Michael Cohen (Google)

Abstract

Memory forensics has become increasingly useful for recovering forensically significant information. From detecting and analyzing malware to understanding how common applications store data of investigative value, reverse engineering is a useful skill.

This workshop is a hands-on application of reverse engineering tools and techniques for rapidly extracting forensically significant information. The aim is not to understand every aspect of an application's operation; rather, we use common tools and techniques to rapidly extract just the information we care about in a forensic investigative context.

To this end we apply the tools available within the Rekall memory analysis tool to several different scenarios: 
- Analyze a malware sample, and develop a query to hunt for its indicators across a fleet of enterprise systems with GRR.
- Reverse engineer a number of user-space applications, and extract passwords, keys and user activity history. We then use these findings to write new Rekall plugins to extract these artifacts automatically.
- Finally, we put these ideas together by writing an entity collector and an entity search query, and hunting with GRR across the fleet for the newly discovered artifacts.

This will be a hands-on workshop; participants are expected to bring their own laptops with one of the major operating systems installed (OS X, Linux or Windows). The instructor will provide the memory images and tools required before the workshop.

Although there are no formal prerequisites, participants will benefit most from this workshop if they already have a basic understanding of memory analysis and are not afraid to look at hex dumps or the command line :-).