Practical Memory Analysis for Incident Response

Brrcon 2017

Presented by: Dan Cao, Ryan Eikanger
Date: Tuesday June 23, 2015
Time: 10:00 - 15:50
Location: Workshop 1

NOTE: Separate registration required.

OVERVIEW

Analysts in the class will be taught practical memory analysis: common memory structures and acquisition; identifying rogue or hidden processes, lateral network movement, and interesting process strings; and extracting artifacts of interest for incident response using tools such as bulk_extractor, Volatility and Rekall.

REQUIREMENTS

Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.

Dan Cao

Dan Cao is an Incident Handler on Target’s Cyber Security Incident Response Team. Dan has domain knowledge in Incident Response, Memory Forensics, and Network Forensics. In addition to his passion for Cyber Security, Dan is also passionate about gaming, motorcycles, photography and baseball.

Ryan Eikanger

Ryan Eikanger is an Incident Handler with Target’s Cyber Security Incident Response Team. Ryan specializes in forensics, live response, and memory analysis.


KhanFu - Mobile schedules for INFOSEC conferences.