Skip to main content

Posts

Showing posts from June, 2015

Malware Analysis Using Volatility - Part 2

THE ARCHITECTURE OF THE GUI WINDOWS SYSTEM FROM THE FORENSICS POINT OF  VIEW  In this module:     ➡ The use of the Volatility plugins for forensic analysis of the Windows system.     ➡ How extract evidence from a Windows GUI subsystem.     ➡ Try to identify hidden processes.     ➡ Analyzing kernel driver identification.     ➡ Exploring the plugins to collect evidence. To deal with the topics of Module 2 we will explore a classic example of Malware forensics. Let's find out the profile of the memory sample. And from that point we will use some Volatility commands and try to understand the flow the Malware infection causes on the victim machine. We started considering that we don’t have any information about the image that we received to analyze. So, let's use imageinfo (can also use the kdbgscan command) to describe the profile of the operating system associated with this image. Then we use the pslist com...
Read more

Malware Analysis Using Volatility - Part 1

Malware Analysis with Volatility Module 1 ➡ How do you capture the image memory of a machine through the use of different      tools ➡ Software Imager Lite 3.1.1 (FTK), Ram Capturer 1.0 (Belkasoft) and Dumpit 1.3.2      (Moonsols). ➡ How to configure your computer environment to use the Volatility. ➡ And the basic use of imageinfo, kdbgscan, pslist, pstree and psscan plugins in the      Volatility (version 2.5). Memory tools for Live Analysis First let's start with the RAM capture tools. In a modern school of live analysis a forensic analyst should have more than one tool at your disposal. Will show the use of memory tools for live analysis. The tools and the file format Imager Lite     ➡ The Imager Lite captures the RAM and saved in a memdump.mem file.     ➡ The Imager doesn't need to be installed on the machine. Dumpit     ➡ The Dumpit saved the output in a PAULO-PC 20160617-213817....
Read more