CactusCon


When Your Memory Forensics Tools Only Tell Half the Story

Malware authors are becoming ever more clever at creating malicious binaries that succeed both at compromising a system and at hiding from the incident responder's analysis tools. This presentation will demonstrate techniques and methods that the forensic analyst can use to dig deeper when their tools are telling only half the story, yet they know there is more of the story to be told. Using lessons learned from previous cases, I will demonstrate how to use various open source tools such as Volatility 2.6, Volatility 3, malwoverview, capa, binee, stringsifter, YARA and many others to complete the story and locate the malicious binaries for further analysis. Participants will gain new insights into how various tools provide information to the analyst, and into the gaps they must fill themselves, without the automation of forensic tools or scripts, in order to complete the investigation.

Aaron Sparling is an Officer with the Portland Police Bureau in Portland, Oregon, where he serves in the Investigations Branch, Forensic Evidence Division's Digital Forensic Unit. Prior to serving in the Digital Forensic Unit, Aaron was assigned to the Criminal Intelligence Unit, where he focused on Open Source Intelligence. Aaron has been working in digital forensics for the past eight years and has served as a Task Force Officer on the United States Secret Service Electronic Crimes Task Force and the Portland FBI/Oregon Cyber Crimes Task Force. Aaron currently serves as the Chairman of the Technical Advisory Council for the United States Secret Service National Computer Forensics Institute (NCFI). Aaron holds the GREM, GFCA, GFCE, GSEC, and CFCE certifications.