Difference between pages "Upcoming events" and "Rekall"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Calls For Papers)
 
m (Linux)
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
{{Infobox_Software |
Events should be posted in the correct section, and in date order.  An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training). When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
  name = Rekall |
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience. Such restrictions should be noted when known.</i>
+
  maintainer = [[Michael Cohen]] |
 +
  os = {{Cross-platform}} |
 +
  genre = {{Memory analysis}}, {{Memory imaging}} |
 +
  license = {{GPL}} |
 +
  website = [https://code.google.com/p/rekall/ code.google.com/p/rekall/] |
 +
}}
  
This is a BY DATE listing of upcoming events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
Rekall is the stand-alone continuation of the [[Volatility]] Technology Preview (TP) version, aka the scudette branch.
  
This listing is divided into four sections (described as follows):<br>
+
One of Rekalls goals is to provide better integration with [[GRR]] by improved modularity of the framework and having memory acquisition capability.[http://docs.rekall.googlecode.com/git/overview.html#_history]
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format (start anytime) or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
+
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations.  This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Provider, URL) (''note: this has been moved to its own page.'')<br></li></ol>
+
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multimedia Sciences Section Listserv. 
+
== Memory acquisition drivers ==
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
  
== Calls For Papers ==
+
The drivers can be found under:
Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.
+
<pre>
 +
rekall/tools/linux
 +
rekall/tools/osx
 +
rekall/tools/windows
 +
</pre>
  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
=== Linux ===
|- style="background:#bfbfbf; font-weight: bold"
+
In rekall RC11 the advanced Linux acquisition tool (LMAP) was added. lmap allows to inject the pmem functionality into existing kernel modules to bypass having to build a pmem kernel module for every different kernel version. See the corresponding DFRWS EU 2014 paper for more information about LMAP.
! width="30%|Title
+
! width="15%"|Due Date
+
! width="15%"|Notification Date
+
! width="40%"|Website
+
|-
+
|ACM Cloud Computing Security Workshop (CCSW)
+
|Jun 19, 2009
+
|Aug 16, 2009
+
|http://crypto.cs.stonybrook.edu/ccsw09/ccsw.2009.cfp.pdf
+
|-
+
|American Academy of Forensic Sciences 2010 Annual Meeting
+
|Aug 01, 2009
+
|Nov, 2009
+
|http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|IEEE Symposium on Security and Privacy 2010
+
|Nov 2009
+
|
+
|-
+
|ShmooCon 2010
+
|Dec 2009
+
|Jan 2010
+
|http://www.shmoocon.org/cfp.html
+
|-
+
|AusCERT Conference 2010
+
|Dec 2009
+
|Jan 2010
+
|http://conference.auscert.org.au/conf2010/cfp2010.html
+
|-
+
  
|}
+
To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into this directory and run make:
 +
<pre>
 +
cd rekall/tools/linux/
 +
make
 +
</pre>
  
== Conferences ==
+
The acquisition driver is named pmem.ko.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="20%"|Date/Location
+
! width="40%"|Website
+
|-
+
|AusCERT2009
+
|May 17-22<br>Gold Coast, Australia
+
|http://conference.auscert.org.au/conf2009/
+
|-
+
|Computer Security Institute: Security Exchange
+
|May 17-22<br>Las Vegas, NV
+
|http://www.csisx.com/
+
|-
+
|IEEE Symposium on Security & Privacy
+
|May 17-20<br>Oakland, CA
+
|http://oakland09.cs.virginia.edu/
+
|-
+
|ADFSL 2009 Conference on Digital Forensics, Security and Law
+
|May 20-22<br>Burlington, VT
+
|http://www.digitalforensics-conference.org
+
|-
+
|Fourth International Workshop on Systematic Approaches to Digital Forensic Engineering
+
|May 21<br>Oakland, CA
+
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
|-
+
|LayerOne 2009 Security Conference
+
|May 23-24<br>Anaheim, CA
+
|http://layerone.info/
+
|-
+
|Mobile Forensics World 2009
+
|May 26-30<br>Chicago, IL
+
|http://www.mobileforensicsworld.com
+
|-
+
|EUSecWest 2009
+
|May 27-28<br>London, U.K.
+
|http://eusecwest.com
+
|-
+
|2009 Techno Security Conference
+
|May 31-Jun 03<br>Myrtle Beach, SC
+
|http://www.techsec.com/html/Techno2009.html
+
|-
+
|USENIX 2009
+
|Jun 14-19<br>San Diego, CA
+
|http://www.usenix.org/events/usenix09/
+
|-
+
|IEEE ICC Communication and Information Systems Security (CISS) Symposium
+
|Jun 14-18<br>Dresden, Germany
+
|http://www.ieee-icc.org/2009/
+
|-
+
|1st International Workshop on Managing Insider Security Threats
+
|Jun 15-19<br>Purdue University, IN
+
|http://isyou.hosting.paran.com/mist09/
+
|-
+
|SANS SANSFIRE 2009
+
|Jun 13-22<br>Baltimore, MD
+
|http://www.sans.org/sansfire09/
+
|-
+
|1st Workshop on Internet Multimedia Search and Mining (IMSM'09)
+
|Jul 03<br>Cancun, Mexico
+
|http://research.microsoft.com/en-us/um/people/xshua/imsm/index.html
+
|-
+
|ACM Northeast Digital Forensics Exchange
+
|Jul 20-21<br>John Jay College of Criminal Justice/CUNY, NY, NY
+
|http://www.nefx.org/
+
|-
+
|Blackhat USA 2009
+
|Jul 25-30<br>Las Vegas, NV
+
|https://www.blackhat.com/
+
|-
+
|DefCon 17
+
|Jul 31-Aug 02<br>Las Vegas, NV
+
|http://www.defcon.org/
+
|-
+
|Usenix Security Sypmosium
+
|Aug 10-14<br>Montreal, Quebec, Canada
+
|http://www.usenix.org/events/sec09/
+
|-
+
|3rd International Workshop on Computational Forensics
+
|Aug 13-14<br>The Hague, The Netherlands
+
|http://iwcf09.arsforensica.org/
+
|-
+
|Digital Forensic Research Workshop
+
|Aug 17-19<br>Montreal, Quebec, Canada
+
|http://www.dfrws.org
+
|-
+
|International Workshop on Leveraging Social Patterns for Security, Privacy and Network Architectures
+
|Aug 29-31<br>Vancouver, British Columbia, Canada
+
|http://sp4spna.media.mit.edu
+
|-
+
|Triennial Meeting of the European Academy of Forensic Science
+
|Sep 08-11<br>Glasgow, Scotland, UK
+
|http://www.eafs2009.com/
+
|-
+
|New Security Paradigms Workshop (NSPW)
+
|Sep 08-11<br>University of Oxford, UK
+
|http://www.nspw.org/current/
+
|-
+
|International Conference on IT Security Incident Management & IT Forensics
+
|Sep 15-17<br>Stuttgart, Germany
+
|http://imf-conference.org/
+
|-
+
|Hacker Halted USA 2009
+
|Sep 20-24<br>Miami, FL
+
|http://www.hackerhalted.com
+
|-
+
|VB2009 - Fighting malware and spam
+
|Sep 23-25<br>Geneva, Switzerland
+
|http://www.virusbtn.com/conference/vb2009/
+
|-
+
|-
+
|Recent Advances in Intrusion Detection (RAID) International Symposium
+
|Sep 23-25<br>Saint-Malo, Brittany, France
+
|http://www.rennes.supelec.fr/RAID2009/index.html
+
|-
+
|International ICST Conference on Digital Forensics & Cyber Crime (ICDF2C)
+
|Sep 30 - October 02<br>Albany, NY
+
|http://www.d-forensics.org/
+
|-
+
|Techno Forensics & Digital Investigations Conference
+
|Oct 26-28<br>Gaithersburg, MD
+
|http://www.techsec.com/html/TechnoForensics2009.html
+
|-
+
|USENIX Large Installation System Administration Conference (LISA)
+
|Nov 01-06<br>Baltimore, MD
+
|http://www.usenix.org/events/lisa09/
+
|-
+
|16th ACM Conference on Computer and Communications Security
+
|Nov 09-13<br>Chicago, IL
+
|http://www.sigsac.org/ccs/CCS2009/index.shtml
+
|-
+
|ACM Cloud Computing Security Workshop
+
|Nov 13<br>Chicago, IL
+
|http://crypto.cs.stonybrook.edu/ccsw09/
+
|-
+
|First IEEE Workshop on Information Forensics and Security
+
|Dec 06-09<br>London, England
+
|http://www.wifs09.org/
+
|-
+
|DoD Cyber Crime Conference
+
|Jan 22-29<br>St. Louis, MO
+
|http://www.dodcybercrime.com/10CC/
+
|-
+
|American Academy of Forensic Sciences Annual Meeting
+
|Feb. 22-27<br>Seattle, WA
+
|http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|VB2010 Fighting malware and spam
+
|Sep 29 - Oct 01<br>Vancouver, BC, Canada
+
|http://www.virusbtn.com/conference/vb2010/
+
|-
+
|}
+
  
== On-going / Continuous Training ==
+
To load the driver:
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
<pre>
|- style="background:#bfbfbf; font-weight: bold"
+
sudo insmod pmem.ko
! width="40%"|Title
+
</pre>
! width="20%"|Date/Location
+
! width="40%"|Website
+
|-
+
|- style="background:pink;align:left"
+
! DISTANCE LEARNING
+
|-
+
|Basic Computer Examiner Course - Computer Forensic Training Online
+
|Distance Learning Format
+
|http://www.cftco.com
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.crazytrain.com/training.html
+
|-
+
|SANS On-Demand Training
+
|Distance Learning Format
+
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
|-
+
|Champlain College - CCE Course
+
|Online / Distance Learning Format
+
|http://extra.champlain.edu/cps/wdc/alliances/cce/landing/
+
|-
+
|Las Positas College
+
|Online Computer Forensics Courses
+
|http://www.laspositascollege.edu
+
|-
+
|- style="background:pink;align:left"
+
!RECURRING TRAINING
+
|-
+
|MaresWare Suite Training
+
|First full week every month<br>Atlanta, GA
+
|http://www.maresware.com/maresware/training/maresware.htm
+
|-
+
|Evidence Recovery for Windows Vista&trade;
+
|First full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2003 R2
+
|Second full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for the Windows XP&trade; operating system
+
|Third full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
|Third weekend of every month(Fri-Mon)<br>Dallas, TX
+
|http://www.md5group.com
+
|-
+
|}
+
  
==See Also==
+
To check if the driver is running:
* [[Scheduled Training Courses]]
+
<pre>
==References==
+
sudo lsmod
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
+
</pre>
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
+
 
* http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]
+
The driver create a device file named:
 +
<pre>
 +
/dev/pmem
 +
</pre>
 +
 
 +
To unload the driver:
 +
<pre>
 +
sudo rmmod pmem
 +
</pre>
 +
 
 +
To read acquire the memory just read from the device file. e.g.
 +
<pre>
 +
dd if=/dev/pmem of=image.raw
 +
</pre>
 +
 
 +
For more information see:
 +
<pre>
 +
rekall/tools/linux/README
 +
</pre>
 +
 
 +
=== Mac OS X ===
 +
 
 +
For more information see:
 +
<pre>
 +
rekall/tools/osx/OSXPMem/README
 +
</pre>
 +
 
 +
=== Windows ===
 +
Since recent versions of Windows require a signed driver rekall comes with both pre-built (signed binary) and source versions of the driver.
 +
 
 +
Both the i386 and amd64 binary version of the driver can be found in the directory:
 +
<pre>
 +
rekall/tools/windows/winpmem/binaries
 +
</pre>
 +
 
 +
E.g.
 +
<pre>
 +
rekall/tools/winpmem/binaries/amd64/winpmem.sys
 +
</pre>
 +
 
 +
A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:
 +
<pre>
 +
rekall/tools/winpmem/executables/Release/
 +
</pre>
 +
 
 +
To load the driver:
 +
<pre>
 +
winpmem.exe -l
 +
</pre>
 +
 
 +
The device filename is (This can not be changed without recompiling):
 +
<pre>
 +
\\.\pmem
 +
</pre>
 +
 
 +
Note that running dd directly on this device file can crash the machine.
 +
Use the winpmem.exe tool instead because it handles protected memory regions.
 +
 
 +
To read and acquire the physical memory and write it to image.raw:
 +
<pre>
 +
winpmem.exe image.raw
 +
</pre>
 +
 
 +
To unload the driver:
 +
<pre>
 +
winpmem.exe -u
 +
</pre>
 +
 
 +
For more information see:
 +
<pre>
 +
rekall/tools/windows/README
 +
</pre>
 +
 
 +
== See Also ==
 +
* [[Memory analysis]]
 +
* [[Memory Imaging]]
 +
* [[Volatility]]
 +
 
 +
== External Links ==
 +
* [https://code.google.com/p/rekall/ Project site]
 +
* [http://docs.rekall.googlecode.com/git/index.html Project documentation]
 +
* [http://rekall-forensic.blogspot.com/ Rekall Memory Forensics blog]
 +
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2013.html Anti-forensic resilient memory acquisition]] by [[Johannes Stüttgena]] [[Michael Cohen]], August 2013
 +
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], [[Johannes Stüttgena]] [[Michael Cohen]], May 2014

Revision as of 04:33, 25 June 2014

Rekall
Maintainer: Michael Cohen
OS: Cross-platform
Genre: Memory Analysis,Memory Imaging
License: GPL
Website: code.google.com/p/rekall/

Rekall is the stand-alone continuation of the Volatility Technology Preview (TP) version, aka the scudette branch.

One of Rekalls goals is to provide better integration with GRR by improved modularity of the framework and having memory acquisition capability.[1]

Memory acquisition drivers

The drivers can be found under:

rekall/tools/linux
rekall/tools/osx
rekall/tools/windows

Linux

In rekall RC11 the advanced Linux acquisition tool (LMAP) was added. lmap allows to inject the pmem functionality into existing kernel modules to bypass having to build a pmem kernel module for every different kernel version. See the corresponding DFRWS EU 2014 paper for more information about LMAP.

To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into this directory and run make:

cd rekall/tools/linux/
make

The acquisition driver is named pmem.ko.

To load the driver:

sudo insmod pmem.ko

To check if the driver is running:

sudo lsmod

The driver create a device file named:

/dev/pmem

To unload the driver:

sudo rmmod pmem

To read acquire the memory just read from the device file. e.g.

dd if=/dev/pmem of=image.raw

For more information see:

rekall/tools/linux/README

Mac OS X

For more information see:

rekall/tools/osx/OSXPMem/README

Windows

Since recent versions of Windows require a signed driver rekall comes with both pre-built (signed binary) and source versions of the driver.

Both the i386 and amd64 binary version of the driver can be found in the directory:

rekall/tools/windows/winpmem/binaries

E.g.

rekall/tools/winpmem/binaries/amd64/winpmem.sys

A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:

rekall/tools/winpmem/executables/Release/

To load the driver:

winpmem.exe -l

The device filename is (This can not be changed without recompiling):

\\.\pmem

Note that running dd directly on this device file can crash the machine. Use the winpmem.exe tool instead because it handles protected memory regions.

To read and acquire the physical memory and write it to image.raw:

winpmem.exe image.raw

To unload the driver:

winpmem.exe -u 

For more information see:

rekall/tools/windows/README

See Also

External Links