Wednesday, August 21, 2013

Results are in for the 1st Annual Volatility Framework Plugin Contest!

We are excited to announce the results of the 1st Annual Volatility Plugin Contest. We were pleasantly surprised with 8 submissions to the contest. Each submission provides an exciting new capability to the memory analysis community or demonstrates the power of Volatility to solve a variety of real world problems. The submissions included everything from new plugins to new address spaces and operating system plugins to application plugins.  We also had submissions for Linux, Windows, and OS X. It's great to see so many people giving back to the memory analysis community and taking this opportunity to do pioneering research in such an exciting field.

Given the number of deserving submissions we received, the judging took a little longer than we originally anticipated. We wanted to make sure that we were able to thoroughly test and verify each submission. We would like to thank all the participants for their submissions. A number of these submissions will be highlighted in upcoming blog posts and at OMFW 2013!

The winners of the 1st Annual Volatility Framework Plugin Contest are:
  1. Mariano Graziano from EURECOM with Actaeon, Intel VT-x introspection.
  2. Cem Gurkok with OS X rootkit detection and Window's security auditing plugins.
  3. Jeff Bryner with the Facebook and Twitter artifact extraction.
  4. Carl Pulley with a plugin to find the nearest function/method within a symbol table & Edwin Smulders with his Linux process information, stack analysis, and syscall register plugins [Note: Carl and Edwin tied for 4th place, this is not a joint submission]
  5. Jamaal Speights with extracting networking packets from memory samples.
Honorable Mention: Jeremy Jones from Delphix with a plugin to convert VMware suspended state to Illumos debug format

1st Place 


Mariano Graziano from EURECOM with Actaeon, Intel VT-x introspection.
Description:
This submission enables memory forensics of guest operating systems in virtualization environments using Intel VT-x technology. This includes the ability to locate memory resident hypervisors and nested virtualization.  It's current implementation enables virtual machine instrospection of 32-bit Windows guests. It was tested with KVM, Xen, VMware Workstation, VirtualBox and HyperDbg.
Download Link:
downloads.volatilityfoundation.org/contest/2013/MarianoGraziano_Actaeon.zip
Related Links:
http://www.s3.eurecom.fr/tools/actaeon/
https://github.com/eurecom-s3/actaeon
http://www.s3.eurecom.fr/docs/raid13_graziano.pdf
Author's Twitter: @emd3l

2nd Place 


Cem Gurkok with the Window's security permission plugin
Description:
This plugin displays the security permission information for files, processes, services, tokens, threads, devices, and registry keys. The information includes DACLs, SACLs (Discretionary/System access control lists), object integrity level, and object ownership. Security permission information is obtained from the object’s security descriptor. This plugin can help administrators proactively assess the security of their systems and can also help determine possible "holes" that led to successful privilege escalation attacks. This plugin dumps verbose information that you can categorize and filter for your needs, and it also supports all major 32-bit and 64-bit Windows operating systems.
Download Link:
downloads.volatilityfoundation.org/contest/2013/CemGurkok_WindowsSecurity.zip
Author's Twitter: @CGurkok

Cem Gurkok with the OS X rootkit detection plugins
Description:
This submission provides detection capabilities for a number of rootkit hooking techniques within 64 bit OS X:
  • Direct syscall table modification
  • Syscall function inlining (ie DTrace hooks)
  • Patching the syscall handler (ie, shadow sycall table)
  • Hooked functions in kernel/kext symbol tables
  • Modified IDT descriptors
  • Modified IDT handlers
There is published research and example rootkits that are leveraging the exact hooking techniques detected by this plugin, and the addition of the plugin into the core framework will greatly enhance Volatility's Mac rootkit detection capabilities.
Download Link:
downloads.volatilityfoundation.org/contest/2013/CemGurkok_OSXDetect.zip
Related Links:
http://siliconblade.blogspot.com/2013/07/idt-hooks-and-detecting-them-in-osx.html
http://siliconblade.blogspot.com/2013/07/back-to-defense-finding-hooks-in-os-x.html
http://siliconblade.blogspot.com/2013/07/offensive-volatility-messing-with-os-x.html
http://siliconblade.blogspot.com/2013/05/checkdtrace-volatility-plugin-arises.html
Author's Twitter: @CGurkok

3rd Place 


Jeff Bryner with the Facebook and Twitter artifact extraction
Description:
This submission provides plugins for carving Twitter and Facebook artifacts from a process' address space.  This is accomplished by scanning the address space for the json/html structures that are used by the social media applications.  Examples of information extracted include: Twitter direct messages, identifying user information, Facebook direct messages, etc.
Download Link:
downloads.volatilityfoundation.org/contest/2013/JeffBryner_FacebookTwitter.zip
Related Links:
https://github.com/jeffbryner/volatilityPlugins
http://www.youtube.com/watch?v=K_gBpdK936o
Author's Twitter: @0x7eff

4th Place (tie)


Carl Pulley with a plugin to find the nearest function/method within a symbol table.

Description:
This submission demonstrates the usefulness of being able to dynamically extract Window's symbol information.  It includes a plugin that will automatically extract symbol information from PDB files associated with memory resident modules.   The submission also includes a "profile modification" that creates a new member of the _EPROCESS object, which facilitates "nearest symbol" lookups of addresses. This can be very useful when investigating unknown pointers or the control flow history of a corrupted execution stack.
Download Link:
downloads.volatilityfoundation.org/contest/2013/CarlPulley_Symbols.zip
Related Links:
https://github.com/carlpulley/volatility/blob/master/symbols.py
https://code.google.com/p/pdbparse/issues/detail?id=13
Author's Githubhttps://github.com/carlpulley

Edwin Smulders with his Linux process information, stack analysis, and syscall register plugins
Description:
This submission provides plugins for extracting information from x86_64 Linux memory samples. They provide extensive insight into the state of the system at the time of the memory samples. Examples of the extracted information include:
  • Detailed process information
  • Networking data structures
  • Detailed analysis and annotation of the execution stacks
  • System call context
Download Link:
downloads.volatilityfoundation.org/contest/2013/EdwinSmulders_Symbols.zip
Related Links:
https://github.com/Dutchy-/volatility-plugins
Author's Twitter: @0x445554434859

5th Place 


Jamaal Speights with a plugin that extracts networking packets from memory samples.
Description:
The ethscan plugin provides the ability to recover Ethernet frames from memory samples. It provides extraction support for both IPV4 and IPV6. It also provides the option to extract the frame data to either binary files or to a pcap file. It should work against any binary file (not just memory dumps).
Download Link:
downloads.volatilityfoundation.org/contest/2013/JamaalSpeights_Network.zip
Related Links:
https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/ethscan.py
Author's Twitter: @jamaalspeights

Honorable Mention


Jeremy Jones from Delphix with a plugin to convert VMware suspended state to Illumos debug format
Description:
This submission includes a plugin that converts a VMware suspended state file (.vmss) into a format supported by Illumos debugging tools (mdb, adb, etc.). It was tested on an OpenIndiana VM, which it converted successfully and whose files worked well when anaylzed with mdb. This plugin was created to solve a real world system administration challenge of collecting a crash dump from a system that was hanging during the boot process. It demonstrates the power of memory analysis beyond just forensics and security.
Download Link:
downloads.volatilityfoundation.org/contest/2013/JeremyJones_Illumos.zip


The Volatility Foundation would like to thank everyone who participated in this year's contest. Memory analysis is one of the most exciting and important fields in information security and digital forensics. It requires a deep technical skill set and an investigative mindset that are often rare to find. The participants in the plugin contest were not only competing for prizes but they were also contributing pioneering research that will help shape the future of the field. While this page highlighted research that was officially submitted to the contest, there were also a few other efforts worth mentioning: a new Xen address space written by Nehal Bandi from Citrix Systems and patches to mftparser and timeliner that facilitate including memory artifacts into Plaso and log2timeline by David Nides and Kristinn Gudjonsson.

If you have any questions about a particular submission, please contact the participant directly.