Windows Memory Analysis

  • Published: 27 Aug 2017
  • As a continuation of the “Introduction to Memory Forensics” video, we will use Volatility to analyze a Windows memory image that contains malware. We’ll start with some of the more common plugins covered in the previous video, including pstree, pslist, and psscan. As we sift through that data, we’ll look for any processes that stand out as odd or potentially malicious. Then we’ll move on to a more advanced plugin called malfind. As the name implies, malfind helps us locate malicious code within our memory image, including hidden or injected code or DLLs. Next, we’ll look at a similar plugin called hollowfind, which won first place in the 2016 Volatility Plugin Contest and is designed to automate detection of the various process hollowing techniques you may encounter. Lastly, we’ll use procdump to dump a couple of the identified malicious processes. We’ll then hash them and submit those hashes to VirusTotal to verify our findings.
    Introduction to Memory Forensics:
    • Introduction to Memory...
    Volatility Memory Samples:
    github.com/volatilityfoundati...
    Detecting Deceptive Process Hollowing Techniques:
    cysinfo.com/detecting-decepti...
    This article analyzes the same memory image and gives a great overview of process hollowing.
    HollowFind:
    github.com/monnappa22/HollowFind
    Ten Process Injection Techniques:
    www.endgame.com/blog/technica...
    #Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #MemoryForensics
  • Science
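The process-listing stage of the workflow described above (pslist, then psscan, then looking for processes that stand out), as an added example that is not code from the video or from Volatility itself: a Python script that parses the text output of both plugins, reports processes psscan found that pslist did not, checks each core Windows process against its expected parent, and flags processes that should exist only once. The sample rows are constructed in the Volatility 2 text layout and are not output from the image analyzed in the video; the parent table and singleton list are an assumption for Windows XP (Vista and later spawn services.exe and lsass.exe from wininit.exe, not winlogon.exe).

```python
from collections import Counter

# Constructed sample output in Volatility 2 pslist/psscan layout (not from the video's image).
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     59      403 ------      0
0x820df020 smss.exe                376      4      3       19 ------      0 2011-06-03 04:00:01 UTC+0000
0x821a2da0 csrss.exe               600    376     11      395      0      0 2011-06-03 04:00:02 UTC+0000
0x81da5650 winlogon.exe            624    376     19      570      0      0 2011-06-03 04:00:02 UTC+0000
0x81e65da0 services.exe            668    624     21      431      0      0 2011-06-03 04:00:03 UTC+0000
0x81e6b660 lsass.exe               680    624     19      342      0      0 2011-06-03 04:00:03 UTC+0000
0x822843e8 svchost.exe             868    668     14      203      0      0 2011-06-03 04:00:04 UTC+0000
0x81e61da0 lsass.exe              1900    668      4       65      0      0 2011-06-03 04:26:55 UTC+0000
0x81c498c8 lsass.exe              1912    668      5       90      0      0 2011-06-03 04:26:55 UTC+0000
"""

PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x00000000020df020 smss.exe            376      4 0x0a1d1000 2011-06-03 04:00:01 UTC+0000
0x00000000021a2da0 csrss.exe           600    376 0x0a1d1020 2011-06-03 04:00:02 UTC+0000
0x0000000001da5650 winlogon.exe        624    376 0x0a1d1040 2011-06-03 04:00:02 UTC+0000
0x0000000001e65da0 services.exe        668    624 0x0a1d1060 2011-06-03 04:00:03 UTC+0000
0x0000000001e6b660 lsass.exe           680    624 0x0a1d1080 2011-06-03 04:00:03 UTC+0000
0x00000000022843e8 svchost.exe         868    668 0x0a1d10a0 2011-06-03 04:00:04 UTC+0000
0x0000000001e61da0 lsass.exe          1900    668 0x0a1d10c0 2011-06-03 04:26:55 UTC+0000
0x0000000001c498c8 lsass.exe          1912    668 0x0a1d10e0 2011-06-03 04:26:55 UTC+0000
0x0000000002498c00 evil.exe           1344    868 0x0a1d1100 2011-06-03 04:27:10 UTC+0000
"""

# Expected parent of each core process on Windows XP. Assumption of this example: on Vista
# and later, services.exe and lsass.exe are children of wininit.exe, not winlogon.exe.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}
# Processes that should exist exactly once on a single-session XP box (same assumption).
SINGLETONS = ("smss.exe", "services.exe", "lsass.exe")


def parse_procs(output):
    """Return {pid: (name, ppid)} from pslist or psscan text; data rows start with an offset."""
    procs = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("0x"):
            continue  # header or separator line
        procs[int(fields[2])] = (fields[1], int(fields[3]))
    return procs


def triage(pslist_output, psscan_output):
    """Return a list of finding strings; an empty list means nothing stood out."""
    listed = parse_procs(pslist_output)    # walks the EPROCESS linked list
    scanned = parse_procs(psscan_output)   # pool-tag scan of physical memory
    findings = []

    # 1. In psscan but not pslist: the EPROCESS was unlinked (DKOM) or the process exited.
    #    psscan also returns terminated processes, so check its "Time exited" column before
    #    calling an entry hidden.
    for pid in sorted(set(scanned) - set(listed)):
        name, ppid = scanned[pid]
        findings.append(f"not-in-pslist pid={pid} name={name} ppid={ppid}")

    # 2. Parent sanity: each core process should be spawned by its expected parent.
    for pid, (name, ppid) in sorted(listed.items()):
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue
        parent = listed.get(ppid, ("<missing>", None))[0]
        if parent.lower() != expected:
            findings.append(
                f"bad-parent pid={pid} name={name} parent={parent} ppid={ppid} expected={expected}"
            )

    # 3. Singletons: a second lsass.exe or services.exe is a classic injection/hollowing tell.
    counts = Counter(name.lower() for name, _ in listed.values())
    for name in SINGLETONS:
        if counts[name] > 1:
            findings.append(f"duplicate name={name} count={counts[name]}")
    return findings


if __name__ == "__main__":
    for finding in triage(PSLIST, PSSCAN):
        print(finding)
```

On the constructed data this reports one process present only in psscan, two lsass.exe instances whose parent is services.exe rather than winlogon.exe, and three lsass.exe processes in total; those are exactly the kinds of oddities the video's manual pass through pstree and pslist is hunting for, and each one is a candidate for malfind, hollowfind and procdump in the next steps.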

Comments • 40

  • @Thms84
    @Thms84 4 years ago +4

    Hands down, the best practical volatility case description I have seen so far. You, Sir, just got a follower now and I can't wait to watch more of your videos.

  • @ElCyberWizard
    @ElCyberWizard 2 years ago +2

    Thanks again! So awesome how everything is explained so well.

  • @alrestauro
    @alrestauro 2 years ago +1

    This presentation is so cool and on point with the information! Thanks for sharing!

  • @MegaEthicalHacking
    @MegaEthicalHacking 6 years ago

    Very nice and informative, thanks for sharing the knowledge.

  • @ehsanghasaei7474
    @ehsanghasaei7474 4 years ago +1

    This video is amazing. Thank you.

  • @Psychiatry.321
    @Psychiatry.321 5 years ago +2

    Since Windows 8.1 you can't extract the passwords from the memory image dump because there is no plaintext inside lsass.exe (or lsass.dmp if you created a dump file from Task Manager or a PowerShell command), but you can get the hash and brute-force it from the terminal (you can use macOS as well instead of Linux).

  • @SethTech
    @SethTech 3 years ago +1

    Please expand on other modules from Volatility, especially SSDT, as code injection and hooks go hand in hand. :)

  • @TheKiller7276
    @TheKiller7276 7 years ago +3

    Another good video. Once you have identified the malware, what steps would you take to remove it?

  • @ethanrepublic
    @ethanrepublic 6 years ago +3

    Excellent video. Just need to make the screen a little bigger. Ty

  • @HamsterLover1337
    @HamsterLover1337 1 year ago

    Richard, much thanks for the amazing content you put out for free on RUclips. Using what I have learned from you, I have passed my Threat Hunting (eCTHPv2) examination!

    • @13Cubed
      @13Cubed  1 year ago

      Great to hear - congrats!

    • @HamsterLover1337
      @HamsterLover1337 1 year ago

      @@13Cubed Looking forward to doing FOR500 in the near future!

    • @13Cubed
      @13Cubed  1 year ago

      @@HamsterLover1337 Awesome. Check out Investigating Windows Endpoints as well! training.13cubed.com/investigating-windows-endpoints

  • @benjaminnewman3833
    @benjaminnewman3833 6 years ago

    I haven't had time to watch your other videos, but this is really informative, thank you. Quick question: what is your background? Are you in the forensics industry?

    • @13Cubed
      @13Cubed  6 years ago +1

      I've been in the IT field for 23+ years, InfoSec for 10+ of that time. Forensics is often a significant part of my job, but not my only concentration or responsibility.

  • @SanJay-jo4ny
    @SanJay-jo4ny 3 years ago +1

    Beautiful video giving very good knowledge about memory forensics. Try zooming in while using commands, which will be very useful for us while watching these.

    • @13Cubed
      @13Cubed  3 years ago +1

      This is a pretty old episode. I think you will find that the production quality has greatly increased in newer videos, and they are much easier to read/see.

    • @SanJay-jo4ny
      @SanJay-jo4ny 3 years ago

      @@13Cubed True. Thank you so much for your reply.

  • @SecureTheWorld
    @SecureTheWorld 5 years ago

    Can you please make a video on Rekall and what its best use cases are? I found that some results are better than Volatility's, but Volatility is somehow easier to use.

    • @13Cubed
      @13Cubed  5 years ago

      Ahmed Elshaer Thanks for the suggestion. I will add this to my list.

  • @HamsterLover1337
    @HamsterLover1337 1 year ago

    at 10:30 you say that it is running executable code without a program on disk.
    Whenever we see the flag "PAGE_EXECUTE_READWRITE", does that mean it isn't written on disk?

    • @13Cubed
      @13Cubed  1 year ago

      PAGE_EXECUTE_READWRITE means the process has execute, read, and write permissions. Typically, memory sections shouldn't be simultaneously executable and writable. Malfind shows hidden or injected code / DLLs in user mode memory. The combination of both of these things together -- the fact that it showed up in malfind, and that those permissions are associated with it -- is a red flag.

    • @HamsterLover1337
      @HamsterLover1337 1 year ago +1

      @@13Cubed Thanks for the quick reply.
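Following the exchange above about malfind and PAGE_EXECUTE_READWRITE, an added example that is not code from the video or from Volatility: a Python triage script over malfind's text output that parses each hit's process, PID, VAD protection and hex dump, then ranks the hits by what the first bytes look like. The three hits are constructed in the malfind text layout and are not from the image analyzed in the video; the byte signatures (MZ header, a common x86 prologue or call/jmp, an all-zero region) are an assumption of this example, chosen because malfind already filters on executable private memory, so the region's content is what separates an injected PE from a committed-but-untouched page.

```python
import re

# Constructed sample hits in Volatility 2 malfind layout (not output from the video's image).
MALFIND = """\
Process: lsass.exe Pid: 1900 Address: 0x80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 23, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00080000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00080010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x00080000 4d               DEC EBP
0x00080001 5a               POP EDX
0x00080002 90               NOP

Process: explorer.exe Pid: 1484 Address: 0x1460000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01460000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01460010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x01460000 0000             ADD [EAX], AL

Process: svchost.exe Pid: 868 Address: 0xd80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00d80000  55 8b ec 83 ec 10 53 56 57 e8 00 00 00 00 5b 81   U.......SVW...[.
0x00d80010  eb 05 10 00 00 8d 83 1c 00 00 00 50 ff 93 20 00   ...........P.. .

0x00d80000 55               PUSH EBP
0x00d80001 8bec             MOV EBP, ESP
"""

HIT_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
PROT_RE = re.compile(r"Protection:\s+(PAGE_\w+)")
# Hex-dump rows carry 16 space-separated byte pairs; disassembly rows carry far fewer and
# run opcode bytes together, so requiring at least 8 pairs keeps them out.
DUMP_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} ){8,16})")

# Leading-byte signatures (assumption of this example): push ebp/mov ebp,esp, cld, call, jmp,
# and the x64 "sub rsp" / "mov [rsp+..]" openers.
PROLOGUES = (b"\x55\x8b\xec", b"\xfc", b"\xe8", b"\xe9", b"\x48\x83\xec", b"\x48\x89")
PRIORITY = {"pe-header": 0, "code-prologue": 1, "unknown": 2, "zeroed": 3}


def parse_malfind(output):
    """Split malfind text into hits: process, pid, address, protection and dumped bytes."""
    hits, cur = [], None
    for line in output.splitlines():
        m = HIT_RE.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "protection": None, "bytes": b""}
            hits.append(cur)
            continue
        if cur is None:
            continue
        m = PROT_RE.search(line)          # "Protection: 6" on the Flags line has no PAGE_ prefix
        if m and cur["protection"] is None:
            cur["protection"] = m.group(1)
            continue
        m = DUMP_RE.match(line)
        if m:
            cur["bytes"] += bytes.fromhex(m.group(1).replace(" ", ""))
    return hits


def classify(hit):
    """Verdict from the first dumped bytes of the region."""
    data = hit["bytes"]
    if not data:
        return "unknown"
    if data.startswith(b"MZ"):
        return "pe-header"          # a whole PE mapped into private memory: injected image
    if not data.strip(b"\x00"):
        return "zeroed"             # committed but never written; usually a benign hit
    if data.startswith(PROLOGUES):
        return "code-prologue"      # looks like a function entry or shellcode stub
    return "unknown"


def prioritize(output):
    """Parsed hits with a verdict, most suspicious first (stable for equal verdicts)."""
    hits = parse_malfind(output)
    for hit in hits:
        hit["verdict"] = classify(hit)
    return sorted(hits, key=lambda h: PRIORITY[h["verdict"]])


if __name__ == "__main__":
    for hit in prioritize(MALFIND):
        print(f"{hit['verdict']:14} {hit['process']:14} pid={hit['pid']:<5} "
              f"addr={hit['address']:#x} prot={hit['protection']}")
```

The ranking only orders where to look first: an MZ header in RWX private memory of lsass.exe is the strongest lead and is what you would hand to procdump or dump with malfind's -D option, while an all-zero region is usually a committed-but-unused allocation and can be deferred until the stronger hits are explained.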

  • @richardroe7072
    @richardroe7072 5 years ago

    Good video and I really appreciate your work, but I got some trouble analyzing this vmem (stuxnet.vmem). When I used the hollowfind plugin, it said "ERROR : volatility.debug : You must specify something to do (try -h)"

    • @13Cubed
      @13Cubed  5 years ago

      It sounds like you don’t have the hollowfind plugin installed. See here: github.com/monnappa22/HollowFind/blob/master/README.md

    • @richardroe7072
      @richardroe7072 5 years ago

      Thanks a lot for your help and kindness, I finally solved the problem. Keep up the good work btw

  • @MrRodzyn7
    @MrRodzyn7 4 years ago

    Hello. Is it possible to do the same with a W10 .dmp file? How can I do that? E.g. when I try to use imageinfo on the dump file I see "PAE type: No PAE" and no more information.

    • @13Cubed
      @13Cubed  4 years ago

      Are you referring to extracting data from a complete crash dump?

    • @MrRodzyn7
      @MrRodzyn7 4 years ago

      @@13Cubed Yup, some of my crash dump files don't work properly. Profiles are good, dumps work good in WinDbg, but not in Volatility and Rekall.

    • @13Cubed
      @13Cubed  4 years ago

      @@MrRodzyn7 What happens? Do you get parsing errors, gibberish, some good data mixed with bad data, etc.?

  • @abhradeepbanerjee1286
    @abhradeepbanerjee1286 4 years ago

    Can't seem to run hollowfind.

  • @dreamersstudio1873
    @dreamersstudio1873 5 years ago

    Once we recognize the evil processes, how do we get rid of those files and in essence clean the machine?

    • @13Cubed
      @13Cubed  5 years ago +1

      A little beyond the scope of this channel. Once the incident is properly scoped and contained, and only then, should you proceed to remediation. In many instances that involves nuking the box(es) and restoring from trusted media.

    • @dreamersstudio1873
      @dreamersstudio1873 5 years ago

      @@13Cubed Thank you, I'll take that and do a little research. Thank you for your expertise and time.

  • @PBandECHO
    @PBandECHO 2 years ago

    I love you

  • @maheshloke7985
    @maheshloke7985 1 year ago

    Which memory sample did you use in this video?

    • @13Cubed
      @13Cubed  1 year ago +1

      I honestly don't remember, but check out "Mini Memory CTF" -- that episode has a downloadable memory sample you can grab and follow along with.

    • @maheshloke7985
      @maheshloke7985 1 year ago

      @@13Cubed Okay, thank you man, your videos are really informative.

  • @teopaul9486
    @teopaul9486 3 years ago

    That's how people played Among Us in 2017. Who's the impostor here?