Home
gleeda edited this page Sep 7, 2016 · 4 revisions
Windows 8/10 hibernation file support
- Windows 8/8.1/2012/10/2016 32bit and 64bit see: https://github.com/volatilityfoundation/volatility/issues/25
Unknown unknowns in Windows 8/2012/10/2016
- every new OS version brings features that have yet to be discovered
Caching
- caching of addresses for overall speedups
Linux kernel identification
- something like "imageinfo" for linux memory samples
- See https://github.com/P1kachu/VolatilityProfileScan
Multithread scanning
- break the memory sample into chunks and assign each chunk to a thread (or a process, if threading proves too difficult); see: https://github.com/volatilityfoundation/volatility/tree/multiproc
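A chunked scan of a raw sample with overlapping chunk boundaries, added here as an illustration and not Volatility's own code; the signatures, the 256-byte sample and the chunk size are constructed, and a hit that straddles a boundary is neither missed nor reported twice:

```python
"""Chunked, worker-parallel signature scan over a raw memory sample.

Added illustration (not Volatility code): the sample is split into fixed-size
chunks, each worker scans one chunk, and chunks overlap by (longest
signature - 1) bytes so a hit straddling a chunk boundary is never missed
or reported twice.
"""
import re
from concurrent.futures import ThreadPoolExecutor

# Constructed signature list: two pool tags and an MZ header stub.
SIGNATURES = [b"Proc", b"File", b"MZ\x90\x00"]
PATTERN = re.compile(b"|".join(re.escape(s) for s in SIGNATURES))
OVERLAP = max(len(s) for s in SIGNATURES) - 1

def scan_chunk(sample, start, end):
    """Return absolute offsets of hits that *begin* in [start, end).

    The window extends OVERLAP bytes past `end` so a signature that crosses
    the boundary is still seen here; hits beginning at or after `end` are
    left to the next chunk, which avoids duplicates.
    """
    window = sample[start:min(end + OVERLAP, len(sample))]
    return [start + m.start() for m in PATTERN.finditer(window)
            if start + m.start() < end]

def parallel_scan(sample, chunk_size, workers=4):
    """Scan the sample chunk by chunk on a worker pool; sorted hit offsets."""
    bounds = [(s, min(s + chunk_size, len(sample)))
              for s in range(0, len(sample), chunk_size)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda b: scan_chunk(sample, *b), bounds)
    return sorted(off for hits in results for off in hits)

def sequential_scan(sample):
    """Reference single-pass scan used to check the chunked result."""
    return [m.start() for m in PATTERN.finditer(sample)]

def build_sample():
    """Constructed 256-byte sample; "Proc" at 62 straddles the 64-byte boundary."""
    buf = bytearray(256)
    for off, sig in [(10, b"File"), (62, b"Proc"), (130, b"MZ\x90\x00"), (200, b"Proc")]:
        buf[off:off + len(sig)] = sig
    return bytes(buf)

if __name__ == "__main__":
    data = build_sample()
    print(parallel_scan(data, chunk_size=64))  # [10, 62, 130, 200]
```

Swapping ThreadPoolExecutor for ProcessPoolExecutor gives the process variant; the overlap logic is unchanged.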
On-the-fly PDB usage
- see: symbols plugin https://github.com/carlpulley/volatility
- see: https://github.com/moyix/pdbparse
GPU Malware
- address space addition
SQL in Memory
- https://blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database
- https://www.blackhat.com/presentations/bh-dc-09/Cerrudo/BlackHat-dc-09-Cerrudo-SQL-Anti-Forensics-slides.pdf
- https://www.blackhat.com/presentations/bh-dc-09/Cerrudo/BlackHat-dc-09-Cerrudo-SQL-Anti-Forensics.pdf
Integration between IDA or Hopper and Volatility
- Hopper scripts examples: https://github.com/phracker/HopperScripts
- IDA examples: https://github.com/search?utf8=%E2%9C%93&q=ida+scripts
Chart of Disassembly
- something like the last pic on https://github.com/joelpx/reverse
Identify potentially malicious files (docs, ppts, pdfs, etc.)
- can use dumpfiles to get cached files and then leverage other libraries, for example: http://blog.didierstevens.com/programs/pdf-tools/
Object viewer (visualization/mapping of objects as they relate to each other)
- Imagine being able to drill down through each of the members of an _EPROCESS structure for instance (kind of like http://volatilityfoundation.github.io/volatility/treestuff.html)
- It would also be nice to have different possible views for unknown members, for instance viewing a value as a timestamp, a raw hex value, or a pointer to another object
- Visualization of where particular objects reside in memory: imagine a hilbert curve of where particular requested objects reside in memory
Timeline Visualization
- integration with D3 or something like https://github.com/tmyroadctfig/TimeFlow
Verification of current acquisition tools
- Seeing what current acquisition tools really "do"
- Could use something like PANDA as a starting point: https://github.com/moyix/panda
Acquiring Linux memory samples
- Figure out a way to embed System.map and the DWARF files in the sample itself (or some other approach) to avoid having to create profiles.
- See https://github.com/emdel/ksfinder
OS X memory acquisition on 10.9+
- Nothing works reliably these days