Investigating Malware using Memory Forensics

•Télécharger en tant que PPTX, PDF•

3 j'aime•3,984 vues

Cysinfo Cyber Security Community

Logiciels

Monnappa K A
 Info Security Investigator - Cisco CSIRT
 Co-founder Cysinfo - Cyber Security Community
 Author of Limon Sandbox
 Malware Analysis, Reverse Engineering, Memory Forensics
 Conferences - Black Hat, FIRST, 4SICS
 Articles - eForensics, Hakin9, Hack Insight
Who am I

 Finding and extracting forensic artifacts
 Helps in malware analysis
 Determining process, network, registry activities
 Reconstructing original state of the system
 Assists with unpacking, rootkit detection and reverse
engineering
 Sophisticated actors
 Critical data exists in memory
Why Memory Forensics?

 Memory acquisition - Dumping the memory of a target
machine
 Memory analysis - Analyzing the memory dump for forensic
artifacts
Steps in Memory Forensics

Process of Acquiring Volatile memory to non volatile storage
On Physical Machines(Tools):
 KnTTools
 F-Response
 Mandiant Memoryze
 HBGary FastDump
 MoonSols Windows Memory Toolkit(DumpIt)
On Virtual Machines:
 Suspend the VM (.vmem)
Memory Acquisition and tools

Your security device alerts on a http communication from 192.168.1.100 to a domain livedieoslix.com which
resolves to 192.168.1.3, you suspect 192.168.1.100 to infected. You are asked to investigate the machine.
-To start with, acquire the memory image “infected.dmp” from 192.168.1.100, using memory acquisition
tools
- Analyze the memory dump “infected.dmp”
Demo-Scenario

Thank You !
@monnappa22
http://malware-unplugged.blogspot.in
monnappa22@gmail.com
Twitter:
Blog:
Gmail:

Contenu connexe

Tendances

Anatomy of Exploit Kitssecurityxploded

Reversing malware analysis training part10 exploit development basicsCysinfo Cyber Security Community

Automating malware analysis Cysinfo Cyber Security Community

Advanced malware analysis training session1 detection and removal of malwaresCysinfo Cyber Security Community

Reversing and decrypting communications of apt malwareCysinfo Cyber Security Community

Watering hole attacks case study analysisCysinfo Cyber Security Community

Basic malware analysissecurityxploded

Advanced Malware Analysis Training Session 7 - Malware Memory Forensicssecurityxploded

Reversing and Decrypting the Communications of APT Malware (Etumbot)securityxploded

Advanced malware analysis training session11 part2 dissecting the heart beat ...Cysinfo Cyber Security Community

Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwaressecurityxploded

Return addressCysinfo Cyber Security Community

Advanced malware analysis training session10 part1Cysinfo Cyber Security Community

Primer on password securitysecurityxploded

Malware analysisPrakashchand Suthar

Dll preloading-attackCysinfo Cyber Security Community

Understanding CryptoLocker (Ransomware) with a Case Studysecurityxploded

Advanced malware analysis training session6 malware sandbox analysisCysinfo Cyber Security Community

Pentesting with MetasploitPrakashchand Suthar

Reversing malware analysis trainingpart9 advanced malware analysisCysinfo Cyber Security Community

Tendances (20)

Anatomy of Exploit Kits

Reversing malware analysis training part10 exploit development basics

Automating malware analysis

Advanced malware analysis training session1 detection and removal of malwares

Reversing and decrypting communications of apt malware

Watering hole attacks case study analysis

Basic malware analysis

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics

Reversing and Decrypting the Communications of APT Malware (Etumbot)

Advanced malware analysis training session11 part2 dissecting the heart beat ...

Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares

Return address

Advanced malware analysis training session10 part1

Primer on password security

Malware analysis

Dll preloading-attack

Understanding CryptoLocker (Ransomware) with a Case Study

Advanced malware analysis training session6 malware sandbox analysis

Pentesting with Metasploit

Reversing malware analysis trainingpart9 advanced malware analysis

Similaire à Investigating Malware using Memory Forensics

N.sai kiran IIITA APsai Nagaragiri

2010 2013 sandro suffert memory forensics introdutory work shop - publicSandro Suffert

Digital forensics Adriana Backman

Msra 2011 windows7 forensics-troylaCTIN

Role of a Forensic InvestigatorAgape Inc

Digital forensic science and its scope manesh tManesh T

Memory ForensicsAnshul Tayal

Memory forensic analysis (aashish)ClubHack

3871778Christiaan Beek

Intro2 malwareanalysisshortVincent Ohprecio

Live Forensics Analysis Method for Random Access Memory on Laptop DevicesIJCSIS Research Publications

SANS Digital Forensics and Incident Response Poster 2012Rian Yulian

Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f

Debian Linux as a Forensic Workstation Vipin George

Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxsmile790243

Modern malware and threatsMartin Holovský

Open Source ForensicsCTIN

How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...AbundioTeca

Buffer overflow attacksJoe McCarthy

Assingment 5 - ENSAJeewanthi Fernando

Similaire à Investigating Malware using Memory Forensics (20)

N.sai kiran IIITA AP

2010 2013 sandro suffert memory forensics introdutory work shop - public

Digital forensics

Msra 2011 windows7 forensics-troyla

Role of a Forensic Investigator

Digital forensic science and its scope manesh t

Memory Forensics

Memory forensic analysis (aashish)

3871778

Intro2 malwareanalysisshort

Live Forensics Analysis Method for Random Access Memory on Laptop Devices

SANS Digital Forensics and Incident Response Poster 2012

Chetan-Mining_Digital_Evidence_in_Microsoft_Windows

Debian Linux as a Forensic Workstation

Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx

Modern malware and threats

Open Source Forensics

How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...

Buffer overflow attacks

Assingment 5 - ENSA

Plus de Cysinfo Cyber Security Community

Understanding Malware Persistence Techniques by Monnappa K ACysinfo Cyber Security Community

Understanding & analyzing obfuscated malicious web scripts by Vikram KharviCysinfo Cyber Security Community

Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKCysinfo Cyber Security Community

Emerging Trends in Cybersecurity by Amar PrustyCysinfo Cyber Security Community

A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiCysinfo Cyber Security Community

Closer look at PHP Unserialization by Ashwin ShenoiCysinfo Cyber Security Community

Unicorn: The Ultimate CPU Emulator by Akshay AjayanCysinfo Cyber Security Community

The Art of Executing JavaScript by Akhil MahendraCysinfo Cyber Security Community

Reversing and Decrypting Malware Communications by MonnappaCysinfo Cyber Security Community

DeViL - Detect Virtual Machine in Linux by SreelakshmiCysinfo Cyber Security Community

Analysis of android apk using adhrit by Abhishek J.MCysinfo Cyber Security Community

Understanding evasive hollow process injection techniques monnappa k aCysinfo Cyber Security Community

Security challenges in d2d communication by ajithkumar vyasaraoCysinfo Cyber Security Community

S2 e (selective symbolic execution) -shivkrishna aCysinfo Cyber Security Community

Dynamic binary analysis using angr siddharth muraleeCysinfo Cyber Security Community

Bit flipping attack on aes cbc - ashutosh ahelleyaCysinfo Cyber Security Community

Security Analytics using ELK stack Cysinfo Cyber Security Community

Linux Malware Analysis Cysinfo Cyber Security Community

Introduction to Binary Exploitation Cysinfo Cyber Security Community

ATM Malware: Understanding the threat Cysinfo Cyber Security Community

Plus de Cysinfo Cyber Security Community (20)

Understanding Malware Persistence Techniques by Monnappa K A

Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi

Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK

Emerging Trends in Cybersecurity by Amar Prusty

A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai

Closer look at PHP Unserialization by Ashwin Shenoi

Unicorn: The Ultimate CPU Emulator by Akshay Ajayan

The Art of Executing JavaScript by Akhil Mahendra

Reversing and Decrypting Malware Communications by Monnappa

DeViL - Detect Virtual Machine in Linux by Sreelakshmi

Analysis of android apk using adhrit by Abhishek J.M

Understanding evasive hollow process injection techniques monnappa k a

Security challenges in d2d communication by ajithkumar vyasarao

S2 e (selective symbolic execution) -shivkrishna a

Dynamic binary analysis using angr siddharth muralee

Bit flipping attack on aes cbc - ashutosh ahelleya

Security Analytics using ELK stack

Linux Malware Analysis

Introduction to Binary Exploitation

ATM Malware: Understanding the threat

Dernier

Architecture decision records - How not to get lost in the pastPapp Krisztián

SHRMPro HRMS Software Solutions PresentationShrmpro

Exploring the Best Video Editing App.pdfproinshot.com

Right Money Management App For Your Financial GoalsJhone kinadey

Announcing Codolex 2.0 from GDK SoftwareJim McKeeth

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan

%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba

%in Durban+277-882-255-28 abortion pills for sale in Durbanmasabamasaba

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171

The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE9953056974 Low Rate Call Girls In Saket, Delhi NCR

AI & Machine Learning Presentation TemplatePresentation.STUDIO

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba

VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale

Software Quality Assurance Interview QuestionsArshad QA

Microsoft AI Transformation Partner Playbook.pdfWilly Marroquin (WillyDevNET)

Define the academic and professional writing..pdfPearlKirahMaeRagusta1

Dernier (20)

Architecture decision records - How not to get lost in the past

SHRMPro HRMS Software Solutions Presentation

Exploring the Best Video Editing App.pdf

Right Money Management App For Your Financial Goals

Announcing Codolex 2.0 from GDK Software

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

%in Durban+277-882-255-28 abortion pills for sale in Durban

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE

AI & Machine Learning Presentation Template

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...

VTU technical seminar 8Th Sem on Scikit-learn

Software Quality Assurance Interview Questions

Microsoft AI Transformation Partner Playbook.pdf

Define the academic and professional writing..pdf

Investigating Malware using Memory Forensics

2. Monnappa K A  Info Security Investigator - Cisco CSIRT  Co-founder Cysinfo - Cyber Security Community  Author of Limon Sandbox  Malware Analysis, Reverse Engineering, Memory Forensics  Conferences - Black Hat, FIRST, 4SICS  Articles - eForensics, Hakin9, Hack Insight Who am I

3.  Finding and extracting forensic artifacts  Helps in malware analysis  Determining process, network, registry activities  Reconstructing original state of the system  Assists with unpacking, rootkit detection and reverse engineering  Sophisticated actors  Critical data exists in memory Why Memory Forensics?

4.  Memory acquisition - Dumping the memory of a target machine  Memory analysis - Analyzing the memory dump for forensic artifacts Steps in Memory Forensics

5. Process of Acquiring Volatile memory to non volatile storage On Physical Machines(Tools):  KnTTools  F-Response  Mandiant Memoryze  HBGary FastDump  MoonSols Windows Memory Toolkit(DumpIt) On Virtual Machines:  Suspend the VM (.vmem) Memory Acquisition and tools

6. Your security device alerts on a http communication from 192.168.1.100 to a domain livedieoslix.com which resolves to 192.168.1.3, you suspect 192.168.1.100 to infected. You are asked to investigate the machine. -To start with, acquire the memory image “infected.dmp” from 192.168.1.100, using memory acquisition tools - Analyze the memory dump “infected.dmp” Demo-Scenario

7. Video Demo

8. Thank You ! @monnappa22 http://malware-unplugged.blogspot.in monnappa22@gmail.com Twitter: Blog: Gmail:

Investigating Malware using Memory Forensics

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Investigating Malware using Memory Forensics

Similaire à Investigating Malware using Memory Forensics (20)

Plus de Cysinfo Cyber Security Community

Plus de Cysinfo Cyber Security Community (20)

Dernier

Dernier (20)

Investigating Malware using Memory Forensics