Is Dead Memory Analysis Dead? Finding Infected Systems through Live Memory Analysis

Presented at CactusCon 11 (2023), Jan. 28, 2023, 6 p.m. (60 minutes).

For a long time, the best way for a Security Operations Center or Incident Response team to get answers was to take and analyze memory snapshots of systems that were suspected to be compromised. The growing number of systems in large environments, each now with very large memory capacity, has made this approach no longer feasible for rapid triage and enterprise incident response. For incident responders to meet the demand of obtaining accurate answers at a rapid pace, they need a more scalable solution. Luckily, live memory analysis across an enterprise can be accomplished with tools like Velociraptor. So, why isn't that now the standard? There is an ongoing debate as to whether live memory analysis can be effective when it relies on the Windows API. Anti-forensics is definitely much easier to detect in dead memory analysis with a tool like Volatility. So then how does an analyst go about finding the infected systems in a sea of thousands? This talk will make the argument for leaving the old-school method of dead memory analysis in favor of live memory forensics to discover and triage infected systems. The talk will demonstrate artifacts and techniques that show the audience how to detect malware designed to defeat live memory analysis. They will gain confidence that, through live memory analysis, Incident Response at speed, scale, and effectiveness is possible.

Presenters:

  • Marcus Guevara - Director of Security Services, Recon InfoSec
    Marcus Guevara is the Director of Security Services for Recon InfoSec and a SANS Instructor for FOR508. Marcus previously spent time in the Air Force and the US Coast Guard performing Threat Hunting and Incident Response.
