Why Analyze Memory?
- Malware has to execute.
- Everything that execute, runs through RAM
- Therefore, Malware has to run through RAM
How to preserve RAM.
Infected Machine should be left running.
What it Fileless malware
Does not touch the disk.
Encrypted Systems
- CPU runs in clear text.
2. Decryption first before running.
Dump Format: RAW
Live memory acquisition tools
Dump Format: Crash Dump
Generated during a crash
Dump Format: hiberfil.sys
Windows (laptops). Created during hibernation mode
Dump Format: EWF
Expert Witness Disk Image Format (EnCase)
Standard for analyzing memory Dumps
Dump Format: AFF4
WinPMEM.Memory Dump
Analysis Frameworks
- Rekall
2. Volatility
Volatility
Best known. Windows, Linux, Mac.
Rekall
Develop by Google
Six Investigation Steps
- Processes
- DLL and Handles
- Network
- Code Injection
- RootKits
- Dump
What is KDbg?
KDbg is a data structure for RAW memory image.
What is Memory Profile
Different Windows version have different profiles.
VM Metadata
Memory Images from VM contain Metadata
Why image conversion?
Volatility: needs RAW memory image.
