Recent Advances in Memory Forensics

-
Recent Advances in Memory Forensics:

My slides from the ZISC Workshop 2010 on Digital Forensics and Security are now available. The speaker notes, unfortunately, are not. I hope my presentation on Recent Advances in Memory Forensics will be interesting anyway.


The presentation features the following papers (in no particular order):



Comments

Post a Comment

Popular posts from this blog

Investigating Indicators of Compromise In Your Environment With Latest Version of Redline

-
Image
Investigating Indicators of Compromise In Your Environment With Latest Version of Redline : Recently, Mandiant ® released a new version of Redline ™ . If you are not familiar with Redline, it is a great tool for investigating a specific Windows host in depth. We will have a more thorough look into Redline in the next month or so. What I wanted to touch on today is one of Redline’s brand new features: you can now use Indicators of Compromise (IOCs) to drive your Redline investigations. If you are not familiar with IOCs, I urge to you take a moment and head over to http://OpenIOC.org and have a look around. IOCs are the best way for finding indications of compromise and/or intrusion throughout your enterprise. IOCs are one of the main technologies that power Mandiant Intelligent Response, Mandiant’s flagship IR appliance, and have previously been accessible in free products with IOC Editor & IOC Finder . Some blog entries that might help bring you up to speed are Ryan Kazanciya...
Read more

Both Mac and Windows are Targeted at Once

-
Image
Both Mac and Windows are Targeted at Once : Symantec Security Response, along with some other security vendors, reported the discovery of the OSX.Flashback malware recently patched by Apple. Many people may be surprised to learn the infection volume is reported at over 600,000 computers. On a new front, we have recently identified new Java Applet malware, which uses the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download its payload. This attack vector is the same as the older one, but in this case the Java Applet checks which OS it is running on and downloads a suitable malware for the OS. This is explained further in the following illustration: When a victim loads the Java Applet malware, it breaks the Java Applet sandbox by using the CVE-2012-0507 vulnerability. This vulnerability is effective for both Mac and Windows operating systems. Then, if the threat is running on a Mac operating system, it downloads a dropper type ...
Read more

PDF Malware Protected by AES-256

-
Image
PDF Malware Protected by AES-256 : Adobe Systems released a security update for Adobe Acrobat and Reader 9.x for Windows on December 16, 2011, in order to fix a zero-day vulnerability. As Vikram Thakur reported recently , there have been zero-day attacks using this PDF vulnerability, dropping Backdoor.Sykipot on to the compromised computer. We have found another variant of PDF malware in the wild using the same vulnerability. This version of PDF malware uses an encryption method that is found natively in the PDF specifications. As I wrote in my Portable Document Format Malware whitepaper , the encryption method used by PDF malware has changed from RC4 to AES. The AES specifies the encryption key has 128 bits in length. However, this variant adopts AES-256 as the encryption method, with a key length of 256 bits. The specification for the encryption method using AES-256 in a PDF is described as an extension of the ISO32000 version of PDF specification. It is able to download the PDF ex...
Read more