Difference between pages "Upcoming events" and "Memory analysis"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(Volatility Labs)
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
'''Memory Analysis''' is the science of using a [[Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:
Events should be posted in the correct section, and in date order.  An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training).  When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
<i>Some conferences or training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming conferences and training events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
* [[Windows Memory Analysis]]
 +
* [[Linux Memory Analysis]]
  
This listing is divided into four sections (described as follows):<br>
+
== OS-Independent Analysis ==
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
+
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations.  This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Name, Date(s), Location(s), URL) (''note: this has been moved to its own page.'')<br></li></ol>
+
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
+
At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, [http://www.cc.gatech.edu/~brendan/Virtuoso_Oakland.pdf Virtuoso], that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
  
== Calls For Papers ==
+
== Encryption Keys ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Title
+
! Due Date
+
! Website
+
|-
+
|HTCIA/ASIS High Technology Crime Conference
+
|Dec 31, 2007
+
|http://htciatraining.org/papers.asp
+
|-
+
|International Association of Forensic Science Annual Meeting
+
|Jan 01, 2008
+
|http://www.iafs2008.com/abstracts/intro.asp
+
|-
+
|Black Hat D.C. 2008 Briefings
+
|Jan 04, 2008
+
|https://cfp.blackhat.com/
+
|-
+
|Usenix Annual Technical Conference
+
|Jan 07, 2008 (11:59PM PST)
+
|http://www.usenix.com/events/usenix08/cfp/
+
|-
+
|6th International Conference on Applied Cryptography and Network Security
+
|Jan 14, 2008 (11:59PM EST)
+
|http://acns2008.cs.columbia.edu/cfp.html
+
|-
+
|ADFSL 2008 Conference on Digital Forensics, Security and Law
+
|Jan 15, 2008 (11:59PM EST)
+
|http://www.digitalforensics-conference.org/callforpapers.htm
+
|-
+
|17th USENIX Security Symposium
+
|Jan 30, 2008 (11:59 PM PST)
+
|http://www.usenix.org/sec08/cfp/
+
|-
+
|JDFSL - Special Issue on Security Issues in Online Communities
+
|Jan 31, 2008
+
|http://www.jdfsl.org/cfp-special-issue.htm
+
|-
+
|Black Hat Europe 2008 Briefings
+
|Feb 01, 2008
+
|https://cfp.blackhat.com/
+
|-
+
|IEEE/SADFE-2008
+
|Feb 01, 2008
+
|http://conf.ncku.edu.tw/sadfe/sadfe08/cfp.html
+
|-
+
|Black Hat USA 2008 Briefings
+
|OPEN ON Feb 01, 2008
+
|https://cfp.blackhat.com/
+
|-
+
|Techno-Security 2008
+
|May 04, 2008
+
|http://www.techsec.com/html/TechnoPapers.html
+
|-
+
|Digital Forensic Research Workshop (DFRWS) 2008
+
|Mar 17, 2008
+
|http://www.dfrws.org/2008/cfp.shtml
+
|-
+
|Black Hat Japan 2008 Briefings
+
|OPEN ON May 01, 2008
+
|https://cfp.blackhat.com/
+
|-
+
|}
+
  
== Conferences ==
+
Various types of encryption keys can be extracted during memory analysis.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
* [[AESKeyFinder]] extracts 128-bit and 256-bit [[AES]] keys and [[RSAKeyFinder]] and private and public [[RSA]] keys from a memory dump [http://citp.princeton.edu/memory/code/].
|- style="background:#bfbfbf; font-weight: bold"
+
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan.py], which is a [[List of Volatility Plugins|plugin for the Volatility framework]], scans a memory image for [[TrueCrypt]] passphrases
! Title
+
! Date/Location
+
! Website
+
|-
+
|SANS Security 2008
+
|Jan 11-19, New Orleans, LA
+
|http://www.sans.org/security08/
+
|-
+
|DoD Cyber Crime Conference 2008
+
|Jan 13-18, St. Louis, MO
+
|http://www.dodcybercrime.com/
+
|-
+
|e-Forensics 2008
+
|Jan 21-23, Adelaide, SA, Australia
+
|http://www.e-forensics.eu
+
|-
+
|4th Annual IFIP WG 11.9 International Conference on Digital Forensics
+
|Jan 27-30, Kyoto, Japan
+
|http://www.ifip119-kyoto.org/doku.php
+
|-
+
|ShmooCon
+
|Feb 15-17, Washington, DC
+
|http://www.shmoocon.org/
+
|-
+
|AAFS Annual Meeting 2008
+
|Feb 18-23, Washington, DC
+
|http://aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|Blackhat DC 2008 Briefings & Training
+
|Feb 18-21, Washington, DC
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|International Workshop on Digital Forensics (WSDF’08) in Conjunction with ARES 2008
+
|Mar 04–07, Polytechnic University of Catalonia, Barcelona, Spain
+
|http://www.ares-conference.eu/conf/index.php?option=com_content&task=view&id=45
+
|-
+
|CanSecWest Security Conference 2008
+
|Mar 19-21, Vanouver, BC, Canada
+
|http://cansecwest.com/
+
|-
+
|Blackhat Europe 2008 Briefings & Training
+
|Mar 25-28, Amsterdam, Netherlands
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|ADFSL 2008 Conference on Digital Forensics, Security and Law
+
|Apr 23-25, Oklahoma City, OK
+
|http://www.digitalforensics-conference.org
+
|-
+
|Microsoft Law Enforcement Tech Conference 2008
+
|Apr 28-30, Redmond, Washington
+
|-
+
|HTCIA/ASIS High Technology Crime Conference
+
|May 06-08, San Francisco, CA
+
|http://htciatraining.org/general_info.asp
+
|-
+
|EuSecWest Security Conference 2008
+
|May 21-22, London, England
+
|http://eusecwest.com/
+
|-
+
|Techno-Security 2008
+
|Jun 01-04, Myrtle Beach, SC
+
|http://www.techsec.com/html/Techno2008.html
+
|-
+
|6th International Conference on Applied Cryptography and Network Security
+
|Jun 03-06, Columbia University, New York City, NY
+
|http://acns2008.cs.columbia.edu/
+
|-
+
|Usenix Annual Technical Conference
+
|Jun 22-27, Boston, MA
+
|http://www.usenix.com/events/usenix08/
+
|-
+
|International Association of Forensic Sciences Annual Meeting
+
|Jul 21-26, New Orleans, LA
+
|http://www.iafs2008.com/
+
|-
+
|17th USENIX Security Symposium
+
|Jul 28-Aug 01, San Jose, CA
+
|http://www.usenix.org/events/sec08/
+
|-
+
|Blackhat USA 2008 Briefings & Training
+
|Aug 02-07, Las Vegas, NV
+
|http://www.blackhat.com/html/bh-link/briefings.html
+
|-
+
|Defcon 16
+
|Aug 08-10, Las Vegas, NV
+
|http://www.defcon.org
+
|-
+
|Digital Forensic Research Workshop
+
|Aug 11-13, Baltimore, MD
+
|http://www.dfrws.org
+
|-
+
|}
+
  
== On-going / Continuous Training ==
+
== See Also ==  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
* [[Memory Imaging]]
! Title
+
* [[:Tools:Memory Imaging|Memory Imaging Tools]]
! Date/Location or Venue
+
* [[:Tools:Memory Analysis|Memory Analysis Tools]]
! Website
+
 
|-
+
== External Links ==
|Basic Computer Examiner Course - Computer Forensic Training Online
+
* [http://belkasoft.com/download/info/Live_RAM_Analysis_in_Digital_Forensics.pdf Discovering ephemeral evidence with Live RAM analysis] by Oleg Afonin and Yuri Gubanov, 2013
|Distance Learning Format
+
* [http://cryptome.org/0003/RAMisKey.pdf RAM is Key - Extracting Disk Encryption Keys From Volatile Memory], by [[Brian Kaplan]], May 2007
|http://www.cftco.com
+
* [https://docs.google.com/presentation/d/1KsZGF6cQ-N8ngABFGCZf8pTQQ5CZ19VoAHq5cO5ZPdE/edit Memory Forensics With Volatility (Technology Preview)], by [[Michael Cohen]], October 2012
|-
+
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-11.pdf An Evaluation Platform for Forensic Memory Acquisition Software] by Stefan Voemel and Johannes Stuettgen, DFRWS 2013
|Linux Data Forensics Training
+
 
|Distance Learning Format
+
=== Computer architecture ===
|http://www.crazytrain.com/training.html
+
* [http://en.wikipedia.org/wiki/64-bit_computing Wikipedia: 64-bit computing]
|-
+
* [http://www.unix.org/version2/whatsnew/lp64_wp.html 64-Bit Programming Models: Why LP64?], The Open Group, 1997
|SANS On-Demand Training
+
 
|Distance Learning Format
+
=== [http://volatility-labs.blogspot.com/ Volatility Labs] ===
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
* [http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html MoVP 1.1 Logon Sessions, Processes, and Images]
|-
+
* [http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html MoVP 1.2 Window Stations and Clipboard Malware]
|MaresWare Suite Training
+
* [http://volatility-labs.blogspot.com/2012/09/movp-13-desktops-heaps-and-ransomware.html MoVP 1.3 Desktops, Heaps, and Ransomware]
|First full week every month, Atlanta, GA
+
* [http://volatility-labs.blogspot.com/2012/09/movp-14-average-coder-rootkit-bash.html MoVP 1.4 Average Coder Rootkit, Bash History, and Elevated Processes]
|http://www.maresware.com/maresware/training/maresware.htm
+
* [http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs]
|-
+
* [http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html MoVP 2.1 Atoms (The New Mutex), Classes and DLL Injection]
|Evidence Recovery for Windows Vista&trade;
+
* [http://volatility-labs.blogspot.com/2012/09/movp-22-malware-in-your-windows.html MoVP 2.2 Malware In Your Windows]
|First full week every month, Brunswick, GA
+
* [http://volatility-labs.blogspot.com/2012/09/movp-23-event-logs-and-service-sids.html MoVP 2.3 Event Logs and Service SIDs]
|http://www.internetcrimes.net
+
* [http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx-rootkit-and.html MoVP 2.4 Analyzing the Jynx rootkit and LD_PRELOAD]
|-
+
* [http://volatility-labs.blogspot.com/2012/09/movp-25-investigating-in-memory-network.html MoVP 2.5: Investigating In-Memory Network Data with Volatility]
|Evidence Recovery for Windows Server&reg; 2003 R2
+
* [http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem]
|Second full week every month, Brunswick, GA
+
* [http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html HowTo: Scan for Internet Cache/History and URLs]
|http://www.internetcrimes.net
+
* [http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes]
|-
+
* [http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html MoVP 3.3 Analyzing USER Handles and the Win32k.sys Gahti]
|Evidence Recovery for the Windows XP&trade; operating system
+
* [http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html MoVP 3.4: Recovering tagCLIPDATA: What's In Your Clipboard?]
|Third full week every month, Brunswick, GA
+
* [http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html MoVP 3.5: Analyzing the 2008 DFRWS Challenge with Volatility]
|http://www.internetcrimes.net
+
* [http://volatility-labs.blogspot.com/2012/10/movp-41-detecting-malware-with-gdi.html MoVP 4.1 Detecting Malware with GDI Timers and Callbacks]
|-
+
* [http://volatility-labs.blogspot.com/2012/10/movp-43-taking-screenshots-from-memory.html MoVP 4.2 Taking Screenshots from Memory Dumps]
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
* [http://volatility-labs.blogspot.com/2012/10/movp-43-recovering-master-boot-records.html MoVP 4.3 Recovering Master Boot Records (MBRs) from Memory]
|Third weekend of every month (Fri-Mon), Dallas, TX
+
* [http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-around.html MoVP 4.4 Cache Rules Everything Around Me(mory)]
|http://www.md5group.com
+
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-malware-in-windows-gui.html OMFW 2012: Malware In the Windows GUI Subsystem]
|-
+
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-and-mft.html OMFW 2012: Reconstructing the MBR and MFT from Memory]
|}
+
* [http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit]
==[[Scheduled Training Courses]]==
+
* [http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensics.html Solving the GrrCon Network Forensics Challenge with Volatility]
|-
+
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-analyzing-linux-kernel.html OMFW 2012: Analyzing Linux Kernel Rootkits with Volatility]
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-datalore-android-memory.html OMFW 2012: Datalore: Android Memory Analysis]
|January 17, 18, 19, 20  (Fri, Sat, Sun, Mon), Dallas, TX
+
* [http://volatility-labs.blogspot.com/2012/10/movp-for-volatility-22-and-omfw-2012.html MoVP for Volatility 2.2 and OMFW 2012 Wrap-Up]
All equipment and software supplied in our lab environment.
+
* [http://volatility-labs.blogspot.com/2012/10/reverse-engineering-poison-ivys.html Reverse Engineering Poison Ivy's Injected Code Fragments]
|http://www.md5group.com
+
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-analysis-of-process-token.html OMFW 2012: The Analysis of Process Token Privileges]
|-
+
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-mining-pfn-database-for.html OMFW 2012: Mining the PFN Database for Malware Artifacts]
|}
+
* [http://volatility-labs.blogspot.com/2014/01/truecrypt-master-key-extraction-and.html TrueCrypt Master Key Extraction And Volume Identification], by [[Michael Hale Ligh]], January 14, 2014
|-
+
 
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
=== Volatility Videos ===
|February 15, 16, 17, 18  (Fri, Sat, Sun, Mon), Dallas, TX
+
* [http://sketchymoose.blogspot.com/2011/10/set-up-to-more-memory-forensics.html Set Up to More Memory Forensics!], October 2011
All equipment and software supplied in our lab environment.
+
* [http://www.youtube.com/watch?v=8HsZLge0wWc Using Volatility: Suspicious Process (1/2)]
|http://www.md5group.com
+
* [http://www.youtube.com/watch?v=XTZPNk-Esok Using Volatility: Suspicious Process (2/2)]
|-
+
 
|}
+
=== WinDBG ===
|-
+
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html Getting Started with WinDBG - Part 1], by Brad Antoniewicz, December 17, 2013
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-2.html Getting Started with WinDBG - Part 2], by Brad Antoniewicz, December 24, 2013
|March 14, 15, 16, 17 (Fri, Sat, Sun, Mon), Dallas, TX
+
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-3.html Getting Started with WinDBG - Part 3], by Brad Antoniewicz, December 31, 2013
All equipment and software supplied in our lab environment.
+
 
|http://www.md5group.com
+
[[Category:Memory Analysis]]
|-
+
|}
+

Revision as of 16:01, 14 January 2014

Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:

OS-Independent Analysis

At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, Virtuoso, that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.

Encryption Keys

Various types of encryption keys can be extracted during memory analysis.

See Also

External Links

Computer architecture

Volatility Labs

Volatility Videos

WinDBG