In recent years, malware has become very personal. Crypto-ransomware threats, including CryptoLocker, CryptoWall and TorrentLocker (pdf), have infected home users, businesses and even police departments, all of whom have had their personal data and hard work held hostage. When we think of precious family photos or an academic thesis being wiped by pure greed, it can become rather emotive. This is nasty stuff, and we need to do something about it!
Adding to our ever growing number of Posters and Cheat Sheets for DFIR, we are proud to announce the availability of a brand new SANS DFIR Poster "Finding Evil" created by SANS Instructors Mike Pilkington and Rob Lee.
This poster was released with the SANSFIRE 2014 Catalog you might already have one. If you did not receive a poster with the catalog or would like another copy here is a way to get one. For a limited time, we have set up a website whereanyonecan easily order one to use in their hunt to "Find Evil."
Alissa Torres and Jake Williams recently updated the material in FOR526 just in time for DFIRCON. Previously, FOR526 focused largely on malware investigations. However, this new revision places new emphasis on misuse/criminal investigations and those investigations where malware may not have been used. We see a lot of those cases now, where by the time we're called to investigate, the attackers are just using VPN creds, no need for malware. Sure, we still cover finding malware, but we find that this revision makes the subject of memory forensics more applicable to a broader range of DFIR professionals.
Is memory forensics a forensics discipline all its own? Not really. You're unlikely to work an entire case using only memory artifacts (although you will learn how). To be a true...
With Memoryze 3.0, the folks at Mandiant hit their mid-summer goal to roll out memory analysis support for Windows 8 (x86 and x64) and Server 2012 (x64). While support has not yet been rolled into Redline collector scripts, data collected by Memoryze can be loaded and analyzed in the Redline interface. This is no real surprise since Memoryze is the back-end collection and analysis tool that Redline relies upon.
You can dump Windows memory and process your memory image with the following commands (run MemoryDD.bat from a removable device and Process.bat on your forensic box):
MemoryDD.bat -output E:\\
Process.bat -input memory.img -handles true -sections true -ports true -imports true -exports true -injected true -strings true
To perform live memory analysis and take advantage of capabilities like ...
Memory analysis skills are one of the most in-demand skills for digital forensics, incident response, and malware analysts today. SANS is introducing a brand new 5-day class dedicated to Windows Memory Forensics. The hands-on course, written by memory forensics pioneer Jesse Kornblum, is incredibly comprehensive and a crucial course for any investigator who is analyzing intrusions.