New Memory Forensics Techniques to Defeat Device Monitoring Malware

Thursday, October 13, 2022

11:00 AM - 12:00 PM PDT

30 minutes, including Q&A

Malware that is capable of monitoring hardware devices poses a significant threat to the privacy and security of users and organizations. Common capabilities of such malware include keystroke logging, clipboard monitoring, sampling of microphone audio, and recording of web camera footage. All modern operating systems implement APIs that give processes access to these devices, and all have been abused to monitor the activity of journalists and dissidents, conduct espionage operations, and gather data needed for blackmail.

Existing memory forensic methods for detecting these techniques are largely confined to malware that operates within kernel space. The use of kernel rootkits has waned in recent years, though, as operating systems have sharply locked down access to kernel memory. These restrictions on kernel rootkits, together with the easy-to-use userland APIs that provide access to hardware devices, have led to many device monitoring malware samples that operate solely within process memory. Unfortunately, current methods for detecting such malware are severely outdated or completely lacking. Live forensics relies on system APIs, but malware routinely hooks those same APIs to hide its activity. Partial memory forensics techniques exist for Windows, but they are outdated, and several techniques used across operating systems have no detection support at all. Given the recent emphasis on memory analysis, such as in the CISA directives related to ProxyLogon and SolarWinds, it is imperative that memory forensic techniques can properly detect modern threats.

In this webinar, we present our effort to develop algorithms capable of detecting userland device monitoring malware across all major operating systems. This work led to several Volatility plugins that automatically locate all information about processes that are monitoring hardware devices.

Guest Presenter:

Andrew Case

Senior Incident Response Handler

Andrew Case is a senior incident response handler and malware analyst. He has conducted numerous large-scale investigations that span enterprises and industries. Andrew's previous experience includes penetration tests, source code audits, and binary analysis. Andrew is the co-developer of Registry Decoder, a National Institute of Justice funded forensics application, as well as a developer on the Volatility memory analysis framework. He is a co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory". He has delivered trainings in the fields of digital forensics and incident response to a number of private and public organizations as well as at industry conferences. Andrew's primary research focus is physical memory analysis, and he has published a number of peer-reviewed papers in the field. He has presented his research at conferences including Black Hat, RSA, SOURCE, BSides, OMFW, GFirst, and DFRWS.

Sponsor Presenter:

David Richardson

VP of Product


David Richardson has been building software to help individuals and enterprises secure mobile devices for over a decade. David currently oversees product management at Lookout. He has 45 patents issued related to mobile security. He is a frequent speaker at security conferences on the topic of iOS and Android security.

Steve Paul
