Explore advanced techniques in memory forensics through this 29-minute conference talk from the CSAW'16 Security Open Source Workshop at New York University. Delve into the Volatility Framework, understanding its purpose and methodology. Learn about sampling, profile libraries, and baselines, with a focus on hook comparisons. Discover the importance of whitelisting/blacklisting and Indicators of Compromise (IOCs). Examine practical applications through plugins like Cyboxer, Profiler, and Stalker. Investigate multiple profiles, set operations, and CybOX generation. Analyze processes and executables using the Hunter plugin. Conclude with insights from the Jack Crook DFIR Challenge, enhancing your skills in digital forensics and incident response.
Overview
Syllabus
Intro
Documentation
Volatility Framework
Purpose
Methodology
Sampling
Profile Library
Baselines (continued)
Caveat: Hook comparisons
Hook comparisons (continued)
Whitelisting/Blacklisting
Indicators of Compromise (IOCs)
Cyboxer Plugin Example
Set Difference
Union
Intersection
Symmetric Difference
Multiple Profiles
Profiler Plugin (continued)
Symantecprofiler Plugin
Profiler Plugin Discussion
CybOX (IOC) generation
Stalker Plugin
Hunter Plugin
Jack Crook DFIR Challenge
Processes
Executables
Conclusion
Questions?
Taught by
NYU Tandon School of Engineering
