Do you feel like your current methods of performing digital investigations are antiquated and unable to deal with the threats posed by the modern digital adversary? Do you feel that forensic vendors have lost touch with the needs of investigators? Do you believe that the ability to perform investigations is not a privilege for those who can afford an $100,000 price tag? Are you tired of forensics vendors who seem more interested in exploiting the community rather than helping to empower investigators? We are in the midst of a "Digital Forensics Revolution"!
During our presentation at the SANS Forensics Summit, "Upping the 'Anti': Using Memory Analysis to Fight Malware", we made two major announcements which will dramatically affect the way digital investigations are performed across the enterprise. The first announcement related to the availability of a powerful new feature in F-Response 2.03, remote real-time read-only access to a computer system's physical memory. By coupling this revolutionary technology with their ability to provide remote access to a computer's physical disks, F-Response has provided digital investigators a truly unique capability that will shape the future of digital investigations.
During the presentation, we also publicly unveiled Voltage. Voltage is a platform that combines the award winning memory analysis capabilities of Volatility with the remote real-time access provided by F-Response. Imagine being able to reach across the network into the physical memory of a remote system and extract a sample of a suspicious executable in real time! While some investigators will prefer the command-line interface and cost effectiveness of Volatility (free!), Voltage provides an option for enterprise investigators who desire advanced automation and visualization. It also provides investigators with the ability to continuously monitor and verify the runtime state (integrity) of the systems within their organization. If an incident is detected, Voltage is able to automatically capture a sample of physical memory while the artifacts are still resident in memory and temporally relevant. It also provides the ability to search for Advanced Persistent Threats (APT) that may be hiding within the enterprise. Voltage gives investigators unprecedented visibility into the once opaque components of the information infrastructure.
It's important to emphasize that Voltage provides a capability unlike anything you have ever seen. Unlike other enterprise solutions, which deploy heavyweight agents or servlets that attempt to naively perform live analysis on a compromised machine, the minimal F-Response target merely provides access to the raw data. At the same time, all of the complex processing and analysis is done remotely on a trusted machine. As a result, you have complete access to the runtime state of the remote system, physical memory and pagefile (swap), while minimizing your impact on potential artifacts and reducing your exposure to subversion. Whereas other solutions force you to collect a snapshot of physical memory, sometimes taking hours before analysis can even begin, Voltage allows the investigator to begin analyzing physical memory on a remote system in real time.
Thursday, October 16, 2008
Thursday, October 9, 2008
I'm very excited to announce a new training opportunity for those in Europe or those who like to travel to Europe. My colleagues at Hoffmann Investigations will be hosting advanced forensics training for experienced investigators. As a part of this unique week long training, I will be leading a 2-day session on Memory and Malware Forensics. This session is designed to combine informative lectures with hands-on training exercises and realistic scenarios, similar to those that our investigators have faced in the field. This is your opportunity to learn how to leverage the power of Volatility 1.3 to improve your digital investigation process.
- Session 1 - Advanced Vista forensics: Lance Mueller
- Session 2 - Apple and iPhone forensics: Remon Verkerk
- Session 3 - Open source forensics, File Formats and Advanced File Carving: Joachim Metz and Robert-Jan Mora
- Session 4 - Advanced Memory Forensics and Malware Analysis: AAron Walters
Posted by AW at 8:47 AM