Memory Forensics
You can hide, but you have to run
An attacker can do many things to disguise or even hide their malware and tools on disk to avoid detection.
- Renaming / Moving
- Packing
- Encrypting
- Rootkits
Eventually the code has to reveal itself when it executes: whatever is packed or encrypted on disk must be unpacked and decrypted in memory to run. In the case of remote access tooling, the software also has to keep executing to receive commands and maintain its foothold on the system.
Memory is volatile in normal cases; its contents may still be recoverable through:
- Physical forensics
- Hibernation file
Capture Tools
- FTK Imager
- Redline Collector
- dd / windd
- PowerShell
- Task Manager
Tools
- Volatility (also see autoVolatility)
- Rekall
Analysis Approach
Volatility
Identify the profile with the imageinfo plugin, then pass it to every subsequent plugin with --profile.
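As an added example that is not part of the original notes, a small Python helper that parses the output of Volatility 2's imageinfo plugin, picks the suggested profile that matches the reported service pack (imageinfo usually lists several candidates), and builds the follow-up plugin command lines. The imageinfo text is a constructed sample, and vol.py is assumed to be the Volatility 2 entry point on PATH.

```python
import re

# Constructed sample of Volatility 2 imageinfo output (not from a real case).
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer2 : FileAddressSpace (/cases/memory.raw)
                           DTB : 0x187000L
                          KDBG : 0xf80002a3f0a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
           Image date and time : 2012-02-22 11:26:21 UTC+0000
"""

# Field lines are indented "key : value"; the banner and INFO lines start in column 0.
# Splitting on the first " : " keeps colons inside values (timestamps) intact.
FIELD_RE = re.compile(r"^\s+(?P<key>.+?)\s*:\s(?P<value>.*)$")


def parse_imageinfo(text):
    """Return the indented key/value fields of imageinfo output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value").strip()
    return fields


def suggested_profiles(fields):
    """Split the comma-separated 'Suggested Profile(s)' list into names."""
    raw = fields.get("Suggested Profile(s)", "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def choose_profile(fields):
    """Prefer the first candidate whose SPn tag matches the reported service pack."""
    profiles = suggested_profiles(fields)
    if not profiles:
        return None
    sp = fields.get("Image Type (Service Pack)")
    if sp is not None:
        for p in profiles:
            if "SP%s" % sp in p:
                return p
    return profiles[0]  # no service-pack hint: fall back to imageinfo's first guess


def build_commands(image_path, profile, plugins=("pslist", "pstree", "netscan", "malfind")):
    """argv lists for follow-up plugins, each pinned to the chosen profile."""
    return [["vol.py", "-f", image_path, "--profile=" + profile, plugin] for plugin in plugins]
```

The chosen profile is only a starting point: if later plugins return empty or inconsistent results, try the other suggested profiles before trusting the analysis.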