on Information Security Management
Vice President of ISACA Kingston Jamaica (formed 2015)
Proud husband and father
Twitter: @norvalwest
Credentials: MBA, CISSP, GCIH, GCFA, GPEN
▪ Checks for security products, virtualization, and sandboxing
▪ Replaces DNS filtering services
▪ Replaces the Windows hosts file
▪ Forces a reboot
▪ Installs at the kernel level
▪ Blocks user access to the command line and Task Manager
▪ Disables Windows notification and popup mechanisms
▪ Sends unique computer information to the C&C server
to answer the question, “Is malware running on my computer?”
WHY? Everything in the OS traverses RAM. Combined with other areas of digital forensics, it also shows how and when the computer was compromised.
2) Acquire memory image
3) Copy image to the analyst’s machine
4) Determine if the machine is compromised, using memory analysis
5) Consider possible next steps
6) Repeat on other machines
analysis
1. Identify rogue processes
2. Analyze process DLLs and handles
3. Review network artifacts
4. Look for evidence of code injection
5. Check for signs of a rootkit
6. Dump suspicious processes and drivers
1 Identify rogue processes
2 Analyze process DLLs and handles
3 Review network artifacts (malware technique: network connections)
4 Look for evidence of code injection (malware technique: process injection, commonly used with rootkits)
5 Check for signs of a rootkit (malware technique: API hooking)
6 Dump suspicious processes and drivers (malware technique: system driver installation)
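Step 1 of the method, identifying rogue processes, comes down to comparing what a memory image says against what a healthy Windows process tree should look like. The script below is an added example, not from the presentation: it runs three baseline checks (expected parent, expected image path, and singleton system processes) over a constructed process listing shaped like a memory-forensics process walk. The baseline rules are illustrative assumptions for a typical Windows 10 host and should be adjusted for the environment under examination.

```python
# Added example (not from the original slides): rogue-process triage over a
# constructed process listing (pid, ppid, name, image_path), the shape a
# memory-forensics process walk produces.

# Constructed sample listing. The last two entries are the planted anomalies:
# an svchost.exe spawned by explorer.exe from %TEMP%, and a second lsass.exe.
SAMPLE_PROCESSES = [
    (4,    0,    "System",       ""),
    (88,   4,    "smss.exe",     "C:\\Windows\\System32\\smss.exe"),
    (500,  88,   "wininit.exe",  "C:\\Windows\\System32\\wininit.exe"),
    (600,  500,  "services.exe", "C:\\Windows\\System32\\services.exe"),
    (616,  500,  "lsass.exe",    "C:\\Windows\\System32\\lsass.exe"),
    (900,  600,  "svchost.exe",  "C:\\Windows\\System32\\svchost.exe"),
    (1400, 1200, "explorer.exe", "C:\\Windows\\explorer.exe"),
    (2200, 1400, "svchost.exe",  "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"),
    (2300, 1400, "lsass.exe",    "C:\\Users\\bob\\AppData\\Local\\Temp\\lsass.exe"),
]

# Assumed baseline (illustrative, Windows 10-style): expected parent name and
# the directory the image should be loaded from, keyed by lowercase name.
EXPECTED = {
    "smss.exe":     ("system",       "c:\\windows\\system32\\"),
    "wininit.exe":  ("smss.exe",     "c:\\windows\\system32\\"),
    "services.exe": ("wininit.exe",  "c:\\windows\\system32\\"),
    "lsass.exe":    ("wininit.exe",  "c:\\windows\\system32\\"),
    "svchost.exe":  ("services.exe", "c:\\windows\\system32\\"),
}
# System processes of which exactly one instance should exist.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}


def find_rogue_processes(processes):
    """Return (pid, name, reason) tuples for every rule a process breaks."""
    by_pid = {p[0]: p for p in processes}
    counts = {}
    for _, _, name, _ in processes:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    findings = []
    for pid, ppid, name, path in processes:
        key = name.lower()
        if key in EXPECTED:
            exp_parent, exp_dir = EXPECTED[key]
            parent = by_pid.get(ppid)
            parent_name = parent[2].lower() if parent else "<exited/unknown>"
            if parent_name != exp_parent:
                findings.append((pid, name, f"unexpected parent {parent_name} (expected {exp_parent})"))
            if not path.lower().startswith(exp_dir):
                findings.append((pid, name, f"unexpected image path {path}"))
        if key in SINGLETONS and counts[key] > 1:
            findings.append((pid, name, "multiple instances of a singleton system process"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_rogue_processes(SAMPLE_PROCESSES):
        print(f"PID {pid:<5} {name:<13} {reason}")
```

A parent that has already exited (smss.exe normally does) shows up as unknown and deserves a look rather than an automatic verdict; the findings are triage leads for the later DLL, handle and injection steps, not proof of compromise.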
active malware
Pros
▪ Identifies rootkits
▪ Identifies anomalies associated with malware
▪ Supports incident response activities
Cons
▪ It is a manual process
▪ Does not scale efficiently to finding malware across a large computer network