Rootkits are tools and techniques used to hide malicious modules from system monitoring.
There are commercial tools that provide access to the Volume Shadow Copies within a forensic image, but how can this data source be accessed using only free tools?
Injecting code into another process's memory is not limited to shellcode or DLLs. The PE injection technique makes it possible to inject and run a complete executable module inside another process's memory.
The Netflix Security Intelligence and Response Team (SIRT) has released (under the Apache 2.0 license) a triage tool to help digital forensics and incident response teams quickly identify compromised hosts on which to focus their response. The tool, written in Python 3 and named "Diffy", is strictly focused on security incidents on cloud architectures.
Recently I've published this post, focused on hunting malware using Volatility and YARA rules.