Memory Forensics Baselines
Science & Technology
As a continuation of the "Introduction to Memory Forensics" series, this episode covers a trio of Volatility plugins that can help us establish a baseline for processes, services, and drivers. We’ll use those plugins to compare a clean Windows 10 memory capture against one infected with malware, both based upon the same “gold” image (as we would likely find in an enterprise environment). We’ll then look at a few additional Volatility plugins that can help us identify the malicious code present within memory.
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
Introduction to Memory Forensics - Playlist:
• Introduction to Memory...
Volatility Baseline Plugin Suite:
github.com/csababarta/volatil...
Background Music Courtesy of Anders Enger Jensen:
/ hariboosx
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #MemoryForensics #MalwareAnalysis #Malware
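The episode's core idea, comparing a suspect capture against a clean capture of the same gold image, can also be done on saved Volatility 2 text output, which is useful where the baseline plugins themselves stop working on newer Windows builds. The script below is an added example, not code from the 13Cubed video or from the Volatility baseline plugin suite: it parses pslist and modules output from both images, compares processes as (name, parent name) pairs so that PIDs changing between boots do not cause noise, and compares kernel modules by name and on-disk path. All sample output, PIDs, offsets and the names upd4te.exe and netmon.sys are constructed for this example.

```python
"""Added example: diff Volatility 2 pslist/modules text output from a clean
"gold" image against the same output from a suspect image.  Not part of the
13Cubed video or the Volatility baseline plugin suite; sample data below is
constructed."""
import re

# Volatility 2 pslist rows: Offset(V) Name PID PPID ...
PSLIST_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\b")
# Volatility 2 modules rows: Offset(V) Name Base Size File
MODULES_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(\S+)\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(\S+)"
)

def parse_pslist(text):
    """Return {pid: (name, ppid)} from pslist output; header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line.strip())
        if m:
            name, pid, ppid = m.groups()
            procs[int(pid)] = (name.lower(), int(ppid))
    return procs

def process_lineage(procs):
    """Reduce a process table to a set of (name, parent_name) pairs.  A parent
    that has already exited (PPID not in the list) is recorded as <unknown>,
    so explorer.exe under a gone userinit.exe compares equal across images."""
    lineage = set()
    for name, ppid in procs.values():
        parent = procs.get(ppid, ("<unknown>", None))[0]
        lineage.add((name, parent))
    return lineage

def parse_modules(text):
    """Return {module_name: path} from modules output."""
    mods = {}
    for line in text.splitlines():
        m = MODULES_RE.match(line.strip())
        if m:
            name, path = m.groups()
            mods[name.lower()] = path.lower()
    return mods

def diff_processes(baseline_text, suspect_text):
    """(name, parent) pairs present in the suspect image but not in the baseline."""
    base = process_lineage(parse_pslist(baseline_text))
    susp = process_lineage(parse_pslist(suspect_text))
    return sorted(susp - base)

def diff_modules(baseline_text, suspect_text):
    """Modules that are new, or loaded from a different path, in the suspect image."""
    base = parse_modules(baseline_text)
    susp = parse_modules(suspect_text)
    findings = []
    for name, path in sorted(susp.items()):
        if name not in base:
            findings.append((name, path, "not in baseline"))
        elif base[name] != path:
            findings.append((name, path, "path differs from baseline: " + base[name]))
    return findings

# Constructed pslist output (trailing columns abbreviated); PIDs differ per boot.
BASELINE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xffffe0001a2b3040 System                    4      0    120      800 ------      0 2019-03-01 10:00:00 UTC+0000
0xffffe0001b0c1080 smss.exe                304      4      2       50 ------      0 2019-03-01 10:00:01 UTC+0000
0xffffe0001b5e4080 wininit.exe             480    396      1       80      0      0 2019-03-01 10:00:02 UTC+0000
0xffffe0001b7f5080 services.exe            592    480      6      300      0      0 2019-03-01 10:00:03 UTC+0000
0xffffe0001b8a6080 svchost.exe             724    592     12      400      0      0 2019-03-01 10:00:04 UTC+0000
0xffffe0001c1b7080 explorer.exe           2104   2060     40     1200      1      0 2019-03-01 10:01:00 UTC+0000
"""
SUSPECT_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xffffe0002a2b3040 System                    4      0    124      820 ------      0 2019-03-05 08:00:00 UTC+0000
0xffffe0002b0c1080 smss.exe                300      4      2       50 ------      0 2019-03-05 08:00:01 UTC+0000
0xffffe0002b5e4080 wininit.exe             488    404      1       80      0      0 2019-03-05 08:00:02 UTC+0000
0xffffe0002b7f5080 services.exe            600    488      6      310      0      0 2019-03-05 08:00:03 UTC+0000
0xffffe0002b8a6080 svchost.exe             740    600     12      410      0      0 2019-03-05 08:00:04 UTC+0000
0xffffe0002c1b7080 explorer.exe           2212   2180     41     1230      1      0 2019-03-05 08:01:00 UTC+0000
0xffffe0002c9e8080 svchost.exe            3188   2212      3       90      1      0 2019-03-05 08:07:12 UTC+0000
0xffffe0002d0f9080 upd4te.exe             3320   3188      2       60      1      0 2019-03-05 08:07:15 UTC+0000
"""
# Constructed modules output; the suspect image has one extra driver from a temp path.
BASELINE_MODULES = r"""
Offset(V)          Name                 Base                             Size File
0xffffe00019c4d0a0 ntoskrnl.exe         0xfffff80002a00000           0x7a1000 \SystemRoot\system32\ntoskrnl.exe
0xffffe00019c4d1b0 hal.dll              0xfffff80003200000            0x4a000 \SystemRoot\system32\hal.dll
0xffffe00019c4d2c0 tcpip.sys            0xfffff80004100000           0x2a0000 \SystemRoot\System32\drivers\tcpip.sys
"""
SUSPECT_MODULES = BASELINE_MODULES + (
    r"0xffffe00029c4d3d0 netmon.sys           0xfffff80005a00000            0x12000 \??\C:\Users\analyst\AppData\Local\Temp\netmon.sys" + "\n"
)

if __name__ == "__main__":
    for name, parent in diff_processes(BASELINE_PSLIST, SUSPECT_PSLIST):
        print(f"[process] {name} (parent {parent}) not seen in baseline")
    for name, path, why in diff_modules(BASELINE_MODULES, SUSPECT_MODULES):
        print(f"[driver] {name} {path}: {why}")
```

Run against the constructed data it reports the svchost.exe instance parented by explorer.exe, its child upd4te.exe, and the netmon.sys driver loaded from a user temp directory, while the legitimate processes, whose PIDs differ between the two captures, produce no noise. For real captures, replace the embedded strings with the saved output of `vol.py ... pslist` and `vol.py ... modules` from each image.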
Comments: 18
I'm also a student in Digital Forensics and Cyber security. Your videos helped me with deciding what Final Year Project to choose. Very well laid-out explanations of complex things. Your videos are amazing - all of them. Time well spent. Thank you
Thank you so much for your videos. I've been going through them like crazy. I'm a student in Digital forensics but I want to move more towards IR and your videos are excellent for that.
Really cool! Thanks!
Thanks for the video...
thank you for your videos
I really wanna try this but I don't have a SIFT workstation, and I have tried to download it from SANS with my account; it didn't work, I got some error. Any help? Cuz I really wanna download that img. Anyhow, currently I have Windows SIFT, acquired during my FOR500 course.
@13Cubed
4 years ago
You can install SIFT on top of an existing Ubuntu installation. Check this out: github.com/teamdfir/sift-cli
I'm having trouble with my volatility :( It doesn't seem to accept the baseline plugin :(
@13Cubed
4 years ago
What kind of error do you receive when you try?
@hejieronymus
4 years ago
@13Cubed I think it was the code itself? It doesn't seem to accept the inputs properly
Hi Richard, I've watched both series, Windows and memory forensics, and I have practiced memory forensics enough by analyzing different malware; now I'm forensicating my own laptop. One thing is irritating me: why does the driverbl plugin not return anything? The output is always null. I installed Magnet RAM Capture today just to try it; through the modules plugin I found that it loads the driver from the following directory, C:\Users\Muhammad Noman\Downloads\MRCFA2D.tmp, and it is not found in the clean image that I had taken a while back. Driverbl didn't notify me about that kernel-loaded module. Why?
@13Cubed
3 years ago
That series of plug-ins has not been updated in quite a while and I have seen issues with newer builds of Windows 10. Step back to an older version of Windows, like 7, and see if you have different results.
@muhammadnoman06
3 years ago
@13Cubed But I'm getting results for servicebl and processbl. Thanks for the reply, Sir.
@13Cubed
3 years ago
@muhammadnoman06 Yes, it's driverbl that doesn't return results.
Can you please comment the link for images?
@13Cubed
4 years ago
The memory images used here are not publicly available. However, the "Pulling Threads" episode within this series (kzread.info/dash/bejne/max1lMmjc7TZXdI.html) does have a memory sample you can download and use to follow along (you'll find the link in that episode's description).
The intro is super loud relative to the content; be careful if wearing headphones.
@13Cubed
2 years ago
Yeah sorry about that -- much better/different in newer episodes.