(Un)Fucking Forensics
Who are we ?
Georges-James Duchamp De La Trufinière
Coffee maker
Brian
Memory Forensic response team
Summary
- What is this ?
- Basic concepts
- How we proceed (why we get paid)
- Case study
What is this ?
RAM
Processes
CPU
Disk
What is this ?
- Extracting information from RAM
- Finding interesting things
- Enumerate running processes
- Malware may only leave clues in memory, not on disk
Basic concepts
Memory acquisition : dumping the memory of a target machine to disk
Memory analysis : analysing the memory dump to find forensic artifacts
Basic concepts
Useful tools
- Volatility <3
- Rekall
- binwalk
- foremost
- SIFT & Remnux VMs
- Process Hacker
- Process monitor
- LiME
Basic concepts
Memory analysis
We should look at :
- Running processes
- Opened files
- Registry
- Network connections
- Hidden data
  - dotfiles
  - obfuscated data
- Malicious code
How we proceed
Checklist :
- Profile infos
- Commands history
- Running processes
- Network connections
- Look for cool files
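For the "Running processes" step of the checklist, an added Python example (not from the talk) that rebuilds the parent/child tree from a process list and flags core Windows processes whose parent is not the one they normally have. The process list is a constructed sample, simplified to the PID, PPID and ImageFileName columns of Volatility 3 `windows.pslist` output.

```python
from collections import defaultdict

# Well-known baseline: which parent each core Windows process should have.
EXPECTED_PARENT = {"services.exe": "wininit.exe", "lsass.exe": "wininit.exe",
                   "svchost.exe": "services.exe"}

# Constructed sample (tab separated), not a real dump: an svchost.exe spawned
# from Word, which in turn launches an unknown binary.
PSLIST = """PID\tPPID\tImageFileName
4\t0\tSystem
388\t4\tsmss.exe
500\t388\twininit.exe
596\t500\tservices.exe
604\t500\tlsass.exe
712\t596\tsvchost.exe
2300\t1840\texplorer.exe
3120\t2300\tWINWORD.EXE
3410\t3120\tsvchost.exe
3555\t3410\tlocker.exe"""

def parse_pslist(text):
    """Return {pid: (ppid, name)}; the first line is the header row."""
    procs = {}
    for line in text.splitlines()[1:]:
        pid, ppid, name = line.split("\t")[:3]
        procs[int(pid)] = (int(ppid), name)
    return procs

def find_anomalies(procs):
    """(pid, name, actual parent name) for processes with an unexpected parent."""
    hits = []
    for pid, (ppid, name) in procs.items():
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue
        # Unknown PPID means the parent already exited (normal for explorer.exe).
        parent_name = procs.get(ppid, (None, "<exited>"))[1]
        if parent_name.lower() != expected:
            hits.append((pid, name, parent_name))
    return hits

def descendants(procs, pid):
    """All PIDs spawned, directly or transitively, by `pid`: what to inspect next."""
    children = defaultdict(list)
    for cpid, (ppid, _) in procs.items():
        children[ppid].append(cpid)
    out, stack = [], [pid]
    while stack:
        cur = stack.pop()
        out.extend(children[cur])
        stack.extend(children[cur])
    return sorted(out)
```

Run `find_anomalies(parse_pslist(PSLIST))` to get the suspect PID, then `descendants(...)` on it to list the processes it launched; the same two functions work on a real pslist once the columns are mapped.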
Practice
Example :
ECSC forensics challenge : "3615 Incident"
Mission : Find the ransomware, its PID and the name of the encrypted file.
Questions ?
By lambdhack