Null Humla Session 0.1
Memory forensics with Volatility 2.4

Usage
 vol.py -f <image> --profile=<profile reported by imageinfo> <plugin>
 -f parameter: points Volatility at the source memory image
   vol.py -f sality.vmem
 imageinfo: identifies the memory image and suggests the profile to use
   vol.py -f sality.vmem imageinfo
   vol.py -f sality.vmem --profile=WinXPSP2x86 connscan

Steps in Analysing

pstree
 Prints the process list as a tree.
   vol.py -f zeus.vmem --profile=WinXPSP2x86 pstree

connscan
 Scans for TCP connection objects.
   vol.py -f zeus.vmem --profile=WinXPSP2x86 connscan
 Let's run the pstree command again... Interesting connections??

printkey
 Prints a registry key together with its subkeys and values.
   vol.py -f zeus.vmem --profile=WinXPSP2x86 printkey -K "Microsoft\Windows\CurrentVersion\Run"
   vol.py -f zeus.vmem --profile=WinXPSP2x86 printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"

malfind
 Finds hidden or injected code/DLLs.
   vol.py -f zeus.vmem --profile=WinXPSP2x86 malfind --dump-dir ~/code-injections
   vol.py -f zeus.vmem --profile=WinXPSP2x86 malfind -p 856 --dump-dir ~/code-injections
 Too much data?? Let's narrow it down!!!
   vol.py -f zeus.vmem printkey -K "ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
 This malware shuts down the firewall as well.

EOF
QUESTIONS

n|u Dharamsala Humla : Memory Forensic by Tenzin Chokden

Editor's Notes

  1. We have to select a profile; by default Volatility assumes WinXPSP2x86.
  2. It looks like there is nothing wrong with the processes, so let's see whether any of them is making connections. Run the sockets plugin as well.
  3. See who owns the process and what its parent is. Run the IP through VirusTotal and see what comes back.
  4. If it is connecting to a site, it will make sure it is persistent, since it makes no sense to lose the connection on a restart. Let's look in the registry for autorun entries. There are a lot of entries in the registry; we have to try them all.
  5. These are possible code injections, but the exe you get here is not the whole process, only the injected part. You can always load it in a VM and start your normal analysis. If you want the whole process dumped, the plugin is procdump -p <pid> --dump-dir <dir>.
  6. The -p parameter selects a particular process. You can always take a hash of it and find something on VirusTotal: take an md5sum of both files and submit them to VirusTotal.
  7. This malware shuts down the firewall as well.
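The slides and the speaker notes together describe one workflow: identify the image, walk the process tree, scan connections, check autorun keys, pull injected code and full process dumps, hash them for VirusTotal, and finally read the firewall policy key. The script below is an added example, not code from the deck or its author; it strings those Volatility 2 steps together and keeps every plugin's output in a case directory. Assumed, not stated on the page: vol.py is on PATH, the image path is the first argument, and output goes to ./case-<image name>. Plugin names and registry paths are the ones shown on the slides; the sample imageinfo and connscan text embedded at the bottom is constructed so the helpers can be tried without an image.

```shell
#!/bin/sh
# Added example, not from the slides or the speaker: drives the deck's Volatility 2
# workflow end to end and keeps every plugin's output in a case directory.
# Assumed (not stated on the page): vol.py is on PATH, the image is the first
# argument, output goes to ./case-<image name>. Plugin names and registry key
# paths are the ones used on the slides.
set -eu

# First suggested profile from `vol.py -f IMAGE imageinfo` output (stdin), e.g.
#   Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
first_suggested_profile() {
    sed -n 's/^ *Suggested Profile(s) *: *\([^, (]*\).*/\1/p' | head -n 1
}

# Same, falling back to Volatility's default (WinXPSP2x86, as the speaker notes
# say) when imageinfo prints "No suggestion".
choose_profile() {
    p=$(first_suggested_profile)
    case "$p" in
        ""|No) echo "WinXPSP2x86" ;;
        *)     echo "$p" ;;
    esac
}

# Unique remote IPs from connscan output (stdin): the remote address is the third
# column, "ip:port"; the first two lines are the header. Each IP is a candidate
# for the VirusTotal lookup the speaker notes suggest.
connscan_remote_ips() {
    awk 'NR > 2 && $3 ~ /^[0-9.]+:[0-9]+$/ { split($3, a, ":"); print a[1] }' | sort -u
}

# Unique PIDs malfind flagged (stdin); its records start with
#   Process: <name> Pid: <pid> Address: 0x...
malfind_pids() {
    sed -n 's/^Process: .* Pid: \([0-9][0-9]*\) .*/\1/p' | sort -un
}

# md5 of every file dumped by malfind/procdump, for VirusTotal hash lookups
# without uploading the samples. md5sum runs once per file, so an empty
# directory yields no output instead of md5sum waiting on stdin.
hash_dumps() {
    find "$1" -type f -exec md5sum {} \;
}

# Run one plugin against $IMAGE/$PROFILE, log the command, save output to $CASE/<name>.txt.
run_plugin() {
    name=$1; shift
    printf '[*] vol.py -f %s --profile=%s %s\n' "$IMAGE" "$PROFILE" "$*" >> "$CASE/commands.log"
    vol.py -f "$IMAGE" --profile="$PROFILE" "$@" > "$CASE/$name.txt"
}

main() {
    IMAGE=$1
    CASE="case-$(basename "$IMAGE")"
    mkdir -p "$CASE/code-injections" "$CASE/procdump"

    # slide 2: identify the image and pick the profile
    vol.py -f "$IMAGE" imageinfo > "$CASE/imageinfo.txt"
    PROFILE=$(choose_profile < "$CASE/imageinfo.txt")

    # slides 3-5: processes and their connections
    run_plugin pstree pstree
    run_plugin connscan connscan
    connscan_remote_ips < "$CASE/connscan.txt" > "$CASE/remote-ips.txt"

    # slide 6: persistence via autorun keys
    run_plugin run-key printkey -K 'Microsoft\Windows\CurrentVersion\Run'
    run_plugin winlogon-key printkey -K 'Microsoft\Windows NT\CurrentVersion\Winlogon'

    # slides 7-8 and notes 5-6: injected code, full dumps of flagged processes, hashes
    run_plugin malfind malfind --dump-dir "$CASE/code-injections"
    for pid in $(malfind_pids < "$CASE/malfind.txt"); do
        run_plugin "procdump-$pid" procdump -p "$pid" --dump-dir "$CASE/procdump"
    done
    hash_dumps "$CASE/code-injections" > "$CASE/dump-hashes.txt"
    hash_dumps "$CASE/procdump" >> "$CASE/dump-hashes.txt"

    # slide 9: firewall policy key
    run_plugin firewall-key printkey -K 'ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
}

# Constructed sample output (not from a real image) so the helpers can be tried offline.
SAMPLE_IMAGEINFO='          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)'
SAMPLE_CONNSCAN='Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.176.143:1054       192.0.2.10:80             856
0x02088a10 172.16.176.143:1055       198.51.100.7:443          856
0x02089f00 172.16.176.143:1056       192.0.2.10:80             1024'

if [ "$#" -ge 1 ]; then
    main "$@"
else
    echo "profile:    $(printf '%s\n' "$SAMPLE_IMAGEINFO" | choose_profile)"
    echo "remote IPs: $(printf '%s\n' "$SAMPLE_CONNSCAN" | connscan_remote_ips | tr '\n' ' ')"
fi
```

Run it as `sh volatility-case.sh zeus.vmem` to produce the case directory; with no argument it only exercises the parsers on the constructed samples. Keeping commands.log and one file per plugin matters in practice: the notes say you will end up trying many registry keys, and a logged, reproducible run is what lets a second analyst check the same image later.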