Malware analysis made easy with Volatility plugins presented at hacklu 2016

by Thomas Chopitea,

Summary: Volatility is a well-known, widely used, and much-loved memory forensics framework in the DFIR community. Its use has been extensively documented and illustrated with a range of use cases. But one aspect of Volatility that may remain somewhat obscure, even to analysts with solid memory forensics experience, is the creation of Volatility plugins to automate specific tasks.
This workshop is meant to familiarise malware and DFIR analysts with Volatility's plugin framework. The goal is to cover the basics of Volatility and live-memory analysis and to leave every attendee with an operational understanding of the different plugin strategies and implementations. To illustrate the plugin creation process, the workshop is built around the analysis of an instance of the Locky ransomware.