Patrick Kang
[Singapore Institute of Technology]
Patrick Kang Wei Sheng is currently pursuing his BEng (Hons) Information and Communications Technology (Information Security) degree at the Singapore Institute of Technology (SIT).
Patrick's broad range of interests includes malware reverse engineering, machine learning, and automation. His experience includes security operations and developing automated programs to increase efficiency.
Project Enigma: Detecting Indicators of Compromise through RAM Analysis, Event Logs and Malware Machine Learning
The agglomeration of different independent forensic tools is essential for proper forensic analysis, which usually requires an arduous amount of manual labour sifting through the data, in addition to the technical skills required to operate the tools. We have developed a solution to aid DFIR investigators by swiftly and effectively determining indicators of compromise (IOC) when responding to cyber security incidents, so as to steer and guide follow-up investigations in the right direction.
Our solution, comprising portable software coupled with components running on widely available red-teaming hardware, aims to provide as much information as possible within the forensic bailiwick of an investigation. We utilize a Bash Bunny, a multipurpose USB device typically used for attack orchestration, to perform data triage of the host machine's RAM data and Event Logs, which are then analyzed by our software solution.
Data obtained through the Bash Bunny can then be put through our portable software, which first automates RAM analysis techniques while extracting artifacts relating to the incident. Following that, the artifacts are processed by our trilogy of modules: a Windows Security Event Log analyzer, a Portable Executable (PE) static analyzer, and a PE Predictor that utilizes a pre-trained model to identify information of interest. Upon completion, a report containing the discovered findings is generated for review by the incident responder.
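To make the first of the three modules concrete, the following is an added example (written for this page, not Project Enigma's code) of what a Windows Security Event Log analyzer does at its simplest: it walks exported event records and emits findings for a few well-known indicators, then renders them as a short report for the responder. The event IDs are the standard Windows Security ones (4625 failed logon, 4624 successful logon, 4688 process creation, 1102 audit log cleared); the records themselves are constructed for the demonstration, and the rule thresholds, the list of user-writable path fragments and the field names pulled from EventData are assumptions, not the project's.

```python
"""Minimal Security Event Log triage: flag common indicators of compromise.
Hypothetical example; not Project Enigma's implementation."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, shaped like a JSON export of Security.evtx with the
# EventData fields a triage script would keep. Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    # five failed logons for "admin" from one host inside a few seconds, then a success
    *[{"EventID": 4625, "Time": f"2024-01-10T09:00:{i:02d}", "TargetUserName": "admin",
       "IpAddress": "10.0.0.7"} for i in range(1, 6)],
    {"EventID": 4624, "Time": "2024-01-10T09:00:09", "TargetUserName": "admin",
     "IpAddress": "10.0.0.7", "LogonType": "3"},
    # a single stray failure from another host: below threshold, must not fire
    {"EventID": 4625, "Time": "2024-01-10T09:30:00", "TargetUserName": "alice",
     "IpAddress": "10.0.0.9"},
    # process creation: one benign, one launched from a user-writable temp directory
    {"EventID": 4688, "Time": "2024-01-10T09:01:00",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "Time": "2024-01-10T09:02:00",
     "NewProcessName": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    # the Security log being cleared is itself worth reporting
    {"EventID": 1102, "Time": "2024-01-10T09:05:00", "SubjectUserName": "admin"},
]

# Assumed list of path fragments that a normal installer would not execute from.
SUSPICIOUS_PATH_FRAGMENTS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\public\\")


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def find_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each source IP with at least `threshold` 4625 events inside `window`,
    noting whether a 4624 for one of the same accounts came from that IP."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e)
    successes = {(e["IpAddress"], e["TargetUserName"])
                 for e in events if e["EventID"] == 4624}
    findings = []
    for ip, evs in failures.items():
        evs.sort(key=_ts)
        # sliding window: any `threshold` consecutive failures within `window` is a burst
        for i in range(len(evs) - threshold + 1):
            if _ts(evs[i + threshold - 1]) - _ts(evs[i]) <= window:
                users = sorted({e["TargetUserName"] for e in evs})
                findings.append({
                    "rule": "failed_logon_burst", "source_ip": ip, "count": len(evs),
                    "targets": users,
                    "followed_by_success": any((ip, u) in successes for u in users)})
                break  # one finding per source IP is enough for triage
    return findings


def find_suspicious_process_paths(events):
    """Flag 4688 process creations whose image lives under a user-writable path."""
    findings = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        path = e["NewProcessName"].lower()
        if any(frag in path for frag in SUSPICIOUS_PATH_FRAGMENTS):
            findings.append({"rule": "exec_from_user_writable_path", "time": e["Time"],
                             "process": e["NewProcessName"],
                             "parent": e["ParentProcessName"]})
    return findings


def find_log_clears(events):
    """Every 1102 (audit log cleared) is reported with the account that did it."""
    return [{"rule": "audit_log_cleared", "time": e["Time"],
             "by": e.get("SubjectUserName", "unknown")}
            for e in events if e["EventID"] == 1102]


def analyze(events):
    """Run all rules and return the combined list of findings."""
    return (find_failed_logon_bursts(events)
            + find_suspicious_process_paths(events)
            + find_log_clears(events))


def render_report(findings):
    """Plain-text report, one line per finding, for the incident responder."""
    lines = [f"{len(findings)} finding(s)"]
    for f in findings:
        detail = ", ".join(f"{k}={v}" for k, v in f.items() if k != "rule")
        lines.append(f"[{f['rule']}] {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(analyze(SAMPLE_EVENTS)))
```

On the constructed records this reports three findings: the five-failure burst from 10.0.0.7 that was followed by a successful logon for the same account, the executable launched from a Temp directory, and the log clear; the lone failure from 10.0.0.9 stays below the threshold. A real module would read the EVTX export rather than an inline list and would carry many more rules, but the shape (per-rule functions, a combined findings list, a rendered report) is the part that matters for the pipeline described above.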
This integrated solution aims to provide automation wherever possible, reducing manual labour and the errors that come with it. Our presentation is structured as follows:
- The challenge with DFIR
- DFIR tools landscape (i.e., where we come in)
- Our integrated solution to the problem
- A description and demonstration of our solution
- The road ahead