Farming the Loot Cave: Threat Hunting in Memory with the Volatility Framework and Big Data (Workshop)

Andrew Quill
Independent Researcher

Christopher Burch
Independent Researcher

Workshops

Memory analysis has become a key way to hunt and track malware and advanced persistent threats (APTs). So, it is more important than ever to arm analysts and investigators with better tools and capabilities for memory analysis. We created an app called TA-Volatility to help hunter in this endeavor. We will show you how to use this app to get your volatility output into Splunk and create simple yet effective dashboards that visualize critical artifacts and rapidly pinpoint threats in memory. We will also demonstrate how to extend TA-volatility to ingest additional volatility and community plugins. Welcome to the new world of mass forensic memory hunting! This capability can be utilized with nothing more than a free instance of Splunk and a Sift Workstation.

Requirements:

• Updated Volatility Framework installed either directly on a laptop or via SANS SIFT workstation virtual machine
• Splunk 7.1.x installed either directly on a laptop or a VM (preferable).  A preconfigured VM can be provided if you do not have one.
• Memory sample from: http://downloads.digitalcorpora.org/corpora/ram/nps-2009-m57-patents/

Andrew Quill

Andrew Quill has been working in the cybersecurity industry since 2004, ranging from the Health Care Industry to serving as a Cyber Network Defender in the US Army in 2016. He holds several SANS certifications to include GXPN, GCFA AND GCIH to name a few. He has most recently been invested in supporting open source advanced threat hunting using big data platforms like Splunk.

Christopher Burch