Quebec, Canada
+
|http://www.dfrws.org
+
|-
+
|Triennial Meeting of the European Academy of Forensic Science
+
|Sep 08-11, Glasgow, Scotland, UK
+
|http://www.eafs2009.com/
+
|-
+
|}
+
  
== On-going / Continuous Training ==
+
== See Also ==  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Date/Location or Venue
+
! Website
+
|-
+
| ----DISTANCE LEARNING----
+
|-
+
|Basic Computer Examiner Course - Computer Forensic Training Online
+
|Distance Learning Format
+
|http://www.cftco.com
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.crazytrain.com/training.html
+
|-
+
|SANS On-Demand Training
+
|Distance Learning Format
+
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
|-
+
| ----RECURRING TRAINING----
+
|-
+
|MaresWare Suite Training
+
|First full week every month, Atlanta, GA
+
|http://www.maresware.com/maresware/training/maresware.htm
+
|-
+
|Evidence Recovery for Windows Vista&trade;
+
|First full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2003 R2
+
|Second full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for the Windows XP&trade; operating system
+
|Third full week every month, Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
|Third weekend of every month (Fri-Mon), Dallas, TX
+
|http://www.md5group.com
+
|-
+
|}
+
  
==[[Scheduled Training Courses]]==
+
* [[Memory Imaging]]
 +
* [[:Tools:Memory Imaging|Memory Imaging Tools]]
 +
* [[:Tools:Memory Analysis|Memory Analysis Tools]]
 +
 
 +
== External Links ==
 +
=== Volatility Labs ===
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-11-logon-sessions-processes-and.html MoVP 1.1 Logon Sessions, Processes, and Images]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-12-window-stations-and-clipboard.html MoVP 1.2 Window Stations and Clipboard Malware]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-13-desktops-heaps-and-ransomware.html MoVP 1.3 Desktops, Heaps, and Ransomware]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-14-average-coder-rootkit-bash.html MoVP 1.4 Average Coder Rootkit, Bash History, and Elevated Processes]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs]
 +
 
 +
[[Category:Memory Analysis]]

Revision as of 07:21, 15 September 2012

Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:

OS-Independent Analysis

At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, Virtuoso, that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.

Encryption Keys

Various types of encryption keys can be extracted during memory analysis.

See Also

External Links

Volatility Labs