 
This is still (very much) under construction. Although a lot of information of this section is already available, I still haven't finished yet. - So please be patient and come back a little later. THX

Memory

First steps in Windows memory forensics, following a recent detection of a client machine beaconing to a known malicious IP address.

These articles are based on the Volatility 2.4 tool (see "The Art of Memory Forensics").

Download it from the main page here.

A command description can be found here.

For playing around, I have two interesting memory dumps here:

Stuxnet and Spyeye memory dumps.

Recommended readings

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters
ISBN: 978-1-118-82509-9, 912 pages, October 2014

Windows Internals, Part 1 (6th Edition) (Developer Reference), Paperback, March 25, 2012
by Mark E. Russinovich, David A. Solomon, Alex Ionescu
ISBN-13: 978-0735648739, ISBN-10: 0735648735, Edition: 6th

Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Michael Ligh, Steven Adair, Blake Hartstein, Matthew Richard
ISBN: 978-0-470-61303-0, 744 pages, October 2010

   The Volatility cheat sheet 2.3
   SANS Memory Forensics Cheat Sheet v1.0
   Training slides provided by Basistech
   Virustotal search engine
   FortiGuard Threat Research Center

 

  A good sample analysis, discovering a Zeus Trojan, by Javier Nieto