November TASK: A Gentle Introduction to Memory Forensics

Wednesday 28-November-2018 // 6:00 – 9:00 PM
Meeting Location: Michener Auditorium at UHN, 222 St. Patrick Street, Toronto


November TASK

This month we welcome Nick Johnson with a talk on memory forensics and René Hamel discussing cybercrime investigations at the Michener Auditorium at UHN.

As always, TASK is free, registration is not required to attend, and we invite you to bring your friends and colleagues.

We look forward to seeing you there!


Speaker: Nick Johnston
Topic: A Gentle Introduction to Memory Forensics

Memory resident post-exploitation frameworks like Empire[1] and mimikatz[2] are designed to minimize forensic artifact creation on a compromised host’s disk. This so-called “fileless” malware presents a significant challenge to traditional forensic disk image analysis. Memory analysis software like Volatility[3] enables incident responders and forensic investigators to examine a compromised system’s volatile storage and identify these otherwise stealthy attack tools.

This talk will serve as a light introduction to the how and why of memory forensics. The talk will begin with the arguments in favour of memory capture during a digital forensics and incident response (“DFIR”) matter vs immediately powering down the target system for disk imaging. Different memory collection scenarios will be presented and solutions using different software utilities will be demonstrated. Finally, collected memory samples will be analyzed using the Volatility framework with callouts to alternate software solutions where applicable. After this talk you will be able to explain the basic steps involved in memory forensics and recommend tools appropriate for different DFIR scenarios.

Speaker: René Hamel
Cybercrime Investigations: Handling the new Forensic Challenges

René’s digital forensic career spans over twenty years. His experience include several civil and criminal investigations for the Royal Canadian Mounted Police (“RCMP”), the banking industry, mid and large accounting firms in Canada, Europe and South East Asia. He currently manages the Forensics and E-Discovery practice at TELUS Security. René will talk about his latest experience with some of his cybercrime investigations challenges including some of the large scale forensic assignments he and his team managed.


This month’s TASK is sponsored by Proofpoint:

Proofpoint Inc. (NASDAQ: PFPT) is a leading next-generation security and compliance company that provides cloud-based solutions to protect the way people work today. Proofpoint solutions enable organizations to protect their users from advanced attacks delivered via email, social media, mobile, and cloud applications, protect the information their users create from advanced attacks and compliance risks, and respond quickly when incidents occur.


Meeting Location: Michener Auditorium, 222 Patrick Street, Toronto.

Posted in Events.