HTCIA Members’ Webinar Series

HTCIA Webinar Series – Reconstructing User Activity with Memory Forensics

We are pleased to present the second webinar in our members-only training on March 25, 2014 from 10:00am – 11:30am PST.

Forensic investigations of all types have grown increasingly more complex, requiring advanced forensic techniques to identify trace file system artifacts and memory-resident evidence. The prevalence of encryption and user applications that do not log to disk, such as privacy-mode browsers and instant messaging clients, points to the increasing sophistication of today’s average user and raises the bar for investigators charged with working Acceptable Use Policy (AUP) employee cases or criminal investigations. Proof of the current or past existence of rogue applications can be found by parsing registry artifacts found in memory, as well as with traditional file system forensics. Evidence of execution, be it from registry keys or from terminated/active processes, can be the smoking gun needed to prove a suspect’s deliberate activity on a system. Clearly, memory forensics has an enormous impact in the outcome of today’s typical user investigation.

In this session, we will wield memory parsing tools in the pursuit of uncovering what a user did (or is actively doing) on a system. We will introduce powerful stream and structure-based forensic analysis techniques that target user artifacts, some of which can only be found in physical memory.

 

Your Speaker – Alissa Torres, SANS Instructor

Torres-1Alissa Torres is a certified SANS instructor, specializing in advanced computer forensics and incident response. She is the lead author of the SANS FOR526: Memory Forensics In Depth course. Her industry experience includes serving in the trenches as part of the Mandiant Computer Incident Response Team (MCIRT) as an incident handler and working on an internal security team as a digital forensic investigator. She has extensive experience in information security, spanning government, academic and corporate environments and holds a Bachelors degree from University of Virginia and a Masters from University of Maryland in Information Technology. Alissa has taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She has presented at various industry conferences and numerous B-Sides events. In addition to being a GIAC Certified Forensic Analyst (GCFA), she holds the GCFE, GPEN, GREM, CISSP, EnCE, CFCE, MCT and CTT+.

 

If you are a member and interested in registering for the next webinar (free of charge),please proceed to the registration page (you will need to sign into the member portal).

If you have any questions, please contact websupport@htcia.org

Leave a reply