Black Mirror of Execution: How new artifacts have changed the 'O' and the 'D'

BSides Augusta 2017 · 54:12 · 192 views · Published 2017-09
About this talk
BSides Augusta 2017. Alissa Torres (@sibertor). Black Mirror of Execution: How new artifacts have changed the 'O' and the 'D'. Windows tracks system and user activity with growing sophistication and granularity. Let's walk through some of the forensic evidence of execution that few examiners know about and that is seldom used, such as SRUM, AmCache and SCCM data. Alissa will dissect 4 case studies where these newly identified artifacts cracked the case and unlocked the story of what happened on the system, who did it, and when.
Transcript [en]

in this case I forgot to plug in my pointer

every memory are that we bitter end the - road is about 40% of response to this answer do not have the true nature of

we'll share with you we learn everything doing a bit of a sample set some of those fascinating stuff that you can pull from memory memory and user in the speech in through trying to explain who these are human thing to compromise the system one finger is requires objective but

so these are examples of schools that are being used in response to monetary and wondered exactly in quest when she does know

we're going to start with the you guys ready yeah there's a little bit of a challenge

okay
we already run on your box to now point back to something how users behind all that seem close to either way from one to ten - machine join me in the box

yeah so the start time ridiculous

so if you want to clean up more ps3

so maybe some techniques up here yes tree increases parent-child presentation of the process list so become unstuck outs and sudden drill down and show these three things you see me run history in roseburg at TRADOC now we're looking at conclusively wouldn't have an expiation right we're gonna process it was launched that rural location then it's almost said hey Addison paradise but hey there's a copy of minor London every currently executing so we surely do need to worry about it we know that malware

and so you get Parvati buys out of memory which is another fascinating thing to do I mean you probably have the memory image without concluding my reading the way in class notes when the machine was running so that's what we've done here and everybody said I found an observatory Google directory which is supposed to be there so this becomes quite lovable right my report right now my recommendations with us all the animals represent that time on here that's nice CSV then you go you see in light blue is the one we're just looking at them to the microscope the Google directory is created if you go too much time that passes between these really strange

backgrounds to loyalty card dot JPEG will be carved up yet see what is that we're starting to see a relationship is problem just what you do to is beginning context so I'm gonna have this prior to that straight rule of her to be created what did it uses you're answering question so another we correlated is data bringing a little bit of the new of execution that we're starting to see more and more in forensics is shoot actually these were entries their eyes the system registry hive with the

right there in the middle of the so this is the shim cache mem put and the topmost entry is the most recent program that executed as you start moving down on the list here it becomes an older entry so I think it is what entry number six so you can see my arrow here that's the rogue svchost that I can't get a modified time of this binary is captured here and then of the 2010 last modified time down here a little bit further is a loyalty card exe so you have a little bit so to the story

and this one is the dark dark story and all started with it still watches here is that priests name [ __ ] them do that watch your asses businesses this song supporting supporting roles played by foreign cars but watch these certain index obviously others on the left

but but somebody definitely not as well we have our eternal IP address and if that 148 if you can see it the second red box 148 seems to have

the Blue Room you see there we have one very easy to turn - bottle flutters so here we go las casas down there yeah the luminosity of memory is not going to try staring this is a real memory image of our fighter so we got maybe you want to know how long this machine started flying so

we have entry number 19 and 20 anyone is anyone identifying this nowhere yet we're gonna end this SEC you can see the that's just right Augustine and then we have this task SP 1885 sharp locks okay next one next one next one what do you do next how about going deep this seven machine

it's women through the stuff you full and to be different great about where that would catch one at the bottom that's not supposed to be running their service so let's take this station step-by-step style grace of extracting recent efforts yeah you'll be fine on this machine so thirty right

Who am I these are taxes included but they each life into our business left behind by mystery actual this is the reality collection school leaving all the school stuff but you might know this closely mimics that which is perfect using the box - so you crazy so these are backs to posting when it turns out this is taking over the critical all this stuff so I have to go in and do some timeline analysis based on our blessing as long as you know who the true it is how about we go to the entity analysis down to the last completed out but still we got here I sent this to a body class eyeball and

the parser isn't over it means beauty and speed then I'm sharing with you yeah so we got more time four-time MVP in that second home that means the tile was right then that

you see blurred and then modified so you're thinking they have something to do with each other you'd be absolutely right we take another look this is what time liner another bullet

No
Bolivian stationed here a native species zero-waste 101 topic solid but now that's pretty cool we lose all our potential patient zeros now we find that so one more machine to share with you but ok box number three this one this one's a little personal

but I see them here you know

so we're not worthy hey baby welcome to turn out the new religion those religions from the ps3 technique this shirt on verbosity it was shared earlier why not same thing here very routine for one classmate remember with all my reason just me or if every single student who throws the end point

they're terminated okay

okay our sewer where we travel inside insanity artists and you see just with his massive prahka lasa the scribbles were covered in creation time so we put this all right 24 files there was driving for you have the time to that first engine they show you three top trunk is reach out for my spreadsheets you know this person and true is the more time the prefect so what is that quarter there's one time which is creative or leagues with first at last 10 seconds this is probably my powerpoint you know I am I am running a Mac Soho it's sort of like how were that's what it is power and it's been a plague of mine does this

count as a demo fail can I say it can I say it's been two years in a row now damn now I owe you a demo I don't even see where to plug this guy in nice all right no who's in Oz as my machine comes back up ooh that was super fast I mean it has a bunch of signatures that are looking for some very specific data to include IP addresses in the same things done so I would include that I don't mean to only propose that you do structure analysis on your memory images no it's pissed it's like this is the last time you're gonna rob me a power

like note to self the next person that's coming up so you're not going to be the witness it's super fast start up I guess it is time for a new Mack

that's it mm-hmm

it's absolutely angry now not responding

this gives me a chance you can see it's coming up cool yeah I think I'm gonna have to hold the line for when straightening the one

total but that was in fact as well see nature then again and forever clocks but because infected way early like that was released and spotted out there in the wild on the 8th of October and I think our infection was the seventh this explains why

yeah so

by machines intended to protect the environment from I agree that up but he was trying to see us with a lot of them these knocks man usual that can meet any prints to start different different routines yeah yeah so even we're looking for a foundation that points to detection watching for the beginnings of these routines and