Forensic Investigation & Malware Analysis against Targeted Attack using Free Tools (13:00-17:00)

FIRST Hands-On Classes (Room Kenshu)

Thursday — November 15th, 2012 14:00

Thursday — November 15th, 2012 15:15

Thursday — November 15th, 2012 15:45

We will learn how to examine a disk image of a compromised PC, then analyze the malicious document and the malware extracted from the image. This hands-on session is outlined as follows:

  • Find malicious auto-started programs
  • Browse and recover (deleted) files
  • Analyze Windows registry hives
  • Analyze a malicious Office document
  • Analyze a SWF file and malware

Requirement

Students should bring their own laptop that meets the following requirements.

Hardware

  • at least 2GB RAM,
  • at least 50GB free disk space

Host OS

  • Windows XP SP3 or later with an administrative account
  • VMware Player 4 or higher, or VMware Workstation 8 or higher, installed
  • Microsoft Office

Guest OS 1 for dynamic malware analysis

  • Windows XP SP3 or later, 32-bit, with an administrative account (Windows 7 is recommended)
  • Microsoft Office (not essential, but we will use MS Office to open malicious documents; Office 2007 is desirable)

Guest OS 2 for forensic analysis

  • SANS SIFT Workstation 2.13 or 2.14 (optional; SIFT is used for browsing and extracting files from a disk image)

Download URL: http://computer-forensics.sans.org/community/downloads

Presenters

  • Hiroshi Suzuki (IIJ-SECT, JP)

    Hiroshi Suzuki is a malware analyst working for a Japanese ISP, Internet Initiative Japan Inc. His main job is to analyze malware and vulnerabilities, observe malware activity, and perform digital forensics, with over seven years of experience.

  • Takahiro Haruyama (IIJ-SECT, JP)

    Takahiro Haruyama (Internet Initiative Japan Inc.), EnCE, is a forensic professional with over seven years of extensive research experience and knowledge in intrusion detection, authentication, VPN, digital forensics and malware analysis. He is the author of memory forensics EnScripts such as Raw Image Analyzer (previously called Memory Forensic Toolkit) and Crash Dump Analyzer. He has also spoken at several conferences on digital forensics and computer security, including Black Hat Europe 2012, the Computer Enterprise and Investigations Conference (CEIC) 2011 and RSA Conference Japan 2010.