Time
1 hour 21 minutes
Difficulty
Intermediate
CEU/CPE
2

Video Transcription

00:00
Hello, My name's David. Welcome to analyzing attacks
00:05
we are talking about. Memory lasts, and in particular we were talking about red line. So shall we. If you got a red line downloaded and installed, the fantastic You're gonna need it for our discussion points here. Now,
00:23
Red Line is
00:26
pretty
00:28
fantastic. Tool it can allow you to do a lot of its primary focus is on what's called live memory forensics. So
00:39
what you will want to do is when the system is on and running, you want to bring Red Line into that system and run it against the live memory
00:50
so that they can examine the memory wallets. It's going now. Ah, lot of people call alive analysis the future of memory forensics. And I don't know future is a happy couple term because technically, we are in because it is.
01:07
Hey, he currents. If you have a good incident handling team, you should be incorporating live memory forensics into all of your incident. Healing process is, to put it bluntly,
01:25
red lines of free tool. It's being detained by a man in which is a very well known cyber security company. So when you're going to be performing live memory. Forensics gives you a couple of different advantages to doing. I guess what you would call dead memory forensic analysis
01:44
Faster triage capability.
01:46
You could include the page file system, which gives you more complete picture of the memory itself, um, again access to the file system for digital signature checks of different executed bols or B L. L's and different drivers that are running on the system.
02:05
If you think back to some of can undergoes courses, he talks about booking.
02:09
He talks about the DLL infection in the injection process injection process, following all of those revival attacks. And you can see those if you're conducting good memory analysis of memory forensics.
02:25
A great thing here is you can do I have sea searches or what desires you sample
02:31
indicator of compromise. Right. So you can incorporate all that into live memory forensics, and you can get it off course using Mandy. It's red line. Um, very handy handy tool have, um, which makes it much water formaldehyde of the, uh,
02:52
different
02:53
methods. Like, uh uh, see memory paging, for example.
02:59
Live analysis actually does still access. We're all memory. It doesn't rely on the system itself for a P I calls who handles the buggers. So I lied off pieces of Mauer that are actually designed to not be found
03:19
can be found if you're doing a live memory Forensics now
03:23
again in order to do live memory forensics have a cool. It's a little more sophisticated at one disuse for standard memory acquisition. Like
03:34
remember the example that I used for standard one?
03:38
Yes, after *** imagery. Um, Manya dread line is a little bit more robust in them was sophisticated,
03:45
and what Red Line would actually do is something called a memory audit to go through and identify the processes and drivers and other artifacts that you're blowing me on and what it will do well, actually allow you to create your own, collect our being here.
04:03
Do you pack the standard collector, which basically does it for you on allows
04:09
all the data needed for redline, actually score and assess a computer. You could do a comprehensive collector which configures a package collecting all the data needed and also data for in here a compromise. And if you have IOC's already developed and built out,
04:29
then you can actually bring them into grand line and Red Line will utilize those IOC's to go out and search specifically for there's indicates says You can see it's pretty robust after day. Emma's doesn't allow you to do any of these things. All after K imagery will do
04:47
has captured the memory itself on writing system
04:50
ethic. Amateur will allow you to do so little bits of string searching and things of that nature, but nowhere near as were a bust as redline itself. Now, once you've done your live analysis,
05:06
run your data collector. You can actually take the report itself and analyze it on your friends work station rather than on the system that you're running it on. So because you made,
05:19
you didn't really want oh,
05:21
do your analysis on possibly infected machine. So again real quick Here, Standard collector collects data necessary to do the memory analysis. You do the comprehensive collector Um,
05:35
you get host based our back, such as file meta data you get from those registry highs, event logs, prefect files,
05:43
all of which can help you do a deeper And of course, that's the titles. As more comprehensive search in the indicator here with indicators compromise or I have sea searches combines that with
06:00
just those indicators compromise that you're looking now. This may be used later on in an incident followed through the process. We may be at such a stage and ours and handling process where we don't have any indicators of compromise.
06:15
Our scenario here is a usual reporter phishing email that could link on
06:20
and became suspicious on they recorded help past help accident to you.
06:26
Attn. This point, you don't have any indicators of compromise to run with, so we're not going to be able to do that. So if we want to create a standard collector, which we do, you can see it gives you a little overview walking through. So you've chosen to create a standard collector.
06:45
We will collect the data necessary form. A red line analysis was done, then rebased audits.
06:50
This will not enable the options move full range of data that remind is capable of collecting. So again you're you're kind of not, including your indicators compromise, which technically we really don't have,
07:05
you could click at it. Your script on include whatever it is that you want. So let's look at the process listening. Always want to include strings, which for some reason, Mandy. It doesn't include Let's go ahead and do a show one as well. Uh, identification purposes
07:25
to look at drivers. You do imports exports again. Let's do string for drivers. Um, and of course, we do want to acquire an image of memory that we can examine later. Let's check over here disk. So look at all the different things that we can do here from the desk now
07:45
caviar here. The more you pick,
07:47
the longer this is going to take a run on the system that you want to do the examination. So,
07:57
uh, choose wisely. So again, here we could look at machine and less information use. Your scouts can analyze prefect files, and we can also do registered hiving operation, which we can click either here or here. For
08:13
then, you can also pull event long. That may be sitting there on the system. So let's look at network information. Let's go ahead and do some networking information.
08:22
Um, browser history again. What file downloads that we have
08:28
who click that pick and choose
08:33
if they're running fire pots on their system. Of course, you could include those well and under other have different service is so we've already are doing hashes. But if you want hash out, service is you can ask and some common persistent mechanisms.
08:48
So let's say we want to make sure that this isn't going to be setting up.
08:54
Yeah, persistence on our system. We want to look for some of these items as well
09:03
in order to be able to properly identify the malware as it's running. Now you can change this. You could experiment with it, change it around however you want. But for the purpose of this lab, this is the women were going to run with. So let's save our collector out,
09:22
brows out where we want to save it so we could save it out to our desktop, which is where we want to go. So
09:33
again, you have to have the right to directory. Let's jump back here will make a boulder. Call it lab redline. Choose that voter itself. It's select. You can see it, populates the field down here and hit OK
09:52
in a walking through
09:54
very fast. The collector is now ready to go on and say to the location, I specified. So let's check here and see. Will come out to my desktop and there's Lab Red Line. But we can see all the files of the necessary inside of that file to run this on our virtual. She once we get it.
10:15
Thanks for jumping in on a little bit of a red line introduction. Uh, ST Jude's, We're going to start playing with my wares. You
10:22
have a great day.

Up Next

Analyzing Attacks for Incident Handlers

In Analyzing Attacks for Incident Handlers, David Biser explains memory analysis and how to use it to uncover information about a computer. He demonstrates this process of analyzing an attack using labs such as a Redline lab and a VM and Malware lab to conduct an analysis on a computer.

Instructed By

Instructor Profile Image
David Biser
Incident Response Engineer at Iron Mountain
Instructor