Botconf Author Listing

Félix Guyard




Date: 2023-04-13
VISION-ProcMon: Visualization tool dedicated to malware analysts
Félix Guyard 🗣

Abstract (click to view)

Félix won the Botconf 2023 Lightning talk prize for the quality of his demonstration

Slides Icon
PDF
Video
Date: 2024-04-26
Streamlining Memory Forensics with VolWeb
🗣 | Félix Guyard

Abstract (click to view)

While open-source memory forensics tools have become more prevalent in recent years, there are still a lot of challenges associated with its use. Current opensource memory forensics tools lack of consistency in terms of automation, user interface, data visualization and collaboration. As criminals and hacker methods become ever more sophisticated, memory forensics has emerged as a crucial method for identifying cyber threats and analyzing malware.

However, traditional opensource memory analysis tools used alone can be time-consuming, and difficult to use for one who seek to investigate and collaborate on a memory image. The increasing complexity of attacks means that investigators need to centralize and process more data than ever before, making it even harder to keep up. The need to automate and make memory forensics more human friendly is crucial and should not be a luxury.

VolWeb is an open-source digital memory forensic web platform. The goal of this tool is to improve the efficiency of memory forensics by providing a centralized, collaborative, visual and enhanced platform dedicated to investigators. It gives the opportunity to work together on cases, use visualization tools to quickly identify anomalies, tag interesting elements, dump processes and files to later perform malware analysis, generate technical reports and more. The core memory analysis engine is based on the volatility3 framework which is still under active development to replace the previous stable version of volatility written in python2 (deprecated). Using the Django framework in combination with this engine, this interconnection allows for the creation of user-friendly interfaces, making the tool more accessible even to those who may not have extensive knowledge of the command-line interfaces. This can save time and effort on the part of the forensic investigator by automating the entire data extraction process of a memory image and presenting the data in a standardized way.

The tool initial configuration, deployment and update in a digital investigation lab is made easier with the use of docker. In this proposal, we will explore the development and implementation of VolWeb, highlight its benefits for investigators in the digital forensics’ community.

Scroll to Top