Go Big with Bootcamp for Advanced Memory Forensics and Threat Detection


Many experienced security analysts end up repeating the same investigative playbook for similar types of cases day after day. They become technical experts but siloed into a single investigative lane, whether it be intellectual property theft, malware or intrusion investigations. With the rapid evolution of fileless malware and sophisticated anti-forensics mechanisms, security analysts need access to current system state that can be derived solely from memory analysis. Learning bleeding-edge analysis skills such as memory interrogation can be a tough challenge requiring determined and extraordinary work. The relaunched bootcamp SANS FOR526 Advanced Memory Forensics and Threat Detection is the class that will get you and your team to this next level – it’s time for bootcamp!

Malware is more sophisticated than ever, and its ability to evade detection is growing. Cryptojacking – software programs and malware that hijack another’s computer without their knowledge to mine cryptocurrency – is one such example. Recently, researchers discovered a new cryptocurrency mining malware that employs multiple evasion techniques, including one that poses as an installer file for the Windows operating system so it seems less suspicious. And illicit cryptocurrency mining operations have increased dramatically over the past year, according to a recent Cyber Threat Alliance report, rising by as much as 459 percent in 2018.

The more complex, advanced malware and anti-analysis and evasion techniques pose great challenges to today’s security practitioners, as the endpoint detection methods and technologies we rely upon to protect our enterprise fail. For this reason, we at SANS have decided to go big with a revised FOR526 course – with an additional boot camp – that teaches you how to isolate malicious activity using memory analysis to counter these evasions and allows you to determine the capability and intent of the intrusion for successful scoping and containment.

To move to proactive hunting, teams must have the skills to identify the activity for which there is no signature. The FOR526 course delivers this expertise with an intensive hands-on focus, allowing security practitioners to build on the knowledge advanced security professionals already have.

The two creators of FOR526, Alissa Torres and Jake Williams, understand the unique challenges of memory forensics and the complex types of cases examiners are up against today. Both forensics practitioners themselves, they know examiners need deeper technical expertise beyond just running a tool so they can perform memory analysis to understand the evidence, and that means offering students labs inspired by real-world investigations in which memory forensics saved the day. As Williams notes, “memory offers a very dense and target-rich search space for evidence of value. Memory-only malware? Malicious insiders using private browsing to eliminate disk evidence? Anti-forensics techniques? They all get stuck in memory.”

Williams and Torres have added a boot camp consisting of additional content and memory forensics challenges to make the course even more relevant for present-day memory forensics investigations and threat detection. The NEW FOR526: Advanced Memory Forensics and Threat Detection BootCamp brings you extended mid-week SANS NetWars challenges, more in-depth technical content and advanced threat detection scenarios to take senior incident responder professionals to the next level.

At this month’s Cyber Threat Intelligence Summit in Arlington, Virginia, Torres will run FOR526: Advanced Memory Forensics & Threat Detection January 23 – 28. The summit is a week-long conference and educational event with in-depth talks and interactive discussions, as well as community-building events, networking opportunities and hands-on, immersive courses designed to give you world-class training.

Learn more about the course’s new format and content by attending Alissa Torres’s webcast on January 14th at 1:00 pm EST.

Register for the webcast: http://www.sans.org/u/Mi2

Next FOR526 course runs: http://www.sans.org/u/MhX

Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!


To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1. Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

· Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

· Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2. Check out our jam-packed DFIR Summit agenda!

· The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

· The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

· All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective on how the industry is evolving to fight against even the toughest of adversaries. But don’t take our word for it: have a sneak peek at some of the past DFIR Summit talks.


Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

· FOR500 – Advanced Windows Forensics

· FOR585 – Advanced Smartphone Forensics

· FOR610 – Reverse-Engineering Malware

· FOR508 – Digital Forensics, Incident Response & Threat Hunting

· FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

· FOR578 – Cyber Threat Intelligence

· FOR526 – Memory Forensics In-Depth

· FOR518 – Mac and iOS Forensic Analysis and Incident Response

· MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3. All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future article post.

4. Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5. Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap, among other topics? Cheap doesn’t mean weak here: there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value, actionable events that occur on your systems and networks.

6. Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7. Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!

8. Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9. The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted). Voting will close at the end of the day on May 25, 2018.

10. Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11. Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!

Coin Check: Win the challenge, join the elite list of lethal forensicators & take home a brand new DFIR challenge coin!

Hundreds of SANS Institute digital forensics students have stepped up to the challenge and conquered. They’ve mastered the concepts and skills, beat out their classmates, and proven their prowess. These are the elite, the recipients of the SANS Lethal Forensicator Coin, an award given to a select portion of the thousands of students that have taken any of the SANS Institute Digital Forensics or Incident Response (DFIR) courses. Now, the institute is expanding the opportunity for students to earn these highly coveted tokens in each of the SANS DFIR courses.

Thanks to an effort led by curriculum lead Rob Lee & the SANS DFIR faculty, students can now win specific SANS Lethal Forensicator Coins designed to go with each of the DFIR course themes. These coins are designed as icons and prized trophies, won by students as proof and symbol of their mastery of a specific digital forensics specialty.

New DFIR course challenge coins available now:

FOR500: Windows Forensic Analysis

“Ex Umbra in Solem”: From the Shadows into the Light
In today’s digital world, forensics plays a critical role in uncovering the truth. Forensic examiners shine light on the facts of the case, making good decisions possible. And the forces of evil unceasingly develop new ways to hide their activities, forcing us to continually improve our skills to counter them.

FOR508: Advanced Digital Forensics, Incident Response & Threat Hunting

“Non Potestis Celare”: You cannot hide
The most successful incident response teams are evolving rapidly due to near-daily interaction with adversaries. New tools and techniques are being developed, providing better visibility and making the network more defensible. Adversaries can no longer hide.

FOR610: Reverse-Engineering Malware

“R.E.M”: Reverse-Engineering Master

Today, attackers are modifying their malware with increasing frequency to bypass antivirus and other endpoint controls. Through reverse-engineering, Malware Analysis Masters (R.E.M.) can isolate the most appropriate Indicators of Compromise (IOCs) to identify and stop malware.

FOR585: Advanced Smartphone Forensics

“Omnis Tactus Vestigium Relinquit”: Every contact leaves a trace
Knowing how to recover all of the data residing on the smartphone is now an expectation in the digital forensics field, and examiners must understand the fundamentals of smartphone handling, data recovery, accessing locked devices, and manually recovering data hiding in the background on the device. There are traces of evidence hiding on the device, and you know how to uncover them.

FOR572: Advanced Network Forensics Analysis

“Malum Loquitur, Bonum Auscultat”: Evil must talk, so good must listen

Network Forensic professionals are hunters with great visibility, who can find a target among a mass of camouflaging data. Wisdom, experience, and stealth are all embodied by the owl’s watchful, unwavering eye, seeking its prey under the cover of darkness. No matter how crafty an adversary may be, their communications will allow the hunter to find, identify, and ultimately eliminate their presence.

FOR518: Mac Forensics

“Impera magis. Aliter cogita”: Command more and think differently.

Apple users have always thought differently, and that goes for Apple forensicators too. The analysts who hold this coin take command of their forensic analysis and appreciate looking at the raw data and interpreting it correctly without the necessity of superfluous tools. Knowing where you came from can help you move forward; this is where the hat tip to the original colored Apple logo comes in. New artifacts are presented to analysts in every OS update, and knowledge of historic elements may provide insight.

FOR578: Cyber Threat Intelligence

“Hominem unius libri timeo”: I fear the man of one book.

FOR578 is all about developing analytical skills: thinking critically and expanding our views, a skill that applies to any security profession. The quote is attributed to Thomas Aquinas, and despite the common use of the phrase (which is meant to deride the person who is not well studied across multiple subjects), the original meaning was that a person who understood one good book well could defeat their opponent. Thus, this phrase can be interpreted two entirely different ways. Both are about self-education and broadening our views on the world.

FOR526: Memory Forensics In-Depth

“Cur mihi oculi dolent?”: Why do my eyes hurt?

Memory forensics reveals deeper insights into the state of a compromised system and stands as the best source for detection of malware and OS/process manipulation/subversion. These analysis methods reveal key evidence which may not be uncovered through querying the operating system or digging through network packets. This quote comes from the original Matrix movie, a question Neo asks of Morpheus when he first wakes from his life in the artificial reality created by sentient machines. It is this awakening and raw view of reality that we as forensic examiners/incident responders strive to achieve through deeper analysis of system memory.


DFIR Netwars

Staying up-to-date with the latest challenges in the digital forensics field demands analytical skills that cannot be gained just by reading a textbook. Just as firefighters could never learn to fight a fire by studying theory alone, incident responders, threat hunters, and digital forensic investigators need to put their skills to the test, and DFIR Netwars is where they can do it.

New DFIR Challenge coin back design:

The challenges for each course are held on the last day. Students must successfully overcome a number of obstacles, directly compete against fellow students, and prove their proficiency during timed, hands-on incidents. The obstacles, competitions and hands-on scenarios have been created by SANS’ top instructors – digital forensics practitioners, subject matter experts, experienced teachers and professional leaders in their own right. At the end of the challenge, the instructor announces the winner(s), who are awarded the coins at the end of the 6th day of class; winners are later listed on the SANS Institute’s virtual wall of Lethal Forensicator Coin Holders.


History of the SANS Challenge coins:

The coin – more precisely, Round Metal Object (RMO) – was initially created to recognize students who demonstrate exceptional talent, contributions, or who serve as leaders in the digital forensics profession and community. The coin is meant to be an honor; it is also intended to be rare. SANS Institute uses the coins to identify and honor those who excel at detecting and eradicating threats, understand the critical importance of cybersecurity and continually strive to further not only their knowledge but also the knowledge of the entire digital forensics field. They actively share their experience and encourage learning through participation in the community and are typically leaders in the digital forensics and incident response community.

Those who are awarded the Lethal Forensicator are also bestowed special privileges and recognition, including participation in the so-called and well-regarded “coin check” challenge and response.

“Coin check” Challenge:

Initiated by one coin holder to another, a coin check typically begins by a challenger holding his or her coin in the air or slamming it on a table and yelling “coin check!” All who are challenged must respond by showing their coins to the challenger within 10 seconds, and whoever fails to do so must buy everyone a round of drinks. If all the challenged coin holders do produce their coin, the challenger must buy the round of drinks. (By the way, if you accidentally drop your coin and it makes an audible sound on impact, then you’ve “accidentally” initiated a coin check. And, there are no exceptions to the rules!)

Coin checks aside, there are other ways to win the DFIR Challenge coins besides being an exceptional DFIR student and winning the classroom challenges. Each GOLD GCFA, GREM, GCFE member that has written a published white paper that has furthered the field of research in the Digital Forensics field receives a coin, as do SANS Digital Forensics Blog authors who have written six published entries over a one-year span. In addition, speakers and panelists who participate at a SANS Digital Forensic Summit are awarded coins (vendors and vendor-related speakers are not eligible). Finally, any coin holder can nominate an individual in the digital forensics field who has contributed knowledge, tools or service.

For more information on our SANS DFIR courses, please visit our Forensics Courses list. And to read more about the coin and the history of the term “Forensicator,” check out our Community – Lethal Forensicator Coin page.



Call for Presentations Now Open!


Submit your proposal here: http://dfir.to/DFIR-CFP-2017
Deadline: January 16th at 5pm CT


The 10th Annual Digital Forensics and Incident Response Summit Call for Presentations is open through 5 pm EST on Monday, January 16, 2017. If you are interested in presenting or participating on a panel, we’d be delighted to consider your practitioner-based case studies with communicable lessons.

The DFIR Summit offers speakers the opportunity for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Check out some of the DFIR Summit 2016 talks:


We are looking for Digital Forensics and Incident Response Presentations that focus on:

  • DFIR and Media Exploitation case studies that solve a unique problem
  • New Forensic or analysis tools and techniques
  • Discussions of new artifacts related to smartphones, Windows, and Mac platforms
  • Focusing on improving the status quo of the DFIR industry by sharing novel approaches
  • Challenges to existing assumptions and methodologies that might change the industry
  • New, fast forensic techniques that can extract and analyze data rapidly
  • Focus on Enterprise or scalable forensics that can analyze hundreds of systems instead of one at a time


Malware Can Hide, But It Must Run


Article originally posted in forensicfocus.com
Author: Alissa Torres

It’s October, haunting season. However, in the forensics world, the hunting of evil never ends. And with Windows 10 expected to be the new normal, digital forensics and incident response (DFIR) professionals who lack the necessary (memory) hunting skills will pay the price.
Investigators who do not look at volatile memory are leaving evidence at the crime scene. RAM content holds evidence of user actions, as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.
Although Microsoft is not expected to reach its Windows 10 rollout goal of one billion devices in the next two years, their glossiest OS to date currently makes up 22% of desktop systems according to netmarketshare.com [1]. By this time, as a forensic examiner, you have either encountered a Windows 10 system as the subject of an investigation or will in the near future. Significant changes introduced with Windows 10 (and actually with each new subsequent update) have required some “re-education” to learn what the “new normal” is.

Let’s jump in and check out the differences that Windows 10 has brought to the world of forensics by examining some key changes in the process list. In performing memory analysis, an investigator must understand the normal parent-child hierarchical relationships of native Windows processes. This is the essence of “know normal, find evil” and allows for effective and efficient analysis. Most of you have used the Edge browser, which was released with Windows 10 in summer 2015. Whereas Internet Explorer is typically launched by explorer.exe (run by default as the user’s initial process), Edge is spawned by the Runtime Broker process, which in turn has svchost (a system process) as its parent. Edge runs as a Universal Windows Platform (UWP) application, one of the many Windows apps built to run on multiple types of devices; Runtime Broker manages permissions for Windows apps. This hierarchical process relationship deviates from one of the traditional analysis heuristics we have relied on in past versions of Windows: system processes have the SYSTEM process as a parent or grandparent, and normal user processes, like browsers, trace their parent lineage to explorer.exe. The screenshots below show the hierarchical structures of a Win10 RTM system (Build 10240) using the Process Hacker tool.

Figure 1. Typical Hierarchy of Internet Explorer Process

Figure 2. Hierarchical Structure of Microsoft Edge and SearchUI Processes

Other new additions to the Windows process list are SearchUI.exe, the Search and Cortana application, and ShellExperienceHost.exe, the Start menu and Desktop UI handler. As Windows apps, they are both spawned from the same Runtime Broker process as Edge. In the screenshot above, the SearchUI and ShellExperienceHost processes are in gray, indicating suspended processes. Only one Windows app is in the foreground at a time; those that are out of focus are suspended and swapped out, with process data being compressed and written to swapfile.sys in the file system [2].

Prepare for Internet connections to automatically be spawned by some of these new Win10 processes. OneDrive (formerly known as SkyDrive) has a connection to port 80 outbound and SearchUI (Cortana) creates outbound network connections as well when the user accesses the Start Menu. An example of network activity from the SearchUI process is shown below.

Figure 3. SearchUI.exe Network Connections

The memory data compression behavior first seen in Windows apps on Windows 8 has been implemented on a wider scale in Windows 10. Now when the memory manager detects “memory pressure”, meaning there is limited room for data to be written to physical memory, data is compressed and written to the page file [3]. Why is this relevant to the forensic examiner? Analysis of page file data can yield fruit, uncovering trace artifacts that indicate the malware at one point resided on the system. Remember that the contents of the page file were once in physical memory. This data, though highly fragmented, is great for string searches and yara signature scans. With the implementation of Windows 10 memory compression, a new obstacle exists for such analysis.

If you have done investigations involving nefarious command line activity, it is useful to know that the cmd.exe process now spawns its own conhost.exe process as of Windows 8. This is notable because in previous Windows versions, conhost is spawned by the csrss.exe process. I am always leery of a command shell running on an endpoint, particularly one to which a web browser has a handle.
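The parent-child baseline discussed above (Edge, SearchUI and ShellExperienceHost under Runtime Broker, Runtime Broker under svchost, conhost.exe under its cmd.exe as of Windows 8, and a shell hanging off a browser as something to be leery of) is easy to turn into a repeatable check. The Python below is an added example, not code from the article or from any SANS or Rekall tool: the expected-parent table encodes only the relationships named in this article plus the well-known IE frame/tab relationship, and the process list, its PIDs and the exited parents 600 and 1100 are constructed for illustration. On a real image you would feed it the pid, ppid and name columns of a pslist or pstree run.

```python
"""Parent-lineage checks over a process list, in the spirit of "know normal, find evil".

Added example: the expected-parent table encodes the Windows 8/10 relationships
described in the article; the process list is constructed, not taken from an image.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Expected parent(s) by process name, all lower-case. Edge, SearchUI and
# ShellExperienceHost are UWP apps spawned by Runtime Broker, which itself runs
# under svchost; conhost.exe is spawned by the console application (cmd.exe) as
# of Windows 8 rather than by csrss.exe as on earlier versions.
EXPECTED_PARENTS = {
    "iexplore.exe": {"explorer.exe", "iexplore.exe"},  # frame from Explorer, tabs from the frame
    "microsoftedge.exe": {"runtimebroker.exe"},
    "searchui.exe": {"runtimebroker.exe"},
    "shellexperiencehost.exe": {"runtimebroker.exe"},
    "runtimebroker.exe": {"svchost.exe"},
    "conhost.exe": {"cmd.exe", "powershell.exe"},
}
BROWSERS = {"iexplore.exe", "microsoftedge.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def by_pid(procs):
    return {p.pid: p for p in procs}


def lineage(pid, table):
    """Lower-cased names from pid upward, stopping at the root or at a parent missing from the list."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid].name.lower())
        pid = table[pid].ppid
    return chain


def check_lineage(procs):
    """Return (pid, name, reason) for every process whose lineage breaks the baseline."""
    table = by_pid(procs)
    findings = []
    for p in procs:
        name = p.name.lower()
        parent = table.get(p.ppid)
        parent_name = parent.name.lower() if parent else None
        expected = EXPECTED_PARENTS.get(name)
        if expected is not None:
            if parent_name is None:
                # Common in memory images: the parent has exited, so only its PID remains.
                findings.append((p.pid, name, f"parent pid {p.ppid} not in process list"))
            elif parent_name not in expected:
                findings.append((p.pid, name,
                                 f"unexpected parent {parent_name}, expected {sorted(expected)}"))
        # A command shell anywhere below a browser deserves a closer look.
        if name in SHELLS and set(lineage(p.ppid, table)) & BROWSERS:
            findings.append((p.pid, name, "command shell descends from a web browser"))
    return findings


# Constructed Windows 10 process list (PIDs invented; parents 600 and 1100 have exited).
SAMPLE = [
    Proc(4, 0, "System"),
    Proc(700, 600, "svchost.exe"),
    Proc(1200, 1100, "explorer.exe"),
    Proc(1500, 700, "RuntimeBroker.exe"),
    Proc(1600, 1500, "MicrosoftEdge.exe"),
    Proc(1700, 1500, "SearchUI.exe"),
    Proc(1800, 1500, "ShellExperienceHost.exe"),
    Proc(2000, 1200, "iexplore.exe"),
    Proc(2100, 2000, "cmd.exe"),      # shell launched by the browser: suspicious
    Proc(2200, 2100, "conhost.exe"),  # normal on Windows 8+: child of its cmd.exe
    Proc(2300, 1200, "cmd.exe"),      # user opened a shell from Explorer: normal
    Proc(2400, 1200, "conhost.exe"),  # conhost under Explorer: not the Win8+ pattern
]

if __name__ == "__main__":
    for pid, name, reason in check_lineage(SAMPLE):
        print(f"{pid:>6} {name:<24} {reason}")
```

Run against the constructed list, only the browser-spawned cmd.exe and the misparented conhost.exe are reported; the Edge, Cortana and Start menu processes under Runtime Broker pass, which is the point of updating the baseline for Windows 10 rather than flagging everything that does not descend from explorer.exe. Note that the expected parents are version-specific (conhost.exe under csrss.exe would be normal on Windows 7), so the table has to match the build the image came from.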

It is often difficult to discern what version of Windows 10 your target system was running at the time memory was acquired. Two significant updates have been pushed since Windows 10’s initial release: Threshold 2 in November 2015 and the Anniversary edition in July 2015. Shown below is imageinfo plugin output from the Rekall Memory Forensic Framework (1.5.3 Furka) [4] detailing the Build Version. With so many features added between Windows versions, as well as significant changes rolled out in updates, having a tool that uses the publicly available Windows symbols, like Rekall, is key. When an analysis tool requires a profile to be created before it can support a new version of Windows, there is lag time. Rekall automatically detects the Windows version and, by default, uses the matching profile hosted in its repository.

Figure 4. Rekall imageinfo Plugin Output Showing the Build Version

Xbox runs on Windows 10 now, and you may be among those celebrating that you can now stream console games to your computer. But how does this affect our forensic findings? Expect to see Xbox gaming services present even if they are not being used. Since malware commonly instantiates new services or hijacks existing ones as a method of persistence, again, it is good to know what normal looks like.


Hopefully a recap on how things have changed in recent versions of Windows will speed your analysis as you work to unravel the story of what evil happened on a system. Happy hunting!

SANS FOR526: Memory Forensics In-Depth provides you with the advanced skills you need to understand the newest Windows OS changes and find the evidence that might otherwise be left at the crime scene. Learn these critical skills and master the advanced investigative methods to find evidence in volatile memory with course author Alissa Torres at SANS Security East 2017.

[1] https://www.netmarketshare.com/operating-system-market-share.aspx
[2] https://blogs.technet.microsoft.com/askperf/2012/10/28/windows-8-windows-server-2012-the-new-swap-file/
[3] https://channel9.msdn.com/Blogs/Seth-Juarez/Memory-Compression-in-Windows-10-RTM
[4] https://github.com/google/rekall/releases

DFIR Summit 2016 – Call for Papers Now Open


The 9th annual Digital Forensics and Incident Response Summit will once again be held in the live music capital of the world, Austin, Texas.

The Summit brings together DFIR practitioners who share their experiences, case studies and stories from the field. Summit attendees will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response.

Call for Presentations – Now Open
More information 

The 9th Annual Digital Forensics and Incident Response Summit Call for Presentations is now open. If you are interested in presenting or participating on a panel, we’d be delighted to consider your practitioner-based case studies with communicable lessons.

The DFIR Summit offers speakers the opportunity for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Deadline to submit is December 18th, 2015.

Summit Dates: June 23 & 24, 2016
Post-Summit Training Course Dates: June 25-30, 2016

Submit now 

Identifying and Disrupting Crypto-Ransomware (and Destructive Malware)

In recent years, malware has become very personal. Crypto-ransomware threats, including CryptoLocker, CryptoWall and TorrentLocker (pdf), have infected home users, businesses and even police departments, all of whom have had their personal data and hard work held hostage. When we think of precious family photos or an academic thesis being wiped by pure greed, it can become rather emotive. This is nasty stuff, and we need to do something about it!

I have been giving some thought to how we can stop crypto-ransomware doing its thing. Initially, I thought about interfering with the Windows CryptoAPI, perhaps hooking the CryptEncrypt function; however, page 16 of a report by Bromium analysing various samples shows that some samples use CryptoAPI, others use OpenSSL libraries and a few even use custom inline code.

I then began thinking about what else was common to all of these threats and realised that they all (by their very nature) access a LOT of files, and therefore create an above average number of handles.

This is also true of destructive malware, a growing trend which strikes fear into most enterprise administrators. This involves vast numbers of personal and system files being overwritten to prevent them from being recovered. Sure, we (should) have backups, but can you imagine rebuilding a network with 200,000 endpoints? Ouch!

Okay, so what is a handle?

Microsoft provides a neat definition of a handle on MSDN, and rather than trying to re-word it, I have attached a quote from the site below:

Microsoft – Windows Dev Center – Handles and Objects
An object is a data structure that represents a system resource, such as a file, thread, or graphic image. An application cannot directly access object data or the system resource that an object represents. Instead, an application must obtain an object handle, which it can use to examine or modify the system resource. Each handle has an entry in an internally maintained table. These entries contain the addresses of the resources and the means to identify the resource type.

This is one of the several layers of abstraction that separate the user (and all the processes they’re running), from their physical assets, such as the hard drive. Any request to access a file on disk needs to go through the Windows kernel, and if you want to modify that file in user mode, you need to create a handle – simple as that!

So how are handles going to save me?

As we’ve discovered, if crypto-ransomware wants to read and then encrypt your files, it needs to create a handle for every file it interacts with. It doesn’t matter what encryption algorithm it uses, this is a much lower level concept based on how the Windows kernel interacts with system hardware.

If we can keep an eye on the frequency of new handles being created by every process we might be able to detect abnormal activity. This would also apply to destructive malware that has been designed to overwrite lots of files to prevent recovery. Don’t forget, if it wants to write to a file, it needs a handle.

To trial this concept, I’ve written a tool named handle_monitor, which takes stock of every file handle, by process, across the system. It then has a little pause (at the user’s discretion) and checks again, identifying any new handles which haven’t been seen before and tallying up the number of new handles created. If a threshold is passed within a defined number of cycles, then an alert is raised and an action (such as suspending the suspicious process) can be taken.


To replicate the effect of malware which makes a large number of disk read/write operations, I’ve written a small program called hm_test.exe, which writes the requested number of files to disk.

Figure 1. hm_test.exe writing to a large number of files

The Handles tab from the Process Hacker properties page shows the rapid creation and release of handles as the files are written.

Figure 2. Process Hacker demonstrating the open handles

Now as we launch handle_monitor, we are able to specify, in detail, every element of the analytical process and how the program will go about monitoring. Notice that in this case we are using the /suspend parameter which instructs the program to attempt to suspend any suspicious processes.

Figure 3. handle_monitor.exe being launched with custom parameters

Within seconds, the program identifies, based on our options, that hm_test is acting suspiciously and suspends the process. If this was crypto-ransomware, it would have been stopped after only encrypting approximately 30 files.

Figure 4. hm_test’s activity being caught (and suspended) by handle_monitor

How about a video demo?

You can watch the tool in action by clicking on the image below, which links to a YouTube video demo.


How about false positives? I don’t want to accidentally suspend my antivirus!

Good question. This isn’t an exact science and the key to this tool is that the user has the power to decide:

  • Whether suspicious processes are suspended, or we just raise an alert
  • Whether we ignore signed processes assuming they’re safe and focus only on unsigned or whether we review all of them
  • What the threshold for suspicious activity is: we can set it as X new handles in Y cycles

I’d be really interested in hearing what settings work for the samples you hold. A comprehensive analysis of what settings worked against a variety of samples might be a nice idea for a GIAC Gold paper for anyone who is interested in completing one!

The default settings are fairly conservative and you may want to start with a threshold of 2 in 10 cycles with a 100ms pause (as per the example) to increase your chances of finding something. It is worth noting that the lower the pause time, the higher the amount of system resources the program will use, and the lower the threshold, the higher the chances of false positives.
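To make the “X new handles in Y cycles” rule and the false-positive trade-off concrete, here is an added illustration of the detection logic in Python. It is not the handle_monitor source; the snapshots it replays are constructed test data (a quiet editor, an encryptor-like burst, and a trusted scanner on an ignore list standing in for the signed-process option), and the process IDs, paths and the `suspended` set are assumptions made for the example.

```python
"""Sliding-window detector for bursts of new file handles per process.

Added illustration of the rule described in the post, not the handle_monitor
source: snapshot every process's file handles, pause, snapshot again, count
handles not seen before, and alert when one process accumulates at least
`threshold` new handles within the last `window` cycles.  All snapshot
contents are constructed test data.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

Handle = Tuple[int, str]  # (pid, file path): one file handle in one snapshot


class HandleMonitor:
    def __init__(self, threshold: int = 2, window: int = 10,
                 ignore_pids: Iterable[int] = ()) -> None:
        self.threshold = threshold                 # X new handles ...
        self.window = window                       # ... within Y cycles
        self.ignore: Set[int] = set(ignore_pids)   # e.g. signed images the operator trusts
        self.seen: Set[Handle] = set()             # every handle observed so far
        self.new_per_cycle: Dict[int, Deque[int]] = defaultdict(
            lambda: deque(maxlen=window))          # per-pid count of new handles per cycle
        self.suspended: Set[int] = set()           # pids already acted upon (assumed action)

    def baseline(self, snapshot: Iterable[Handle]) -> None:
        """First pass: record what is already open without scoring it."""
        self.seen.update(snapshot)

    def observe(self, snapshot: Iterable[Handle]) -> List[int]:
        """Score one cycle; return pids that cross the threshold for the first time."""
        new_now: Dict[int, int] = defaultdict(int)
        for handle in snapshot:
            if handle not in self.seen:
                self.seen.add(handle)
                new_now[handle[0]] += 1
        flagged: List[int] = []
        # Give every tracked pid an entry (0 if quiet) so its window keeps sliding.
        for pid in set(new_now) | set(self.new_per_cycle):
            hist = self.new_per_cycle[pid]
            hist.append(new_now.get(pid, 0))
            if pid in self.ignore or pid in self.suspended:
                continue
            if sum(hist) >= self.threshold:
                self.suspended.add(pid)            # stand-in for the /suspend action
                flagged.append(pid)
        return sorted(flagged)


def simulate(threshold: int = 2, window: int = 10,
             ignore_pids: Iterable[int] = (300,)) -> Dict[int, int]:
    """Replay constructed snapshots; return {pid: first cycle it was flagged}."""
    mon = HandleMonitor(threshold, window, ignore_pids)
    mon.baseline([(100, r"C:\Users\a\notes.txt"),
                  (300, r"C:\Program Files\AV\scanner.log")])
    first_alert: Dict[int, int] = {}
    for cycle in range(1, 13):
        snap: List[Handle] = [(100, r"C:\Users\a\notes.txt")]
        if cycle == 4:          # ordinary editing: one new document
            snap.append((100, r"C:\Users\a\draft.docx"))
        if cycle >= 6:          # encryptor-like burst: five new files every cycle
            snap += [(200, rf"C:\Users\a\Documents\file{cycle}_{i}.docx")
                     for i in range(5)]
        # A trusted (e.g. signed) scanner also touches many files; it is on the ignore list.
        snap += [(300, rf"C:\Windows\System32\lib{cycle}_{i}.dll") for i in range(20)]
        for pid in mon.observe(snap):
            first_alert.setdefault(pid, cycle)
    return first_alert


if __name__ == "__main__":
    print(simulate())   # constructed run: {200: 6}
```

With the post’s suggested 2-in-10 setting the bursting process is caught on its first cycle of activity while the editor is never flagged; lowering the threshold to 1 flags the editor on cycle 4, and emptying the ignore list flags the scanner immediately, which is the balance between sensitivity and false positives the post describes.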

The next step is all about finding the right balance; I’d be very interested in hearing from you if you think you’ve got it right. If you want to get involved either tweet me or post it as a comment below, and once we have a general consensus, I will change the defaults in the source code.

Sounds great! How much?

Free of course! You can download the source code or pre-compiled binaries from my GitHub page. I would very much welcome any feedback!

Follow me on Twitter: @CyberKramer

Finding Evil on Windows Systems – SANS DFIR Poster Release

Adding to our ever growing number of Posters and Cheat Sheets for DFIR, we are proud to announce the availability of a brand new SANS DFIR Poster “Finding Evil” created by SANS Instructors Mike Pilkington and Rob Lee.

This poster was released with the SANSFIRE 2014 Catalog, so you might already have one. If you did not receive a poster with the catalog or would like another copy, here is a way to get one. For a limited time, we have set up a website where anyone can easily order one to use in their hunt to “Find Evil.”

Get the “Find Evil Poster” Here

In an intrusion case, spotting the difference between abnormal and normal is often the difference between success and failure. Your mission is to quickly identify suspicious artifacts in order to verify potential intrusions. Use the information in the poster as a reference for locating anomalies that could reveal the actions of an attacker.

One of the biggest challenges that we have in FOR526 Memory Forensics or FOR508 Advanced Incident Response is the ability for individuals to understand a “normal windows process list.”

  • What should be there?
  • What is good?
  • What would be a flag or something that would draw our attention?

Obviously, this training usually begins with a full explanation of how SVCHOST.EXE is abused, but it then goes further into the heart of the Windows process list: which processes you should expect to see and which ones are odd.

We quickly move on to discuss where we might find things that are odd on the second side of the poster. In the example below is a discussion of looking for Code Injection, which we cover in both FOR526 Memory Forensics and FOR508 Advanced Incident Response.

Get the “Find Evil Poster” Here

This poster should be on the wall of every Security Operation Center (SOC) where you have IR teams and analysts hunting down the adversary in your enterprise. It is meant to teach both experts and those who are new to the field the intricacies of “What is normal?” on a Microsoft Windows system. This is part of our dedication to helping and giving back to the security community with contributions like these posters and the SIFT 3.0 workstation.

Poster Credits:

Lead authors -> Mike Pilkington and Rob Lee


  • Jared Atkinson
  • Jason Fossen
  • Jesse Kornblum
  • Doug Koster
  • Kristinn Gudjonsson
  • Kris Harms
  • Joachim Metz
  • David Nides
  • Patrick Olsen
  • Christian Prickarts
  • Elizabeth Schweinsberg
  • Anuj Soni
  • Alissa Torres
  • Jake Williams
  • Tom Yarrish
  • Chad Tilbury
  • Lenny Zeltser

FOR526 (Memory Forensics) Course Updates – Live at DFIRCON!

Alissa Torres and Jake Williams recently updated the material in FOR526 just in time for DFIRCON.  Previously, FOR526 focused largely on malware investigations.  However, this new revision places new emphasis on misuse/criminal investigations and those investigations where malware may not have been used.  We see a lot of those cases now, where by the time we’re called to investigate, the attackers are just using VPN creds, no need for malware.  Sure, we still cover finding malware, but we find that this revision makes the subject of memory forensics more applicable to a broader range of DFIR professionals.

Is memory forensics a forensics discipline all its own?  Not really.  You’re unlikely to work an entire case using only memory artifacts (although you will learn how).  To be a true forensics professional though, you have to understand what’s available in the different forensics disciplines.  Memory is definitely one of those disciplines.  If you think that running half a dozen volatility plugins is all there is to memory forensics, we have much to teach you.  Just as disk forensics practitioners understand filesystem layouts, we’ll teach you memory layouts and how to interpret key structures in memory.

If you come to a course purely for slide count, this IS NOT the course for you.  If you like slides, we have some of those too.  But there is a heavy emphasis on hands on labs in the course (13 full length labs, numerous hands-on exercises, and final day challenges).

We also added the creation of YARA  signatures and page file analysis to the course.  The page file is often overlooked in memory investigations.  While it isn’t strictly memory, it does contain the contents of pages previously in memory.  As such, there are some really interesting things that can be found there.  You’ll learn what you can expect to find and just as important, what you aren’t likely to find in the page file.  You’ll also learn to write YARA signatures to quickly identify artifacts of interest.

Sometimes the pre-built plugins fail you.  When this happens, it’s time to drop into the shell.  In memory forensics, that’s the volatility shell, or volshell.  We covered volshell minimally in the course before.  But previous students wanted to know how to do more in volshell.  So we added additional labs covering more advanced use of volshell.  We decided to cover topics that Jake uses regularly when doing deep dives in memory investigations. Rather than being academic, you can put these techniques to work right away in your investigations.

One technique we see used increasingly by criminals is encrypted zip/rar/archive files.  Some insiders use these to get past DLP protections that would otherwise inspect email attachments.  However, criminals (just like legitimate users) are creatures of habit and often reuse passwords.  Fortunately, Windows passwords for currently logged in users are stored in plaintext in memory.  You’ll learn how to extract these passwords from memory so you can use them as a starting point for decrypting these files.

We’re also updating the final day challenges to include more focus on insider and criminal investigations.  Yeah, there’s malware too (@malwarejake is one of the course authors, of course there’s going to be malware).  Unravel the cases, one piece at a time and earn the coveted lethal forensicator RMO.

Windows 8 / Server 2012 Memory Forensics

With Memoryze 3.0, the folks at Mandiant hit their mid-summer goal to roll out memory analysis support for Windows 8 (x86 and x64) and Server 2012 (x64). While support has not yet been rolled into Redline collector scripts, data collected by Memoryze can be loaded and analyzed in the Redline interface.  This is no real surprise since Memoryze is the back-end collection and analysis tool that Redline relies upon.

You can dump Windows memory and process your memory image with the following commands (run MemoryDD.bat from a removable device and Process.bat on your forensic box):

MemoryDD.bat -output E:\ 

Process.bat -input memory.img -handles true -sections true -ports true -imports true -exports true -injected true -strings true

To perform live memory analysis and take advantage of capabilities like digital signature, MD5, and MemD5 checks, run Process.bat directly on a live system without the “-input” parameter:

Process.bat -output E:\ -handles true -sections true -ports true -imports true -exports true -injected true -strings true -digsig true -MD5 true -MemD5 true

If you have used Redline before, these options should look familiar since Redline simply provides a GUI and builds a similar command line in the background.

Redline vs. Memoryze Parameters

The results of Process.bat (stored in .\Audit by default) can be opened in Redline using the “From a Collector” option under “Analyze Data”.  Just point it to the folder with the Process.bat results.

To build the Memoryze collection scripts on a portable device you can use the method covered in the Memoryze user guide (below) or just install MemoryzeSetup.msi on your forensic system and copy the resulting x32 and x64 folders to your device.

msiexec /a MemoryzeSetup.msi /qb TARGETDIR=<path to device>

This entire process evokes some nostalgia, taking us back to the days when Redline was first released. Don’t get too comfortable with it as my guess is native support within Redline is only a release away.

In addition to Win8 support, expect a big upgrade in network connection identification including IPv6 support and improved carving of closed network connections resident in memory. Download the update here. Thanks to Jamie Butler (@jamierbutler) for the heads up!

Chad Tilbury, GCFA, has spent over twelve years conducting computer crime investigations ranging from hacking to espionage to multi-million dollar fraud cases. He teaches FOR408 Windows Forensics and FOR508 Advanced Computer Forensic Analysis and Incident Response for the SANS Institute. Find him on Twitter @chadtilbury or at http://forensicmethods.com.