Today we will analyze the basic analysis of RAM containing a malicious program. This post is for beginner forensics or people who want to learn forensics.
In this quick tutorial, we will be using one of the most popular software volatile memory analyzers: Volatility . This tool will help us check the memory dump of a potentially infected computer. Volatility will help you get useful information (about running processes, last modified files, or even the user's browser history) stored in the computer's memory.
We'll use a few commands to play out a simple Cridex search scenario. Ready? Let's start!
Simulating the situation with an attacker, if the computer was turned off upon the arrival of the Mask Show, the hibernation file located in %SystemDrive%/hiberfil.sys will help. It is problematic to remove it by conventional methods, and uninformed users rarely care about it.
A rich arsenal of virtual machines is also subject to analysis:
In this quick tutorial, we will be using one of the most popular software volatile memory analyzers: Volatility . This tool will help us check the memory dump of a potentially infected computer. Volatility will help you get useful information (about running processes, last modified files, or even the user's browser history) stored in the computer's memory.
We'll use a few commands to play out a simple Cridex search scenario. Ready? Let's start!
Preparation
- I assume that you have already downloaded and installed Volatility on your computer.
- The dump that we will analyze can be downloaded from the page with all the basic samples from Volatility.
Creating a dump
If you want to analyze your own RAM dump, then in order to create it, you can use the following programs:- FTK Imager
- Redline (requires registration)
- DumpIt.exe
- win32dd.exe / win64dd.exe - has fantastic psexec support
Simulating the situation with an attacker, if the computer was turned off upon the arrival of the Mask Show, the hibernation file located in %SystemDrive%/hiberfil.sys will help. It is problematic to remove it by conventional methods, and uninformed users rarely care about it.
A rich arsenal of virtual machines is also subject to analysis:
- VMware - .vmem file
- Hyper-V - .bin file
- Parallels - .mem file
- VirtualBox - .sav file (partial memory file)