Investigating Malware using Memory Forensics
Monnappa K A
Who am I
- Info Security Investigator - Cisco CSIRT
- Co-founder Cysinfo - Cyber Security Community
- Author of Limon Sandbox
- Malware Analysis, Reverse Engineering, Memory Forensics
- Conferences - Black Hat, FIRST, 4SICS
- Articles - eForensics, Hakin9, Hack Insight
Why Memory Forensics?
- Finding and extracting forensic artifacts
- Helps in malware analysis
- Determining process, network, registry activities
- Reconstructing original state of the system
- Assists with unpacking, rootkit detection and reverse engineering
- Sophisticated actors
- Critical data exists in memory
Steps in Memory Forensics
- Memory acquisition - Dumping the memory of a target machine
- Memory analysis - Analyzing the memory dump for forensic artifacts
Memory Acquisition and tools
- Process of acquiring volatile memory to non-volatile storage
- On physical machines (tools): KnTTools, F-Response, Mandiant Memoryze, HBGary FastDump, MoonSols Windows Memory Toolkit (DumpIt)
- On virtual machines: suspend the VM (.vmem)
Demo Scenario
Your security device alerts on HTTP communication from 192.168.1.100 to the domain livedieoslix.com, which resolves to 192.168.1.3. You suspect 192.168.1.100 to be infected and are asked to investigate the machine.
- To start with, acquire the memory image "infected.dmp" from 192.168.1.100 using memory acquisition tools
- Analyze the memory dump "infected.dmp"
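A first analysis pass for the scenario above, written as an added example that is not part of the original slides: it scans a memory image for the alerted domain and its resolved IP as both ASCII and UTF-16LE strings, so the network alert can be tied to artifacts (the HTTP request, socket strings) in memory. The sample image is constructed inline as a stand-in for infected.dmp; nothing here is a real capture.

```python
"""Triage a raw memory image for the network indicators behind an alert.

Added example, not code from the original slides. It assumes the alerted
domain (livedieoslix.com) and resolved IP (192.168.1.3) from the scenario
and scans a dump for them as ASCII and UTF-16LE strings, which is how a
first pass ties a network alert to artifacts (URLs, socket strings) in memory.
"""
import re
from typing import Dict, List

INDICATORS = ["livedieoslix.com", "192.168.1.3"]   # from the alert in the scenario
ENCODINGS = ("ascii", "utf-16le")                  # narrow and Windows wide strings


def _printable(data: bytes) -> str:
    """Render bytes like `strings` would: non-printables become dots."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def find_indicator_hits(image: bytes, indicators=INDICATORS, context: int = 32) -> List[dict]:
    """Return every hit of each indicator with offset, encoding and a snippet of
    surrounding bytes (e.g. the HTTP request the domain sits in).
    Caveat: a bare IP search also matches longer IPs sharing the prefix
    (192.168.1.3 hits 192.168.1.30), so review the snippet before concluding."""
    hits = []
    for ind in indicators:
        for enc in ENCODINGS:
            for m in re.finditer(re.escape(ind.encode(enc)), image):
                lo, hi = max(0, m.start() - context), m.end() + context
                hits.append({"indicator": ind, "encoding": enc,
                             "offset": m.start(), "context": _printable(image[lo:hi])})
    return sorted(hits, key=lambda h: h["offset"])


def summarize(hits: List[dict]) -> Dict[str, Dict[str, int]]:
    """Count hits per indicator and encoding; zero counts show what was NOT found."""
    counts = {ind: {enc: 0 for enc in ENCODINGS} for ind in INDICATORS}
    for h in hits:
        counts.setdefault(h["indicator"], {enc: 0 for enc in ENCODINGS})[h["encoding"]] += 1
    return counts


def build_sample_image() -> bytes:
    """Constructed stand-in for infected.dmp (not a real capture): non-text filler
    around an ASCII HTTP request, a socket string and a wide-char copy of the domain."""
    filler = bytes(range(256)) * 8                       # 2048 bytes, contains no indicator
    http_req = b"GET /update.php HTTP/1.1\r\nHost: livedieoslix.com\r\n\r\n"
    sock_str = b"\x00192.168.1.3:80\x00"
    wide = "livedieoslix.com".encode("utf-16le")
    return filler + http_req + filler + sock_str + wide + filler


if __name__ == "__main__":
    found = find_indicator_hits(build_sample_image())
    for h in found:
        print(f"0x{h['offset']:08x} {h['encoding']:<8} {h['indicator']:<18} {h['context']}")
    print(summarize(found))
```

On a real image, pass the bytes of infected.dmp (memory-mapped for multi-gigabyte dumps) in place of the constructed sample.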
Video Demo
Thank You !
Twitter: @monnappa22
Blog: http://malware-unplugged.blogspot.in
Gmail: monnappa22@gmail.com