All courses may now be found at SUMURI.COM. This course will remain live on Udemy for existing students.
A system's memory contains an assortment of valuable forensic data. A computer analyst trained in memory forensics can use this data to determine if a system has been infected with malware - a valuable skill for both incident response triage work as well as in digital forensic exams involving litigation.
This class picks up where Memory Analysis 1 left off. It provides you with hands-on training working with an infected sample of memory. Learn to identify suspicious processes running in memory by putting a "level 1" triage of Windows memory into action. Using key Volatility plugins, this class walks you through the process of the exam.
A bit of a refresher here: your core Windows processes are always a great place to examine first during triage. I went over these in depth in "Memory Analysis 1."
Class materials download.
This is a basic overview of the tool we will be using, Volatility.
This section goes over the command syntax format you will be using.
Before you can run any plugins against your memory image you need to determine the system's profile.
A quick note about how the practicals are structured.
The IMAGEINFO plugin is the most common one used to determine a system's profile. This section walks you through the steps.
KDBGSCAN is another way to determine a system's profile. This section walks you through the steps.
Another option you have is to list all the profiles supported by your version of the tool. This section walks you through the steps.
The PSLIST plugin lists the processes found in the doubly linked list, along with additional information you can use for remediation. This section walks you through the steps.
The PSTREE plugin allows you to display processes in their hierarchical format. This section walks you through the steps.
The PSSCAN plugin is one way to search memory for processes not listed in the doubly linked list. This section walks you through the steps.
In this section I will demonstrate a method to quickly compare the results of each plugin to flag processes that appear only in PSSCAN. Since these can be hidden processes, this comparison can save you time identifying them.
The PSXVIEW plugin gives you a cross section view of processes found in memory. It is a powerful plugin that provides great information to help you flush out hidden processes. This section walks you through the steps.
I like using this plugin to determine the directory paths of the executables found in memory. By applying some basic triage techniques it can be a powerful tool for finding suspicious files. This section walks you through the steps.
In practice, a good overall filter to keep in mind is any executables (EXEs, DLLs, etc) running from these directories:
And remember, malware can run from the system32 directory, but that is where your legitimate files live, so it is hard to sort out with this method. I normally skip these files at this stage unless I have specific information directing me otherwise.
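The two triage steps above, the PSLIST/PSSCAN comparison and the executable-path filter, as an added example written for this page rather than code from the course or from the Volatility project. The plugin output below is constructed for the example and follows the column layout of Volatility 2 text output; the process names, PIDs, offsets and paths are sample values, not data from any real memory image. The parsing relies only on the fact that both PSLIST and PSSCAN print a hex offset first, then the process name, then the PID, which is what makes a quick set comparison possible:

```python
"""Level 1 triage helpers: flag processes seen only by PSSCAN, then
separate executables that run outside system32 for closer review.
Sample plugin output and paths below are constructed for this example."""

import ntpath

# Constructed PSLIST output: processes present in the doubly linked list.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x8223b240 csrss.exe               584    368      9      326      0      0 2010-10-29 17:08:54 UTC+0000
0x821b0c88 winlogon.exe            608    368     23      519      0      0 2010-10-29 17:08:54 UTC+0000
0x82204aa0 explorer.exe           1464   1440     17      415      0      0 2010-10-29 17:09:01 UTC+0000
"""

# Constructed PSSCAN output: a pool scan that also finds one unlinked process.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created
------------------ ---------------- ------ ------ ---------- ------------------------------
0x0000000001ccb8c8 System               4      0 0x00319000
0x0000000002055020 smss.exe           368      4 0x0c2a8020 2010-10-29 17:08:53 UTC+0000
0x00000000020d9240 csrss.exe          584    368 0x0c2a8040 2010-10-29 17:08:54 UTC+0000
0x0000000001f6ac88 winlogon.exe       608    368 0x0c2a8060 2010-10-29 17:08:54 UTC+0000
0x0000000002013aa0 explorer.exe      1464   1440 0x0c2a80a0 2010-10-29 17:09:01 UTC+0000
0x0000000001e2f7e8 svchost.exe       1148    608 0x0c2a80c0 2010-10-29 17:10:22 UTC+0000
"""

# Constructed executable paths, as an analyst would collect them per process.
SAMPLE_EXE_PATHS = [
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\Documents and Settings\analyst\svchost.exe",
]

SYSTEM32 = r"c:\windows\system32"


def parse_processes(output):
    """Return a set of (pid, name) pairs from PSLIST- or PSSCAN-style text.

    Data rows start with a hex offset; the header and dashed separator do
    not. In both plugins the name is the second column and the PID the third.
    """
    procs = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].startswith("0x"):
            continue
        name, pid = fields[1], fields[2]
        if not pid.isdigit():
            continue
        procs.add((int(pid), name))
    return procs


def psscan_only(pslist_output, psscan_output):
    """Processes PSSCAN found that PSLIST did not: candidates for hidden
    (unlinked) processes. Confirm each one with PSXVIEW before concluding."""
    return sorted(parse_processes(psscan_output) - parse_processes(pslist_output))


def outside_system32(exe_paths):
    """Return executables whose directory is not system32 (or a subfolder).

    The course skips system32 at this stage because legitimate files live
    there; everything else is reviewed. A legitimate path such as
    C:\\WINDOWS\\explorer.exe will be flagged too: this is a review list,
    not a verdict.
    """
    flagged = []
    for path in exe_paths:
        directory = ntpath.dirname(path).lower()
        if directory == SYSTEM32 or directory.startswith(SYSTEM32 + "\\"):
            continue
        flagged.append(path)
    return flagged


if __name__ == "__main__":
    for pid, name in psscan_only(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print(f"only in PSSCAN: pid={pid} name={name}")
    for path in outside_system32(SAMPLE_EXE_PATHS):
        print(f"review path: {path}")
```

Against the constructed samples, svchost.exe (PID 1148) is reported as present only in PSSCAN, and the explorer.exe and user-profile svchost.exe paths are listed for review while the two system32 entries are skipped. A process that exited shortly before the capture can also show up only in PSSCAN, which is why the comparison is a time-saver for where to look next rather than a finding on its own.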
Let's review what we have accomplished in our level 1 triage.
Thank you for checking out the SDF series; I hope you enjoyed the class. The next part of this course will continue to expand upon the level 1 triage of Windows memory. Hope to see you then.
Other SDF courses - www.sumuri.com/training/surviving-digital-forensics
Twitter - @leclairdf
Blog - SUMURI.COM
Over twelve years of experience as a computer forensic analyst, author and developer of computer forensic training and analysis tools. Specialties include Windows forensics, Mac forensics, iOS forensics, Mac Server forensics and mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.
Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+
Regularly instructs law enforcement, government and corporate investigators, both nationally and internationally, in computer forensics.