Investigating Malware using Memory Forensics

Monnappa K A

Info Security Investigator - Cisco CSIRTCo-founder Cysinfo - Cyber Security CommunityAuthor of Limon SandboxMalware Analysis, Reverse Engineering, Memory ForensicsConferences - Black Hat, FIRST, 4SICSArticles - eForensics, Hakin9, Hack Insight

Who am I

Finding and extracting forensic artifacts Helps in malware analysis Determining process, network, registry activities Reconstructing original state of the system Assists with unpacking, rootkit detection and reverse

engineering Sophisticated actors Critical data exists in memory

Why Memory Forensics?

Memory acquisition - Dumping the memory of a target machine

Memory analysis - Analyzing the memory dump for forensic artifacts

Steps in Memory Forensics

Process of Acquiring Volatile memory to non volatile storage

On Physical Machines(Tools): KnTTools F-Response Mandiant Memoryze HBGary FastDump MoonSols Windows Memory Toolkit(DumpIt)

On Virtual Machines: Suspend the VM (.vmem)

Memory Acquisition and tools

Your security device alerts on a http communication from 192.168.1.100 to a domain livedieoslix.com which resolves to 192.168.1.3, you suspect 192.168.1.100 to infected. You are asked to investigate the machine.- To start with, acquire the memory image “infected.dmp” from 192.168.1.100, using memory acquisition

tools- Analyze the memory dump “infected.dmp”

Demo-Scenario

Video Demo

Thank You !

@monnappa22

http://malware-unplugged.blogspot.in

monnappa22@gmail.com

Twitter:

Blog:

Gmail: