Dr Weihan Goh
[Singapore Institute of Technology]
Dr Weihan Goh is an Assistant Professor at the Singapore Institute of Technology (SIT), where he teaches primarily in the BEng (Hons) Information and Communications Technology (Information Security) degree programme.

He leads the GoSecure vulnerability assessment programme at SIT funded by the Infocomm Media Development Authority of Singapore (IMDA), and participates in capture-the-flag exercises outside of his work.

His research interest is in security testing, digital forensics, blockchains, and applied cryptography, as well as technologies for cybersecurity education, such as cyber ranges, CTF / CDX, and anti-fraud / anti-cheat systems.

Project Enigma: Detecting Indicators of Compromise through RAM Analysis, Event Logs and Malware Machine Learning

Proper forensic analysis depends on combining several independent forensic tools, which usually requires an arduous amount of manual labour sifting through the data, in addition to the technical skills needed to operate the tools. We have developed a solution to aid DFIR investigators by swiftly and effectively determining indicators of compromise (IOC) when responding to cyber security incidents, so as to steer follow-up investigations in the right direction.

Our solution, comprising portable software coupled with components running on widely available red-teaming hardware, aims to provide as much information as possible within the forensic scope of an investigation. We utilize a Bash Bunny, a USB multipurpose device typically used for attack orchestration, to perform data triage of the host machine's RAM and Event Logs, which are then analyzed by our software solution.

Data obtained through the Bash Bunny can then be put through our portable software, which first automates RAM analysis techniques while extracting artifacts relating to the incident. Following that, the artifacts are processed by our trilogy of modules: a Windows Security Event Log analyzer, a Portable Executable (PE) static analyzer, and a PE Predictor that utilizes a pre-trained model to identify information of interest. Upon completion, a report containing the discovered findings is generated for review by the incident responder.
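As an added illustration of the kind of analysis the Event Log module performs, the following is example code written for this page, not Project Enigma's own software. It runs three IOC checks over a constructed sample of Windows Security events that have already been exported to dictionaries (as an EVTX-to-JSON tool would produce): a burst of failed logons (event ID 4625) for one account from one source, a successful logon (4624) for that account shortly after the burst, and a newly created account (4720) that receives special privileges (4672) soon afterwards. The event IDs are the standard Windows Security log IDs; the field names, thresholds, time windows and every sample value are assumptions made for the example.

```python
"""Toy Windows Security Event Log IOC triage.

Added example, not Project Enigma's code.  SAMPLE_EVENTS is constructed data in
the shape an EVTX-to-dict exporter might emit; field names and values are
assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # six failed network logons (4625) for one account from one source within six seconds
    *[{"EventID": 4625, "TimeCreated": f"2024-01-15T09:00:0{i}", "TargetUserName": "svc_backup",
       "IpAddress": "10.0.0.55", "LogonType": 3} for i in range(1, 7)],
    # ...followed by a successful logon (4624) for the same account from the same source
    {"EventID": 4624, "TimeCreated": "2024-01-15T09:00:10", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.55", "LogonType": 3},
    # a single mistyped password then a success: ordinary noise, must not be flagged
    {"EventID": 4625, "TimeCreated": "2024-01-15T09:01:00", "TargetUserName": "alice",
     "IpAddress": "10.0.0.12", "LogonType": 2},
    {"EventID": 4624, "TimeCreated": "2024-01-15T09:01:05", "TargetUserName": "alice",
     "IpAddress": "10.0.0.12", "LogonType": 2},
    # a new account created (4720) by the account that just logged on, then given special privileges (4672)
    {"EventID": 4720, "TimeCreated": "2024-01-15T09:05:00", "TargetUserName": "helpdesk2",
     "SubjectUserName": "svc_backup"},
    {"EventID": 4672, "TimeCreated": "2024-01-15T09:06:00", "SubjectUserName": "helpdesk2"},
]

FAILED_LOGON_THRESHOLD = 5              # assumed tuning values
FAILED_LOGON_WINDOW = timedelta(minutes=5)


def _ts(event):
    """Parse the ISO-8601 TimeCreated field into a datetime."""
    return datetime.fromisoformat(event["TimeCreated"])


def detect_failed_logon_bursts(events, threshold=FAILED_LOGON_THRESHOLD, window=FAILED_LOGON_WINDOW):
    """One finding per (account, source) with >= threshold 4625 events inside a sliding window."""
    attempts = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            attempts[(e["TargetUserName"], e.get("IpAddress", "-"))].append(_ts(e))
    findings = []
    for (user, ip), times in attempts.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= threshold:
                findings.append({"ioc": "failed_logon_burst", "time": start, "account": user,
                                 "source": ip, "count": len(in_window), "last": in_window[-1]})
                break  # report the first qualifying window per account/source only
    return findings


def detect_success_after_burst(events, bursts, grace=timedelta(minutes=10)):
    """A 4624 for a burst's account within `grace` after the burst: the guessing likely succeeded."""
    findings = []
    for b in bursts:
        for e in events:
            if (e["EventID"] == 4624 and e["TargetUserName"] == b["account"]
                    and b["last"] <= _ts(e) <= b["last"] + grace):
                findings.append({"ioc": "logon_after_failed_burst", "time": _ts(e),
                                 "account": b["account"], "source": e.get("IpAddress", "-")})
                break
    return findings


def detect_new_account_privilege(events, window=timedelta(hours=1)):
    """A 4720 (account created) followed within `window` by a 4672 (special privileges) for that account."""
    created = {e["TargetUserName"]: e for e in events if e["EventID"] == 4720}
    findings = []
    for e in events:
        if e["EventID"] == 4672 and e.get("SubjectUserName") in created:
            c = created[e["SubjectUserName"]]
            if timedelta(0) <= _ts(e) - _ts(c) <= window:
                findings.append({"ioc": "new_account_privileged_logon", "time": _ts(c),
                                 "account": e["SubjectUserName"],
                                 "created_by": c.get("SubjectUserName", "-"), "privileged_at": _ts(e)})
    return findings


def triage(events):
    """Run all checks and return findings in chronological order for the report."""
    bursts = detect_failed_logon_bursts(events)
    findings = bursts + detect_success_after_burst(events, bursts) + detect_new_account_privilege(events)
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["time"].isoformat(), f["ioc"], {k: v for k, v in f.items() if k not in ("time", "ioc")})
```

The three checks are deliberately chained: the burst finding feeds the "success after burst" check, and the account-creation finding names the creating account, so the report an investigator reads already links the IOCs into a sequence rather than listing isolated events. Thresholds and windows would be tuned per environment; the values here are only plausible defaults.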

This integrated solution aims to provide automation wherever possible, reducing manual labour and the errors that may come with it. Our presentation is structured as follows:

- The challenge with DFIR
- DFIR tools landscape (i.e., where we come in)
- Our integrated solution to the problem
- A description and demonstration of our solution
- The road ahead
