Michael Cohen (Google)

Abstract

Memory analysis is now a routine and essential technique in triaging and responding to security incidents. Rekall is an advanced, open-source memory analysis framework boasting a large number of plugins implementing state-of-the-art memory analysis techniques.

This interactive workshop will specifically focus on using GRR and Rekall in a large scale environment, such as a corporate incident response team. The workshop will be divided into a number of areas: 

  1. Use of Rekall interactively. This is a short introduction to the Rekall tool and will cover some common plugins and techniques. We cover the use of Rekall on Windows, Linux and OSX machines, as well as using Rekall for memory acquisition.
  2. Use of GRR. The GRR incident response tool will be installed and configured by participants. We give a short introduction to what GRR is, how it works, and how one can use it.
  3. Use of Rekall for hunting. Rekall is embedded in the GRR enterprise incident response tool. This allows Rekall to perform automated memory analysis across the entire fleet to detect advanced threats. We use this unique capability to detect anomalies between a group of systems, some of which may be compromised.
  4. Searching the enterprise. We introduce the new search capability developed within Rekall using the EFilter forensic filtering library. This allows us to craft search expressions in an SQL-like language to reveal certain anomalies.
Users should have a laptop with one of the major operating systems (Windows, Linux, OSX) with a web browser.