Malware continues to advance in sophistication and prevalence. Well-engineered malware can obfuscate itself from the user, the network, and even the operating system running host-based security applications. But one place malware cannot easily hide is volatile computer memory (RAM). Many problems and inefficiencies exist with our current approach to memory analysis: it takes too much time, is very labor intensive, and artifact extraction produces a deluge of raw data that is not practical to analyze on real-world computer systems compromised by malware. These inefficiencies ultimately result in greater time and resource expenditure for the analysis while impairing the accuracy of its results, since it is too easy to miss a key artifact in the overload of data. I have seen many people struggle with capture-the-flag memory challenges for these same reasons. I have solved this problem by engineering a new construct for memory analysis, along with a new tool release that provides an automated process for advanced memory analysis, correlation, and user interaction that increases investigation accuracy, reduces analysis workload, and better detects obfuscated malware.
This workshop is especially well suited to you if you have conducted memory analysis before and understand the pain and difficulty of completing this type of investigation. During this session, I will present many new features that optimize memory analysis, including a new, revolutionary interactive construct that provides a visual representation of artifacts and indicators extracted from memory. In the many hands-on exercises in this workshop, I will also cover a new data cross-reference (data xref) capability I built into the open-source tool (Xavier Memory Analysis Framework), which creates a new index and memory-context feature for viewing how your keyword data is coupled with the processes, modules, and events captured in memory. This data xref feature also allows you to immediately pivot to create specific process-memory dumps and file extractions directly from each keyword entered by the user. Finally, this research delivers a new concept called a System Manifest. The System Manifest is a single file detailing the significant artifacts (and their relationships) distilled from a memory image. This manifest allows Xavier to reload the full memory image context in seconds, versus the hours it would take without this tool. The most beneficial feature of manifest file creation is the new ability to create and analyze memory snapshots. This uniquely provides a new light-weight yet very powerful and precise memory analysis capability that automatically detects system changes captured in memory from malware execution, which is especially useful for exploit development, malware analysis, and software reverse engineering!
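To illustrate the snapshot idea described above, here is an added example (not code from Xavier or its author) that diffs two simplified manifests, one taken before and one after a sample runs, and reports new processes, newly loaded modules, rebased modules, and new hooks; the manifest layout and the sample values are assumptions constructed for the demonstration.

```python
"""Diff two memory snapshot manifests to surface what malware execution changed.

Assumed, simplified layout (not Xavier's real System Manifest format):
{"processes": {pid: {"name": str, "modules": {name: base_addr}}},
 "hooks": {"module!Symbol": target_addr}}
"""

def diff_manifests(before, after):
    """Return artifacts that appeared, disappeared, or moved between snapshots."""
    report = {"new_processes": [], "gone_processes": [],
              "new_modules": [], "rebased_modules": [], "new_hooks": []}
    b_procs, a_procs = before["processes"], after["processes"]
    for pid in sorted(a_procs.keys() - b_procs.keys()):
        report["new_processes"].append((pid, a_procs[pid]["name"]))
    for pid in sorted(b_procs.keys() - a_procs.keys()):
        report["gone_processes"].append((pid, b_procs[pid]["name"]))
    for pid in sorted(a_procs.keys() & b_procs.keys()):
        b_mods, a_mods = b_procs[pid]["modules"], a_procs[pid]["modules"]
        for mod in sorted(a_mods.keys() - b_mods.keys()):
            # A module that appears after the baseline, e.g. a DLL loaded into a
            # trusted process, is a classic code-injection indicator.
            report["new_modules"].append((pid, mod, a_mods[mod]))
        for mod in sorted(a_mods.keys() & b_mods.keys()):
            if a_mods[mod] != b_mods[mod]:  # same name, different base: suspicious
                report["rebased_modules"].append((pid, mod, b_mods[mod], a_mods[mod]))
    for sym in sorted(after["hooks"].keys() - before["hooks"].keys()):
        report["new_hooks"].append((sym, after["hooks"][sym]))  # new hook = rootkit indicator
    return report

# Constructed sample snapshots (not captured from a real system).
BASELINE = {
    "processes": {
        4: {"name": "System", "modules": {"ntoskrnl.exe": 0xFFFFF80000000000}},
        1234: {"name": "explorer.exe", "modules": {"kernel32.dll": 0x7FF8A0000000}},
    },
    "hooks": {},
}
AFTER_EXECUTION = {
    "processes": {
        4: {"name": "System", "modules": {"ntoskrnl.exe": 0xFFFFF80000000000}},
        1234: {"name": "explorer.exe", "modules": {"kernel32.dll": 0x7FF8A0000000,
                                                   "injected.dll": 0x10000000}},
        5678: {"name": "svchost.exe", "modules": {}},
    },
    "hooks": {"ntdll!NtQueryDirectoryFile": 0x10001000},
}

if __name__ == "__main__":
    for kind, items in diff_manifests(BASELINE, AFTER_EXECUTION).items():
        print(kind, items)
```

Because only the deltas are reported, the analyst reviews a handful of entries instead of the full artifact dump from each image.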
This workshop is full of hands-on practicums: we will take a real-world capture-the-flag memory analysis engagement and demonstrate how the Xavier Construct optimizes memory analysis. Additionally, we will cover advanced concepts including code injection and rootkit hooking, and finally conclude with real-world capstone memory analysis engagements.