Memory forensics is an excellent skill for locating data structures and artefacts in the memory of a running computer. It gives a very detailed view of running processes, open network connections, registry handles, kernel modules and more. More recently, memory forensics has also been adopted by malware analysts to study the behaviour of malware from within memory. Malware analysts who do not look at volatile memory are leaving a very important piece of information on the table. Today, a new breed of malware has emerged that runs only in RAM and so leaves little or no trace on disk for investigators. In this training we will use the Volatility framework, a completely open-source collection of tools, implemented in Python, for the extraction of digital artefacts from volatile memory (RAM) samples.
After attending this training, students will be able to:
- Traverse RAM images of Windows systems to find malicious activity
- Analyse user-space and kernel-space processes for possible code injection
- Find malicious hooks and rootkits implanted within RAM images
Topics: The training will cover the following:
Memory Forensics with Volatility
- Dumping Memory with MoonSols Windows Memory Toolkit
- Remote, Read-only Memory Acquisition with F-Response
- Accessing Virtual Machine Memory Files
- Volatility in a Nutshell
- Investigating processes in Memory Dumps
- Detecting DKOM Attacks with psscan
- Recognizing Process Context Tricks
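The psscan and process-context topics above come down to one idea: compare two independent views of the same data and investigate every disagreement. The following is an added example, not code from the training or from Volatility itself. It parses text in the shape of Volatility 2 `pslist` (EPROCESS list walk) and `psscan` (pool-tag scan of physical memory) output, reports processes that only the scanner found, and then checks that core Windows processes have the parent they should. Both listings are constructed for illustration; the expected-parent table is this example's own assumption, not a rule the course defines.

```python
"""Cross-view detection of DKOM-hidden processes plus parent/child sanity checks.

Added example. The two listings below are constructed in the shape of Volatility 2
pslist/psscan output; they were not taken from a real memory image.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class Proc(NamedTuple):
    offset: int
    name: str
    pid: int
    ppid: int
    exited: bool  # psscan also finds terminated processes still lying in freed pool


# Data rows start with an offset, then name, PID and PPID; header/separator lines do not match.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b")
# Volatility 2 timestamp format; a row carrying two of them has both start and exit times.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_rows(text: str) -> List[Proc]:
    procs: List[Proc] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        exited = len(TS_RE.findall(line)) == 2
        procs.append(Proc(int(m.group(1), 16), m.group(2), int(m.group(3)), int(m.group(4)), exited))
    return procs


def find_hidden(pslist_out: str, psscan_out: str) -> List[Proc]:
    """Processes that psscan carved out of physical memory but that pslist did not reach
    by walking ActiveProcessLinks: the classic DKOM signature. Terminated processes are
    skipped, because their EPROCESS blocks legitimately survive in freed pool."""
    listed: Set[Tuple[str, int]] = {(p.name, p.pid) for p in parse_rows(pslist_out)}
    return [p for p in parse_rows(psscan_out) if not p.exited and (p.name, p.pid) not in listed]


# Assumption for this example: who should spawn the core Windows processes (XP and Vista+ names).
EXPECTED_PARENT = {
    "smss.exe": {"System"},
    "services.exe": {"winlogon.exe", "wininit.exe"},
    "lsass.exe": {"winlogon.exe", "wininit.exe"},
    "svchost.exe": {"services.exe"},
}


def find_parent_anomalies(pslist_out: str) -> List[Tuple[Proc, str]]:
    """Processes wearing a well-known name whose parent is not the expected one."""
    procs = parse_rows(pslist_out)
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    out: List[Tuple[Proc, str]] = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name if parent else "<no such pid>"
        if parent_name not in expected:
            out.append((p, parent_name))
    return out


# Constructed sample output (XP-era layout). svchost.exe 1800 is started by explorer.exe,
# svchost.exe 1932 is unlinked from the process list, notepad.exe 1960 has simply exited.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     58      379 ------      0
0x822f1020 smss.exe                 368      4      3       19 ------      0 2010-08-11 06:06:21 UTC+0000
0x81fe87f8 winlogon.exe             608    368     23      519      0      0 2010-08-11 06:06:23 UTC+0000
0x822a0598 services.exe             652    608     16      243      0      0 2010-08-11 06:06:24 UTC+0000
0x8221f020 lsass.exe                664    608     21      335      0      0 2010-08-11 06:06:24 UTC+0000
0x821e9830 svchost.exe             1024    652     21      254      0      0 2010-08-11 06:06:24 UTC+0000
0x8225bda0 explorer.exe            1484   1464     17      415      0      0 2010-08-11 06:09:31 UTC+0000
0x82118020 svchost.exe             1800   1484      2       45      0      0 2010-08-11 06:12:02 UTC+0000
"""

PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x00000000022f1020 smss.exe            368      4 0x02a8c000 2010-08-11 06:06:21 UTC+0000
0x0000000001fe87f8 winlogon.exe        608    368 0x03ab4000 2010-08-11 06:06:23 UTC+0000
0x00000000022a0598 services.exe        652    608 0x03c00160 2010-08-11 06:06:24 UTC+0000
0x000000000221f020 lsass.exe           664    608 0x03c00200 2010-08-11 06:06:24 UTC+0000
0x00000000021e9830 svchost.exe        1024    652 0x03c00280 2010-08-11 06:06:24 UTC+0000
0x000000000225bda0 explorer.exe       1484   1464 0x03c003a0 2010-08-11 06:09:31 UTC+0000
0x0000000002118020 svchost.exe        1800   1484 0x03c00420 2010-08-11 06:12:02 UTC+0000
0x00000000020f6da0 svchost.exe        1932    652 0x03c004c0 2010-08-11 06:14:07 UTC+0000
0x0000000001f9c020 notepad.exe        1960   1484 0x03c00560 2010-08-11 06:15:40 UTC+0000 2010-08-11 06:16:02 UTC+0000
"""

if __name__ == "__main__":
    for p in find_hidden(PSLIST, PSSCAN):
        print(f"HIDDEN  {p.name:<14} pid={p.pid} ppid={p.ppid} offset={p.offset:#x}")
    for p, parent in find_parent_anomalies(PSLIST):
        print(f"PARENT  {p.name:<14} pid={p.pid} parent={parent} expected={sorted(EXPECTED_PARENT[p.name.lower()])}")
```

Keying on (name, PID) rather than on the offset is deliberate: pslist prints virtual and psscan physical addresses, so the offsets never line up. The exited-process filter matters in practice, since psscan routinely carves dozens of dead EPROCESS blocks from freed pool and each would otherwise look like a hidden process.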
Memory Forensics: Code Injection and Extraction
- Hunting Suspicious Loaded DLLs
- Detecting Unlinked DLLs with ldrmodules
- Exploring Virtual Address Descriptors (VAD)
- Translating Page Protections
- Finding Artifacts in Process Memory
- Identifying Injected Code with Malfind and YARA
- Rebuilding Executable Images from Memory
- Scanning for Imported Functions with impscan
- Dumping Suspicious Kernel Modules
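The VAD, page-protection and malfind topics above fit together as one heuristic: decode each region's protection, keep the private regions that are both writable and executable, drop the ones that were never written to, and look at what the rest contain. The following is an added example that models that logic over constructed VAD entries; it is not Volatility's malfind code. The protection decoding assumes the low three bits of the VAD protection field select the base protection and the next two bits add a cache, guard or write-combine modifier, in line with the public MM_* constants (which is also how Volatility's vadinfo labels them).

```python
"""Malfind-style triage of VAD regions, with the VAD protection field decoded.

Added example, not Volatility's own code. The VAD entries at the bottom are
constructed; in practice they come from the MMVAD tree (vadinfo/vaddump).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: low three bits = base protection (MM_ZERO_ACCESS .. MM_EXECUTE_WRITECOPY),
# bits 3-4 = modifier, as in the public MM_* constants.
BASE_PROTECT = ["PAGE_NOACCESS", "PAGE_READONLY", "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                "PAGE_READWRITE", "PAGE_WRITECOPY", "PAGE_EXECUTE_READWRITE",
                "PAGE_EXECUTE_WRITECOPY"]
MODIFIER = {0: "", 1: "PAGE_NOCACHE | ", 2: "PAGE_GUARD | ", 3: "PAGE_WRITECOMBINE | "}


def translate_protection(value: int) -> str:
    """Turn the raw 5-bit VadFlags.Protection value into the Win32 constant name."""
    base = value & 0x7
    if base == 0:
        return "PAGE_NOACCESS"  # a modifier on no-access memory means nothing
    return MODIFIER[(value >> 3) & 0x3] + BASE_PROTECT[base]


def is_writable_executable(value: int) -> bool:
    return (value & 0x7) in (6, 7)  # EXECUTE_READWRITE or EXECUTE_WRITECOPY


@dataclass
class Vad:
    start: int
    end: int
    protection: int             # raw VadFlags.Protection
    private: bool               # PrivateMemory flag: not backed by a file or section
    mapped_file: Optional[str]  # file name behind the ControlArea when file-backed
    head: bytes                 # first bytes of the region (constructed here)


def triage_vads(vads: List[Vad]) -> List[Tuple[int, str, str]]:
    """Core malfind heuristic: private RWX regions that have actually been written to.
    Returns (start address, protection name, verdict) for every hit."""
    findings: List[Tuple[int, str, str]] = []
    for v in vads:
        if not is_writable_executable(v.protection):
            continue                      # heaps, stacks, data: not executable
        if not v.private or v.mapped_file:
            continue                      # image loaded by the loader or a mapped section
        if not any(v.head):
            continue                      # committed but untouched: all zeros
        if v.head[:2] == b"MZ":
            verdict = "injected PE image (MZ header)"  # candidate for rebuilding from memory
        else:
            verdict = "shellcode / unbacked code"
        findings.append((v.start, translate_protection(v.protection), verdict))
    return findings


# Constructed sample: one legitimate image, a heap, an injected PE, an untouched RWX
# reservation and a small code stub.
SAMPLE_VADS = [
    Vad(0x01000000, 0x010FFFFF, 0x7, False, r"\WINDOWS\explorer.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    Vad(0x00130000, 0x0022FFFF, 0x4, True, None, b"\x00\x00\x00\x00\x48\x00\x00\x00"),
    Vad(0x01E60000, 0x01E8FFFF, 0x6, True, None, b"MZ\x90\x00\x03\x00\x00\x00"),
    Vad(0x02A00000, 0x02A0FFFF, 0x6, True, None, b"\x00" * 8),
    Vad(0x003D0000, 0x003D0FFF, 0x6, True, None, b"\x55\x8b\xec\x83\xec\x10\x33\xc0"),
]

if __name__ == "__main__":
    for start, prot, verdict in triage_vads(SAMPLE_VADS):
        print(f"{start:#010x} {prot:<24} {verdict}")
```

The all-zero check is what keeps malfind's output usable: many processes reserve RWX regions (JIT heaps, some packers) that are never written, and without it every one of them becomes a false positive. An MZ verdict is the cue for the next topic on the list, dumping the region and rebuilding a loadable executable from it, since the header in memory is usually intact even when the file on disk never existed.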
Memory Forensics: Rootkits
- Detecting IAT Hooks
- Detecting EAT Hooks
- Detecting Inline API Hooks
- Detecting Interrupt Descriptor Table (IDT) Hooks
- Detecting Driver IRP Hooks
- Detecting SSDT Hooks
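For the inline API hook topic above, the check a practitioner performs is mechanical: read the first bytes of each exported function, decode any unconditional control transfer planted there, resolve where it lands, and ask whether that address belongs to the module that owns the function. The following is an added example of that check, not code from the training or from Volatility's apihooks plugin. It is limited to 32-bit x86 encodings, and the module map, the export addresses and the entry bytes are all constructed (the module names and the 0x7C8xxxxx/0x7C9xxxxx bases are only illustrative).

```python
"""Inline API hook detection by decoding the control transfer at a function's entry.

Added example. Modules, export addresses and entry bytes below are constructed;
on a real image they come from the loaded-module list, the export tables and the
process address space respectively.
"""
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple


class Module(NamedTuple):
    name: str
    base: int
    size: int


class Hook(NamedTuple):
    function: str
    kind: str
    target: int
    owner: Optional[str]  # module containing the target, None if unbacked memory


def owner_of(addr: int, modules: List[Module]) -> Optional[str]:
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m.name
    return None


def decode_transfer(addr: int, code: bytes) -> Optional[Tuple[str, int]]:
    """Recognise the transfers hooks typically plant at an entry point (x86-32 only):
    JMP/CALL rel32, PUSH imm32; RET, and MOV EAX, imm32; JMP EAX."""
    if len(code) >= 5 and code[0] in (0xE9, 0xE8):
        rel = struct.unpack_from("<i", code, 1)[0]
        kind = "JMP rel32" if code[0] == 0xE9 else "CALL rel32"
        return kind, (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "PUSH/RET", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":
        return "MOV EAX/JMP EAX", struct.unpack_from("<I", code, 1)[0]
    return None


def find_inline_hooks(modules: List[Module], exports: Dict[str, Tuple[int, bytes]]) -> List[Hook]:
    """exports: function name -> (virtual address, first bytes at that address).
    A transfer that stays inside the function's own module is normal prologue code
    (forwarders, hotpatch stubs); one that leaves the module is reported as a hook."""
    hooks: List[Hook] = []
    for name, (addr, code) in exports.items():
        decoded = decode_transfer(addr, code)
        if decoded is None:
            continue
        kind, target = decoded
        owner = owner_of(target, modules)
        if owner != owner_of(addr, modules):
            hooks.append(Hook(name, kind, target, owner))
    return hooks


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode JMP rel32 from src to dst (used only to build the sample below)."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


# Constructed sample: evil.dll has hooked CreateFileW and LdrLoadDll, WriteFile jumps into
# unbacked memory, GetProcAddress and NtQuerySystemInformation are clean, and the last
# kernel32 export starts with an in-module jump that must not be reported.
MODULES = [Module("kernel32.dll", 0x7C800000, 0x000F6000),
           Module("ntdll.dll", 0x7C900000, 0x000B2000),
           Module("evil.dll", 0x10000000, 0x00020000)]

EXPORTS: Dict[str, Tuple[int, bytes]] = {
    "kernel32!CreateFileW": (0x7C810A40, jmp_rel32(0x7C810A40, 0x10001000) + b"\x90\x90\x90"),
    "kernel32!GetProcAddress": (0x7C80AE40, b"\x8b\xff\x55\x8b\xec\x83\xec\x10"),
    "kernel32!WriteFile": (0x7C810E27, b"\xb8" + struct.pack("<I", 0x00350000) + b"\xff\xe0\x90"),
    "ntdll!NtQuerySystemInformation": (0x7C90D7FE, b"\xb8\xad\x00\x00\x00\xba\x00\x03\xfe\x7f"),
    "ntdll!LdrLoadDll": (0x7C9163C3, b"\x68" + struct.pack("<I", 0x10002340) + b"\xc3\x90\x90"),
    "kernel32!ForwardedExport": (0x7C810000, jmp_rel32(0x7C810000, 0x7C8100A0) + b"\x90\x90\x90"),
}

if __name__ == "__main__":
    for h in find_inline_hooks(MODULES, EXPORTS):
        print(f"{h.function:<32} {h.kind:<16} -> {h.target:#010x} ({h.owner or 'unbacked memory'})")
```

A target in unbacked memory is the more interesting finding of the two kinds: a hook into a named DLL at least tells you which file to pull, while one into an anonymous RWX region points back at the injected code the previous section's topics are about. The same owner test applied to the value stored in each IAT slot, instead of to a decoded jump target, is the IAT hook check; the EAT check compares the export table's RVAs against the ones in the on-disk copy of the module.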
Memory Forensics: Network and Registry
- Exploring Socket and Connection Objects
- Analyzing Network Artifacts Left by Zeus
- Detecting Attempts to Hide TCP/IP Activity
- Detecting Raw Sockets and Promiscuous NICs
- Analyzing Registry Artifacts with Memory Registry Tools
- Sorting Keys by Last Written Timestamp