DFIR Summit 2014

Austin, TX | Tue, Jun 3 - Tue, Jun 10, 2014

Extracting User Credentials using Memory Forensics

  • Alissa Torres, Certified Instructor, SANS Institute
  • Wednesday, June 4th, 5:45pm - 6:45pm

Though Windows credential extraction and password cracking are often categorized as offensive skills, used by pentesters and sophisticated attackers, digital forensic examiners and incident responders can also put these techniques to use to further their investigations. Just by parsing a physical memory image of a Windows system, local and domain user account password hashes can be pulled from the registry hives and plaintext credentials can be extracted from the wdigest in the lsass process for logged on users. For employee or criminal investigations, cracking a user's logon password can allow the examiner access to encrypted files or accounts due to frequent password re-use by users. Likewise, in intrusion cases, being able to dump credentials from a compromised system allows the IR team to assess what accesses the attacker was able to acquire, providing for better scoping of the intrusion. This webcast walks through several practical forensics use cases for Windows credential extraction from memory and includes excerpts from the SANS FOR526: Memory Forensics In-Depth class.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Vendor: Events hosted by external vendor exhibitors.
  • Lunch & Learn: Short presentations given during the lunch break.

Tuesday, June 3

Session | Speaker | Time | Type
Logs, Logs, Every Where / Nor Any Byte to Grok | Phil Hagen, Instructor, SANS Institute | Tuesday, June 3rd, 6:30pm - 7:30pm | SANS@Night

Wednesday, June 4

Session | Speaker | Time | Type
Extracting User Credentials using Memory Forensics | Alissa Torres, Certified Instructor, SANS Institute | Wednesday, June 4th, 5:45pm - 6:45pm | SANS@Night
Sushi-grade Smartphone Forensics on a Ramen Noodle Budget | Heather Mahalik, Certified Instructor, SANS Institute | Wednesday, June 4th, 6:45pm - 7:45pm | SANS@Night

Thursday, June 5

Session | Speaker | Time | Type
The Great Browser Schism: How to Analyze IE10 & IE11 | Chad Tilbury, Certified Instructor, SANS Institute & Technical Director, CrowdStrike | Thursday, June 5th, 5:45pm - 6:45pm | SANS@Night
Filesystem Journal Forensics | David Cowen, Partner, G-C Partners | Thursday, June 5th, 6:45pm - 7:45pm | SANS@Night

Monday, June 9

Session | Speaker | Time | Type
Vendor Showcase | | Monday, June 9th, 9:50am - 10:05am | Vendor Event
Dealing With Persistent Smartphone Forensic Challenges | Ronen Engler, Senior Manager, Technology & Innovation | Monday, June 9th, 12:00pm - 1:00pm | Lunch and Learn
Vendor Showcase | | Monday, June 9th, 3:45pm - 4:05pm | Vendor Event

Tuesday, June 10

Session | Speaker | Time | Type
Vendor Showcase | | Tuesday, June 10th, 10:30am - 11:00am | Vendor Event
Facing The New Frontier: A Real Case Study In Performing Computer Forensics Without The Evidence | Keith Jones, Lead Cybersecurity Engineer | Tuesday, June 10th, 11:30am - 12:30pm | Lunch and Learn
Vendor Showcase | | Tuesday, June 10th, 3:00pm - 3:20pm | Vendor Event