The Pitfalls of Memory Forensics: When Your Memory Forensics Tools Only Tell Half the Story
Malware authors are becoming increasingly creative in crafting malicious binaries that both compromise a system and hide from the incident responder's analysis tools. This presentation will demonstrate techniques and methods that forensic analysts can use to dig deeper when their analysis tools are telling only half the story, yet they know there is more of the story to be told. Using lessons learned from previous incident response cases, I will demonstrate how to use various open-source tools such as Volatility 2.6.1, Volatility 3, malwoverview, capa, speakeasy, stringsifter, YARA, and many others to complete the story and locate the malicious binaries for further analysis. Participants will gain new insights into how the various tools present information to the analyst and which gaps they must fill themselves to accurately complete the investigation.