(Un)Fucking Forensics

Who are we ?

Georges-James Duchamp De La Trufinière

Coffee maker

Brian

Memory Forensic response team

Summary

  • What is this ?
  • Basics concepts
  • How we proceed (why we get paid)
  • Case study

What is this ?

RAM

Processes

CPU

Disk

What is this ?

  • Extracting information from RAM
  • Finding interesting things
  • Enumerate running processes
  • Malwares may only leave clues in memory, not on disk

Basics concepts

Memory acquisition

Memory analysis

Dumping the memory of a target machine to disk

Analysing the memory dump for finding forensics artifacts

Basics concepts

Usefull tools

  • Volatility <3
  • Recall
  • binwalk
  • foremost
  • SIFT & Remnux VMs
  • Process Hacker
  • Process monitor
  • Lime

Basics concepts

Memory analysis

We should look at :

  • Running processes
  • Opened files
  • Registries
  • Network connections
  • Hidden data
    • dotfiles
    • obfuscated data
  • Malicious code

How we proceed

Checklist :

  • Profile infos
  • Commands history
  • Running processes
  • Network connections
  • Look for cool files

Practice

Example :

ECSC forensics challenge : "3615 Incident"

Mission : Find the ransomware, its PID and the name of the encrypted file.

Questions ?

(Un)Fucking Forensics

By xninja

(Un)Fucking Forensics

  • 631