Andrea Fortuna
Just some random thoughts about the Meaning of Life, The Universe, and Everything

CrowdStrike released SuperMem, a great tool for automated Windows memory analysis.

Some days ago, during a brief memory analisys demonstration with Volatility, I’ve used a memory dump of a system infected with the “old-but-gold” Stuxnet.
But, one of the spectators asked me additional info about this malware, so I decided to collect some informations about the story of this “iconic” malware strain.

Currently, there are a lot of good forensics commercial tools, can be used to perform a whole dfir workflow. However, several analyst anche companies cannot afford the purchase of those (awesome) tools.

Recently I’ve already written about Cobalt Strike detection during forensics analysis. However, some followers asked my if it was possibile to perform this activities using Volatility, in order to integrate them in existing analysis workflows.

Today I want to briefly take up a topic already addressed in a previous post: analysis of Windows 10 memory dumps using Volatility 2.

In my previous posts I often covered many tools and techniques that allows memory acquisition from a Windows system. However, I written few articles about Linux memory acquisition and analysis, only one brief post regarding memory profiles generation on Linux, using LiME.

In last years, the way that operating systems are developed, deployed, and maintained evolved quickly.
Similarly, the skillsets of memory analysts and their preferred work flows have changed to meet a world with increasingly large volumes of complex data.
In order to address these challenges, the Volatility development team has developed an entirely new version of the framework.

When you start analyzing a Linux memory dump using volatility, the first problem you may need to face is choosing the correct memory profile.

Memory analysis on Windows 10 is pretty different from previous Windows versions: a new feature, called Memory Compression, make it necessary a forensic tool able to read compressed memory pages.

The hibernation file (hiberfil.sys) is the file used by default by Microsoft Windows to save the machine’s state as part of the hibernation process.