Utilizing Memory and Network Forensics for Scalable Threat Detection and Response

SecTor 2016

Presented by: Andrew Case
Date: Wednesday October 19, 2016
Time: 10:15 - 11:15
Location: 801B
Track: Tech

Modern threats necessitate active hunting for malware and attackers throughout an organization’s environment. Unfortunately, traditional approaches to detecting this malicious activity are now inadequate, as advanced malware and skilled attackers easily mislead them. During this presentation attendees will learn how malware and attackers evade these traditional methods, as well as how memory and network forensics can be used to give defenders an upper hand. Memory forensics, the examination of a system’s state through analysis of RAM, is much harder to fool, as malicious applications necessarily create artifacts in memory in order to operate. Similarly, network forensics gives defenders a concrete look at the data flowing throughout their environment, leaving attackers little room to hide their lateral movement and data exfiltration. Beyond initial detection, this presentation will also show how these types of analysis can provide rapidly scalable triage of the rest of a potentially compromised network. The scenarios presented in this talk will be based on real-world malware as well as real investigations performed on large networks throughout the world. Attendees will leave with the ability to start proactively detecting and triaging threats in their environment – all using open source tools.

Andrew Case

Andrew Case is the Director of Research at Volexity LLC and a member of the Board of Directors of the Volatility Foundation. Prior to joining Volexity, he held positions as a senior incident response handler and malware analyst at Terremark Worldwide and Verizon Enterprise Solutions, where he frequently led large-scale investigations. Andrew’s previous experience also includes penetration tests, source code audits, and binary analysis. Andrew is the co-developer of Registry Decoder, a National Institute of Justice funded forensics application, as well as a core developer on the Volatility memory analysis framework. Andrew is also a co-author of the award-winning book “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory”. He has delivered private and public trainings in the fields of digital forensics and incident response to organizations around the world. Andrew’s primary research focus is physical memory analysis, and he has published a number of peer-reviewed papers in the field. He has presented his research at conferences including Black Hat, RSA, SecTor, SOURCE, BSides, OMFW, GFirst, and DFRWS.
