Hands down, the best practical Volatility case description I have seen so far. You, Sir, just got a follower now and I can't wait to watch more of your videos.
Thanks again! So awesome how everything is explained so well.
This presentation is so cool and on point with the information! Thanks for sharing!
Richard, many thanks for the amazing content you put out for free on RUclips. Using what I have learned from you, I have passed my Threat Hunting (eCTHPv2) examination!
Great to hear - congrats!
@13Cubed Looking forward to doing FOR500 in the near future!
@HamsterLover1337 Awesome. Check out Investigating Windows Endpoints as well! training.13cubed.com/investigating-windows-endpoints
Beautiful video giving very good knowledge about memory forensics. Try zooming in while using commands... which will be very useful for us while watching these...
This is a pretty old episode. I think you will find that the production quality has greatly increased in newer videos, and they are much easier to read/see.
@13Cubed True... Thank you so much for your reply.
Please expand on other modules from Volatility. Especially SSDT, as code injection and hooks go hand in hand. :)
Another good video. Once you have identified the malware, what steps would you take to remove it?
I see thanks for the response.
Since Windows 8.1 you can't extract the passwords from the memory image dump because there is no plain text inside lsass.exe (or lsass.dmp if you created a dump file from Task Manager or a PowerShell command), but you can get the hash and brute-force it from the terminal (you can use macOS as well instead of Linux).
Excellent video. Just need to make the screen a little bigger. Ty.
I haven't had time to watch your other videos, but this is really informative, thank you. Quick question: what is your background? Are you in the forensics industry?
I've been in the IT field for 23+ years, InfoSec for 10+ of that time. Forensics is often a significant part of my job, but not my only concentration or responsibility.
Very nice and informative, thanks for sharing the knowledge.
This video is amazing. Thank you.
Can you please make a video on Rekall and what its best use cases are? I found that some results are better than Volatility's, but Volatility is somehow easier to use.
@Ahmed Elshaer Thanks for the suggestion. I will add this to my list.
At 10:30 you say that it is running executable code without a program on disk. Whenever we see the flag "PAGE_EXECUTE_READWRITE", does that mean it isn't written on disk?
PAGE_EXECUTE_READWRITE means the process has execute, read, and write permissions. Typically, memory sections shouldn't be simultaneously executable and writable at the same time. Malfind shows hidden or injected code / DLLs in user mode memory. The combination of both of these things together -- the fact that it showed up in malfind, and that those permissions are associated with it, is a red flag.
@13Cubed Thanks for the quick reply.
Can't seem to run hollowfind...
Once we recognize the evil processes, how do we get rid of those files and, in essence, clean the machine?
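To make the reply above concrete, here is an added example (not code from the video, from 13Cubed, or from Volatility): a small Python triage script over the text that Volatility 2's malfind plugin prints. It addresses the on-disk question directly. PAGE_EXECUTE_READWRITE only says the region is writable and executable at once; that the region is not backed by a file on disk comes from the VAD itself, a VadS tag (a short VAD, with no section or file object behind it) together with PrivateMemory=1. The script also checks what the first bytes of each region look like: an MZ header (an injected PE), a CALL $+5 / POP prologue (position-independent shellcode), or all zeros (a likely false positive that should be dumped and inspected rather than trusted). The malfind output embedded in it is constructed by hand in malfind's block format, not taken from a real image, and the vol.py dump command it emits uses malfind's real -p and -D options with the image path and profile left as placeholders.

```python
"""Triage helper for the text that Volatility 2's malfind plugin prints.
Added example for this thread, not code from the video or from Volatility.
SAMPLE_OUTPUT is constructed by hand in malfind's block format, not a real image."""
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
Process: explorer.exe Pid: 1752 Address: 0x1a70000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01a70000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x01a70010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x1a70000 4d               DEC EBP

Process: svchost.exe Pid: 1032 Address: 0x80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00080000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x80000 0000             ADD [EAX], AL

Process: notepad.exe Pid: 2200 Address: 0x7f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x007f0000  e8 00 00 00 00 5b 81 eb 05 10 40 00 8d 83 00 20   .....[....@.....

0x7f0000 e800000000       CALL 0x7f0005
0x7f0005 5b               POP EBX
"""

HEADER_RE = re.compile(r"^Process: (?P<proc>\S+) Pid: (?P<pid>\d+) Address: (?P<addr>0x[0-9a-fA-F]+)")
VAD_RE = re.compile(r"^Vad Tag: (?P<tag>\S+) Protection: (?P<prot>\S+)")
FLAGS_RE = re.compile(r"^Flags: (?P<flags>.*)$")
# Hexdump rows: 0x-address, two spaces, up to 16 "xx " pairs, then the ASCII column.
# Disassembly rows have a single space after the address, so they never match this.
HEX_ROW_RE = re.compile(r"^0x[0-9a-fA-F]+  ((?:[0-9a-f]{2} ){1,16})")


@dataclass
class MalfindHit:
    process: str
    pid: int
    address: int
    vad_tag: str = ""
    protection: str = ""
    flags: dict = field(default_factory=dict)   # parsed from the "Flags:" line
    data: bytes = b""                            # bytes recovered from the hexdump rows


def parse_malfind(text: str) -> list:
    """Split malfind text into one MalfindHit per Process/Pid/Address block."""
    hits, current = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = MalfindHit(m["proc"], int(m["pid"]), int(m["addr"], 16))
            hits.append(current)
        elif current is None:
            continue
        elif m := VAD_RE.match(line):
            current.vad_tag, current.protection = m["tag"], m["prot"]
        elif m := FLAGS_RE.match(line):
            for item in m["flags"].split(","):
                key, _, value = item.strip().partition(": ")
                if value.isdigit():
                    current.flags[key] = int(value)
        elif m := HEX_ROW_RE.match(line):
            current.data += bytes.fromhex(m.group(1).replace(" ", ""))
    return hits


def why_suspicious(hit: MalfindHit) -> list:
    """Explain a hit: the protection alone does not prove 'not on disk'; the VAD does."""
    reasons = []
    if hit.protection == "PAGE_EXECUTE_READWRITE":
        reasons.append("RWX: region is writable and executable at the same time")
    if hit.vad_tag == "VadS":
        reasons.append("VadS: short VAD with no section/file object, so not mapped from a file on disk")
    if hit.flags.get("PrivateMemory") == 1:
        reasons.append("PrivateMemory=1: privately committed pages, not a mapped image")
    head = hit.data[:16]
    if head[:2] == b"MZ":
        reasons.append("MZ header at region start: an injected PE image")
    elif head[:5] == b"\xe8\x00\x00\x00\x00":
        reasons.append("CALL $+5 then POP prologue: position-independent shellcode")
    elif not head:
        reasons.append("no hexdump bytes recovered")
    elif not any(head):
        reasons.append("all-zero prefix: pages may be unbacked or zeroed, dump and inspect")
    return reasons


def triage(text: str) -> list:
    """One summary dict per hit, with the malfind -p/-D command that dumps that region."""
    return [{"process": h.process, "pid": h.pid, "address": hex(h.address),
             "reasons": why_suspicious(h),
             "dump": f"vol.py -f <image> --profile=<profile> malfind -p {h.pid} -D out/"}
            for h in parse_malfind(text)]
```

Feed it the saved text of `vol.py -f <image> --profile=<profile> malfind` in place of SAMPLE_OUTPUT. Volatility 3's windows.malfind prints a different column layout, so the three regexes would need adjusting there; the reasoning about VadS, PrivateMemory and the first bytes carries over unchanged.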
A little beyond the scope of this channel. Once the incident is properly scoped and contained, and only then, should you proceed to remediation. In many instances that involves nuking the box(es) and restoring from trusted media.
@13Cubed Thank you, I'll take that and do a little research. Thank you for your expertise and time.
which memory sample you used in this video?
I honestly don't remember, but check out "Mini Memory CTF" -- that episode has a downloadable memory sample you can grab and follow along with.
@13Cubed Okay, thank you man, your videos are really informative.
Good video, and I really appreciate your work, but I ran into some trouble analyzing this vmem (stuxnet.vmem). When I used the hollowfind plugin, it said "ERROR : volatility.debug : You must specify something to do (try -h)"
It sounds like you don’t have the hollowfind plugin installed. See here: github.com/monnappa22/HollowFind/blob/master/README.md
Thanks a lot for your help and kindness, finally solved the problem. Keep up the good work, btw.
Hello. Is it possible to do the same with a W10 .dmp file? How can I do that? E.g. when I try to use imageinfo on the dump file I see "PAE type: No PAE" and no more information.
Are you referring to extracting data from a complete crash dump?
@13Cubed Yup, some of my crash dump files don't work properly. Profiles are good, dumps work fine in WinDbg, but not in Volatility and Rekall.
@MrRodzyn7 What happens? Do you get parsing errors, gibberish, some good data mixed with bad data, etc.?
I love you
That's how people played Among Us in 2017, who's the impostor here?