Volatility Developer Responds

In Issue 5 of Digital Forensics Magazine, Ron Tasker discussed the subject of Volatile RAM Analysis and the use of Volatility. This prompted a letter from Marc Remmert published in Issue 6 raising concerns about the limitations of Volatility and Windows XP.

Whilst Ron responded to these concerns (his comments can be found in 360 of issue 6) DFM approached AAron Walters who is the founder of Volatile Systems, LLC and the lead developer for the Volatility Project, for his comments on the article, the comments made by Marc and Ron’s response. Unfortunately they were not received in time to be included in Issue 6. In the interests of balance we agreed to include his comments in a blog.

“Let me begin by thanking Ron for the excellent article.  I think he did a very good job explaining the importance of memory analysis and the associated challenges and base that modern digital investigators face.

It is imperative for digital investigators to realize that we are facing an adaptive human adversary and thus we can’t afford to simply rely on the rules we once learned.  Not doing the right thing because it is complicated or new, is never a justification for complacency.  It seems hard to defend the antiquated statement that “powering off the system is good” when, comparatively, it destroys more artifacts within the perspective of entire digital crime scene (RAM, disk, etc) than running a tool that samples the state of physical memory.

In Ron’s response to the comment about his article he also raises some interesting points about Open Source forensics tools. The comment’s author states that Volatility 1.3 only supports Windows XP 32-bit memory samples and contends that this a big obstacle. While the comment’s author is correct with respect to 1.3, it seems interesting that they contend their only option is to buy expensive tools or hope Volatility is updated. As the leader of the Volatility Project, I always find these statements disheartening. I’m not sure why people feel the need to complain from the sidelines as opposed to actually getting involved and contributing to the community.  It is only then that they would come to appreciate the unique flexibility and modularity of The Volatility Framework, which has allowed it to support a variety of operating systems and hardware architectures (Windows, Linux, etc).

As Ron mentioned in his reference to Dr. Schatz’s work, there are many groups out there using Volatility to support other operating systems including Windows 7. I’m even aware of groups using Volatility to analyze cell phones. Thus, the “tool-users” can sit back and wait till 1.4 (http://code.google.com/p/volatility/) is released or they take the initiative to contribute. Regardless, if that contribution is writing an article (i.e. Ron Tasker) or helping test a new operating system (i.e. Dr. Schatz), all contributions help to move the community forward.”

AAron Walters

Founder, Volatile Systems, LLC

Lead Developer, The Volatility Project

You too can have your say by adding your comments here or writing directly to DFM via 360.



New iPhone Forenics White Paper

Are you looking for the best mobile forensics tool for iPhone Forensics? Well, a good place to start is viaForensics’ updated (and free) iPhone Forensics white paper at:


The white paper is geared towards forensic examiners and includes plenty of screenshots, comments and other useful information.

Why do we provide this white paper for free? Well, all of us are struggling with the influx of mobile devices. By reviewing each of the tools, we not only provide a service to the forensics community but we have great dialogue with the development companies and we hope it leads to improvements in their software (a.k.a make our jobs easier). We’ve observed great strides in the software since 2009 and if the community at large shares their feedback, we can make things better.

So check it out…and by all mean, please let us know what you think, where we can improve the tool or any other suggestions you have. And stay tuned for more updates. We are working on our Android Forensics white paper (as well as Syngress books on both iPhone and Android forensics) and since we’re clearly not busy enough, we might kick off a series with DFM on Forensics and Programming.

Andrew Hoog
Chief Investigative Officer
tel: +1 312-878-1100



PeerLab Reviewed!

On behalf of DFM, Afentis Forensics have completed our second product review, this time of PeerLab, a windows based piece of software designed by Alexander Kuiper (Kuiper Forensics) to search for and detect any Peer to Peer applications, web-disks and UseNet-clients on local hard drives.

“In this authors opinion this is a nice little application, with some useful and time-saving features.”

The reviewer makes a point of demonstrating how easy to install and use this small application is, however, the reporting system is described as being very basic and lacking in certain details. Afentis also say that the method in which these reports are saved could cause problems in court when printed.
The full review can be found in the Product Review section of the DFM website.



Accent Office Password Recovery v4.0 Review

“It happens to us all at some point – we decide to put a password on a file, either for opening, or for modifying and as time goes by we just simply forget the password.”

The first of DFM’s new product reviews is now available for download. In this first review Andrew Edney tests the capabilities of Accent Softwares Office Password Recovery version 4.

After testing the software, Andrew Edney suggests that it is very quick to set up and easy to use but may require the user to change their equipment configuration when used with a GPU.

Edney rates the software at 4/5.

To read the full review, visit the Product Review section on the DFM website.



The 10 Minute Guide to Forensics and Virtualization (Ubuntu/VBox style)

By Andrew Hoog

While virtualization is a key technology in the infrastructure of many enterprises, it is essential in the operation of a digital forensic organization.  Virtualization can be used in number ways, include:

–        Return analyst workstation to validated state for each investigation

–        Data recovery by attaching dd image of a drive as a secondary drive on a VM and running recovery software

–         Booting a dd image (similar to liveview)

–        Application and system profiling/footprinting essentially to the scientific method

–        Develop virtual appliances for specific functions (i.e. Android forensics appliance)

And these are just a few examples.  I’m sure many of you have additional uses you can share.  This brief article will share with you our experiences in this area.

Selecting a virtualization solution

There are many virtualization solutions available, including both commercial and non-commercial ones.  One of the best known is VMWare which offer a full suite of products ranging for their free VMWare Player to fully redundant enterprise solutions.  Another software giant in the virtualization game is Microsoft which offers desktop (Virtual PC) through enterprise (Hyper-V) solutions (and many in between).  On the Apple platform, there are two primary options are VMWare’ Fusion product and Parallels suite of products.  And on the Linux side, there are a number of options include KVM, Xen and VirtualBox.

After much testing, we ultimately chose VirtualBox by Oracle/Sun.  There were a number of reasons why we chose Virtual Box:

  1. KVM had serious performance issues on our computers…did not identify root cause
  2. Xen was a more significant commitment in time and energy
  3. VirtualBox has a nice GUI, performed great and has both an open source version and a commercial one.  It also provided a “headless” option allowing us to forego monitors.

Some folks could take issue with Virtual Box or at least have their own favorite and that’s fine.  But, we chose VirtualBox, are quite happy and so that’s what the rest of this article covers.  Our forensics workstations run a modified version of Ubuntu 10.04 service.  They have 8GB of RAM and a couple of multi-core processors.

VirtualBox just released an update on June 7, 2010.  The 3.2.4 release is a maintenance release but I like to see projects which are actively maintained and updated.  Additional details are available on the http://www.virtualbox.org/ website.

Step by step guide

For a test project we had, we needed a Windows 2008 Server R2 64-bit.  Below are the steps you would follow on a computer running Ubuntu 10.04 Server 64-bit server (the .iso for that platform is ubuntu-10.04-server-amd64.iso):

Create blank VM

VBoxManage createvm –name Win2008SvrR2 –ostype Windows2008_64 –register

Add options, including full h/w visualization support (the online VirtualBox manual at http://www.virtualbox.org/manual/ch08.html is indispensable)

VBoxManage modifyvm Win2008SvrR2 –memory 4096 –acpi on –boot1 dvd –nic1 bridged –usb on –usbehci on –vrdp on –vrdpport 3390 –clipboard bidirectional –pae on –hwvirtex on –hwvirtexexcl on –vtxvpid on –nestedpaging on –largepages on

Setup bridged network using first Ethernet card (eth0)

VBoxManage modifyvm Win2008SvrR2 –bridgeadapter1 eth0

Add IDE controller (other options exist such as SCSI and SATA…IDE seems be the most used)

VBoxManage storagectl Win2008SvrR2 –name “IDE Controller” –add ide

Create and register hard drive (vdi)

VBoxManage createvdi -filename “/opt/vbox/HardDisks/win2008svrR2.vdi” -size 20000 -register

Attach hdd to VM

VBoxManage storageattach Win2008SvrR2 –storagectl “IDE Controller” –port 0 –device 0 –type hdd –medium /opt/vbox/HardDisks/win2008svrR2.vdi

Attach DVD to VM (upload your OS installation .iso to the host machine first)

VBoxManage storageattach Win2008SvrR2 –storagectl “IDE Controller” –port 1 –device 0 –type dvddrive –medium ~/win2008svr.iso

Start VM and install OS (recommend using screen to prevent killed session on detach)

VBoxHeadless -startvm Win2008SvrR2 -p 3390 &

Connect to new VM

Now that the new VM is booting up (and running the OS install), you need to connect to it.  To do so, you need an application which support Remote Desktop Protocol (RDP).  In Windows computers, you can run the Remote Desktop Connection/Terminal Services client but going to Start -> Run, type in mstsc and press OK.  In the Computer: section, you could type the IP address of your Ubuntu server.  The Linux and Apple platforms have similar RDP applications and the process is the same.  Complete the install of the operating system and reboot as needed.

Install VBox Additions

To enable shared folder, better video, usb support (if you downloaded/bought the PUEL edition), you need to install VBox Additions.

wget http://download.virtualbox.org/virtualbox/3.2.0/VBoxGuestAdditions_3.2.0.iso

VBoxManage registerimage dvd ~/VBoxGuestAdditions_3.2.0.iso

VBoxManage storageattach Win2008SvrR2 –storagectl “IDE Controller” –port 1 –device 0 –type dvddrive –medium ~/VBoxGuestAdditions_3.2.0.iso

DVD should now be mapped on the VM.  You can remote into the VM with the direction above or determine what the IP address of the VM itself is, ensure RDP is enabled and remote into the computer directly.  From there, double click the DVD, perform the VBox Additions install and reboot.

Add shared folders

Make sure Windows guest OS is shutdown and type the following in the Ubuntu server:

VBoxManage sharedfolder add Win2008SvrR2 –name “mnt” –hostpath “/mnt” –readonly

VBoxManage sharedfolder add Win2008SvrR2 –name “ahoog” –hostpath “/home/ahoog”

Restart the VM with the following command:

VBoxHeadless -startvm Win2008SvrR2 -p 3390 &

And then connect to the VM directly as described above.  To access the new shared drives, you use UNC.  Essentially, go to Start -> Run, type \\VBoxSvr and press OK.  You will then see a list of shared folders.

Connect USB devices

If you purchased the enterprise version or are simply evaluating for PUEL (Personal Use and Evaluation License) version, you can connect USB devices.  The documentation was not clear but we determined the necessary steps.

Add usbusers group

sudo addgroup usbusers

Add each user

Then, you need to add each local user that might run VirtualBox to the userusers group:

sudo usermod -a -G usbusers ahoog


There is much more to say about forensics and virtualization.  But, alas, cases are piling up and it will have to wait until the next install of this article that will begin to cover how to use your shiny new VBox virtual machine for some of the tasks I outlined at the start of this article.   If you are interested in additional how to articles or information, check out my own blog at http://viaforensics.com/blog/ or feel free to contact me directly.

Andrew Hoog is a computer scientist, computer/mobile forensic researcher and Chief Investigative Officer at viaForensics. His company assists and trains law enforcement and provides innovative digital forensics solutions to corporations and attorneys. He is currently writing a book about Android Forensics and maintains the Android Forensics Wiki at http://viaforensics.com/wiki.