The security sector is facing a shortage of digital forensics practitioners able to investigate attacks that use fileless malware and other anti-forensics measures configured to leave little trace on physical disks.
According to Alissa Torres, founder of Sibertor Forensics and former member of the Mandiant Computer Incident Response Team: “Attackers know how forensics investigators work and they’re becoming increasingly more sophisticated at using methods that leave few traces behind. Put simply, we’re in an arms race where the key difference is training.”
In the last year, Torres has seen a substantial rise in fileless malware that exists only in volatile memory and avoids installation on a target’s file system. “Five years ago,” said Torres, “viewing sophisticated anti-analysis and acquisition techniques in the wild was something akin to the chances of witnessing a unicorn, but that’s no longer the case. As techniques for detecting trace artefacts on a compromised system have improved, it’s very much the case that the more sophisticated attackers have adapted quickly.”
Torres estimates that possibly one in every four Digital Forensics and Incident Response (DFIR) professionals has the training needed to analyse these newer self-defence techniques, which include more sophisticated rootkit and anti-memory-analysis mechanisms.
“The memory forensics field exploded around 2005 when many of the parsing tools started to become available,” explained Torres, “and its use in forensics has been growing ever since. An incredible advantage this analysis method has is speed. A skilled expert in memory forensics can discover insights a lot quicker and pick up on information that’s missed in traditional disk imaging.”
Although the investigation tools have improved, Torres points out: “Owning a hammer and a saw doesn’t make you a carpenter. A deeper understanding of the operating system internals to include memory management allows the examiner to access target data specific towards the needs of the case at hand.”
SANS FOR526: Memory Forensics In-Depth
Torres is lead author and instructor of the SANS FOR526: Memory Forensics In-Depth course, which she will teach at the upcoming annual DFIR Summit and training event in Prague, running from 5-17 October.
The course uses the most effective freeware and open-source tools available in the industry today and provides an in-depth understanding of how these tools work in the real world.
Torres will also be presenting on the subject of ‘Baselining Memory for Anomaly Detection’. Indeed, a number of leading speakers are set to cover the most innovative DFIR topics at the DFIR Summit, which is to be held on Sunday 11 October.
For more information visit: https://www.sans.org/event/dfir-prague-2015/
About the SANS Institute
The SANS Institute was established in 1989 as a co-operative research and education organisation. SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online.
An affiliate of the SANS Institute, GIAC validates employee qualifications via 27 hands-on technical certifications in information security.
The SANS Technology Institute, itself a regionally accredited independent subsidiary, offers Master’s degrees in cyber security. SANS Institute also operates the Internet’s early warning system, designated the Internet Storm Center (www.SANS.org).