If you have ever been given the mission to “Find Evil” on a compromised system, you understand the enormity of that tasking. In this technical presentation, Alissa will introduce sound methodology for identifying malware, using strategies based on “Knowing Normal”, “Data Reduction” and “Least Frequency of Occurrence” in order to identify malicious binaries and common methods of persistence. The skills and tools presented here will aid in efficient identification of anomalous files in order to narrow further analysis and facilitate the creation of indicators of compromise.
Alissa Torres is a certified SANS instructor, specializing in advanced computer forensics and incident response. Her industry experience includes serving in the trenches as part of the Mandiant Computer Incident Response Team (MCIRT) as an incident handler and working on an internal security team as a digital forensic investigator. She has extensive experience in information security, spanning government, academic, and corporate environments, and holds a Bachelor's degree from the University of Virginia and a Master's from the University of Maryland in Information Technology. Alissa has taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She has presented at various industry conferences and numerous B-Sides events. In addition to being a GIAC Certified Forensic Analyst (GCFA), she holds the GCFE, GPEN, CISSP, EnCE, CFCE, MCT and CTT+.
Listen to Alissa discuss “Detecting Persistence Mechanisms” in this SANS webcast that every DFIR professional should hear.