
Windows Memory Analysis

13Cubed (51K subscribers)
29K views

As a continuation of the “Introduction to Memory Forensics” video, we will use Volatility to analyze a Windows memory image that contains malware. We’ll start with some of the more common plugins covered in the previous video, including pstree, pslist, and psscan. As we sift through that data, we’ll look for any processes that stand out as odd or potentially malicious. Then we’ll move on to a more advanced plugin called malfind. As the name implies, malfind helps us locate malicious code within our memory image, including hidden or injected code or DLLs. Next, we’ll look at a similar plugin called hollowfind, which won first place in the 2016 Volatility Plugin Contest and is designed to automate detection of the various process hollowing techniques you may encounter. Lastly, we’ll use procdump to dump a couple of the identified malicious processes. We’ll then hash them and submit those hashes to VirusTotal to verify our findings.
Introduction to Memory Forensics:
• Introduction to Memory...
Volatility Memory Samples:
github.com/vol...
Detecting Deceptive Process Hollowing Techniques:
cysinfo.com/de...
This website provides an analysis of the same memory image, and provides a great overview of process hollowing.
HollowFind:
github.com/mon...
Ten Process Injection Techniques:
www.endgame.co...
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #MemoryForensics
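The cross-view step described above (compare what pslist's linked-list walk reports with what psscan carves out of pool memory, then look at parent/child relationships the way pstree does, and finally hash the dumped process for a VirusTotal lookup) can be automated over the plugins' text output. The script below is an added example for this page, not code from the 13Cubed video or from the Volatility project. Both tables are constructed in the layout of Volatility 2 pslist/psscan output; the names, PIDs, offsets and timestamps are illustrative and do not come from any real image, and the expected-parent table is an assumed heuristic that you would tune for the Windows version under analysis.

```python
"""Cross-view process triage over Volatility 2 pslist/psscan output (added example)."""
import hashlib
import re
from collections import Counter

# CONSTRUCTED pslist-style table: the linked-list walk omits unlinked (hidden) processes.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
0x823c8830 System                    4      0     59      403 ------      0 2023-01-01 10:00:00
0x820df020 smss.exe                 376      4      3       19 ------      0 2023-01-01 10:00:05
0x821a2da0 winlogon.exe             624    376     19      342      0      0 2023-01-01 10:00:10
0x81e9d020 services.exe             668    624     21      431      0      0 2023-01-01 10:00:12
0x81e7e020 lsass.exe                680    624     19      342      0      0 2023-01-01 10:00:13
0x822e9020 svchost.exe              856    668     17      193      0      0 2023-01-01 10:00:20
0x81fd2020 explorer.exe            1212   1100     16      570      0      0 2023-01-01 10:01:00
0x81f1b020 lsass.exe               1928   1212      1       23      0      0 2023-01-01 10:05:00
"""

# CONSTRUCTED psscan-style table: pool-tag carving also returns unlinked AND exited processes.
PSSCAN = """\
Offset(P)  Name                PID   PPID PDB        Time created         Time exited
0x023c8830 System                4      0 0x00319000 2023-01-01 10:00:00
0x020df020 smss.exe            376      4 0x0a1c0020 2023-01-01 10:00:05
0x021a2da0 winlogon.exe        624    376 0x0a1c0060 2023-01-01 10:00:10
0x01e9d020 services.exe        668    624 0x0a1c0080 2023-01-01 10:00:12
0x01e7e020 lsass.exe           680    624 0x0a1c00a0 2023-01-01 10:00:13
0x022e9020 svchost.exe         856    668 0x0a1c00c0 2023-01-01 10:00:20
0x01fd2020 explorer.exe       1212   1100 0x0a1c00e0 2023-01-01 10:01:00
0x01f1b020 lsass.exe          1928   1212 0x0a1c0100 2023-01-01 10:05:00
0x01cd0020 notepad.exe        2044   1212 0x0a1c0120 2023-01-01 10:02:00  2023-01-01 10:03:00
0x01c44da0 hidden.exe         1500   1212 0x0a1c0140 2023-01-01 10:06:00
"""

ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.*)$")
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# ASSUMED heuristic: who normally spawns core Windows processes (XP names and Vista+ names).
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "winlogon.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe", "wininit.exe"},
    "lsass.exe": {"winlogon.exe", "wininit.exe"},
    "svchost.exe": {"services.exe"},
}
SINGLETONS = {"lsass.exe", "services.exe", "wininit.exe"}  # more than one instance is suspicious


def parse_rows(text):
    """Parse pslist/psscan rows into dicts; timestamps are taken positionally (created, exited)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:                      # header and separator lines
            continue
        _offset, name, pid, ppid, rest = m.groups()
        stamps = TS_RE.findall(rest)
        rows.append({"name": name, "pid": int(pid), "ppid": int(ppid),
                     "created": stamps[0] if stamps else None,
                     "exited": stamps[1] if len(stamps) > 1 else None})
    return rows


def hidden_processes(pslist_rows, psscan_rows):
    """Processes carved by psscan that pslist did not report and that have not exited.
    Keying on (pid, created) avoids false matches from PID reuse; exited processes are
    expected to show up only in psscan and are not 'hidden'."""
    listed = {(r["pid"], r["created"]) for r in pslist_rows}
    return [r for r in psscan_rows
            if (r["pid"], r["created"]) not in listed and r["exited"] is None]


def parent_anomalies(rows):
    """pstree-style checks: unexpected parent for a core process, or duplicate singletons.
    A parent that is simply absent (it exited, e.g. the smss.exe that started winlogon.exe)
    is not flagged automatically; review those by hand."""
    by_pid = {r["pid"]: r for r in rows}
    bad_parent = []
    for r in rows:
        allowed = EXPECTED_PARENT.get(r["name"].lower())
        parent = by_pid.get(r["ppid"])
        if allowed is None or parent is None:
            continue
        if parent["name"].lower() not in allowed:
            bad_parent.append((r["name"], r["pid"], parent["name"], parent["pid"]))
    counts = Counter(r["name"].lower() for r in rows)
    duplicates = {n: counts[n] for n in SINGLETONS if counts[n] > 1}
    return {"bad_parent": bad_parent, "duplicates": duplicates}


def sha256_hex(data: bytes) -> str:
    """Hash of a procdump output file, the value you would look up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    pl, ps = parse_rows(PSLIST), parse_rows(PSSCAN)
    for r in hidden_processes(pl, ps):
        print(f"hidden: {r['name']} pid={r['pid']} ppid={r['ppid']}")
    print(parent_anomalies(pl))
    print("sha256 of a constructed dump:", sha256_hex(b"MZ" + b"\x90" * 62 + b"PE\x00\x00"))
```

On the constructed data this reports hidden.exe (present in psscan, absent from pslist, no exit time) and the second lsass.exe, which both has an unexpected parent (explorer.exe) and duplicates a process that should exist exactly once; notepad.exe is skipped because it exited. Hash the procdump output rather than the in-memory image when you query VirusTotal, and expect dumped executables to hash differently from the on-disk file because of relocations and runtime changes.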

Published: 13 Sep 2024

Comments: 40
@Thms84 (4 years ago)
Hands down, the best practical Volatility case description I have seen so far. You, Sir, just got a follower now and I can't wait to watch more of your videos.

@ElCyberWizard (3 years ago)
Thanks again! So awesome how everything is explained so well.

@alrestauro (3 years ago)
This presentation is so cool and on point with the information! Thanks for sharing!

@HamsterLover1337 (1 year ago)
Richard, many thanks for the amazing content you put out for free on RU-vid. Using what I have learned from you, I have passed my Threat Hunting (eCTHPv2) examination!

@13Cubed (1 year ago)
Great to hear - congrats!

@HamsterLover1337 (1 year ago)
@13Cubed Looking forward to doing FOR500 in the near future!

@13Cubed (1 year ago)
@HamsterLover1337 Awesome. Check out Investigating Windows Endpoints as well! training.13cubed.com/investigating-windows-endpoints

@SanJay-jo4ny (4 years ago)
Beautiful video giving very good knowledge about memory forensics. Try zooming in while using commands... which will be very useful for us while seeing these...

@13Cubed (4 years ago)
This is a pretty old episode. I think you will find that the production quality has greatly increased in newer videos, and they are much easier to read/see.

@SanJay-jo4ny (4 years ago)
@13Cubed True... Thank you so much for your reply.

@SethTech (4 years ago)
Please expand on other modules from Volatility. Especially SSDT, as code injection and hooks go hand in hand. :)

@Psychiatry.321 (5 years ago)
Since Windows 8.1 you can't extract the passwords from the memory image dump because there is no plain text inside lsass.exe (or lsass.dmp if you created a dump file from Task Manager or a PowerShell command), but you can get the hash and brute-force it by terminal (you can use macOS as well instead of Linux).

@ehsanghasaei7474 (4 years ago)
This video is amazing. Thank you.

@TheKiller7276 (7 years ago)
Another good video. Once you have identified the malware, what steps would you take to remove it?

@TheKiller7276 (7 years ago)
I see, thanks for the response.

@ethanrepublic (6 years ago)
Excellent video. Just need to make the screen a little bigger. Ty

@MegaEthicalHacking (6 years ago)
Very nice and informative, thanks for sharing the knowledge.

@benjaminnewman3833 (6 years ago)
I haven't had time to watch your other videos but this is really informative, thank you. Quick question: what is your background? Are you in the forensic industry?

@13Cubed (6 years ago)
I've been in the IT field for 23+ years, InfoSec for 10+ of that time. Forensics is often a significant part of my job, but not my only concentration or responsibility.

@HamsterLover1337 (1 year ago)
At 10:30 you say that it is running executable code without a program on disk. Whenever we see the flag "PAGE_EXECUTE_READWRITE", does that mean it isn't written on disk?

@13Cubed (1 year ago)
PAGE_EXECUTE_READWRITE means the process has execute, read, and write permissions. Typically, memory sections shouldn't be simultaneously executable and writable at the same time. Malfind shows hidden or injected code / DLLs in user mode memory. The combination of both of these things together -- the fact that it showed up in malfind, and that those permissions are associated with it -- is a red flag.
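The point in the reply above is that the protection constant alone is not the finding: PAGE_EXECUTE_READWRITE is just a page protection, and what makes a malfind hit interesting is that the region is private memory (VadS tag, no backing file on disk) that is executable and writable and, often, contains something recognisable such as an MZ header. The script below is an added example for this page, not code from the 13Cubed video or from Volatility; it parses text in the layout of Volatility 2 malfind output and scores each region on exactly that combination. MALFIND_OUTPUT is constructed: the process names, PIDs, addresses and bytes are illustrative only.

```python
"""Triage of Volatility 2 malfind output by protection and content (added example)."""
import re

# CONSTRUCTED malfind-style output for three private (VadS) RWX regions.
MALFIND_OUTPUT = """\
Process: explorer.exe Pid: 1212 Address: 0x1f50000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01f50000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x01f50010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

Process: svchost.exe Pid: 856 Address: 0x2a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x002a0000  55 8b ec 83 ec 10 e8 00 00 00 00 58 2d 06 10 00   U..........X-...
0x002a0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Process: w3wp.exe Pid: 2200 Address: 0x4b0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x004b0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x004b0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

HDR_RE = re.compile(r"Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
VAD_RE = re.compile(r"Vad Tag:\s+(\S+)\s+Protection:\s+(\S+)")
# One hex-dump line: address, then exactly 16 "xx " byte pairs, then the ASCII column.
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} ){16})", re.M)


def parse_malfind(text):
    """Split the output into per-region records with the dumped header bytes."""
    regions = []
    for chunk in re.split(r"(?m)^(?=Process:)", text):
        hdr = HDR_RE.search(chunk)
        if not hdr:
            continue
        vad = VAD_RE.search(chunk)
        raw = "".join(HEX_RE.findall(chunk)).replace(" ", "")
        regions.append({
            "process": hdr.group(1), "pid": int(hdr.group(2)),
            "address": int(hdr.group(3), 16),
            "vad_tag": vad.group(1) if vad else "",
            "protection": vad.group(2) if vad else "",
            "bytes": bytes.fromhex(raw),
        })
    return regions


def triage(regions):
    """Score each region: protection + private memory + recognisable content.
    medium = RWX with content but no recognisable header; JIT engines (.NET, browsers)
    legitimately create such regions, so confirm by dumping the region before acting."""
    results = []
    for r in regions:
        prot, data = r["protection"], r["bytes"]
        rwx = "EXECUTE" in prot and "WRITE" in prot
        private = r["vad_tag"] == "VadS"          # no file mapping behind this region
        reasons = []
        if rwx:
            reasons.append(f"{prot}: executable and writable at once")
        if private:
            reasons.append("VadS: private memory, not backed by a file on disk")
        if data.startswith(b"MZ"):
            reasons.append("starts with an MZ header: a PE image loaded outside the loader")
        elif data.startswith(b"\x55\x8b\xec"):
            reasons.append("starts with an x86 prologue (push ebp; mov ebp, esp)")
        if rwx and (data.startswith(b"MZ") or data.startswith(b"\x55\x8b\xec")):
            severity = "high"
        elif rwx and any(data):                  # non-zero content, nothing recognised
            severity = "medium"
        else:                                    # zero-filled: committed but never used
            severity = "low"
        results.append({"process": r["process"], "pid": r["pid"],
                        "address": r["address"], "severity": severity, "reasons": reasons})
    return results


if __name__ == "__main__":
    for hit in triage(parse_malfind(MALFIND_OUTPUT)):
        print(f"{hit['severity']:6} {hit['process']} pid={hit['pid']} @ {hit['address']:#x}")
        for why in hit["reasons"]:
            print("       -", why)
```

On the constructed data the explorer.exe region (RWX, private, MZ header) and the svchost.exe region (RWX, private, function prologue) come out high, while the zero-filled w3wp.exe region comes out low even though it carries the same protection, which is the distinction the reply above draws: the permissions are a red flag only together with what malfind selected and what the bytes contain.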
@HamsterLover1337 (1 year ago)
@13Cubed Thanks for the quick reply.

@SecureTheWorld (5 years ago)
Can you please make a video on Rekall and what its best use cases are? I found that some results are better than Volatility's, but Volatility is somehow easier to use.

@13Cubed (5 years ago)
Ahmed Elshaer Thanks for the suggestion. I will add this to my list.

@abhradeepbanerjee1286 (4 years ago)
Can't seem to run hollowfind...

@maheshloke7985 (1 year ago)
Which memory sample did you use in this video?

@13Cubed (1 year ago)
I honestly don't remember, but check out "Mini Memory CTF" -- that episode has a downloadable memory sample you can grab and follow along with.

@maheshloke7985 (1 year ago)
@13Cubed Okay, thank you man, your videos are really informative.

@dreamersstudio1873 (5 years ago)
Once we recognize the evil processes, how do we get rid of those files and in essence clean the machine?

@13Cubed (5 years ago)
A little beyond the scope of this channel. Once the incident is properly scoped and contained, and only then, should you proceed to remediation. In many instances that involves nuking the box(es) and restoring from trusted media.

@dreamersstudio1873 (5 years ago)
@13Cubed Thank you, I'll take that and do a little research. Thank you for your expertise and time.

@richardroe7072 (5 years ago)
Good video and I really appreciate your work, but I ran into some trouble while analyzing this vmem (stuxnet.vmem). When I used the hollowfind plugin, it said "ERROR : volatility.debug : You must specify something to do (try -h)"

@13Cubed (5 years ago)
It sounds like you don’t have the hollowfind plugin installed. See here: github.com/monnappa22/HollowFind/blob/master/README.md

@richardroe7072 (5 years ago)
Thanks a lot for your help and kindness, finally solved the problem. Keep up the good work btw.

@MrRodzyn7 (4 years ago)
Hello. Is it possible to do the same with a W10 .dmp file? How can I do that? E.g. when I try to use imageinfo on the dump file I see "PAE type: No PAE" and no more information.

@13Cubed (4 years ago)
Are you referring to extracting data from a complete crash dump?

@MrRodzyn7 (4 years ago)
@13Cubed Yup, some of my crash dump files don't work properly. Profiles are good, dumps work fine in WinDbg, but not in Volatility and Rekall.

@13Cubed (4 years ago)
@MrRodzyn7 What happens? Do you get parsing errors, gibberish, some good data mixed with bad data, etc.?

@PBandECHO (2 years ago)
I love you

@teopaul9486 (3 years ago)
That's how people played Among Us in 2017, who's the impostor here?