BruCON 0x0D

Malware continues to advance in sophistication and prevalence.  Well-engineered malware can obfuscate itself from the user, network, and even the operating system running host-based security applications.  But one place malware cannot easily hide itself is within volatile computer memory (RAM).  

Although an essential part of malware analysis, incident response, digital forensics, software reverse engineering, and exploit development, memory forensics is not trivial to master. In addition, many problems and inefficiencies exist within our current approach of conducting memory analysis: it takes too much time, is very labor intensive, and artifact extraction comes with an overload of raw data that is not practical on real-world compromised computer systems. These inefficiencies ultimately result in greater resource expenditure to conduct the analysis which provides less accurate results. I have solved this problem by engineering a new construct for memory analysis along with a new tool release to provide advanced memory analysis, correlation, and user-interaction to enhance analysis, increase accuracy, and better detect obfuscated malware.

This is a very hands-on workshop that provides an indepth approach at malware analysis via computer memory analysis. A brand new tool and new memory analysis construct is released to demonstrate advanced (yet easier to understand) capabilities for conducting memory analysis.

Advanced memory analysis is not easy – but it is not impossible either. This technical workshop gets the participant very comfortable with the Windows Internals and advanced techniques of conducting feature extraction, malware analysis from computer memory analysis. We will walk through multiple analysis of real-world malware exploitation samples. Advanced malware is capable of obfuscating from the user and the operating system. This workshop reveals how to discover and extract advanced malware and rootkits directly from memory and utilizes a brand new (completely open-source) tool that drastically saves hours and hours of analysis, enhances your capabilities, and encapsulates analysis results in a very interactive user interface and report. This talk is best suited for Software Reverse Engineers, Malware Analysts, Exploitation Developers, Digital Forensics Examiners, and Cyber Incident Responders.