Unit 4 Memory Forensics

Memory forensics helps analyze advanced malware and memory-resident malware that does not write to disk. It involves capturing memory from an affected system, analyzing it to find artifacts like running processes, network connections, and drivers. Tools like Volatility and Rekall then analyze the memory dump to detect hidden malware activity and build indicators of compromise. The document provides examples of Volatility commands to analyze memory dumps and retrieve information from process lists, network connections, and the Windows registry hives.

Uploaded by: ninja
Copyright: All Rights Reserved

Memory Forensics

Tripti Misra
Memory Forensics
• Memory forensics helps in analyzing advanced malware since in memory, malware artifacts can be
analyzed more thoroughly, and more useful IoCs can be built.

• Memory forensics is a process that starts with finding an affected system, capturing its memory,
analyzing it and, if needed, dumping the malicious process for further analysis. With memory forensics
we can analyze many types of OS artifacts, such as running processes, live network connections, loaded
drivers and API hooks, as well as artifacts like the shim cache that reside only in memory and are flushed
to disk only when the system reboots.

• It is also useful for analyzing memory-resident malware, which never writes any information to disk
and can therefore go unnoticed. With memory forensics we can also analyze advanced kernel-level attacks
such as Direct Kernel Object Manipulation (DKOM), which malware uses to hide its activity.

• Various tools, such as Volatility, Redline and Rekall, help with memory forensics.
Basic Memory Forensics with Volatility
• https://blog.horangi.com/basic-memory-forensics-with-volatility-58a19627da13
• http://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/

• vol.py imageinfo -f <location of the memory dump>  (identifies the OS profile to use below)

• vol.py --profile=<memory OS profile> pslist -f <location of the memory dump>
• vol.py --profile=<memory OS profile> psscan -f <location of the memory dump>
• vol.py --profile=<memory OS profile> dlllist -f <location of the memory dump>
• vol.py --profile=<memory OS profile> connscan -f <location of the memory dump>
• vol.py --profile=<memory OS profile> hivelist -f <location of the memory dump>
• vol.py --profile=<memory OS profile> hivescan -f <location of the memory dump>
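The reason both pslist and psscan appear in the list above is that they see processes in different ways: pslist walks the kernel's linked list of EPROCESS structures, which a DKOM rootkit can unlink an entry from, while psscan carves EPROCESS objects out of physical memory by pool tag, so it also finds unlinked and already-exited processes. Comparing the two views is the basic hidden-process check. The script below is an added example, not part of the original slides or of the Volatility project; it parses the text output of the two plugins (the column layout is assumed from Volatility 2 and may differ between versions) and reports PIDs that psscan sees but pslist does not, separating exited processes (which have a "Time exited" value) from genuinely hidden ones. The two output samples are constructed; the offsets, PIDs and the name "hidden.exe" are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the Volatility 2 text layout (not a real dump).
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x820df020 smss.exe                368      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x821a2da0 csrss.exe               584    368      9      326      0      0 2010-10-29 17:08:54 UTC+0000
0x81e2a3c8 svchost.exe            1080    672     14      200      0      0 2010-10-29 17:08:55 UTC+0000
"""

# Constructed psscan output: notepad.exe has exited, hidden.exe is not in pslist.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002029ab8 System                4      0 0x00039000
0x00000000020df020 smss.exe            368      4 0x0a1c0020 2010-10-29 17:08:53 UTC+0000
0x00000000021a2da0 csrss.exe           584    368 0x0a1c0040 2010-10-29 17:08:54 UTC+0000
0x0000000001e2a3c8 svchost.exe        1080    672 0x0a1c0260 2010-10-29 17:08:55 UTC+0000
0x0000000001f0a020 notepad.exe        1560   1080 0x0a1c0300 2010-10-29 17:10:01 UTC+0000 2010-10-29 17:12:30 UTC+0000
0x0000000001d4c7f8 hidden.exe         2216    584 0x0a1c0380 2010-10-29 17:15:12 UTC+0000
"""

# Assumed row layouts: offset, name, PID, PPID come first in both plugins;
# psscan then has the PDB and optional created/exited timestamps.
_TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+\d{4}"
_PSLIST_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b")
_PSSCAN_ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)"
    r"(?:\s+(" + _TIMESTAMP + r"))?"   # Time created (absent for System)
    r"(?:\s+(" + _TIMESTAMP + r"))?"   # Time exited (present only if exited)
)


def parse_pslist(text: str) -> Dict[int, str]:
    """Map PID -> name for each row of pslist output (the linked-list view)."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = _PSLIST_ROW.match(line)
        if m:
            procs[int(m.group(3))] = m.group(2)
    return procs


def parse_psscan(text: str) -> Dict[int, Tuple[str, bool]]:
    """Map PID -> (name, has_exited) for each row of psscan output (the pool-scan view)."""
    procs: Dict[int, Tuple[str, bool]] = {}
    for line in text.splitlines():
        m = _PSSCAN_ROW.match(line)
        if m:
            # A process that has exited is not hidden; it was simply not yet freed.
            procs[int(m.group(3))] = (m.group(2), m.group(7) is not None)
    return procs


def compare_process_views(pslist_text: str, psscan_text: str):
    """Return (hidden, exited): PIDs psscan found that pslist did not list.

    'hidden' entries have no exit time and are DKOM / unlinking candidates
    worth dumping and inspecting further; 'exited' entries are stale objects.
    Note that PIDs can be reused, so confirm candidates by offset as well.
    """
    listed = parse_pslist(pslist_text)
    scanned = parse_psscan(psscan_text)
    hidden: List[Tuple[int, str]] = []
    exited: List[Tuple[int, str]] = []
    for pid, (name, has_exited) in sorted(scanned.items()):
        if pid in listed:
            continue
        (exited if has_exited else hidden).append((pid, name))
    return hidden, exited


if __name__ == "__main__":
    hidden, exited = compare_process_views(PSLIST_OUTPUT, PSSCAN_OUTPUT)
    for pid, name in hidden:
        print(f"HIDDEN  pid={pid} name={name} (in psscan, missing from pslist)")
    for pid, name in exited:
        print(f"EXITED  pid={pid} name={name} (stale EPROCESS, not hidden)")
```

In practice the two inputs come from running `vol.py --profile=<profile> -f <dump> pslist` and the same with `psscan`, saving each to a file and passing the text to `compare_process_views`. A hidden candidate is a lead, not a verdict: confirm it with psxview or by dumping the process (procdump) before building an indicator from it.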
