[ mainpage :: register :: training :: conference :: hitb-labs :: the venue ]
[ capture the flag (CTF) :: wireless village :: lock picking village (LPV) :: open-hack ]
[ call for papers (CFP) :: conference agenda :: sponsors :: press/media :: forum ]
[ conference kit (PDF) :: past conferences :: contact us ]


HITBSecConf2008 - Malaysia (Day 1)

HITBSecConf2008 - Malaysia (Day 2)

Registration for HITBSecConf2009 - Dubai is also now open.

Peter Silberman (Engineer, Mandiant Inc)

Filed under: Main Page — Administrator @ 10:55 am

Jamie Butler who was originally slated to present this paper will unfortunately not be able to make it to HITB in October. Peter Silberman who works with Jamie at Mandiant and who was also involved in the research for this paper will be presenting instead.

Presentation Title: Full Process Reconstitution from Memory
Presentation Details:

Recently there has been a lot of discussion about using memory forensics during incident response as part of an investigation; however, memory forensics can also be leveraged when doing malware analysis in a lab. The only difference between the two use cases is how the binary is acquired. Using memory forensics a malicious process or the malicious portions of a process can be captured from memory without using a debugger; injecting into the process; or relying on any APIs to enumerate, address, and acquire the address space.

This talk will focus on the these forensic techniques and a demonstration of pulling a malicious process or portions of a process from both live memory and previously acquired memory images. The benefits of this approach are numerous but include

a.) the ability to analyze binaries after unpacking (assuming the binary is unpacked at initial runtime and not on a functional basis)
b.) the ability to analyze binaries that exist only in memory and not on disk
c.) the ability to get a full process view of malware including all subsequent binaries loaded and
d.) the ability to leverage other process metadata obtained from memory to include environment, user/owner of the process, start time, and all handles. It is important to realize that all parsing of memory, virtual to physical address translation, and pagefile translation is being done using “raw”, non-API based methods.

About Peter

Peter Silberman works at MANDIANT as an engineer on the agent team. For a number of years, Peter has specialized in offensive and defensive kernel technologies, reverse engineering, and vulnerability discovery. He enjoys automating solutions to problems both in the domain of reverse engineering and rootkit analysis. Peter now spends most of his time researching solutions to memory forensic problems. Peter is the co-author and teacher of “Advanced Memory Forensics in Incident Response”. Although he is college educated, Peter does not believe formal education should interfere with learning.

Event Organizer

Hack In The Box (M) Sdn. Bhd.

Supported & Endorsed By

Malaysian National Computer Confederation

Multimedia Development Corporation

Platinum Sponsors

Titanium Sponsor (Post Conference Reception)

Gold Sponsors

CTF Sponsor

CTF Prize Sponsor

Open-Hack Sponsor

Metro-e and Official Bandwidth Sponsor

Network Equipment Sponsor

Our Speakers are Supported By

Supporting Media:

Virus Bulletin

InfoSec News

InfoSec News

XAKEP (Russia)

Supporting Organizations

Professional Information Security Association - Hong Kong

Special Interest Group in Security & Information InteGrity Singapore