Magnet Forensics’ Matt Suiche on the Rise of e-Crime and Info Stealers

Desi: So, welcome, friends and foes, to the Forensic Focus Podcast. I’m Desi and as always, I’m joined by the lovely Si. And this week’s podcast is sponsored by Magnet Forensics, and we have Matt, who is a director for Memory IR and R&D. Thanks for jumping on with us, Matt, and glad you could make it with us.

Matt: Well, thanks for the invitation, guys.

Si: No, it’s a pleasure. So, I mean, we’ve not met before and although I am familiar with Magnet as a provider, and I sort of spoke with some of your guys at a trade show, it is terribly long ago now, this year has flown by, but recently enough for good memory. Tell us a bit about yourself. Tell us a bit about Magnet. How did you get into being with Magnet and what’s your background?

Matt: Sure. So, well, I guess 15 years ago I started a memory acquisition tool called DumpIt, it used to be called Win32dd. And I kept working on it and did a bunch of work regarding memory forensics, memory analysis. And most recently, so a few years ago, I started a startup called Comae Technologies, where we focused on using memory for incident response. So it was a continuation of all the work that I did in the past on memory acquisition and memory analysis to turn it into something that can be easily used by analysts and practitioners. And that company was acquired by Magnet at the beginning of 2022, so at the beginning of this year. And that’s where I got the opportunity to be part of the Magnet family.

Si: Fantastic. And your background really before that, were you an incident response guy or academia?

Matt: Yeah, mostly security research. So a lot of the things I would do would be related to doing Windows kernel research. For instance, documenting the Windows hibernation file was one of my early works because I had to reverse the Windows kernel, rewrite the compression algorithm so we could decompress the Windows hibernation file.

And then after that, yeah, mostly kernel stuff until I decided to branch out and to do an application virtualization startup with a friend of mine which was called CloudVolumes that got acquired by VMware around 2014. And after that I decided to come back into security because I’m still part of the review board of a bunch of security conferences like Black Hat, BlueHat, Shakacon. So I’ve always been involved in the security community even when I was not professionally active inside the security community.

Desi: Yeah, that’s really cool. There are so many, like, I know a lot of our listeners will have used at least one of those, if not more than one. So it’s really cool to meet one person who’s had so much influence on so many influential tools within the industry that are kind of used day to day, especially in the old sense of incident response and forensics and using, especially DumpIt and that, which is still used today in some places, which is cool.

Matt: That’s what we’re all trying to do, right?

Desi: Yeah.

Matt: Tools to make the life of people easier and if it’s something that can be repeated as a process or if we can expand the field of research for people to either save time or be able to, you know, catch bad guys more efficiently, it’s always a good thing. And every time we spend time on something, usually we like it to have an impact, right? So for instance, the podcast you guys are doing, you know, I’m sure you enjoy doing it because you get different perspectives and that’s something fun, you know, helps to expand the horizon of the audience to get new ideas, et cetera. Mm-hmm. Like, to keep communication going. In my case it’s through building tools, you know, so…

Si: Yeah. I can’t write code, so it has to be a podcast, so.

Desi: You just need to take a bootcamp coding course there, Si.

Si: As discussed I have my assembly language book turning up soon, so, you know, it’ll be fine.

Desi: Yep. There you go.

Matt: You can always learn Rust, you know, if you’re looking for a language to use in the long term. Rust, all those memory-safe languages, you know, they’re becoming extremely popular. There are a lot of best practice reports coming out. There is more coming out for next year on why it’s a good alternative to C and C++ if you start from scratch.

Desi: Some of the bigger ransomware groups were changing their code base into Rust from what I was seeing towards the end of my incident response, which I thought was more to do with, for them, efficiency of encryption and all that, but I’m not super sure.

Matt: I mean, I think it’s also because ransomware groups now, the developers are becoming pretty good. So based on the technology people use, you can tell how advanced they are in terms of understanding technology. You will not hear a ransomware group, I mean, you could, it happened a few times, where they would use Python or Delphi to write stuff, but as soon as you start to see, you know, they’re using Rust, et cetera, you can tell they have a really good understanding of a lot of low-level system stuff, you know?

So, you know, you’d have to write a driver, all those things, because a lot of malware and ransomware usually, in terms of techniques, if we look at all the TTPs from the MITRE ATT&CK framework, they would use a very similar modus operandi. But now you can see the evolution, because usually it’s not one group doing everything. They split tasks and they learn how to collaborate. And I think that’s why we see them using Go and Rust and all this cutting edge technology.

Desi: So that’s probably a good point there. We are talking about criminals. I know one of the topics we wanted to talk about today was e-crime and info stealers. So, where do you kind of see as the modern starting point of e-crime and info stealers that everyone kind of has been facing today and facing over the past couple of years?

Matt: Yeah. Well, e-crime is a big problem now, obviously, as we all know, you know, ranging from business email compromise to ransomware. But this year we started to see a shift in terms of modus operandi. The big shift we are starting to see, and it was mentioned by Vitali Kremez a few months ago, he has been tracking a lot of different groups, he’s very active in the threat intelligence community, is that a lot of the major ransomware gangs are kind of changing their business model to move towards, you know, hacking, stealing, you know, extortion, leaking documents instead of just blindly encrypting files.

Whereas before they would just say, encrypt your files, ask for a ransom and try to get money out of it. But in that case, you know, it’s public, it gets on the news. Whereas now with the info stealer modus operandi that we start to see more and more, it does not have to be public, which usually is also an incentive for companies unless regulations are pushing them to disclose every time they’ve been compromised, but also a new way of monetizing cyber crime.

Desi: Yeah.

Matt: So that itself, you know, and we would see them collaborating more and more. I mean, this we started to see and we learned more about the modus operandi of those ransomware groups like the Conti group, because a lot of their chat logs have been leaked. But that shift to what we call info stealers, where either they would get in your network or they would buy access to your network from an initial access broker, which is something very common in the underground, and then you would see, well, a financially-motivated attacker coming inside your network and trying to steal as much information as they can after doing a bunch of lateral movements.

And then they would just, you know, try to blackmail you and get money out. And now, because of the usage of initial access brokers, IABs, sometimes you’d have multiple actors in your network. So from an incident response standpoint, it’s also becoming a bit more complex to identify within your network if you are in a scenario like this.

Desi: Yeah. Yeah. While I was researching for this chat with you today, I was looking up info stealers and kind of seeing where they’ve come from. So, you see attackers used to, as one of the previous talks said, hit banks quite a lot, and then they went to corporate because the security level was lower, by virtue it was easier, and attackers will always go for the lowest common denominator, what’s easiest for them, least path of resistance.

Do you think with, and some of the articles were suggesting that because everyone’s put money into crypto and NFTs and you’ve got this kind of decentralized economy that attackers might reshape their attack path to more of a consumer level again? So they’re attacking individuals rather than kind of a corporate sense as kind of corporate’s catching up with security?

Matt: Well, for attackers to target users, you know, usually they’re smaller pockets, you know, they have a smaller “budget”. It’s not really a good target customer. If they’re running a criminal organization, you may as well just go after large organizations and focus on it. And with that shift, because we saw it, once you have been infected by a ransomware, it’s pretty obvious because your screen is going to turn red, all your files are encrypted, everyone is panicking, what’s going on, it’s already too late, you know, you have been breached. Whereas if you use a different approach of staying in the network, it could be a few weeks. In some cases it’s a few months.

We can see in business email compromise, you can observe and learn a lot from an internal organization. Sometimes the attackers would know more than internal employees because they would have access to the emails. They would just monitor all the emails. They would wait for you to go on vacation either to replace the invoice. In that case, they would expect a wire transfer on an actual bank account that they control.

If it’s a ransom, you know, they may ask for a transfer for cryptocurrency. Even in the case of the Shadow Brokers when it happened a few years back, when they had files that belonged to a major intelligence agency with exploits, et cetera, while they were posting a blog post saying to people, “Okay, you can wire this money there”, they were trying to do a bidding type of auction online for people to send money there. So that was already used. In terms of Web3 securities, so you were saying NFTs, cryptos, et cetera, well, that’s something we have seen a lot over the past few years where if we are thinking of, because there are different aspects, right?

If you’re an attacker to receive money, to leverage the cryptocurrency which was always there, and it’s kind of like what ransomware we’re using, but because of the security posture of people within companies, most companies will know that they need backup, they’re also moving more to the cloud. So a lot of the information they would have to encrypt would not be as efficient. You know, I’m sure it’s like your case too, even if you are losing your laptop, you know, you are like, okay, I still have my files because usually they’re saved somewhere or it’s in a repository. It’s not that dramatic. It’s more about not having a third party accessing it.

Whereas, so that usage of cryptocurrency for transfer, you know, I think it’s debatable, it’s used, but one of the things we see a lot is for instance, and we have seen it for the past five years since 2017, is crypto exchanges being targeted because usually they do manage a lot of money.

They’re like smaller banks. It would manage billions. We can see with FTX now, there’s some court document coming out saying that all the private keys were not even encrypted. You know, there are all those things. So if you’re an attacker, that’s the dream target, it’s just like you access, you take the money out. You will also see some bridges, the Ronin bridge, which was related to a video game being hacked. And then you would see hundreds of millions of dollars being moved, because they are kind of smaller central banks with really bad security or the code would be available. So there are all those new vectors around Web 3.0 that are also present.

There’s still something I think traditional security is catching up on because it’s such a different scene, the crypto, Web 3.0 scene. And I think a lot of security people didn’t really dig much into it because you would have to learn about smart contract security, and all the different languages, some smart contracts, you would have to learn a new language like Solidity or you would have to write them in Rust. Whereas traditional security, when it comes to detection, well, it’s more oriented around rules and things that can implement detection rules.

So you need to have a product in place. But for crypto companies, yeah, it’s definitely a big problem. And I think the fact that it’s really hard now for defenders or corporations to detect the threat internally, they could stay in your system for months. That’s why you need to do active threat hunting and all those things, rather than just waiting for, okay, we have been infected by ransomware because the screen is red. Okay, let’s try to see what happened. Because by that time, you know, the attacker would’ve done everything they wanted. I think what we see now is really the interfaces around detection and detection engineering and how it’s changing and how it needs to change to be more advanced.

As you said at the beginning, now we see some of the attackers writing their ransomware in Rust. There is ransomware called BlackByte. They also had a kernel driver with it where they were actually removing a lot of the callbacks that could be used by EDR solutions, because then they would be undetectable. So they have all those proactive bypasses of security products being in place. And you can see, and it makes sense because it’s more profitable as a business; companies are struggling with, you know, detection.

They have a different focus on, okay, let’s do security awareness around phishing emails, let’s use two-factor authentication, all those things. But when it comes to detection, when someone is in, if they come in with an exploit, we have seen it many times with IAS, and now we see more and more zero days being found in the wild which are instrumented by attackers, whereas before zero days would be not as common as now. But now we’re at peak security, we also have great security products that are supposed to find breaches, et cetera, while the reality is you’re going to get breached anyway, but what’s your plan of action? Or do you search for stuff actively?

Desi: Yeah. And I think you’re right on that. It’s interesting in that we are seeing the development now and that mindset of, you are going to get breached, what are you going to do? What’s going to be interesting I think is how the attackers respond, because I know at least within Australia, and other countries it might be different, but the regulatory compliance on not paying ransom is so high here and the fines are so high, compared to if you get found out that you did pay ransom, it is quite severe.

So if corporations get attacked but the money dries up because they’re not getting any ransom, there’s no business model to keep attacking, right? They either need to put the thumb down on more pressure and attack more critical systems, which is terrible, or they need a different model, and where are they going to shift to make their money? So, I guess that’ll be interesting seeing this new year where that’s going to go, at least for me in Australia, because I think the pressure is on that they’re not getting paid in ransom. So they’re doing work for nothing, really.

Matt: Yeah, no, definitely. And I guess we’ll see if they’re moving more towards economic intelligence and all those things where, you know, you keep it secret.

Desi: Yeah.

Si: So with the move away from, you know, specifically sort of drops and ransomware that is doing encryption and that kind of thing, is the memory forensics side of things becoming more important to try and detect active threats within a network because there’s less evidence in other areas? Is this driving the desire to do memory forensics? I mean, I come from a dead forensics background.

I mean, I do criminal cases whereby the police have kicked in the door and seized the computer and there’s no memory. Or once in a blue moon is there memory. So from my side, this is exciting and interesting and fascinating, but I have no real appreciation of how it actually provides use. So, in your experience, is this, you know, memory is your expertise area, is this something that we are going to have to look at more going forward because of the nature of the changing attacks?

Matt: Yeah, very good question. The short answer is definitely yes. And you would tend to see people are not really using the term memory forensics anymore. What you will see a lot is people talking about memory analysis as a large category to include fileless threats, and more recently what we see a lot called living off the land type of threats. So that’s something we see more and more.

Because yeah, I mean the same concept of, okay, if you’re not touching the disk, well, there are a lot of operations, you know, that you are not logging. If you’re just using process injection from one process to another, if you’re using an exploit, you don’t even need to touch the disk, really. You know, just inject your payload in memory. And we see that also for mobile, a lot of zero-click threats.

A lot of them are fileless, you know, getting a missed call, you know, boom. It makes it harder and harder to detect threats, and on actual servers, either Mac, Linux or Windows, being able to analyze the system beyond what you collect in terms of telemetry from your XDR solutions is becoming more and more relevant because as attackers are becoming more and more evolved they understand how to bypass a lot of the traditional security telemetry that a lot of companies would collect.

Most of the time telemetry is great, but you also need to think of the blind spots you could have from telemetry. For instance, we were saying before, if you have something like a ransomware like BlackByte, which is going to load the kernel driver, look at the callback functions registered within the kernel, remove them, making it completely blind for any telemetry solution you have, you will not know what’s happening after.

That’s why doing active threat hunting and those things is being relevant. And that’s obviously, like you said, you know, something we’re working on, trying to make it more accessible for people without having to be, you know, a kernel expert. But as we see more and more all this being found in the wild, and as those groups are more and more advanced and will kind of stay in your network for a long time, being able to actively hunt for stuff beyond basic queries, where you would have your traditional tools, whatever XDR solution you have where you can run your quick queries, all those things, there are more and more scenarios where you need to go beyond asking those basic questions. Where, okay, this is an image of a machine where we are pretty much sure it has been infected because it’s a critical asset, and if it has not been infected, well, at least we need to have confirmation that there is nothing suspicious in it. And usually that would be more than just checking if a file is present and all those things. So yeah, understanding memory and the internals of operating systems now is becoming more and more important.

Si: You talk a lot about making it as easy as possible. One of the sort of ongoing questions that we have when we’re talking to vendors is where do we draw the line in providing push-button forensics? You know, somebody needs to be able to understand what they’re getting out of a tool in order to be able to really action it. How do you feel about that, and in terms of the training that Magnet provides, you know, when you’re teaching people to use this tool, are you going into depth about what the actual meaning of these things is?

Matt: Yeah, we do. So there are frameworks, you know, the MITRE ATT&CK framework, that kind of provide a midway vocabulary for an entry-level analyst, where you have an existing framework, where you have an existing definition, and if you are a detection product, at least you can leverage this to have a common vocabulary for people to understand. I think on the scale of things, you know, I think it’s very helpful in that sense where, as you just said, you know, you need to provide results that people can understand.

Whereas if you would just be talking to attackers, those groups of attackers that are collaborating with each other, for them it’s very specific. It’s like, while we bypass ABC, this is what we do and this is all we’re getting, this is what we’re going to use. The mindset is very different. You know, they will not think as a checklist, you know, there’s this quote from John Lambert saying, “Defenders are thinking in checklists and attackers are thinking in graphs.” Because it’s a really good and difficult question to answer, in the sense that if you are a defender today, you are either going to be driven by regulation or saying, okay, we need to get that checklist compliant. Sometimes you may even waste some time on stuff that is not necessarily very significant or protecting you against what you should be focusing on. But it’s still good to have this because it allows you to get more budget and then to put the right people in place.

Whereas if you’re an attacker, you don’t need to do any security awareness or education. You’re going to focus on your KPI, on your objectives, you know, and that’s it. Whereas if you’re a defender, like you said, you know, you need to be able to kind of educate people on, okay, why do you need to do this? This is the reason why you need to do it, and this is how you can do it. Whereas if you’re an attacker you just don’t care, just I’m going in, you know, give me the hammer, you know?

Si: Is there value then in teaching people to attack? Should we be educating people from both sides of this? Would you recommend that any incident response person also does their training in, let’s call it ethical hacking, but maybe not, because that involves still following a checklist.

Matt: Like red teaming?

Si: Red teaming. Yeah.

Matt: So, there is a benefit in learning how an attack works, but I think the reality of it, and personally, if people are saying, oh, I need to learn more about offense, usually they would do things that are really basic, not necessarily representative of how a real attack works, I guess, you know, that would be one of the downsides. I’m always advocating for people to learn about proper software engineering, because that gives you way more than, you know, learning how to use Kernel and all those things. But in terms of learning offense, and I’m talking from experience, there’s a blog post that should come out this week where I was looking at one of the zero-day or a zero-click attack that was released last year, just trying to reproduce the exploit. The complexity of writing an exploit now in 2022, 2023 is way beyond what it was 10 years ago.

So if you are a defender switching from defense to offense, I mean, there are massive benefits, but the gap of expertise is becoming so wide now that even if you would want to, it’s really hard and you still need to be able to ask the right questions to the right people to progress. You can go to trainings and stuff, that’s definitely helpful, but if you want to stay up to date on the current state of the art or attacks, remote code execution and all those things, or all things being, you know, it is going to be very difficult to have a very precise understanding of it. Obviously you don’t need to know all the details. Most of the time you need just kind of the ABC or, you know, the MITRE ATT&CK framework, it’s very helpful because that’s what it’s been used for.

But from an application security standpoint, as we start to see exploits being used more and more in the wild it’s becoming very hard because even we saw it with when people are like, well, just update your system, that’s it, you know, there’s a patch available, you know, you just need to patch it. But now, as we see more and more zero days, there is no patch available or, even patching a system in production is very complicated because, well, a significant amount of time you may have your system down or you need to test patching, et cetera, et cetera. Even updating a personal machine or a phone is complicated because it feels like we have updates all the time. You know, we just spend our time updating our system, you know?

So it’s a difficult question to answer. There is value in it. It’s just extremely hard to know everything now. Even people writing exploits now, the way they work, you will not have one person writing an exploit. You would have people who will specialize in finding bugs and they’re going to have different specialties, you know, deadlisting, fuzzing, et cetera, then when it comes to exploitation, some people are going to be specialized in browser exploitation. Some people are going to be specialized in router exploitation, some people are going to be specialized in only iOS exploitation, some people on Android, and so it’s becoming so complex, and that’s why we start to see the prices of exploits on all those gray marketplaces that we know of, you know, in the public eye, raising their prices so much for a lot of the exploits. It is because it’s so hard now to write exploits and even understand how they work.

And by the time we get time, also, if you’re a defender, you spend so much time reading through events, doing triage, hours of alerts, you know, chasing your own tail, that, you know, after that you still need to find the mental bandwidth to, like, okay, I want to do some research and learn about ABC. Which is a huge problem because you have a certain amount of time that you can allocate to learning from your day job. And I think that’s one of the biggest problems of security, because if you have more time to do research, you understand what you need better also and where you could collaborate, and I guess that’s one of the good things with open source, because you get people from different places and they can collaborate in a very unorthodox way.

But it’s difficult to find the time and focus, and it’s understandable, especially now you get so many false positives, alert fatigue and all those things, that, yeah, if you want to find free time on the side, I have friends of mine, they literally want to quit their job just to spend a full year just doing research, not being paid, just to learn about stuff. They’re like, I’m spending so much time doing bureaucracy or anything with my work that I don’t have the time I want to do research, you know, because they genuinely enjoy research, you know? And we’re reaching that stage.

Si: I found a strange issue is that with, I mean, I used to do at least some commuting but now I’m working from home so much, I don’t even get 30 minutes or a couple of hours a week on the train to sit and listen to something or read something or do it. It’s funny how the world has changed in that regard. I’m also suffering from the fact I’m getting old, which means that every time I learn something new, I forget something that I should be remembering, which is not terribly helpful.

Matt: It is also a problem because staying up to date now, it’s hard. And I imagine it’s with you having an existing base of knowledge. So if you are a newcomer now, you may learn faster. Most of the people I see now learning reverse engineering, the new generation of people, would either come from the CTF scene or because they used to write cheats for video games.

That’s also a pretty big scene that was not that big before, because of all the protection bypasses and all those techniques they’re learning, because now if you want to hack one of those online games, it’s pretty hard, you know? It’s more advanced than a lot of the XDR solutions you would know about. But around this, there is what we call being part of a community with private knowledge, where you can ask the right question and get the right answer or have existing knowledge resources that you can leverage to learn.

Desi: I had another question just on, I guess, the memory, when we’re talking about using it in incident response, and from my experience and probably a lot of people who have done this kind of thing, and especially in forensics, is how do you do it at scale? Because especially when you’re looking for a fileless threat and you’re doing threat hunting, memory scanning generally, even using lightweight tools, is very expensive and very, very time intensive. So I guess it’d be really good to hear your thoughts on how you approach a threat hunt where you don’t necessarily have an initial indicator or you don’t know where it is in the network, but how do you approach that and how do you go find that in memory?

Matt: Well, you would always have some information telling you where to go, because if you have a suspicion on…

Desi: Yeah, so let’s say it’s a suspicion you’ve got.

Matt: At least you’d have a suspicion on what has been compromised or what you don’t want to be compromised. So for instance, your critical assets, you know? So I guess that’s where you do the different tier one, tier two, tier three of incident response analysis. If you have phishings you’re going to start to narrow down your scope on what you think is relevant. And even if you are, like I was saying before with those rootkits that we see more and more that are kind of clearing all the callback functions, you would see an event happening before, so you would see, okay, they entered here, you know, and then they disappeared, but you would have a starting point.

And obviously that’s not something you would find immediately. Or you need a bunch of people working on it, et cetera, probably for a few weeks to understand exactly what happens. But you always have some sort of suspicion. And when it comes to memory, that’s something you’d use for instance for critical assets. So once you have identified assets that have been compromised or may have been compromised, and you don’t have to do the same thing as the disk, you would not do full disk acquisition all the time. You may just do a process memory image, or for critical assets you would want to do a full disk or full memory acquisition because maybe that’s something you are going to need, you know, a year or two years from now for a legal case.

In the case of even the same thing with memory. If you can schedule memory snapshots over time, you know, let’s say for critical assets, let’s say if you are a bank, you have a SWIFT server where you have, you know, really critical information coming in and out. We have seen some SWIFT service bureaus being compromised in the past; the last time we heard of something like this happening publicly was many years ago. It does not mean that threat vector disappeared, or something with ATMs, you know?

While you may want to schedule, you know, memory snapshots and use that as a raw form of log for your critical assets, because obviously it’s large, very big, at least you would always have the opportunity in the future, let’s say one or two years from now, depending on how long you keep those logs, you know, to come back and do some retro hunting. Because you’ll have, oh, during this 24 month period, this vendor released some new IOCs about this threat. We think we may have been a target. So let’s run those IOCs on that memory image we have from one or two years ago. At least you would be able to answer the question of, okay, have we been compromised between that period and we didn’t know about it?

Desi: So it sounds like at a basic level it’s, have the visibility in your network with the correct telemetry to kind of do the threat hunting that you need to do either historically or at the time. And I guess a lot of our listeners know, it is a difficult thing to threat hunt when you, and you can’t when you don’t have visibility, cause you can’t find what you can’t see.

Si: Much the same as trying to find things in the real world when you can’t see it. Funny that.

Desi: Yeah. Put a blindfold on and find something.

Matt: And yeah, all the sort of telemetry, your network telemetry, endpoint telemetry, I guess now memory telemetry, if we can call it this.

Si: Yeah, that’s a good term for it. I mean, you know, it’s interesting that we come back effectively to deviation from baseline, which has been the sort of traditional methodology of detecting unusual behavior. Just we are doing it with a larger data set across different things that allows us to do that. I think that’s quite cool. I heard a rumor that you have some experience with regards to Chat GPT. Does that have an acronym that gets pronounced in any different way? I’ve only ever read it. I’ve never actually spoken to anyone about it yet. Is it just Chat GPT?

Matt: Yeah, it’s just Chat GPT. So it’s by OpenAI which is a massive company. The last investment was a billion dollars for Microsoft.

Si: Wow. I’m in the wrong business.

Matt: It was in the work, well, I mean, we’ve seen, I guess I cannot remember a $1 billion investment in cyber security. But yeah, I mean, everyone has been talking about it. So you say you didn’t play with it.

Si: I haven’t played with it yet. I mean, I can say, I’ve seen various things going past on Twitter between the one that interested me the most was actually somebody persuading it to tell them how to hotwire a car. But I’ve sort of seen an article being put forward that suggests that there may be a use for this in the creation of malware and that’s a real, is that a real problem? I’m going to say I have enough trouble writing code myself, so understanding that an AI can do it better than me, whilst totally plausible, does, you know, have some sort of doubts in my mind. What’s your opinion on this?

Matt: That’s a good question, actually. When I was at Black Hat last week in the round table we had, that’s something that came up a lot. So, remember at the beginning of our discussion when I was saying, well, if you want to learn now, one of the big problems is to know how to ask the right questions to the right people. And that’s how you can progress way faster when you’re learning. I think the best way to look at Chat GPT and all those LLMs, large language models, is that first I think people like us are going to be better at articulating questions when we need something, when we try to understand something, which is, I’m sure, we all had a fair amount of restrictions when talking with people saying, well, it’s not working.

And then you have to send back a questionnaire of, I mean, the reason for a questionnaire and checklist is because people don’t always know how to articulate a problem. And because we need to give them a journey into explaining and narrating their problems. So now as humans we are going to be able to formulate those questions better and better, and we’re going to have very detailed answers. So if you think of a SQL type of database where you write your SQL query and you query the database, there’s a specific format for questions and you get data back, you kind of know what you have to ask. Think of that as the next generation of SQL queries where instead of being a SQL query, it’s going to be leveraging the human language, could be in English, could be in French, any other language.

And the database itself, in the case of Chat GPT, they use the internet to train that model. So any encyclopedia you can think of, you know, Google results like Stack Overflow, GitHub, everything you can think of. So in most of the cases it’s extremely accurate. It understands human language beyond the level, you know, that’s I used it a few times just to fix grammar on some text. Then I have a friend of mine who used it for more complex questions like write me some PowerShell script to download the malware and to connect to that domain name, et cetera. So my friend tried that query and it wrote a script in PowerShell immediately and, you know, it went viral on Twitter.

Whatever question you would ask with the right set of requirements is going to come back with information. So for programming, there are definitely obvious benefits because a lot of it is very redundant, where you can use it to work it just picked me that code or converted even in some cases that piece of code in Rust or whatever. So when it comes to writing malware or exploits, especially exploits, there are so many unknown variables that you need to figure out as you exploit that it’s impossible at the moment because there are so many unknown variables.

But for a lot of redundant operation, if you think about it to what we were saying before, if you are a defender, you get so many alerts to filter so many things to process, or a lot of, you know, middle man operation whenever you want to get a task being executed and there’s this full chain of command to be passed, you know, just for  even emails between human operators, there’s definitely a lot of value there.

What I see, I would not be really worried of how it can be used from a man issue standpoint, but more from an operational standpoint for enterprise, or we’re wasting time today, or can it help us, or even to learn, you know, as mentors, you know, if you want to learn programming now you have a small mentor where you can ask questions and you get extremely articulated answers. That’s amazing, you know?

So I think from a defensive standpoint there are definitely a lot of benefits in terms of, you know, for instance fake news, misinformation, et cetera, because it can write full on articles, you know, if you want it can write tweets for you. So maybe that’s where there would be a danger. It’s kind of, you could detect what Chat GPT texts like, but I think very soon you will not be able to detect it because it’s the third generation of GPT now, there’s already a fourth generation in the works that hasn’t been released yet.

All the promises we heard about AI over the past 10 years with EDRs, using AI to solve crime and detect breaches, that didn’t really work. But that was kind of enough for people to be, oh, well we’re using AI to solve cybersecurity and it was not really working. Well, we may see a next generation of real AI actually helping operators to answer the questions for instance, or filter events, whereas 10 years ago a lot of security vendors were basically over-promising what AI could do. I think now we’re entering in that new generation where AI is becoming more mainstream, people understand what are the limitations of machine learning and how we can help, you know, people. And in our case for security, if we can save time and mental bandwidth for those redundant operations and have more time to learn, you know, I think it would be a huge progress for us.

Si: Yeah. Cool. So, a tool that we might bring to bear on our large data problems as and when they occur. Yeah, no, fair enough. I find the term AI a complete pet hate having actually studied it at university and just wanting to replace it with machine learning every time somebody mentions it, cause it’s just people.

Matt: It’s like the new keywords. If you want to look into it, it’s NM and GN.

Si: Yeah. That’s it.

Desi: Yeah. And I think it’s true. I was reading an article – we’ll link this in the show notes for people to have a read. But in his article there was research into having the code try and write an exploit for a vulnerability. So it’s obviously querying the cesspit of the internet to find everything, and it found the vulnerability, wrote the code for it, but the code didn’t run straight away. But then the researcher was able to go and prompt Chat GPT to go to the next step. You need to change this bit of code for that to work.

So while it didn’t straight out write malware, which is I think probably some of the clickbait that we’re seeing with Chat GPT, but an experienced individual didn’t have to spend time writing an exploit. So it made their workload more efficient, which I think is what you were saying across organizations, good and bad, offense and defense, we can try and figure out how we can use that for efficiencies to free people up to do other things for the stuff that’s being done. It’s just you have to go search the internet for it and we’re kind of giving a program the information to do that for us. So that’s pretty exciting.

Matt: And it depends on the question of your question too, you know, that’s also two ways, you just said, you know, for code reviews because you kind of define the scope of what you want to do. It can work pretty well, you know, I’m sure we’re going to see more and more of that for code reviews. You know, there is GitHub Copilot, which is kind of using something similar for documenting source code, you know, all those things, there are a lot of benefits for sure, yeah.

Desi: Code programmers will never have to comment their own code ever again cause they’ll just push it into Chat GPT.

Matt: Pretty much.

Si: Terrifying thought, yeah.

Matt: You can use it to summarize documents, you know, we are talking because if you’re a security researcher, you still need to be involved with all the policy makers to make sure that whatever comes out as a regulation, because it’s going to happen anyway, still makes sense. And yeah, we’re just joking, well now at least all those documents, you know, which is a lot of gibberish, can be summarized in short paragraphs. Same thing with legal documents, you know, because of the language that’s used, you know, the information can be summarized.

Si: I think I’m going to get you to rewrite my CV, actually. I’ve been meaning to do it for a while. I can’t be bothered. So yeah. Maybe that’s the optimal use case.

Desi: We’ll get him to write the blurb for this show.

Si: Actually we should do that. Let’s do that. Go on. We’ll feed him some prompts and see what it comes out with. So, aside from messing around with GPT…

Matt: A song, you know.

Desi: It’ll be, “Please write a blurb about Matt for our podcast in the format of Dr. Seuss.”

Si: I’m looking forward to this.

Matt: I’m doing it now.

Desi: There we go. It’ll be on the show for sure.

Si: Definitely in the show notes.

Matt: In the format of who, Dr. Seus?

Desi: Yeah, Dr. Seuss.

Matt: How do you spell it?

Desi: S-E-U-S-S. There you go.

Si: You don’t have children yet. That’s what it is.

Desi: No, it’s been years since I’ve owned a Dr. Seuss book. I’ve seen some very interesting Chat GPT stuff, just in our words.

Si: Should be in rhyme.

Matt: Okay. That’s ready. “Once upon a time, not long ago in the Land of Forensics, there was a show called the Forensic Focus Podcast. You know, where they talk about all forensics. Oh ho, the host of this show…” Oh no, they say I was the host. “It was smart and funny. Never once did they chat about boring things, oh no, not that. His guests were experts.” Okay. We need to change the question to make sure he knows who are the hosts, you know?

Desi: We’ll, we’ll try some prompts and get something up, but yeah, that’s really good.

Matt: I mean, for rhymes and stuff, you know, it’s going to come out perfectly, you know?

Si: Yeah. Better than I would manage. So, apart from messing with GPT and Dr. Seuss, what do you do outside of forensics to stay fresh, to keep your mind going, to be, you know, not stuck in front of a computer 24/7?

Matt: It’s a good question. Well, I guess, you know, I don’t know if you ever noticed, but there is a bit of a trend in security people doing Brazilian jiu jitsu. So I guess I will try to do that.

Si: That’s pretty cool. I’ve noticed some interesting trends. I’ve seen baking come and go.

Matt: That’s  the COVID trend.

Si: That’s the COVID trend, but it seemed to have peaked slightly before for DFIR and there’s a little sort of background of that. The DFIR fit stuff, yeah, I’ve seen some martial artists. Yeah.

Matt: But yeah, just mostly conferences, to be honest. Even speaking of conferences, next year we have two conferences by Magnet. So we have our virtual summit happening at the end of February. And the physical summit, the Magnet user summit that’s happening in Nashville near the airport. So some interesting traveling and you know conferences, you know, it’s usually the easiest way to stay away from the computer. But yeah, I like talking about computer stuff, so…

Si: It’s just one of those things, isn’t it?

Desi: Good screen, bad screen all the time. Yeah.

Si: Yeah. Yeah. Cool. Excellent. Good stuff. Well, we really appreciate you giving up your time to chat with us today. It’s been really interesting. Really good fun. And as Matt was saying, if you want to hear more from him next year you can check out his presentation. He’s got “Know when to seek help for memory loss” which I must admit sounds like fun, both at the Magnet Virtual Summit and the User Summit in 2023. The virtual summit is going to be held, well, strangely, virtually from February 21st to March 2nd and will have more than 55 presentations from 60 industry experts. And the User Summit is in Nashville, which frankly sounds really cool. And I’d love to go and visit Elvis’ house and all sorts of cool things like that.

Desi: Yeah. Music City.

Si: But that runs from April 17th-19th and gives you the opportunity to go and connect with a load of other DFIR professionals. And we’ll see if we can send Alex or something and you can have a chat with him and do a live broadcast recording there, if we can arrange it. And you’ll get to learn more about the latest from Magnet Forensics and their solutions and other trends going on in the field. You can register online and we’ll put the links in the show notes so that you don’t have to try and copy them down as we go along, but magnetvirtualsummit.com or magnetusersummit.com. And we hope to see as many of you as possible attending and hopefully possibly one of us actually being there, as well. But we’ll see about that. But I will have to fight it out for who wants to go to Nashville, that’s the thing. So yeah.

Desi: Yeah. Anyway, it definitely does sound really good. But it does sound really good.

Si: And yeah, from what I’ve seen of Magnet tools in the past, they are very nice bits of software to have fun and play with. So again, just to say thank you very much again, Matt. It’s been a pleasure talking to you. Really interesting. We hope that we can have an opportunity to catch up again in the future and learn about what’s going on in memory forensics and with Magnet and Chat GPT for that matter. So, you take care. Desi, as always a pleasure. The lovely Desi.

Desi: You too, Si.

Si: It’s all good. All right, fantastic. Thank you very much to all our listeners.

Desi: Thanks, man.

Si: Cheers. Bye.

Matt: See you.
