Memory Forensics & Forensic Incident Response

Robert Reed

Fri, 29th August 2014


Speaker Bio 1:
Robert Reed @tridentinfosec is a seasoned investigator with twenty years of law enforcement experience. He has investigated incidents ranging from simple traffic investigations to criminal homicides. With a Master of Science in computer information systems, he has leveraged this knowledge in the computer forensics field, developing and operating the first ASCLD (American Society of Crime Lab Directors) Lab-accredited computer forensic program in the State of Arizona.

In the course of his career, Reed has investigated numerous crimes involving computers, computer systems or digital evidence. He has been the affiant on countless search warrant applications, and participated in the service and execution of many warrants including those involving digital evidence. He has testified in hundreds of Criminal, Civil and Administrative hearings. He has obtained multiple certifications including the EC Council Computer Hacking Forensic Investigator (CHFI) and is a Certified EC Council Instructor (CEI).

Reed has taught computer forensics and cyber crime programs to clients from the US and foreign governments. Students include military personnel, law enforcement officials from national, state and local governments, educational institutions, corporate clients and individuals. In addition to the computer forensic curricula, Reed has given guest lectures to groups including the NSA-accredited information assurance program at the University of Arizona, and the 2009 PISA (Policia Internacional Sonora Arizona) conference.

Learning Objectives:

Robert will explain:

  • What is meant by ‘Memory Forensics’, with an overview of the subject
  • The processes of a ‘Forensic Incident Response’

Resources and materials:


Questions and answers

Max, Concise Courses:
@44:52 You spoke about the threat from insiders. Do you believe in an internal corporate honeypot, i.e. leaving a vulnerable application open on the network and seeing if anyone in the organization accesses it?

Robert Reed:
I think that depends a lot on the type of business that you are in. If you have obviously more sensitive data that is on there and you suspect that there might be the type of thing going on [unauthorized access or unethical behavioral tendencies] inside your organization then yes, certainly. I think that one of the problems that we have had in the past is ‘where do we filter?’ We filter really heavily on the outside of the organization or the perimeter, but once somebody gets inside of our network they typically have free rein. When we talk about hacking that is exactly what you want to do, you want to compromise any machine that is in the network. If you can compromise any machine that is inside that network, you can then move around much more easily.

Even if you have that corporate honeypot that is inside your network that can be a good clue that one or more of your machines have been hacked, not necessarily from the outside of the organization, i.e. an internal or an insider, but from someone who has gained access to a computer from inside your network and has now tried to pivot that machine to gain access to other areas inside your network.

Internal honeypots are certainly beneficial and I encourage [them] as long as security inside your network isn’t to the level that will compromise your ability to actually do your business, then yes, there is nothing wrong with internal security. By all means we should all do more of that because that is where hackers are trying to go, and once they are inside they are going to pivot and then do a broader compromise from inside your network.
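The internal tripwire Reed describes can be as small as a listener that never has a legitimate client, so every connection it receives is worth a look. The following is an added example, not code from the talk or from Concise Courses: a minimal TCP listener that records each connection as a JSON line, and a triage function that turns those lines into per-host alerts, ignoring hosts on an allowlist (a vulnerability scanner, say). The port, the banner text, the log format and the sample log lines are all constructed for illustration.

```python
"""Internal honeypot tripwire: log every connection, then triage the log.

Added example (not from the original talk). The JSON log format, the port,
the fake banner and the sample events below are assumptions for illustration.
"""
import json
import socket
import threading
from collections import defaultdict
from datetime import datetime, timezone


def record_connection(src_ip, src_port, dst_port, first_bytes, ts=None):
    """Serialize one connection attempt as a single JSON log line."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    return json.dumps({
        "ts": ts,
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        # keep only a short hex sample of what the client sent, for later review
        "first_bytes": first_bytes[:64].hex(),
    })


def handle_client(conn, addr, dst_port, banner, sink):
    """Send a banner, capture the client's first bytes, log, and hang up."""
    try:
        conn.settimeout(5)
        conn.sendall(banner)
        try:
            data = conn.recv(256)
        except socket.timeout:
            data = b""
        sink(record_connection(addr[0], addr[1], dst_port, data))
    finally:
        conn.close()


def serve(port, banner, sink, bind="0.0.0.0"):
    """Accept connections forever; one thread per client, sink() gets each log line."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client,
                             args=(conn, addr, port, banner, sink),
                             daemon=True).start()


# Hosts that are allowed to touch the honeypot (constructed: an internal scanner).
SCANNER_ALLOWLIST = {"10.0.9.7"}

# Constructed sample log, as the listener above would have written it.
SAMPLE_LOG = [
    '{"ts": "2014-08-29T09:58:10+00:00", "src_ip": "10.0.9.7", "src_port": 40211, "dst_port": 445, "first_bytes": ""}',
    '{"ts": "2014-08-29T10:02:31+00:00", "src_ip": "10.0.5.23", "src_port": 51822, "dst_port": 445, "first_bytes": "0000"}',
    '{"ts": "2014-08-29T10:02:33+00:00", "src_ip": "10.0.5.23", "src_port": 51823, "dst_port": 445, "first_bytes": ""}',
    '{"ts": "2014-08-29T10:05:02+00:00", "src_ip": "10.0.5.23", "src_port": 51901, "dst_port": 3389, "first_bytes": "0300"}',
]


def triage(lines, allowlist=SCANNER_ALLOWLIST):
    """Group honeypot events by source host and return one alert per host.

    A host that probes more than one honeypot port is rated higher, because
    that pattern looks like someone surveying the network rather than a typo.
    """
    by_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev["src_ip"] in allowlist:
            continue
        by_host[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["ts"])
        ports = sorted({e["dst_port"] for e in evs})
        alerts.append({
            "src_ip": ip,
            "attempts": len(evs),
            "ports": ports,
            "first_seen": evs[0]["ts"],
            "last_seen": evs[-1]["ts"],
            "severity": "high" if len(ports) > 1 else "medium",
        })
    return alerts


if __name__ == "__main__":
    # Run the listener on an unprivileged port with a constructed banner and
    # print each event; in practice sink() would append to a file or a SIEM.
    serve(2222, b"SSH-2.0-OpenSSH_7.4\r\n", print)
```

The interesting output is the alert list, not the raw log: on the constructed sample, the scanner is filtered out and the remaining host is flagged once, with both ports it touched and the time window, which is what an incident responder would take to the endpoint for a memory capture.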


Max, Concise Courses:
@46:35 I’m interested in forensics as a career but I don’t have any direct work experience. What forensics certification would you recommend if any?

Robert Reed:
There are a lot of forensic certifications that are out there. In terms of ‘which is better’, a lot of this depends on what is out there. There is CHFI, GCFA (the SANS certificate); ISC2 just came out with a forensics certification; and then there are vendor-specific certifications like the FTK certification and ‘A Certification’, EnCE, that certify their tools as well.

There is nothing necessarily wrong with the vendor-specific certifications because they teach the forensic approaches as well. The issue that I have with just using one tool is that, when you talk about forensics and forensic tools, it’s like having a tool box. So if you used EnCase as your primary tool (which is an excellent tool), and if you have an EnCE certification, it tells you basic forensic methodology plus you understand all of the different ‘ins and outs’ of how the case works. Well, that works really good and great, but there are going to be times, and I’ve seen it happen, when EnCase falls on its face for whatever reason, perhaps for a hardware or software issue, or someone that is using an anti-forensics technique. Let’s face it, we know that the big boys in the forensics space are EnCase and FTK; those are the two big boys. If they are not using both in a forensics shop, they are probably using one or the other. So, if I am going to create a hack or some type of compromise and I want to do anti-forensic techniques, I will want to figure out a way to do anti-forensics against EnCase. I am going to do that, right!?

The advantage of some of the vendor-neutral certifications like the CCE, the CHFI and GCFA is that they are vendor neutral. I teach CHFI a lot and it exposes a lot of people to a lot of different tools, whilst the SANS certificate will expose [students] to a different set of tools as well. The more tools you are comfortable with, the better it is going to be for you, so when you get out in the field, if the tool that you use all the time suddenly falls on its face, you can look [up the problem] with a different set of forensics tools.

The other advantage of that is that if you use multiple tools you have the ability to help collaborate your findings from one tool to another tool. For example, in the Casey Anthony case, they were talking about temporary Internet caches, and the forensics experts were using one set of forensics tools and then they looked at it with another tool and they found different artifacts. That is a problem because when it comes to court and you have disparate information from two different tools, the question the other side is going to bring up is, ‘OK, which tool is correct and which one is incorrect?’ They are going to allege that the tool that you used was in fact not providing reliable results and that the jury should discount your findings because of the unreliability of that tool.
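The cross-checking Reed recommends is easier to defend in court when it is done systematically rather than by eye. The following is an added example, not code from the talk or from any forensic vendor: it takes the artifact listings exported from two different tools (constructed here as Python objects; real exports would be parsed from CSV or a tool report), normalizes path differences that are purely cosmetic on Windows, and sorts every artifact into corroborated, hash mismatch, or seen by only one tool. The file names, hashes and sizes are constructed placeholders.

```python
"""Reconcile artifact listings from two forensic tools before reporting.

Added example (not from the original talk). The Artifact fields, the sample
listings and the verdict thresholds are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    path: str   # path as the tool reported it
    md5: str    # hash as the tool reported it (case may differ between tools)
    size: int   # logical size in bytes


def normalize_path(p):
    """Windows paths are case-insensitive and tools differ on the separator,
    so a difference only in case or slashes is not a real disagreement."""
    return p.replace("\\", "/").lower()


def reconcile(listing_a, listing_b):
    """Classify every artifact seen by either tool.

    corroborated : same path, same hash, same size in both tools
    hash_mismatch: same path, but the tools disagree on content or size
    only_a/only_b: the artifact was recovered by one tool and not the other
    """
    a = {normalize_path(x.path): x for x in listing_a}
    b = {normalize_path(x.path): x for x in listing_b}
    result = {"corroborated": [], "hash_mismatch": [], "only_a": [], "only_b": []}
    for key in sorted(set(a) | set(b)):
        if key in a and key in b:
            same = (a[key].md5.lower() == b[key].md5.lower()
                    and a[key].size == b[key].size)
            if same:
                result["corroborated"].append(key)
            else:
                result["hash_mismatch"].append((key, a[key].md5, b[key].md5))
        elif key in a:
            result["only_a"].append(key)
        else:
            result["only_b"].append(key)
    return result


def verdict(result):
    """Say whether the findings are ready to present or need more work first.

    A hash mismatch means the two tools disagree about the same file, which is
    exactly the cross-examination problem; it must be explained before use.
    Artifacts seen by only one tool are not wrong, but need a third source
    (a second pass, a different parser) before they carry weight on their own.
    """
    if result["hash_mismatch"]:
        return "explain-mismatches"
    if result["only_a"] or result["only_b"]:
        return "corroborate-singletons"
    return "ready"


# Constructed sample listings: the same browser cache directory as two tools
# might report it. Hashes are placeholders, not real file hashes.
CACHE = r"C:\Users\jdoe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABCD1234"
TOOL_A = [
    Artifact(CACHE + r"\index[1].htm",  "aa11aa11aa11aa11aa11aa11aa11aa11", 4821),
    Artifact(CACHE + r"\logo[1].png",   "bb22bb22bb22bb22bb22bb22bb22bb22", 10233),
    Artifact(CACHE + r"\search[1].htm", "cc33cc33cc33cc33cc33cc33cc33cc33", 2210),
]
TOOL_B = [
    # forward slashes and different case: cosmetic, should still match
    Artifact(CACHE.replace("\\", "/").lower() + "/index[1].htm",
             "AA11AA11AA11AA11AA11AA11AA11AA11", 4821),
    # same path, different hash: the tools disagree about the file content
    Artifact(CACHE + r"\logo[1].png",   "dd44dd44dd44dd44dd44dd44dd44dd44", 10233),
    # recovered by tool B only
    Artifact(CACHE + r"\tracker[1].js", "ee55ee55ee55ee55ee55ee55ee55ee55", 877),
]


if __name__ == "__main__":
    r = reconcile(TOOL_A, TOOL_B)
    for bucket, items in r.items():
        print(f"{bucket}: {len(items)}")
    print("verdict:", verdict(r))
```

On the constructed listings one artifact is corroborated despite the path formatting difference, one is a genuine hash mismatch, and each tool has one artifact the other missed, so the verdict is to explain the mismatch before any of it goes into a report.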