Advanced Memory Forensics in Incident Response

Overview

Though many people in the security industry do forensics, very few do memory forensics. As an industry, we have overlooked some of the most important data in an investigation. Attackers know this. Forensic analysts can no longer rely on getting all of the information they need from the hard drive. Since there are many examples of malware that never touch the disk, drive analysis may lead to one conclusion, while memory analysis can lead to quite another. Drive analysis also takes significantly more time than memory analysis.

In performing Windows memory analysis, this class will focus on the use of freeware and open source tools to perform advanced memory analysis. Students will also be taught the concepts necessary to extend these tools or build new ones where the existing toolset does not meet all the needs of a particular incident.

What You Will Learn

This course was designed for students who have a basic understanding of programming as well as more advanced students wishing to apply their knowledge to memory forensics.

New for Black Hat 2012:

• Coverage of 64-bit operating systems
• New section on malware covering different malware techniques and how they stand out in memory
• Four new case studies ranging from real Advanced Persistent Threat (APT) incidents, to spear phishing attacks, and everything in between
• Added a new APT section which specifically talks about how to detect certain APT threats in memory
• Students receive the only free tool to analyze Windows Vista
• Students receive the only free tool to analyze Windows 2003 64-bit
• Better data collection to help identify processes and drivers as malicious or not
• Added the Malware Rating Index (MRI), which helps automatically identify many malware behaviors discussed in the class. Through a simple user interface, students learn how to write rules to identify malware in their own work environments. MRI then uses those rules to score processes as suspicious or not.
• This course will cover the entire memory forensic process beginning with hardware and software acquisition.
• Starting with just an unknown capture of memory, students will learn how to determine the operating system in use.
• They will learn how to perform virtual to physical memory translation.
• Once the student understands how to read their environment, the course will teach them how to look for hidden processes and ports, injected DLLs, rogue drivers, and hooking malware.
• To understand what malware looks like in memory, students will be given exercises working with real-world malware samples.
• Tricks for memory analysis of live virtual machines will also be revealed.
• Finally, the student will be asked to solve case studies which will require the application of all of the techniques learned in class.

Course Structure

In addition to reinforcing learning with hands-on exercises throughout the two-day course, as a final exercise, students will be given typical case studies with actual memory to apply their new analysis skills. In these exercises, students will use classroom learning to perform the exact functions they will be asked to perform when they get back to the office—look at memory and determine what happened to the system.

Who Should Take this Course

You should attend if you are interested in the field of forensics, and want to learn the advanced techniques that attackers are using to hide in memory and how to detect them. This class is targeted at incident responders and forensic examiners, though people involved in all aspects of the security industry will benefit.

Prerequisites

Prospective students should have a basic understanding of python or a similar programming language.

Course Length

Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

What to bring

Students should bring a laptop, with ONE OF the following software installed:

• Microsoft Windows XP SP2/SP3 32-bit, Vista SP1/SP2 32-bit, Windows 2003 SP2 32/64-bit
• DVD drive or port for a USB2.0 drive
• A working network card to research malware on the Internet
• Python 2.5
• Microsoft Windbg

Students are encouraged to bring their favorite hex editors, compilers, and disassemblers. Although these may be useful to the student when analyzing malware pulled from physical memory, such tools are not required and will not be explained in the class.

Trainers

James ("Jamie") Butler II is a Principal Software Engineer at MANDIANT and leads the agent team on the MRI product. He has over a decade of experience researching offensive security technologies and developing detection algorithms. Jamie has a Master of Science degree in Computer Science and holds a Top Secret security clearance.

He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and "Advanced Second Generation Digital Weaponry". Jamie is also co-author of the bestseller, "Rootkits: Subverting the Windows Kernel." (Addison-Wesley, 2005). In addition, Jamie has authored numerous papers and is a frequent speaker at computer security conferences.

Peter Silberman works at MANDIANT on the product development team. For a number of years, Peter has specialized in offensive and defensive kernel technologies, reverse engineering, and vulnerability discovery. He enjoys automating solutions to problems both in the domain of reverse engineering and rootkit analysis. Although he is college educated, Peter does not believe formal education should interfere with learning.