I look forward to seeing everyone at the conference. Rob Lee has put together what I believe everyone will find is an informative show. Do not forget to catch Kris Harms’ talk and see if you can find evil or not.

Speakers: Jamie Butler and Peter Silberman
Date: Tuesday, July 7, 3:10pm – 3:50pm
Title: Memory Forensics and Analysis

The memory in today’s business desktops is now larger than the hard drives that were in systems just a few years ago. Traditionally, forensic analysis has meant taking an image of the hard drive and sifting through files. This is only half of the story and can no longer be considered sufficient. Attackers are writing less to disk and hiding more in the ample memory users now enjoy. Memory analysis – once a niche function performed by only the most advanced forensic investigators – is now mainstream and common in professional investigations. Tools have been written to make memory analysis as easy for the investigator if not easier than hard drive analysis and in a fraction of the time. In this talk, we will show you how to quickly identify suspicious things in memory without having to be a reverse engineer. This talk will feature research, use cases, and real world examples.

Speaker: Kris Harms
Date: Tuesday, July 7, 9:30am – 10:30am
Title: Evil or Not? Rapid Confirmation of Compromised Hosts Via Live Incident Response

During this presentation, attendees will learn practical, tried, and true methods to review live incident response information. You will obtain the skillful eye required to quickly confirm or dispel if a system is compromised. Recent case data from PCI credit card breaches as well as the Advanced Persistent Threat (APT) will be used as samples. Armed with this knowledge, you will excel as an initial responder to any incident.

This research led me to write two new components. The first component is MindSniffer. This tool takes a Snort rule file and generates either Xpath filters for Memoryze to use or plugins for the Audit Viewer.

python mindsniffer.py
 Written by Peter Silberman (peter.silberman@mandiant.com)
 USAGE: mindsnort.py

    <-r|–rules RULE FILE>  snort rule file to parse

   <-x|–xpath>            generate xpath signatures

    <-p|–py>                 generate py files for use in AuditViewer

    [-o|--output]           specify output directory

 The second component written is a plugin framework/manager for the Audit Viewer. This new component allows users to apply Snort “signatures” to Audit Viewer results (strings must be turned on during the process audit).

The presentation will cover the above research, what was learned, and how Memoryze accesses/parses physical memory and associates strings to processes. As always there will be live demonstrations of Snort signatures working in memory. You can see the official abstract https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Silberman

I hope to see you guys there in February. Feel free to e-mail me if you have questions or want to see the demo from Hack In The Box Malaysia ’08 (http://conference.hitb.org/hitbsecconf2008kl/).

As final note and shameless plug, stay tuned for some major updates to the Audit Viewer in the coming month or so.