Course Review SANS FOR526 Memory Forensics In-Depth

I have been delinquent in posting here, mostly because my duties have taken me more into the cyber hunting realm than malware analysis.  One of the skills I realized was invaluable to the hunter was memory analysis.

I attended the DFIR Summit in Austin Texas back in July of 2013.  I had an excellent time, learned a lot, laughed a lot, and could not recommend the event more highly.  After the summit, I took the new SANS FOR526 class devoted to Memory Forensics.

I found the course to be excellent.  It was well organized and had a broad set of challenges so a wide variety of experience levels were all able to be pushed out of their comfort zone and thus able to grow.  The instructor, Alissa Torres (aka @sibertor), was top notch.   She interacted with the students at their level, and made it easy to learn.

Okay, so far it is clear I loved the class, but here are the details:

  • The class was 5 days long with labs.
    • The labs covered a broad range but focused mostly on malware.  I would have liked to have had labs in these areas: intrusion detection, data loss prevention, and internal investigations.
    • A good machine to run VMs is vital.  I had an i7 quad core laptop with 16 gigs of memory and 250gigs of storage.  Even with that, there were times when I wanted more power.
      • I have used the SIFT workstation, which is part of the tool kit taught in this class.  I prefer to build my own Ubuntu guest and install the software manually, mostly so I can insure I have the latest version.
      • Number crunching and data indexing can take up a lot of CPU and Memory.  I think that memory is more important, so you are not paging work back and forth to a hard drive.
      • I had been a malware analyst for over two years already, but my memory analysis skills consisted mostly of running strings and using the malfind function with volatility
        • The instructor went through the structures of the artifacts in memory with precise details.  This included explaining the process link list, how to find process structures outside of this link list, and how false positives might be generated when scanning for processes outside of the link list.
        • This same detail was used when addressing all of the memory structures for different artifacts.  Detailed knowledge followed by labs to reinforce the concepts.
        • I found this technical level of detail outstanding.  This was more than “how to use some tools” and more “this is the data structure you need to look for, here is a tool(s) that can be used, and here is how you use them”
        • That level of detailed knowledge and understanding is vital when using open source tools because the user needs to be able to explain what the tool was looking for.  Without that knowledge the results mean less and false positives are more likely to cause confusion.
        • The two main tools used in the class were Bulk Extractor and Volatility.  Several other tools were referenced, but the student should leave the class with a very functional level of understanding of these tools as they relate to memory analysis.

I also need to add that since returning, I have already used the skills I learned in the class during my hunting sessions.  Prior to the class, I would grab the memory when I had time, but would often do other stuff first.  Now, I need to have a very strong reason to not grab the memory first when focused on a system.  In real world situations, solid memory analysis has use well beyond finding a malware infection.  It can be used by both detection specialists and incident responders when looking for malicious activity on a system.

I would be remiss if I did not mention the DFIR Netwars Tournament.  That was a lot of fun, and the memory and malware classes had a strong edge in that contest based on the tools they were using.

In summary, I highly recommend the course (as well as the DFIR Summit) to any malware analyst, detection specialist, or incident responder.

Memory never lies.

4 thoughts on “Course Review SANS FOR526 Memory Forensics In-Depth

  1. “Memory never lies.”

    Interesting. Didn’t @malwarejake and @sibertor admonish against this type of thinking at ShmooCon with their ADD presentation?

    • That is a good point. While I always try to keep a skeptical eye on all data, that likely could mislead and I will edit the post. Thanks.
      I still think a memory dump is the best thing to collect, if I have time. :)

  2. I wholeheartedly agree about getting a memory dump…I’ve had a couple of forensic analyses recently (blogged about one of them) where we’d asked for a memory dump but didn’t get it, and the system had a hibernation file, which really shed a great deal of light on the incident.

    However, I wasn’t suggesting at all that obtaining a memory dump wasn’t a good idea. Rather, I was referring specifically to the statement, “Memory never lies”, because in their presentation regarding ADD, the authors (and instructor of your course) really pointed out that memory can be made to “lie”.

    • I didn’t take it as a shot at memory dumps, I took it as good constructive criticism about that tag line that might mislead. I think we both value memory and I was just trying to emphasize that in my response. Thanks again.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>