Abstract image of a woman sitting on books and studying on a laptop

Stop pulling the plug

Kamal Rathaur, profile picture
Kamal Rathaur

The document outlines the importance and methodology of memory forensics in incident response, highlighting how memory analysis can reveal evidence of malicious activity. It details the process of memory acquisition, analysis of suspicious processes, and the use of tools like Redline and Volatility for analysis. The advantages of memory forensics include retrieving clear text passwords, identifying running processes, and examining network connections specifically to detect malware that may attempt to hide its presence.

Technology
Related topics:
Computer Security Incident Response
1 of 17
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Stop Pulling The Plug
Incident Response Preparation Identification and Analysis Containment Eradication Recovery Lessons learnt
Why Memory Forensics  Everything in the OS traverses RAM  Best place to identify malicious software activity  Analyze and track recent activity on the system  Collect evidence that cannot be found anywhere else
Artifacts that can be found in Memory Processes Logged Users Drivers Open files Kernel Modules Unsaved documents Socket Information Live registries Passwords Video Buffers (Screenshots) Crypto Passphrases BIOS Memory Decrypted Files VOIP Calls Execution State Malicious Code Clipboard Material IM chats Network Drive buffers Rootkit Footprints
Advantages of Memory Forensics  Password in clear text in memory  Programs running  Open Documents / Files  Open content of compressed programs (packers)  Network Connections – current and recent  Crypto Keys (BitLocker, PGP Whole Disk Encryption, TrueCrypt etc.)  Command Line parameters (DOSKEY/cmd.exe)
The Malware Paradox  Malware may be successful at either hiding or executing, but it is nearly impossible to do both!  Malware can hide, but it has to execute to be effective.
Memory Forensics  Acquisition • Executing Memory • Pagefile • Hibernation file  Context • Find offset from the needed structures • Extract structures from memory • Isolate Processes
Memory Analysis Process 1. Identify Rouge processes 2. Analyze process DLLs and handles 3. Review Network Artifacts 4. Look for evidence of code injection 5. Check for signs of rootkit 6. Dump suspicious processes and drivers
Finding the First Hit Analyzing Processes Image Name Full Path Parent Process Command Line StartTime SIDs
Redline  Free but not open source  Identify Rouge processes  Was the process started at boot?  What user was logged on?  Any other suspicious processes?  Any further clues/string searches  Explore more  What did you collect so far…. Binaries/network connections/compromised user accounts……….Compare with live audit on the system
SIFT Forensic Workstation Download SANS SIFTWorkstation from http://computer- forensics.sans.org/community/downloads
Let’s start  Login "sansforensics"  Password "forensics"  $ sudo su Elevate privileges to root while mounting disk images.
Volatility  Free and open source  Vol.py –f <image> <plugin> -- profile=<profile>  Export VOLATILITY_LOCATION=file://<filepath>  ExportVOLATILITY_PROFILE=<profile>  Vol.py –f <image format 1> imagecopy –o <imageformat1.img>
It’s Show Time  Memory Analysis using Redline  Memory Analysis usingVolatility
What Next…  Volatility RegistryAnalysis  MemoryTimelining
References  Windows Forensic AnalysisToolkit – Harlan Carvey  https://www.mandiant.com/resources/downl oad/redline  https://code.google.com/p/volatility/  https://code.google.com/p/volatility/wiki/Sa mpleMemoryImages  https://http://computer- forensics.sans.org/community
THANK YOU  Kamal Ranjan Incident Response/Forensic Analyst @ FIS

More Related Content

PDF
Osint presentation nov 2019
Priyanka Aash
 
PPTX
Tools for Open Source Intelligence (OSINT)
Sudhanshu Chauhan
 
PPTX
OSINT using Twitter & Python
37point2
 
KEY
Enterprise Open Source Intelligence Gathering
Tom Eston
 
PPTX
Getting started with using the Dark Web for OSINT investigations
Olakanmi Oluwole
 
PDF
Osint ashish mistry
n|u - The Open Security Community
 
PPTX
Maltego
penetration Tester
 
PDF
OSINT x UCCU Workshop on Open Source Intelligence
Philippe Lin
 
Osint presentation nov 2019
Priyanka Aash
 
Tools for Open Source Intelligence (OSINT)
Sudhanshu Chauhan
 
OSINT using Twitter & Python
37point2
 
Enterprise Open Source Intelligence Gathering
Tom Eston
 
Getting started with using the Dark Web for OSINT investigations
Olakanmi Oluwole
 
Osint ashish mistry
n|u - The Open Security Community
 
Maltego
penetration Tester
 
OSINT x UCCU Workshop on Open Source Intelligence
Philippe Lin
 

What's hot (20)

PDF
Rv defcon25 osint tactics on source code intelligence - simon roses
reconvillage
 
PPT
Owasp osint presentation - by adam nurudini
Adam Nurudini
 
PPTX
Osint skills
FelixK4
 
PPTX
DataSploit - BlackHat Asia 2017
Shubham Mittal
 
PDF
OSINT- Leveraging data into intelligence
Deep Shankar Yadav
 
PPTX
Dark Arts Of Social Engineering
Nutan Kumar Panda
 
PDF
Osint primer
n|u - The Open Security Community
 
PPTX
Datasploit - An Open Source Intelligence Tool
Shubham Mittal
 
PPTX
osint - open source Intelligence
Osama Ellahi
 
PPTX
Hacker tool talk: maltego
Chris Hammond-Thrasher
 
PDF
Open Source Information Gathering Brucon Edition
Chris Gates
 
PDF
OSINT for Attack and Defense
Andrew McNicol
 
PPTX
OSINT Black Magic: Listen who whispers your name in the dark!!!
Nutan Kumar Panda
 
PDF
OSINT Basics for Threat Hunters and Practitioners
Megan DeBlois
 
PDF
What you need to know about OSINT
Jerod Brennen
 
PPTX
Let’s hunt the target using OSINT
Chandrapal Badshah
 
PDF
From OSINT to Phishing presentation
Jesse Ratcliffe, OSCP
 
PDF
Web application penetration testing lab setup guide
Sudhanshu Chauhan
 
PPTX
OSINT for Proactive Defense - RootConf 2019
RedHunt Labs
 
PDF
Open source intelligence information gathering (OSINT)
phexcom1
 
Rv defcon25 osint tactics on source code intelligence - simon roses
reconvillage
 
Owasp osint presentation - by adam nurudini
Adam Nurudini
 
Osint skills
FelixK4
 
DataSploit - BlackHat Asia 2017
Shubham Mittal
 
OSINT- Leveraging data into intelligence
Deep Shankar Yadav
 
Dark Arts Of Social Engineering
Nutan Kumar Panda
 
Osint primer
n|u - The Open Security Community
 
Datasploit - An Open Source Intelligence Tool
Shubham Mittal
 
osint - open source Intelligence
Osama Ellahi
 
Hacker tool talk: maltego
Chris Hammond-Thrasher
 
Open Source Information Gathering Brucon Edition
Chris Gates
 
OSINT for Attack and Defense
Andrew McNicol
 
OSINT Black Magic: Listen who whispers your name in the dark!!!
Nutan Kumar Panda
 
OSINT Basics for Threat Hunters and Practitioners
Megan DeBlois
 
What you need to know about OSINT
Jerod Brennen
 
Let’s hunt the target using OSINT
Chandrapal Badshah
 
From OSINT to Phishing presentation
Jesse Ratcliffe, OSCP
 
Web application penetration testing lab setup guide
Sudhanshu Chauhan
 
OSINT for Proactive Defense - RootConf 2019
RedHunt Labs
 
Open source intelligence information gathering (OSINT)
phexcom1
 
Ad

Viewers also liked (6)

PDF
Go with the flow
Kamal Rathaur
 
PDF
Osint
Kamal Rathaur
 
PDF
Dfrws eu 2014 rekall workshop
Tamas K Lengyel
 
PDF
Memory forensics and incident response
London School of Cyber Security
 
PPTX
Applying Memory Forensics to Rootkit Detection
Igor Korkin
 
PDF
2010 2013 sandro suffert memory forensics introdutory work shop - public
Sandro Suffert
 
Go with the flow
Kamal Rathaur
 
Osint
Kamal Rathaur
 
Dfrws eu 2014 rekall workshop
Tamas K Lengyel
 
Memory forensics and incident response
London School of Cyber Security
 
Applying Memory Forensics to Rootkit Detection
Igor Korkin
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
Sandro Suffert
 
Ad

Similar to Stop pulling the plug (20)

PPTX
01_BasicTechniquesTools.pptx "Malware creeps unseen, corrupting data and cont...
rohayiw496
 
PDF
Intro2 malwareanalysisshort
Vincent Ohprecio
 
PDF
SANS Digital Forensics and Incident Response Poster 2012
Rian Yulian
 
PPTX
Hunting Rootkit From the Dark Corners Of Memory
securityxploded
 
PPTX
Hunting rootkit from dark corners of memory
Cysinfo Cyber Security Community
 
PDF
Osquery
Animesh Roy
 
PPTX
Computer forensics
deaneal
 
PDF
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
PDF
Debian Linux as a Forensic Workstation
Vipin George
 
PDF
Real World Application Threat Modelling By Example
NCC Group
 
PDF
SOC-BlueTEam.pdf
BeratAkit
 
PDF
100 Security Operation Center Tools.pdf
MAHESHUMANATHGOPALAK
 
PDF
Super Easy Memory Forensics
IIJ
 
PPT
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin
 
PPTX
Finalppt metasploit
devilback
 
PPTX
Windows Live Forensics 101
Arpan Raval
 
PDF
soctool.pdf
nitinscribd
 
PPTX
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte
 
PPT
Ch11 system administration
Raja Waseem Akhtar
 
PPT
Ch11
Raja Waseem Akhtar
 
01_BasicTechniquesTools.pptx "Malware creeps unseen, corrupting data and cont...
rohayiw496
 
Intro2 malwareanalysisshort
Vincent Ohprecio
 
SANS Digital Forensics and Incident Response Poster 2012
Rian Yulian
 
Hunting Rootkit From the Dark Corners Of Memory
securityxploded
 
Hunting rootkit from dark corners of memory
Cysinfo Cyber Security Community
 
Osquery
Animesh Roy
 
Computer forensics
deaneal
 
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
Debian Linux as a Forensic Workstation
Vipin George
 
Real World Application Threat Modelling By Example
NCC Group
 
SOC-BlueTEam.pdf
BeratAkit
 
100 Security Operation Center Tools.pdf
MAHESHUMANATHGOPALAK
 
Super Easy Memory Forensics
IIJ
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin
 
Finalppt metasploit
devilback
 
Windows Live Forensics 101
Arpan Raval
 
soctool.pdf
nitinscribd
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte
 
Ch11 system administration
Raja Waseem Akhtar
 
Ch11
Raja Waseem Akhtar
 

Recently uploaded (20)

PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
PPTX
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
August Patch Tuesday
Ivanti
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PDF
Unlock new opportunities with location data.pdf
Precisely
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Modernising the Digital Integration Hub
Daniel Toomey
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Five Habits of High-Impact Board Members
OnBoard
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
The various Industrial Revolutions .pptx
bandileshozi3
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
August Patch Tuesday
Ivanti
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Unlock new opportunities with location data.pdf
Precisely
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 

Stop pulling the plug

  • 3. Why Memory Forensics  Everything in the OS traverses RAM  Best place to identify malicious software activity  Analyze and track recent activity on the system  Collect evidence that cannot be found anywhere else
  • 4. Artifacts that can be found in Memory Processes Logged Users Drivers Open files Kernel Modules Unsaved documents Socket Information Live registries Passwords Video Buffers (Screenshots) Crypto Passphrases BIOS Memory Decrypted Files VOIP Calls Execution State Malicious Code Clipboard Material IM chats Network Drive buffers Rootkit Footprints
  • 5. Advantages of Memory Forensics  Password in clear text in memory  Programs running  Open Documents / Files  Open content of compressed programs (packers)  Network Connections – current and recent  Crypto Keys (BitLocker, PGP Whole Disk Encryption, TrueCrypt etc.)  Command Line parameters (DOSKEY/cmd.exe)
  • 6. The Malware Paradox  Malware may be successful at either hiding or executing, but it is nearly impossible to do both!  Malware can hide, but it has to execute to be effective.
  • 7. Memory Forensics  Acquisition • Executing Memory • Pagefile • Hibernation file  Context • Find offset from the needed structures • Extract structures from memory • Isolate Processes
  • 8. Memory Analysis Process 1. Identify Rouge processes 2. Analyze process DLLs and handles 3. Review Network Artifacts 4. Look for evidence of code injection 5. Check for signs of rootkit 6. Dump suspicious processes and drivers
  • 9. Finding the First Hit Analyzing Processes Image Name Full Path Parent Process Command Line StartTime SIDs
  • 10. Redline  Free but not open source  Identify Rouge processes  Was the process started at boot?  What user was logged on?  Any other suspicious processes?  Any further clues/string searches  Explore more  What did you collect so far…. Binaries/network connections/compromised user accounts……….Compare with live audit on the system
  • 11. SIFT Forensic Workstation Download SANS SIFTWorkstation from http://computer- forensics.sans.org/community/downloads
  • 12. Let’s start  Login "sansforensics"  Password "forensics"  $ sudo su Elevate privileges to root while mounting disk images.
  • 13. Volatility  Free and open source  Vol.py –f <image> <plugin> -- profile=<profile>  Export VOLATILITY_LOCATION=file://<filepath>  ExportVOLATILITY_PROFILE=<profile>  Vol.py –f <image format 1> imagecopy –o <imageformat1.img>
  • 14. It’s Show Time  Memory Analysis using Redline  Memory Analysis usingVolatility
  • 15. What Next…  Volatility RegistryAnalysis  MemoryTimelining
  • 16. References  Windows Forensic AnalysisToolkit – Harlan Carvey  https://www.mandiant.com/resources/downl oad/redline  https://code.google.com/p/volatility/  https://code.google.com/p/volatility/wiki/Sa mpleMemoryImages  https://http://computer- forensics.sans.org/community
  • 17. THANK YOU  Kamal Ranjan Incident Response/Forensic Analyst @ FIS