Wednesday, July 1, 2009

Odds and Ends

I've been too busy to do any longer entries recently, but I wanted to note a couple things quickly.

First up, Andreas Schuster has just released a wonderful set of slides on using Volatility to do memory forensics. The slides include:
  • Great background material on the how, what, and why of memory acquisition and forensics.
  • A refresher on some OS basics you need to really understand memory analysis.
  • An amazing and comprehensive walkthrough on how to use a number of Volatility modules/plugins in an investigation (including a few of my own tools, like and VolReg).
  • Great information on the internals of Volatility, including a tutorial on creating your own plugins.
This is really awesome stuff, and I highly recommend it to anyone looking to learn more about Volatility or even start contributing to the community with new plugins! Many thanks to Andreas!

Second, I wanted to let everyone know once again that I'm going to be speaking at the SANS WhatWorks Summit in Forensics and Incident Response in Washington, DC on how to combine registry analysis and memory forensics for more effective incident response. I'm really looking forward to this event, as it promises to bring together a lot of luminaries from the forensics community, such as Harlan Carvey, Jesse Kornblum, and Chris Pogue, as well as some people with a lot of knowledge and experience with offensive techniques like Jamie Butler and Peter Silberman.

If you're planning on attending, or are in the DC area, drop me a note and perhaps we can meet up at the summit!

1 comment:

Andreas said...


Thanks for all the praise. The plugin creation part is based on AAron's courseware, so I'd like to pass the kudos on to him.

Good luck for your presentation at SANS!