Vortessence is a tool whose aim is to partially automate memory forensics analysis. Vortessence is a project of the Security Engineering Lab of the Bern University of Applied Sciences. While Vortessence is conceptually a rather straightforward tool, it turns out to be quite effective in practice.
In fact, a key problem in memory forensics is that an analyst needs to memorize lots of “encyclopedic” details about the state of a clean system in order to spot anomalies originating from an intrusion. Examples of such encyclopedic details are the names of legitimate drivers, legitimate parent-child relationships between processes, legitimate DLLs loaded into processes, etc. We believe that it is impossible for humans to memorize all the relevant information, and even if it were possible, checking a candidate memory image against the clean state would still be a rather boring and cumbersome task. The fun parts of memory forensics are the more advanced analysis techniques, as well as researching new analysis techniques.
Another issue concerns memory forensics techniques that are geared towards the direct detection of anomalies caused by malware. An example is the malfind plugin in Volatility, which uses heuristics to detect anomalous memory allocations characteristic of code injections. Although clever heuristics are employed, it seems impossible to entirely avoid false positives. Sorting the false positives from the true positives requires manual intervention by the analyst, and in some cases it can be hard to tell one from the other.
Vortessence provides some remedy for the above issues. There are two main activities when using Vortessence: one is populating and maintaining the whitelist, the other is running the detection component on a memory image to be analyzed (the “target image”), which generates a report showing the anomalies that have been detected. The analyst then goes through the report and checks whether the reported anomalies are true or false positives.
Vortessence allows users to populate their own whitelist, typically by adding images of a known clean system to Vortessence. The detection is performed by the Vortessence rule engine, which essentially checks the target image against the whitelist database. The resulting report can either be queried using a command line tool or be displayed using the Vortessence Web front-end.
Technically, Vortessence is currently based on Volatility and uses the Volatility plugins to query memory information for populating whitelists as well as detection.
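As an added illustration, not Vortessence's own code, the sketch below implements the two activities described above: populating a whitelist from known-clean images and checking a target image against it with a small rule engine. The records are constructed sample data shaped like the output of Volatility's pslist and dlllist plugins; all process and DLL names are made up for the example.

```python
"""Whitelist-based anomaly detection for memory images (added example)."""
from collections import defaultdict

# Constructed "clean" reference images: (process, parent, loaded DLLs).
# Driver names could be whitelisted the same way; omitted for brevity.
CLEAN_IMAGES = [
    [
        ("smss.exe", "System", {"ntdll.dll"}),
        ("csrss.exe", "smss.exe", {"ntdll.dll", "csrsrv.dll"}),
        ("winlogon.exe", "smss.exe", {"ntdll.dll", "kernel32.dll"}),
        ("explorer.exe", "userinit.exe", {"ntdll.dll", "kernel32.dll", "shell32.dll"}),
    ],
]

# Constructed target image: one wrong parent, one unknown DLL, one unknown process.
TARGET_IMAGE = [
    ("smss.exe", "System", {"ntdll.dll"}),
    ("csrss.exe", "smss.exe", {"ntdll.dll", "csrsrv.dll"}),
    ("explorer.exe", "winlogon.exe", {"ntdll.dll", "kernel32.dll", "shell32.dll", "unexpected.dll"}),
    ("unknown.exe", "explorer.exe", {"ntdll.dll"}),
]


def build_whitelist(clean_images):
    """Populate the whitelist from one or more known-clean images."""
    parents = defaultdict(set)  # process name -> legitimate parent names
    dlls = defaultdict(set)     # process name -> legitimate loaded DLLs
    for image in clean_images:
        for name, parent, loaded in image:
            parents[name].add(parent)
            dlls[name].update(loaded)
    return {"parents": dict(parents), "dlls": dict(dlls)}


def detect_anomalies(whitelist, target):
    """Rule engine: return every deviation of the target from the whitelist."""
    findings = []
    for name, parent, loaded in target:
        if name not in whitelist["parents"]:
            findings.append(("unknown_process", name, parent))
            continue  # nothing to compare the rest against
        if parent not in whitelist["parents"][name]:
            findings.append(("unexpected_parent", name, parent))
        for dll in sorted(loaded - whitelist["dlls"][name]):
            findings.append(("unknown_dll", name, dll))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(build_whitelist(CLEAN_IMAGES), TARGET_IMAGE):
        print(*finding)
```

Each finding is a candidate for the analyst to confirm or dismiss, exactly the true-versus-false-positive triage the report is meant to narrow down.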
The image below shows the process related information of a report in the Vortessence Web front-end: