ScusiBlog

background emission of scusi

Oct 30, 2013 - 2 minute read - Malware analysis

Volatility 2.3 Released

Version 2.3 of the memory forensics tool Volatility was released just a couple of days ago.

Downloads can be found at: https://code.google.com/p/volatility/downloads/list

New Features are:

Mac OS X
* New MachO address space for 32-bit and 64-bit Mac memory samples
* Over 30 plugins for Mac memory forensics

Linux/Android
* New ARM address space to support memory dumps from Linux and Android devices on ARM hardware
* Plugins to scan Linux process and kernel memory with yara signatures, dump LKMs to disk, and check TTY devices for rootkit hooks
* Plugins to check the ARM system call and exception vector tables for hooks

Windows
* New plugins:
     - Parse IE history/index.dat URLs
     - Recover shellbags data
     - Dump cached files (exe/pdf/doc/etc)
     - Extract the MBR and MFT records
     - Explore recently unloaded kernel modules
     - Dump SSL private and public keys/certs
     - Display details on process privileges
     - Detect poison ivy infections
     - Find and decrypt configurations in memory for poison ivy, zeus v1, zeus v2 and citadelscan 1.3.4.5

* Plugin Enhancements:
     - Apihooks detects Duqu-style instruction modifications
     - Crashinfo displays uptime, systemtime, and dump type
     - Psxview plugin adds two new sources of process listings from the GUI APIs
     - Screenshots plugin shows text for window titles
     - Svcscan automatically queries the cached registry for service dlls
     - Dlllist shows the load count to distinguish between statically and dynamically loaded DLLs
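The "Extract the MBR" feature above recovers the 512-byte boot sector from a memory image; what an analyst then does with it is check the boot signature, read the partition table, and compare the boot-code region against a known-good baseline, since that region is what a bootkit overwrites. The following is an added example of that check, not code from the Volatility project or from this post; the 512-byte MBR it parses is constructed inline (the partition values and disk signature are made up), and the baseline hash is simply the hash of that constructed sample.

```python
"""Parse a classic (non-GPT) Master Boot Record and hash its boot code.

Added example, not part of the Volatility project. The MBR below is
constructed for the demonstration, not taken from a real disk or image.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 440          # bytes 0..439 hold the boot code (bootkit target)
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Construct a synthetic MBR: dummy boot code, two partitions, valid signature."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (BOOT_CODE_SIZE - 3)
    disk_sig_and_pad = b"\x12\x34\x56\x78" + b"\x00\x00"  # bytes 440..445 (constructed)
    entries = [
        # bootable NTFS-type (0x07) partition starting at LBA 2048
        struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800),
        # non-bootable Linux-type (0x83) partition starting at LBA 206848
        struct.pack(ENTRY_FMT, 0x00, b"\xFE\xFF\xFF", 0x83, b"\xFE\xFF\xFF", 206848, 409600),
    ]
    table = b"".join(entries) + b"\x00" * 16 * 2  # two unused entries
    mbr = boot_code + disk_sig_and_pad + table + BOOT_SIGNATURE
    assert len(mbr) == MBR_SIZE
    return mbr


def parse_mbr(mbr):
    """Return the signature check, boot-code hash, disk signature and used partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    result = {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[440:444])[0],
        "partitions": [],
    }
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue  # type 0x00 marks an unused entry
        result["partitions"].append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return result


def boot_code_matches(mbr, known_good_sha256):
    """Compare the boot-code region against a baseline hash taken from a trusted MBR."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest() == known_good_sha256


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    print("signature ok:", info["signature_ok"])
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        print("partition", p)
```

Only the first 440 bytes are hashed because the disk signature and partition table legitimately differ between machines; a baseline taken from a clean image of the same build, or from a known-good copy of the boot code, is what the extracted MBR should be compared against.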

New Address Spaces
* VirtualBox ELF64 core dumps
* VMware saved state (vmss) files
* VMware snapshot (vmsn) files
* FDPro's non-standard HPAK format
* New plugins: vboxinfo, vmwareinfo, hpakinfo, hpakextract