IN-PERSON: Finding malware using memory forensics tools

As antivirus and anti-malware tools have improved, attackers have become sneakier and have begun hiding their malicious files and processes on the systems they compromise. As defenders, we need to know how to find that malware on an infected system in order to determine how the attacker got in, what tools they used, and what they did once inside.

In this hands-on course, we will discuss different memory analysis tools and techniques, and walk you through the steps of identifying hidden malware on a system by dumping its memory and using the Volatility Framework to:

• Discover suspicious ports and processes

• Identify malware on the system

• Determine the method of compromise

• Identify what actions the attacker attempted on the system

In addition, we will discuss the methods malware uses to hide from the operating system, memory forensics for mobile devices, and alternative forensic techniques for when a memory dump is not available. Join us for this exciting class!
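As an added example (this is not material from the workshop, and not code from the Volatility project), the cross-view logic behind Volatility's psxview plugin, written against the plain-text output of the pslist, psscan and connections plugins as run on a Windows XP dump. The three blocks of sample output it parses are constructed for this example; every offset, PID and address is invented. A process that psscan carved from physical memory but pslist did not see is either one that already exited (psscan shows an exit time) or one that was unlinked from the active-process list; a core system process with the wrong parent, and a network connection owned by a process pslist cannot see, are also flagged. The expected-parent table is an assumption specific to Windows XP.

```python
"""Cross-view process triage over Volatility 2.x text output (added example).

Assumes the text output of `vol.py -f xp.mem --profile=WinXPSP3x86 pslist`,
`... psscan` and `... connections` against one dump. The text embedded below
is constructed for this example; no offset, PID or address comes from a real dump.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "offset name pid ppid exited")
Conn = namedtuple("Conn", "local remote pid")

# pslist walks the kernel's linked list of _EPROCESS structures.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2013-08-21 17:08:53 UTC+0000
0x81e2ab28 winlogon.exe            608    368     23      519      0      0 2013-08-21 17:08:54 UTC+0000
0x81e2a3b8 services.exe            652    608     16      243      0      0 2013-08-21 17:08:54 UTC+0000
0x82311360 svchost.exe             824    652     19      194      0      0 2013-08-21 17:08:55 UTC+0000
0x81f20020 explorer.exe           1464   1436     11      350      0      0 2013-08-21 17:09:02 UTC+0000
0x81e09b28 svchost.exe            1660   1464      6       92      0      0 2013-08-21 17:12:41 UTC+0000
"""

# psscan carves _EPROCESS structures out of physical memory, so it also finds
# processes that were unlinked from the list (hidden) or have already exited.
PSSCAN = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x023c89c8 System                4      0 0x00039000
0x022f1020 smss.exe            368      4 0x0a5c6000 2013-08-21 17:08:53 UTC+0000
0x01e2ab28 winlogon.exe        608    368 0x0a5c8000 2013-08-21 17:08:54 UTC+0000
0x01e2a3b8 services.exe        652    608 0x0a5c9000 2013-08-21 17:08:54 UTC+0000
0x02311360 svchost.exe         824    652 0x0a5cb000 2013-08-21 17:08:55 UTC+0000
0x01f20020 explorer.exe       1464   1436 0x0a5cc000 2013-08-21 17:09:02 UTC+0000
0x01e09b28 svchost.exe        1660   1464 0x0a5cd000 2013-08-21 17:12:41 UTC+0000
0x01f3e2a0 notepad.exe        1720   1464 0x0a5ce000 2013-08-21 17:10:12 UTC+0000 2013-08-21 17:11:40 UTC+0000
0x01f77da0 reader_sl.exe      1896   1464 0x0a5cf000 2013-08-21 17:12:40 UTC+0000
"""

CONNECTIONS = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81e87620 192.168.1.5:1038          203.0.113.7:4444          1896
0x81f0c4e8 192.168.1.5:1041          198.51.100.20:80          1464
"""

# Assumed expected parent of core Windows XP system processes (lower-cased).
EXPECTED_PARENT = {
    "smss.exe": "system", "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe", "svchost.exe": "services.exe",
}


def _rows(text):
    """Whitespace-split data rows, skipping the header line and the dashed rule."""
    return [ln.split() for ln in text.splitlines()[2:] if ln.strip()]


def parse_procs(text, scan=False):
    """Parse pslist (scan=False) or psscan (scan=True). Columns 0-3 are offset,
    name, PID and PPID in both; a psscan row carrying an exit timestamp has three
    more tokens (date, time, zone) after the creation timestamp, i.e. 11 in total."""
    return [Proc(t[0], t[1], int(t[2]), int(t[3]), scan and len(t) >= 11) for t in _rows(text)]


def parse_conns(text):
    """Parse connections output: offset, local address, remote address, PID."""
    return [Conn(t[1], t[2], int(t[3])) for t in _rows(text)]


def triage(pslist, psscan, conns):
    """Return (kind, pid, detail) findings from cross-referencing the three views."""
    listed = {p.pid: p for p in pslist}
    scanned = {p.pid: p for p in psscan}
    findings = []
    # 1. Carved but not linked: either the process exited, or its _EPROCESS was
    #    unlinked from the active-process list so pslist (and Task Manager) miss it.
    for pid in sorted(set(scanned) - set(listed)):
        kind = "terminated_process" if scanned[pid].exited else "hidden_process"
        findings.append((kind, pid, scanned[pid].name))
    # 2. A core system process whose parent is not the one Windows would give it.
    for p in psscan:
        want = EXPECTED_PARENT.get(p.name.lower())
        parent = scanned.get(p.ppid)
        if want and (parent is None or parent.name.lower() != want):
            have = parent.name if parent else "?"
            findings.append(("unexpected_parent", p.pid, f"{p.name} ppid={p.ppid} ({have}), expected {want}"))
    # 3. A network connection owned by a process that pslist does not show at all.
    for c in conns:
        if c.pid not in listed:
            owner = scanned[c.pid].name if c.pid in scanned else "?"
            findings.append(("connection_from_hidden_process", c.pid, f"{owner} {c.local} -> {c.remote}"))
    return findings


def run_sample():
    """Triage the constructed sample output above."""
    return triage(parse_procs(PSLIST), parse_procs(PSSCAN, scan=True), parse_conns(CONNECTIONS))


if __name__ == "__main__":
    for kind, pid, detail in run_sample():
        print(f"[{kind}] pid={pid} {detail}")
```

On a real image you would redirect each plugin's output to a file and feed the text to parse_procs and parse_conns. Two caveats: a psscan-only hit that carries an exit time is a terminated process, which is normal and not evidence of hiding, and the parent table is for XP only. Once a PID is flagged, the usual next step in Volatility 2.x is to look at its loaded modules and injected code with the dlllist and malfind plugins.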


  • Amir A.

    Hopefully you can set up another hands-on lab for the people that weren't able to make it; that would be great. The class lecture was great!

    1 · August 22, 2013

    • Kris

      We are planning on creating a video for the example lab, but my schedule is pretty full right now, so I will see if I can do it this weekend.

      August 22, 2013

  • Alfred

    Although licensing issues precluded sharing the XP image with the remote attendees, sharing the XP mem dump file used in the live training would allow for replication of the majority of the lab at home (remotely).
    Kelly and Kris - would this be OK? A Windows mem dump file should be free to share.

    August 22, 2013

    • Kelly B.

      We were actually discussing that last night. In this case I think it would be OK to share the memory dump. However, it's a 500 meg file. We're going to see if we can zip it to a reasonable size and get it posted. Not sure if Meetup has a file size limit or not. We might be able to share it out another way as well. We're also discussing ways to go all Linux so that we can share the labs on-line.

      1 · August 22, 2013

    • Alfred

      Thank you Kelly. I really appreciate all you do for us. You have created a wonderful community.

      August 22, 2013

  • Ed G.

    Great presentation! Will attend another one next time...

    August 22, 2013

  • Michelle

    Please set up another class
    Thanks

    August 22, 2013

  • Alfred

    Thank you to Kelly, Kris, Eli, and all the other organizers. This Meetup is consistently excellent.

    1 · August 22, 2013

  • Claudia H.

    Loved it! Great lesson, awesome hands on exercise, even better conversation. Thanks so much for putting this together, can't wait for the next one!

    1 · August 21, 2013

  • Lillian Ekwosi S.

    Brilliantly delivered and excellent lab provision. Kudos to the organizers

    1 · August 21, 2013

  • J o² N

    Online

    August 21, 2013

  • Salma

    Working late...

    August 21, 2013

  • David E.

    The slide deck for tonight has been posted. Go to More -> Files on Meetup to download it.

    August 21, 2013

  • Kay

    Hi, I will also need to attend remotely this time. Please provide the instructions to join the presentation. Thank you!

    August 21, 2013

    • David E.

      The instructions are in the ONLINE meetup which is http://www.meetup.com...

      If you are going to attend online, please change your RSVP on the IN-PERSON to *NO* and RSVP for the ONLINE one so we can get accurate counts.

      August 21, 2013

  • Chris

    Is there a remote option? If so, where's the instruction?

    August 20, 2013

  • prasad c.

    Exactly when can I join the online session? Right now Adobe Connect is showing that there is nothing to show. Please update me, as I'm waiting for the online session.

    1 · August 21, 2013

  • Derrik O.

    I can't make it there for sure so hope someone else can take my spot

    August 20, 2013

  • Robert E G.

    Working in Adelphi, will attend in person; should not be a bad drive to Rockville unless the usual happens!

    August 20, 2013

  • Adam

    I work 1.5 miles away. I will be present in person. What are the logistics needed to get into the Lockheed Martin building?

    August 20, 2013

    • David E.

      The main building doors are locked at 7pm, so you will need to get there before then. Just go to the 3rd floor. Doors for the suite are right in front of the elevator when you get off. There should be someone there; if not, ring the bell.

      August 20, 2013

  • Garima J.

    Will be attending in person.

    August 20, 2013

  • erez

    How long will it be? Even better -- do you have a schedule? TNXS!

    August 19, 2013

    • Kelly B.

      We try to limit the meetings to 3 hours, which we usually hit. We have a bit of a break in the middle for pizza, which includes quite a bit of discussion as well.

      August 20, 2013

    • erez

      Pizza? I'm coming ;) (call it the cherry tomato on top of a great subject).

      1 · August 20, 2013

  • Salma

    So far...I plan to attend in-person.

    August 20, 2013

  • Amir A.

    If I am on the wait list and there aren't any open spots, does it mean I won't be able to attend at all?

    Amir

    August 20, 2013

    • Kelly B.

      We had to limit attendance because we just don't have space for the number of people that RSVPed this time. We broadcast the meeting on-line, but you won't be able to do the labs remotely. We created a separate on-line meeting and are trying to divide the on-line vs in-person attendees.

      August 20, 2013

  • Moiz A.

    On the waitlist

    August 20, 2013

    • Moiz A.

      Actually I will be attending online as well

      August 20, 2013

  • Nonino

    I will be there. Btw any CEU possibilities ?

    August 19, 2013

    • Kelly B.

      Depending on what you need them for, attending the user group is 1 CEU per hour; since the meeting is usually 3 hours, you get 3 CEUs for the meeting. You can earn more CEUs for presenting, and many of the presenters have certifications such as CISSP. We have a signup sheet to track attendance in case you are ever audited.

      August 20, 2013

  • David E.

    Still will be there, just clearing an RSVP for wait list.

    August 20, 2013

  • Alfred

    I will attend in person.

    August 20, 2013

  • Bilal A.

    Will be attending online.

    August 20, 2013

  • Michelle

    Just found out my son has golf practice; I will not be able to attend in person.

    August 20, 2013

  • Harrison W.

    I will be attending online.

    August 20, 2013

  • Lillian Ekwosi S.

    Will be attending

    August 19, 2013

  • Gabriel

    I'm attending too.

    August 19, 2013

  • A former member

    I am attending in person.

    August 19, 2013

  • Kelly B.

    The URL to attend the meeting on-line is:
    http://adobechats.adobeconnect.com/capsec2013august/

    August 19, 2013

  • Kris

    Can I get a head count of how many people are planning on attending the event in-person, and how many will be online?
    We will not be able to share out the memory files, so you will not be able to participate in the lab portion, but I will walk through the solution at the end of the meeting.

    August 19, 2013

  • Michelle

    I will be there in person

    August 19, 2013

  • Nonino

    Do you need to have a programmer background?

    August 10, 2013

    • Kelly B.

      Generally we try to keep everything at an entry level because there's a wide variety of people with different backgrounds that attend the meetings.

      August 12, 2013

    • Kris

      I'll be presenting this workshop. You don't need to know any programming for this, but having a good handle on the Windows OS will be helpful.

      1 · August 14, 2013

  • Aldo R.

    Do we need to bring anything?

    August 12, 2013

    • Kelly B.

      No, we provide the machines to use for the labs. However, the group is large so you may have to share.

      1 · August 12, 2013

  • A former member

    Hello, I am new to the group and not very knowledgeable on IT.
    Is it OK if I still attend the meeting?

    August 11, 2013

    • Kelly B.

      Yes, everyone is welcome. The goal of the group is to teach people about cybersecurity and give them some hands-on experience with some of the tools that are available.

      August 12, 2013

  • Diego

    It will be really cool to be there.
    Pura Vida (Awesome Life)

    August 10, 2013

  • Robert E G.

    May be a tad late!

    August 9, 2013

  • Michelle

    Can't wait

    August 9, 2013

Our Sponsors

  • AboutWeb

    Capital Area Cyber Security User Group
