Memory Forensics: How we used to do it & how we use it to respond to large-scale breaches today

Video description

For many years, memory forensics was the best way to gain insight into a single compromised machine. As breaches grew in reach and hundreds or thousands of hosts were affected, classic memory forensics, acquiring and analyzing a full memory image from each machine, no longer scaled. With current tooling and threat intelligence, memory forensics is feasible again even at enterprise scale. This is a real opportunity to track attackers more effectively, understand their techniques, and help Security Operations Centers build targeted detection rules for their Endpoint Detection and Response (EDR) systems.

In this video, FOR532: Enterprise Memory Forensics In-Depth course author Mathias Fuchs provides an overview of how memory forensics has been done in the past and how you can utilize many of the same tactics for the large-scale breaches of today.

About FOR532: Enterprise Memory Forensics In-Depth

Memory forensics ties into many disciplines in cyber investigations. From classical law enforcement investigations that focus on user artifacts, through malware analysis, to large-scale hunting, memory forensics has several applications that for many teams are still unknown territory. The FOR532 Enterprise Memory Forensics In-Depth class strives to change that and to significantly speed up your incident response, your threat hunting, and your malware analysis. Visit the course page (www.sans.org/FOR532) to learn more.

About Mathias Fuchs

Mathias began his career teaching Linux administration and general IT security and quickly moved into penetration testing and red teaming. As his skills improved (and as breaking into customer systems became more repetitive and less demanding), Mathias sought new challenges that would expand his IT security acumen. So he moved over to digital forensics and incident response, a field where the attacker unintentionally sets the pace and partly controls what an investigator needs to do, rather than that being dictated by the customer or the investigator.
