The Road to CEIC 2012 – Cyber Response Lab: Memory Analysis & Malware Triage

Jessica Bair

The “Road to CEIC 2012” is a series of blog posts on all things CEIC (@CEIC_Conf), before, during and after, from an insider’s point of view.

The traditional method of collecting digital evidence was to shut down the system, either gracefully or by pulling the plug, and then image all the media it contained for later static forensic analysis. Modern malware, including memory-resident malicious code that never touches the hard drive, makes it essential to capture the contents of memory and include that capture in your overall analysis. Because a power cycle destroys memory and the acquisition tool itself perturbs it, memory should be acquired first, before any shutdown or disk imaging. As I mentioned in my last posting on network forensic analysis, volatile data analysis is a crucial component of the three pillars of an incident response investigation, and it is the topic of the Cyber Response lab entitled Memory Analysis & Malware Triage.

Volatile data lives in the main memory (RAM) of a server or workstation; if power is lost or the system faults, it is gone. Volatile data can show whether suspicious applications or activities are present on a system and guide your search for backdoors or malicious code. It can also reveal who and what is accessing the system and its resources, whether internally or externally. One of the most valuable aspects of a volatile data capture is that it lets you quickly ascertain whether unauthorized ports, processes, or applications are active, which is critical when deciding whether to continue system operations or take the system offline. This is a core component of incident response triage: rapidly determining to what extent, if any, a system has been compromised, ideally using network-enabled tools such as EnCase® Cybersecurity.
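The triage described above, flagging unauthorized ports, processes and applications from what a memory image reveals, as an added example that is not part of the original post and is not code from EnCase, Volatility or CEIC. The process and socket tables are constructed to resemble what a memory analysis tool lists (they are not a real capture), and the expected-parent table, System32 path, port allowlist and "no network" application set are assumptions a responder would tune to the host under investigation.

```python
"""Volatile-data triage: flag unauthorized ports, processes and applications.

Added example; not code from CEIC, EnCase or Volatility. The process and
socket tables below are constructed to resemble what a memory analysis tool
lists (not a real capture), and the baseline tables are assumptions.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name path")
Conn = namedtuple("Conn", "pid proto local remote state")

# Constructed sample process list (pid, parent pid, image name, image path).
PROCS = [
    Proc(4,    0,    "System",       ""),
    Proc(500,  4,    "smss.exe",     r"C:\Windows\System32\smss.exe"),
    Proc(580,  500,  "wininit.exe",  r"C:\Windows\System32\wininit.exe"),
    Proc(620,  580,  "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(640,  580,  "lsass.exe",    r"C:\Windows\System32\lsass.exe"),
    Proc(800,  620,  "svchost.exe",  r"C:\Windows\System32\svchost.exe"),
    Proc(2300, 1,    "explorer.exe", r"C:\Windows\explorer.exe"),
    # Suspicious: svchost.exe launched by explorer.exe from a Temp directory.
    Proc(1200, 2300, "svchost.exe",  r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    Proc(2400, 2300, "notepad.exe",  r"C:\Windows\System32\notepad.exe"),
]

# Constructed sample socket table (owning pid, protocol, local, remote, state).
CONNS = [
    Conn(800,  "TCP", "0.0.0.0:135",      "*:*",               "LISTENING"),
    Conn(1200, "TCP", "0.0.0.0:31337",    "*:*",               "LISTENING"),
    Conn(1200, "TCP", "192.0.2.10:49233", "198.51.100.7:4444", "ESTABLISHED"),
    Conn(2400, "TCP", "192.0.2.10:49240", "203.0.113.9:443",   "ESTABLISHED"),
    # Socket owned by a pid present in no process list: a classic sign of a
    # process unlinked from the kernel's process list to hide from tools.
    Conn(3100, "TCP", "192.0.2.10:49251", "203.0.113.9:8080",  "ESTABLISHED"),
]

# Assumed baseline (tune per host): expected parent of core Windows processes,
# where the genuine binaries live, which listening ports are approved, and
# which applications have no business making outbound connections.
EXPECTED_PARENT = {"services.exe": "wininit.exe", "lsass.exe": "wininit.exe",
                   "svchost.exe": "services.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"
ALLOWED_LISTEN_PORTS = {135, 139, 445, 3389}
NO_NETWORK = {"notepad.exe", "calc.exe", "mspaint.exe"}

R_PARENT = "unexpected parent"
R_PATH = "system binary name outside System32"
R_PORT = "unauthorized listening port"
R_OUTBOUND = "outbound connection from non-network app"
R_HIDDEN = "socket owned by unlisted process"


def local_port(endpoint):
    """Return the port of an 'addr:port' string (IPv4 form, as in the sample)."""
    return int(endpoint.rsplit(":", 1)[1])


def triage(procs, conns):
    """Return (pid, reason, detail) findings from process and socket tables."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        want = EXPECTED_PARENT.get(name)
        if want:
            parent = by_pid.get(p.ppid)
            have = parent.name.lower() if parent else "<none>"
            if have != want:
                findings.append((p.pid, R_PARENT, f"{name} parent is {have}, expected {want}"))
            if not p.path.lower().startswith(SYSTEM_DIR):
                findings.append((p.pid, R_PATH, p.path))
    for c in conns:
        owner = by_pid.get(c.pid)
        if owner is None:
            findings.append((c.pid, R_HIDDEN, f"{c.proto} {c.local} -> {c.remote}"))
            continue
        oname = owner.name.lower()
        if c.state == "LISTENING" and local_port(c.local) not in ALLOWED_LISTEN_PORTS:
            findings.append((c.pid, R_PORT, f"{oname} {c.proto} {c.local}"))
        elif c.state == "ESTABLISHED" and oname in NO_NETWORK:
            findings.append((c.pid, R_OUTBOUND, f"{oname} -> {c.remote}"))
    return findings


if __name__ == "__main__":
    for pid, reason, detail in triage(PROCS, CONNS):
        print(f"pid {pid:>5}: {reason}: {detail}")
```

Run against the constructed tables, the script flags the Temp-directory svchost.exe three times (wrong parent, wrong path, listening on an unapproved port), notepad.exe for its outbound connection, and pid 3100 for owning a socket with no corresponding process, which is the sort of indicator only memory, not a disk image, can surface.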

David Nardoni (EnCE, CISSP, GCIH) will lead this hands-on lab, where you will learn the basics of live memory collection and its importance during an investigation, especially one involving malware. With David, you will explore the differences between memory collection and analysis tools, including the widely used Volatility Framework. David is a Director at PwC. He has over 14 years of experience in the information security industry and eight years practicing computer forensics investigations. He has also taught computer forensics at the University of Southern California (USC) and is a Reserve Police Officer with the City of Sierra Madre.

With David’s vast experience in computer-based investigations, ranging from PCI data breaches, APT attacks, identity theft, malware attacks and email extortion to intellectual property theft, I know there will be many memory analysis & malware triage tips and tricks to glean from his lab!

Jessica Bair
Senior Director, Curriculum Development
@jessicambair

CEIC 2012 – Cyber Response Lab

Wednesday
1:30 PM - 3:00 PM
Memory Analysis & Malware Triage
David Nardoni, Director (PwC)
Skill Level: Intermediate
