n|u Dharamsala Humla : Memory Forensic by Tenzin Chokden

  1. Null Humla Session 0.1: Memory forensics with Volatility 2.4
  2. Steps in analysing. Usage: vol.py -f <image> --profile=<profile reported by imageinfo> <plugin>. The -f parameter locates the source memory image. imageinfo identifies the image and suggests profiles: vol.py -f sality.vmem imageinfo. With the profile chosen, run a plugin: vol.py -f sality.vmem --profile=WinXPSP2x86 connscan
  3. pstree: prints the process list as a tree (parent/child relationships). vol.py -f zeus.vmem --profile=WinXPSP2x86 pstree
  4. connscan: scans for TCP connection objects (XP/2003 images; it also recovers terminated or unlinked connections). vol.py -f zeus.vmem --profile=WinXPSP2x86 connscan
  5. Let's run the pstree command again... Interesting connections?
  6. printkey: prints a registry key, its subkeys and its values. vol.py -f zeus.vmem --profile=WinXPSP2x86 printkey -K "Microsoft\Windows\CurrentVersion\Run" and vol.py -f zeus.vmem --profile=WinXPSP2x86 printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
  7. malfind: finds hidden or injected code/DLLs. vol.py -f zeus.vmem --profile=WinXPSP2x86 malfind --dump-dir ~/code-injections
  8. Too much data? Let's narrow it down to one process: vol.py -f zeus.vmem --profile=WinXPSP2x86 malfind -p 856 --dump-dir ~/code-injections
  9. vol.py -f zeus.vmem --profile=WinXPSP2x86 printkey -K "ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile". This malware shuts down the firewall as well.
  10. EOF... Questions?
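The pstree/connscan step of slides 3 to 5 comes down to one question: which process owns a connection to the outside, and does that process sit where it should in the tree? The script below is an added example (not code from the talk or from Volatility) that parses the text output of the two plugins, flags processes with non-internal remote peers, checks the parent against what a clean Windows XP box looks like, and prints the follow-up malfind and procdump command lines from slides 7 and 8. The pstree and connscan text, the offsets, PIDs and timestamps are all constructed sample data; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for real command-and-control hosts, and the "internal" network list is an assumption you would set per case.

```python
import ipaddress
import re

IMAGE = "zeus.vmem"          # image and profile as used in the slides
PROFILE = "WinXPSP2x86"

# Constructed sample of `vol.py -f zeus.vmem --profile=WinXPSP2x86 pstree` output.
# Column layout follows Volatility 2.x; offsets, PIDs and timestamps are made up.
PSTREE_OUTPUT = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ --------------------
 0x810b1660:System                                      4      0     58    379 1970-01-01 00:00:00 UTC+0000
. 0x819d7a00:smss.exe                                 544      4      3     19 2010-08-11 06:06:21 UTC+0000
.. 0x81ec6a80:winlogon.exe                             632    544     24    536 2010-08-11 06:06:23 UTC+0000
... 0x81ec6c68:services.exe                            676    632     16    288 2010-08-11 06:06:24 UTC+0000
.... 0x8183d020:svchost.exe                            856    676     29    336 2010-08-11 06:06:24 UTC+0000
.. 0x81e7c0f0:csrss.exe                                608    544     10    410 2010-08-11 06:06:23 UTC+0000
 0x81c0a020:explorer.exe                             1724   1668     14    371 2010-08-11 06:09:29 UTC+0000
. 0x81b5bd90:svchost.exe                              1900   1724      1     17 2010-08-11 06:09:46 UTC+0000
"""

# Constructed sample of `connscan` output for the same image (same caveat).
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.176.143:1054       203.0.113.75:80           856
0x0211a4b8 172.16.176.143:1056       203.0.113.75:80           856
0x02214e48 172.16.176.143:1059       172.16.176.1:445          4
0x023a7f10 172.16.176.143:1061       198.51.100.12:8080        1900
"""

PSTREE_RE = re.compile(r"^\.*\s*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)\s")
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)")

# Ranges treated as "inside" for this case (assumption: RFC 1918, loopback, link-local).
# Anything else counts as an external peer.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Expected parent of core system processes on Windows XP (the profile in the slides).
# Vista and later differ (services.exe and lsass.exe hang off wininit.exe).
EXPECTED_PARENT_XP = {
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}


def parse_pstree(text):
    """Map pid -> {'name', 'ppid'} from pstree output."""
    procs = {}
    for line in text.splitlines():
        m = PSTREE_RE.match(line)
        if m:
            procs[int(m.group(2))] = {"name": m.group(1), "ppid": int(m.group(3))}
    return procs


def parse_connscan(text):
    """List of {'local', 'remote', 'rport', 'pid'} from connscan output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({"local": m.group(1), "remote": m.group(3),
                          "rport": int(m.group(4)), "pid": int(m.group(5))})
    return conns


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(pstree_text, connscan_text):
    """Correlate external connections with the process tree and propose next steps."""
    procs = parse_pstree(pstree_text)
    remotes_by_pid = {}
    for c in parse_connscan(connscan_text):
        if is_external(c["remote"]):
            remotes_by_pid.setdefault(c["pid"], set()).add(f'{c["remote"]}:{c["rport"]}')

    findings = []
    for pid, remotes in sorted(remotes_by_pid.items()):
        proc = procs.get(pid)
        name = proc["name"] if proc else "<not in pstree>"
        parent = procs[proc["ppid"]]["name"] if proc and proc["ppid"] in procs else "<unknown>"
        reasons = ["outbound to " + ", ".join(sorted(remotes))]
        if proc is None:
            # connscan also returns terminated/unlinked objects; a PID with no
            # process entry deserves a psscan to see whether it was hidden.
            reasons.append("PID owns a connection but has no process entry")
        expected = EXPECTED_PARENT_XP.get(name)
        if expected and parent != expected:
            reasons.append(f"parent is {parent}, expected {expected}")
        findings.append({
            "pid": pid, "name": name, "parent": parent, "reasons": reasons,
            "next": [f"vol.py -f {IMAGE} --profile={PROFILE} malfind -p {pid} --dump-dir ~/code-injections",
                     f"vol.py -f {IMAGE} --profile={PROFILE} procdump -p {pid} --dump-dir ~/dumps"],
        })
    return findings


if __name__ == "__main__":
    for f in triage(PSTREE_OUTPUT, CONNSCAN_OUTPUT):
        print(f'{f["pid"]} {f["name"]} (parent {f["parent"]}): ' + "; ".join(f["reasons"]))
        for cmd in f["next"]:
            print("   ", cmd)
```

On the sample data the script reports two processes: PID 856, a normally parented svchost.exe talking to port 80 outside, and PID 1900, an svchost.exe started by explorer.exe, which a service host should never be. The SMB connection from the System process to a LAN address is ignored. Feed it the real plugin output (`vol.py ... pstree > pstree.txt`) and adjust INTERNAL_NETS to the network the image came from.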

Editor's Notes

  • We have to select a profile, since by default Volatility takes WinXPSP2x86.
  • Looks like there is nothing wrong with the process... see whether it is making any connections.
    Run the sockets plugin as well.
  • See who owns the process and who its parent is.
    Run the IP through VirusTotal and see what comes back.
  • If it is connecting to a site, it will make sure to be persistent, since it makes no sense to lose the connection on a restart.
    Let's look in the registry for autorun entries.
    There are a lot of entries in the registry; we have to try them all.
  • These are possible code injections,
    but the exe you get here is not the whole process, only the injected part. You can always load it in a VM and start your normal analysis.
    If you want the whole process dump, the command is procdump -p <pid> --dump-dir <dir>.
  • The -p parameter selects a particular process.
    You can take a hash of it and will usually find something on VirusTotal:
    take an md5sum of both files and submit it to VirusTotal.
  • This malware shuts down the firewall as well.
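The registry part of the walk-through (slides 6 and 9, and the notes above on autorun entries and the firewall) is a matter of reading printkey output and spotting what does not belong. The script below is an added example, not code from the talk or from Volatility: it parses the printkey text format, lists Run entries that are not on an analyst-maintained known-good list, reports Winlogon Shell/Userinit values that deviate from the Windows XP defaults (a common place to append a logon hook), and checks whether EnableFirewall has been set to 0 in the StandardProfile key from slide 9. The three printkey outputs, the hive paths, timestamps and the upd32.exe entries are constructed sample data and are not indicators taken from the deck; the known-good list is an assumption you would fill in for your own image.

```python
import re

# Constructed output of the three printkey runs shown in the slides (Volatility 2.x
# layout). Paths, timestamps and the upd32.exe entries are made up for this example.
PRINTKEY_RUN = r"""
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Run (S)
Last updated: 2010-08-11 06:09:59 UTC+0000

Subkeys:

Values:
REG_SZ        VMware Tools    : (S) "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
REG_SZ        WinUpdate       : (S) C:\WINDOWS\system32\upd32.exe
"""

PRINTKEY_WINLOGON = r"""
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Last updated: 2010-08-11 06:09:59 UTC+0000

Values:
REG_SZ        Shell           : (S) Explorer.exe
REG_SZ        Userinit        : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\upd32.exe,
REG_DWORD     AutoRestartShell : (S) 1
"""

PRINTKEY_FIREWALL = r"""
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: StandardProfile (S)
Last updated: 2010-08-11 06:10:02 UTC+0000

Subkeys:
  (S) AuthorizedApplications
  (S) GloballyOpenPorts

Values:
REG_DWORD     EnableFirewall  : (S) 0
REG_DWORD     DoNotAllowExceptions : (S) 0
"""

KEY_RE = re.compile(r"^Key name:\s+(\S+)")
# printkey prints each value as: <REG_TYPE>  <name> : (S|V) <data>
VALUE_RE = re.compile(r"^(REG_\w+)\s+(.*?)\s*:\s*\((?:S|V)\)\s*(.*)$")

# Analyst-maintained known-good Run commands for this image (assumption; exact strings).
KNOWN_GOOD_RUN = {
    r'"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"',
}

# Values on a clean Windows XP install; anything appended to Userinit is a logon hook.
XP_WINLOGON_DEFAULTS = {
    "Shell": "Explorer.exe",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
}


def parse_printkey(text):
    """Return (key name, {value name: (type, data)}) from one printkey run."""
    key, values = None, {}
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm:
            values[vm.group(2)] = (vm.group(1), vm.group(3).strip())
    return key, values


def check_run(values, known_good=KNOWN_GOOD_RUN):
    """Run-key entries whose command is not on the known-good list."""
    return [(name, data) for name, (_t, data) in values.items() if data not in known_good]


def check_winlogon(values):
    """Shell/Userinit values that deviate from the XP defaults (case-insensitive)."""
    return [(name, values[name][1]) for name, default in XP_WINLOGON_DEFAULTS.items()
            if name in values and values[name][1].lower() != default.lower()]


def firewall_disabled(values):
    """True when EnableFirewall is a DWORD 0 (printkey prints DWORDs in decimal)."""
    vtype, data = values.get("EnableFirewall", ("", ""))
    return vtype == "REG_DWORD" and data == "0"


def persistence_report(run_text, winlogon_text, firewall_text):
    """Human-readable findings from the three printkey outputs."""
    findings = []
    _, run = parse_printkey(run_text)
    findings += [f"Run: {n} = {d}" for n, d in check_run(run)]
    _, wl = parse_printkey(winlogon_text)
    findings += [f"Winlogon: {n} = {d}" for n, d in check_winlogon(wl)]
    _, fw = parse_printkey(firewall_text)
    if firewall_disabled(fw):
        findings.append("StandardProfile: EnableFirewall = 0 (Windows Firewall disabled)")
    return findings


if __name__ == "__main__":
    for line in persistence_report(PRINTKEY_RUN, PRINTKEY_WINLOGON, PRINTKEY_FIREWALL):
        print(line)
```

On the sample data this yields three findings: the unknown Run entry, the extra executable appended to Userinit, and the disabled firewall. Pipe the real output in with `vol.py ... printkey -K "..." > run.txt` and extend KNOWN_GOOD_RUN as you clear entries; the same parser works for RunOnce, the per-user Run keys and the Services subkeys, which is what "we have to try them all" amounts to in practice.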