SANS DFIR Webcast - Memory Forensics for Incident Response

  • Published: 7 Feb 2015
  • SANS Incident Response Training Course: www.sans.org/course/advanced-c...
    Memory Forensics for Incident Response
    Featuring: Hal Pomeranz
    Modern malware has become extremely adept at avoiding detection by traditional endpoint analysis tools. Memory Forensics gives the investigator multiple solutions for detecting typical malware techniques such as code injection, API hooking, and process hiding. This talk is an overview of Memory Forensics including how to acquire memory images and tools and techniques for analyzing them.
    Hal Pomeranz is the founder and technical lead for Deer Run Associates, a consulting company focusing on Digital Forensics and Information Security. He provides forensic analysis services through his own consulting firm and by special arrangement with MANDIANT. He has consulted on several major cases for both law enforcement and commercial clients. Hal is a SANS Faculty Fellow and an instructor in the SANS Forensics curriculum.
    Hal Pomeranz: Hal is founder and CEO of Deer Run Associates, a systems management and security consulting firm. He has spent more than a decade managing systems and networks for some of the largest commercial, government, and academic organizations in the country. Hal participated in the first SANS conference and designed the SANS Step-by-Step course model. He is a top-rated instructor and author on topics ranging from information security to system and network management to Perl programming.
    Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has worked with law enforcement agencies in the US and Europe and global corporations.
    While equally at home in the Windows or Mac environment, Hal is recognized as an expert in the analysis of Linux and Unix systems. His research on EXT4 file system forensics provided a basis for the development of Open Source forensic support for this file system. His EXT3 file recovery tools are used by investigators worldwide.
    Hal is a SANS Faculty Fellow and Lethal Forensicator, and is the creator of the SANS Linux/Unix Security track (GCUX). He holds the GCFA and GREM certifications and teaches the related courses in the SANS Forensics curriculum. He is a respected author and speaker at industry gatherings worldwide. Hal is a regular contributor to the SANS Computer Forensics blog and co-author of the Command Line Kung Fu blog.
    "Great intro to malware analysis. Hal Pomeranz, instructor, was extremely knowledgeable on the subject. Highly recommended." - Jonathon Hinson, Duke Energy
  • Science

Comments • 11

  • @prince10000able
    @prince10000able 7 years ago +3

    Really helpful being a newbie with Memory Forensics. Thanks for the power-packed stuff!!

    • @harlanwilder2328
      @harlanwilder2328 2 years ago

      I don't mean to be off topic, but does someone know a method to get back into an Instagram account?
      I was stupid and forgot my password. I would appreciate any assistance you can give me!

    • @judecaspian1871
      @judecaspian1871 2 years ago

      @Harlan Wilder instablaster =)

    • @harlanwilder2328
      @harlanwilder2328 2 years ago

      @Jude Caspian thanks so much for your reply. I found the site through Google and I'm waiting for the hacking stuff now.
      It takes a while, so I will get back to you later with my results.

    • @harlanwilder2328
      @harlanwilder2328 2 years ago

      @Jude Caspian It did the trick and I now have access to my account again. I am so happy :D
      Thank you so much, you really helped me out!

    • @judecaspian1871
      @judecaspian1871 2 years ago

      @Harlan Wilder happy to help =)

  • @ironman-dx5vz
    @ironman-dx5vz 8 years ago

    Can you please guide me on how to view this type of pane in Mandiant Redline? Because when I open any triage for analysis, I am not able to see it in this view. This view looks cool with all the necessary details, especially the investigative steps.

  • @salaheddinelouffidi
    @salaheddinelouffidi 3 years ago

    Very good, thank you.

  • @FaRaH_xi
    @FaRaH_xi 4 months ago

    Redline 25:00
    Volatility 35:10

  • @roberts8134
    @roberts8134 8 years ago +6

    Overall good, but the presenter is wrong about one thing. A false from ldrmodules in and of itself means nothing. To test, I installed a fresh Win7 from CD, no network cable, took an image, and still got a bunch of falses from ldrmodules. Now if ldrmodules can't ID the path, then worry.

    • @ImGeoX
      @ImGeoX 5 years ago +1

      Robert S, you are correct that in this case the "False" listing is a false positive. This is because, if you notice the mapped path, this is the process executable, and that's just how it is. The process executables won't be in the InInit list. What we should be looking for here is irregular file paths, or no mapped paths at all. That would be suspicious.
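The triage rule the two comments above describe, as an added example that is not from the presentation or from either commenter: a small Python checker over Volatility 2 style `ldrmodules` output that ignores an `InInit` of False when the mapped path is the process's own executable, and flags rows with no mapped path. The column layout and the sample rows are constructed and assumed; the "path outside \Windows" check is an extra, assumed reading of "irregular file paths".

```python
import re
from typing import Dict, List

# Constructed sample in the Volatility 2 "ldrmodules" column layout (assumed);
# PIDs, bases and paths are made up for illustration, not from a real image.
SAMPLE_OUTPUT = """\
Pid      Process              Base               InLoad InInit InMem MappedPath
-------- -------------------- ------------------ ------ ------ ----- ----------
     480 svchost.exe          0x000000013fe70000 True   False  True  \\Windows\\System32\\svchost.exe
     480 svchost.exe          0x0000000076d40000 True   True   True  \\Windows\\System32\\ntdll.dll
     480 svchost.exe          0x0000000002f10000 False  False  False
    1320 explorer.exe         0x00000000ffc60000 True   False  True  \\Windows\\explorer.exe
    1320 explorer.exe         0x0000000073a00000 True   False  True  \\Users\\Public\\update.dll
"""

ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<inload>True|False)\s+(?P<ininit>True|False)\s+(?P<inmem>True|False)"
    r"\s*(?P<path>.*?)\s*$"
)

def parse_ldrmodules(text: str) -> List[Dict[str, str]]:
    """Parse data rows; the header and separator lines do not match ROW and are skipped."""
    return [m.groupdict() for m in (ROW.match(line) for line in text.splitlines()) if m]

def is_process_exe(row: Dict[str, str]) -> bool:
    """The main executable is expected to be missing from InInit, so it is not a finding."""
    return row["path"].lower().endswith("\\" + row["proc"].lower())

def triage(text: str) -> List[tuple]:
    """Return (pid, base, reasons) for rows that deserve a closer look."""
    findings = []
    for r in parse_ldrmodules(text):
        reasons = []
        if not r["path"]:
            reasons.append("no mapped path")
        else:
            if r["ininit"] == "False" and not is_process_exe(r):
                reasons.append("missing from InInit")
            if not r["path"].lower().startswith("\\windows\\"):
                reasons.append("path outside \\Windows (assumed heuristic)")
        if reasons:
            findings.append((r["pid"], r["base"], reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_OUTPUT):
        print(finding)
```

On the sample, the main executables of svchost.exe and explorer.exe are passed over despite their `InInit` False, while the unmapped region and the DLL under \Users\Public are reported.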