Volatile memory analysis is a critical skill for cyber practitioners. The current approach to analyzing memory is inefficient and very labor intensive. I developed a tool that fully automates the analysis process, produces a new construct that consolidates results, and eliminates the user's heavy workload.
Malware continues to advance in sophistication and prevalence. Well-engineered malware can hide itself from the user, the network, and even the operating system running host-based security applications. But one place malware cannot easily hide is volatile computer memory (RAM): whatever a sample does to its on-disk form, its code and data must be unpacked and resident in memory to execute. Many problems and inefficiencies exist with the current approach to conducting memory analysis: it takes too much time, it is very labor intensive, and artifact extraction produces a deluge of raw data that is impractical to analyze on real-world systems compromised by malware. These inefficiencies ultimately mean greater resource expenditure to conduct the analysis while providing less accurate results, since it is too easy to miss a key artifact in the overload of data. I have seen many people struggle with capture-the-flag memory challenges for these same reasons. I have addressed this problem by engineering a new construct for memory analysis along with a new tool release that provides an automated process for advanced memory analysis, correlation, and user interaction, increasing investigation accuracy, reducing analysis workload, and better detecting obfuscated malware.
This talk is especially relevant if you have conducted memory analysis before and understand the pain and difficulty of completing this type of investigation. During this session, I will present many new features that optimize memory analysis, including a new interactive construct that provides a visual representation of artifacts and indicators extracted from memory. We will also cover a new data cross-reference (data xref) capability I built into the open-source tool (Xavier Memory Analysis Framework). It creates a new index and memory-context view showing how your keyword data is coupled with the processes, modules, and events captured in memory, and it lets you pivot immediately from any keyword you enter to a targeted process-memory dump or file extraction.

Finally, this research delivers a new concept called a System Manifest. The System Manifest is a single file detailing the significant artifacts distilled from a memory image, together with their relationships. Because the manifest already holds the distilled results, Xavier can reload the full memory-image context from it in seconds rather than the hours it takes to re-run the analysis against the raw image. The manifest also enables memory snapshot analysis: comparing manifests distilled from memory captured at different points in time reveals the system changes recorded in memory. This provides a lightweight yet powerful and precise capability that is extremely beneficial for exploit development and malware reverse engineering.
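To make the three ideas above concrete, the following is an added illustration written for this page; it is not Xavier's code, and the manifest layout, field names and sample data are my own assumptions, since the talk abstract does not show Xavier's actual format. It distils a constructed "before" and "after" artifact set (process list, loaded modules, network connections, of the kind any memory-analysis tool emits) into a manifest with an inverted keyword index, pivots from a keyword to the processes it is coupled with, serialises the manifest so it can be reloaded without touching the image again, and diffs two manifests to surface what changed between snapshots.

```python
import json
from collections import defaultdict

# Constructed sample data standing in for two memory images of the same host.
# The "after" set adds a DLL loaded into explorer.exe, a child process spawned
# by explorer.exe, and an outbound connection (203.0.113.7 is TEST-NET-3).
SNAPSHOT_BEFORE = {
    "processes": [
        {"pid": 4,    "ppid": 0,    "name": "System",       "modules": ["ntoskrnl.exe"]},
        {"pid": 620,  "ppid": 512,  "name": "lsass.exe",    "modules": ["lsass.exe", "lsasrv.dll", "msv1_0.dll"]},
        {"pid": 1332, "ppid": 1280, "name": "explorer.exe", "modules": ["explorer.exe", "shell32.dll"]},
    ],
    "connections": [
        {"pid": 1332, "proto": "TCP", "remote": "192.0.2.10:443", "state": "ESTABLISHED"},
    ],
}

SNAPSHOT_AFTER = {
    "processes": [
        {"pid": 4,    "ppid": 0,    "name": "System",       "modules": ["ntoskrnl.exe"]},
        {"pid": 620,  "ppid": 512,  "name": "lsass.exe",    "modules": ["lsass.exe", "lsasrv.dll", "msv1_0.dll"]},
        {"pid": 1332, "ppid": 1280, "name": "explorer.exe", "modules": ["explorer.exe", "shell32.dll", "inject.dll"]},
        {"pid": 2104, "ppid": 1332, "name": "svchost.exe",  "modules": ["svchost.exe", "inject.dll"]},
    ],
    "connections": [
        {"pid": 1332, "proto": "TCP", "remote": "192.0.2.10:443", "state": "ESTABLISHED"},
        {"pid": 2104, "proto": "TCP", "remote": "203.0.113.7:4444", "state": "ESTABLISHED"},
    ],
}


def build_manifest(snapshot):
    """Distil a snapshot into a manifest (assumed layout, not Xavier's):
    per-process records keyed by pid, plus an inverted index mapping every
    process name, module name and remote endpoint to the pids it is coupled with."""
    procs = {p["pid"]: dict(p, connections=[]) for p in snapshot["processes"]}
    for c in snapshot["connections"]:
        # A connection whose owning process is missing from the process list is
        # itself an artifact worth keeping, so create a stub record rather than drop it.
        procs.setdefault(c["pid"], {"pid": c["pid"], "ppid": None, "name": None,
                                    "modules": [], "connections": []})
        procs[c["pid"]]["connections"].append(c["remote"])
    index = defaultdict(set)
    for pid, p in procs.items():
        for token in [p["name"], *p["modules"], *p["connections"]]:
            if token:
                index[token.lower()].add(pid)
    return {"processes": procs, "index": {k: sorted(v) for k, v in index.items()}}


def xref(manifest, keyword):
    """Pivot from a keyword to every process it appears in, with memory context."""
    return [dict(manifest["processes"][pid]) for pid in manifest["index"].get(keyword.lower(), [])]


def to_json(manifest):
    """Serialise the manifest; JSON forces dict keys to strings, so pids become strings here."""
    return json.dumps(manifest, indent=2)


def from_json(text):
    """Reload a manifest, restoring integer pid keys so it compares equal to the original."""
    data = json.loads(text)
    return {"processes": {int(k): v for k, v in data["processes"].items()}, "index": data["index"]}


def diff_manifests(before, after):
    """Snapshot analysis: processes, modules and connections that appeared or vanished."""
    b, a = before["processes"], after["processes"]
    delta = {"new_processes": sorted(set(a) - set(b)), "gone_processes": sorted(set(b) - set(a)),
             "new_modules": {}, "new_connections": {}}
    for pid in sorted(set(a) & set(b)):
        mods = sorted(set(a[pid]["modules"]) - set(b[pid]["modules"]))
        conns = sorted(set(a[pid]["connections"]) - set(b[pid]["connections"]))
        if mods:
            delta["new_modules"][pid] = mods
        if conns:
            delta["new_connections"][pid] = conns
    return delta


if __name__ == "__main__":
    before, after = build_manifest(SNAPSHOT_BEFORE), build_manifest(SNAPSHOT_AFTER)
    reloaded = from_json(to_json(after))          # reload context from the manifest, not the image
    for hit in xref(reloaded, "inject.dll"):      # keyword pivot: which processes carry this module?
        print(f"inject.dll -> pid {hit['pid']} {hit['name']} (ppid {hit['ppid']}) conns={hit['connections']}")
    print(json.dumps(diff_manifests(before, reloaded), indent=2))
```

Running it shows `inject.dll` coupled to both explorer.exe and its child svchost.exe, and the diff reports pid 2104 as new and `inject.dll` as a module explorer.exe gained between the two captures. The design point is that the diff and the pivot operate on the distilled manifest alone, which is what makes reloading and comparing snapshots cheap relative to re-parsing the image.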
Exploiting Volatile Memory Analysis Challenges for Fun & Profit by Solomon Sonya