2. Who am I
Monnappa K A
Info Security Investigator - Cisco CSIRT
Co-founder Cysinfo - Cyber Security Community
Author of Limon Sandbox
Malware Analysis, Reverse Engineering, Memory Forensics
Conferences - Black Hat, FIRST, 4SICS
Articles - eForensics, Hakin9, Hack Insight
3. Why Memory Forensics?
Finding and extracting forensic artifacts
Helps in malware analysis
Determining process, network, registry activities
Reconstructing original state of the system
Assists with unpacking, rootkit detection and reverse engineering
Sophisticated actors
Critical data exists in memory
4. Steps in Memory Forensics
Memory acquisition - Dumping the memory of a target machine
Memory analysis - Analyzing the memory dump for forensic artifacts
5. Memory Acquisition and tools
Process of acquiring volatile memory to non-volatile storage
On Physical Machines (Tools):
KnTTools
F-Response
Mandiant Memoryze
HBGary FastDump
MoonSols Windows Memory Toolkit (DumpIt)
On Virtual Machines:
Suspend the VM (.vmem)
6. Demo Scenario
Your security device alerts on an HTTP communication from 192.168.1.100 to the domain livedieoslix.com, which resolves to 192.168.1.3. You suspect 192.168.1.100 to be infected and are asked to investigate the machine.
- To start with, acquire the memory image "infected.dmp" from 192.168.1.100 using memory acquisition tools
- Analyze the memory dump "infected.dmp"
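The two steps above (acquire, then analyze) are shown below as an added example that is not part of the slide deck: a small Python triage script that records the SHA-256 of the acquired image and then scans it for the indicators from the scenario (the domain livedieoslix.com and the resolved address 192.168.1.3), looking for both ASCII and UTF-16LE encodings, since strings held by Windows user-mode processes are often wide. The SAMPLE_IMAGE bytes are constructed here to stand in for "infected.dmp"; on a real case the image would be read from disk and the string hits would be followed up with a proper memory analysis framework, which this script does not replace.

```python
import hashlib
import re

# Indicators from the demo scenario; the analyst would extend this list
# with anything else the alert provided.
INDICATORS = ["livedieoslix.com", "192.168.1.3"]

# Constructed stand-in for "infected.dmp": filler bytes around an HTTP
# request in ASCII, the domain as a UTF-16LE wide string, and the C2 IP.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"GET / HTTP/1.1\r\nHost: livedieoslix.com\r\n\r\n"
    + b"\x00" * 32
    + "livedieoslix.com".encode("utf-16-le")
    + b"\x00" * 32
    + b"192.168.1.3"
    + b"\x00" * 64
)


def sha256_of_image(data: bytes) -> str:
    """Hash the acquired image so the copy analysed can be tied to the one acquired."""
    return hashlib.sha256(data).hexdigest()


def build_patterns(indicators):
    """Compile each indicator in ASCII and UTF-16LE form (wide strings are common in Windows memory)."""
    patterns = []
    for ind in indicators:
        patterns.append((ind, "ascii", re.compile(re.escape(ind.encode("ascii")))))
        patterns.append((ind, "utf-16le", re.compile(re.escape(ind.encode("utf-16-le")))))
    return patterns


def scan_image(data: bytes, indicators, context: int = 16):
    """Return every occurrence of the indicators with its offset, encoding and surrounding bytes."""
    hits = []
    for ind, enc, pat in build_patterns(indicators):
        for m in pat.finditer(data):
            start = max(0, m.start() - context)
            end = min(len(data), m.end() + context)
            hits.append({
                "indicator": ind,
                "encoding": enc,
                "offset": m.start(),
                "context": data[start:end],
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def triage(data: bytes, indicators=INDICATORS):
    """Step 1 (integrity of the acquired image) and step 2 (first pass over it for the known IoCs)."""
    hits = scan_image(data, indicators)
    return {
        "sha256": sha256_of_image(data),
        "size": len(data),
        "hits": hits,
        "found": {h["indicator"] for h in hits},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_IMAGE)
    print(f"image sha256: {report['sha256']}  size: {report['size']} bytes")
    for h in report["hits"]:
        print(f"0x{h['offset']:08x} {h['encoding']:9s} {h['indicator']}  {h['context']!r}")
    print("indicators present:", sorted(report["found"]))
```

Every hit is reported with an offset, which is what an analyst needs next: mapping the offset back to a process and a virtual address (to learn which process held the URL) is the job of the memory analysis step, and string hits alone only show that the indicator is present somewhere in physical memory.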