Based on FOR526 Memory Forensics In Depth content
I recently worked an investigation that involved anomalous network traffic occurring inside a customer's network between a handful of workstations and the internal DNS server. I was given memory images collected by the customer from two of the offending systems. Following the memory analysis methodology we teach in FOR526, I was able to "rule out"* malicious code running on these systems. In addition to doing memory structure-based analysis, I parsed the image with a stream-based data carving tool, Bulk Extractor. This impressive free open-source
Examining static properties of suspicious files is a good starting point for malware analysis. This effort allows you to perform an initial assessment of the file without even infecting a lab system or studying its code. Let's take a look at several free Windows tools that are useful for extracting such meta data from potentially-malicious executables.
DFIRCON APT Malware & Memory Challenge
The memory image contains real APT malware launched against a test system.Your job? Find it.
The object of our challenge is simple: Download the memory image and attempt to answer the questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 3 of the 5 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. The contest ends on January 31st, 2014 and we will announce the winner on February 3rd, 2014. Good luck!
Win a free Simulcast Seat at DFIRCON Monterey - http://dfir.to/DFIR-CON by downloading the memory image
PowerShell "Remoting" is a feature that holds a lot of promise for incident response. "Remoting" is the ability to run PowerShell commands directly on remote systems and have just the results sent back to the querying machine. From an IR standpoint, this is like a built-in agent ready and waiting to answer your investigative questions--at scale. As I'll discuss shortly, Remoting provides us the ability to query a thousand machine in just minutes!
Before I get to the details of Remoting though, let me kickoff the discussion by going through the basics of PowerShell and Windows Remote Management (WinRM), which provides the foundation for the PowerShell "Remoting" feature. After covering this background information, I'll go over the significant performance benefits of Remoting and then cover the authentication details and implications for privileged account use (fortunately there's a lot of good news on this front too).
PowerShell is the ...
With Memoryze 3.0, the folks at Mandiant hit their mid-summer goal to roll out memory analysis support for Windows 8 (x86 and x64) and Server 2012 (x64). While support has not yet been rolled into Redline collector scripts, data collected by Memoryze can be loaded and analyzed in the Redline interface. This is no real surprise since Memoryze is the back-end collection and analysis tool that Redline relies upon.
You can dump Windows memory and process your memory image with the following commands (run MemoryDD.bat from a removable device and Process.bat on your forensic box):
MemoryDD.bat -output E:\\
Process.bat -input memory.img -handles true -sections true -ports true -imports true -exports true -injected true -strings true
To perform live memory analysis and take advantage of capabilities like ...