Black Hat USA 2007 Briefings and Training
Caesars Palace, Las Vegas • July 28-29 (Weekend) & July 30-31 (Weekday)

Course Description
Almost every Incident Response now involves some Trojan, back door, virus component o rootkit. Incident Responders need to be able to perform rapid analysis on the malware encountered in an effort to determine the purpose of unknown code. Without understanding the function of the malware, remediation efforts usually fail to meet expectations. This course provides an introduction to the tools and methodologies used to perform dynamic and static analysis on portable executable programs found on Windows systems. Attendees will learn the following:

• The primary types of Malware–A Malware Bestiary
• How to create a safe malware analysis environment
• Malware Analysis Shortcuts
• The malware analysis and reporting process
• Legal issues involving malware analysis and reverse engineering
• The methodologies and differences between static and dynamic analysis
• How malware discovered on real systems was used as part of an elaborate intrusion
• Bits, Bytes, Binary, Decimal, Hexadecimal and converting values between the various numbering conventions
• Code, compilers and compilation
• The tools used to identify the most common obfuscation methods used by malware authors along with the tools used by analysts to recover the “hidden” data
• The fundamentals of Assembly Language programming & Windows registers
• How to perform dynamic analysis using virtual machines and a variety of utilities to capture the system, registry and network activity generated during malware analysis

Who Should Attend the Class
Information technology staff, information security staff, corporate investigators, or other staff that require an understanding of how malware works and the steps and processes behind the Malware Analysis process.

Prerequisites

• General knowledge of computer and operating system fundamentals is required
• Students should have some exposure to software development.
• Experience in assembly and C, while not required, would be beneficial.
• Suggested reading:
  • “Reversing: ” by Eldad Eilam
  • “Real Digital Forensics” by Keith Jones, Richard Beijtlich, and Curtis Rose

Kris Kendall
Kris Kendall is a Principal Engineer at Mandiant with over eight years of experience in computer forensics and incident response. Mr. Kendall is a key leader of Mandiant’s technical teams, providing expertise in computer intrusion investigations, computer forensics, secure software development, and research & development of advanced network security tools and techniques.

Prior to joining Mandiant, Mr. Kendall worked in the Computer Forensics and Intrusion Analysis group at Mantech International. During this time, he was the technical lead for a team that discovered several severe vulnerabilities in network infrastructure devices and critical operating system services. He also developed several innovative tools that advanced the state-of-the-art in the rapidly evolving field of reverse engineering and binary analysis.

As a Special Agent in the United States Air Force Office of Special Investigations, Kris was responsible for conducting forensic analysis and intrusion investigations in a geographically dispersed area including eleven states and more than thirty U.S. Air Force facilities. Always pushing the limits within the investigative arena, Mr. Kendall was the first Air Force agent to remotely image the hard drive on a hacked computer during an active intrusion incident—a strategy that enabled the collection of critical evidence without forewarning the intruder that his activity had been discovered.  While in the Air Force, Kris recognized shortcomings in existing tools used for forensic analysis. He created his own solutions, including foremost, a popular tool used in the recovery of files and file fragments from hard drive images, as well as several other programs that automated and expedited the forensic analysis process.

Mr. Kendall has extensive experience teaching and sharing his security knowledge with others. As an instructor at the United States Naval Academy, he helped to design the curriculum for the Bachelor of Science degree in Information Technology and taught courses in Software Engineering, Systems Analysis and Design, and Artificial Intelligence. Mr. Kendall’s extensive academic background, coupled with significant experience on the “front-lines” of the information security field, give him the rare ability to bring the real world into the classroom. Earlier in his Air Force career, Mr. Kendall developed and conducted training in the application of data mining and machine learning techniques used in criminal and counter-intelligence investigations. He also developed and taught an introductory training program in computer intrusions for senior leaders. 

Mr. Kendall earned both a Bachelor of Science and a Master of Engineering degree from the Massachusetts Institute of Technology. Mr. Kendall conducted his Master’s research at M.I.T.’s Lincoln Laboratory, where he designed, implemented, and automated more than thirty different computer attacks in support of a realistic test-bed for the evaluation of network and host-based Intrusion Detection Systems. His current research interests include automated binary analysis, recovery of data from memory images, and advanced techniques for software vulnerability discovery.

Jason A. Garman is a Principal Engineer within the Federal Services Division of MANDIANT.  Mr. Garman has over 8 years of experience in a variety of high-end technical fields, ranging from systems and network administration to reverse engineering complex applications and malicious code.  Mr. Garman has extensive experience not only performing high end technical analysis, but also briefing the results of these analyses to diverse audiences to include senior management at domestic and foreign government intelligence agencies.  In addition, he has authored a book, Kerberos: the Definitive Guide, published in 2003 by O’Reilly & Associates.  He has also helped design and teach training classes for digital crime investigators.

Mr. Garman came to MANDIANT from ManTech Corporation where he served as a Senior Computer Forensics Engineer within the Forensics Operation Division of the Computer Forensics & Intrusion Analysis Group.  He created a new program area, Reverse Engineering, to support ManTech’s government and commercial customers.  In this role, he worked closely with teams of forensics, data hiding, and protected data specialists to analyze some of the highest priority media arriving from the field.

His tasks included the reverse engineering of various software applications to determine whether malicious or otherwise covert functionality was present.  As part of these duties, Mr. Garman both red teamed locally developed applications as well as analyzing suspected suspicious foreign applications.  In addition to the analysis role, Mr. Garman also performed research and development into new, techniques for automating reverse engineering tasks.  He also assisted the other program area teams by quickly developing applications in reaction to immediate task requirements.

During his tenure at ManTech, Mr. Garman was involved in numerous counterintelligence and counterterrorism cases.  He performed cradle-to-grave analysis on cases, to include briefings to chiefs of government divisions both at home and abroad.  He has continually advanced the state-of-the-art in computer forensics and, in particular, reverse engineering for ManTech’s unique client base.

Before ManTech, Mr. Garman worked at several technology and consulting companies in the Maryland area, serving biotech and government clients.  He architected, implemented, and maintained complex heterogeneous networks for their clients.

Jason Garman holds a Bachelor of Science degree in Computer Science from the University of Maryland, College Park.  Mr. Garman also holds a current Top Secret security clearance.