Memory Analysis and Forensics


Presented at DoD Cyber Crime in Saint Louis, MO on January 27, 2009.

Traditionally, forensic analysis has meant taking an image of a hard drive and sifting through files. This is a time-consuming task that can take days to complete. Hard drive analysis is only half of the story and can no longer be considered sufficient. Attackers are packing malware, writing less of it to disk and hiding more of it in memory. Memory analysis, once a niche function performed by only the most advanced forensic investigators, is now mainstream and should be used in most investigations. Tools have been written to make memory analysis as easy, if not easier, for the investigator than hard drive analysis; and memory analysis can be done in a fraction of the time. In this talk, we will provide tips and tricks you can use to quickly identify suspicious processes, handles, and hooks in memory without having to be a reverse engineer. This talk will feature research, use cases, and two to three walk-through demonstrations of real-world incidents and how to identify what occurred.


About the speaker

Peter Silberman works at MANDIANT on the product development team. For a number of years, Peter has specialized in offensive and defensive kernel technologies, reverse engineering, and vulnerability discovery. He enjoys automating solutions to problems both in the domain of reverse engineering and rootkit analysis. Although he is college educated, Peter does not believe formal education should interfere with learning.