Often, during an incident response, it may be necessary to analyze a lot of evidence, such as disk and memory dumps.
Tag: volatility
Malhunt: automated malware search in memory dumps
Recently I published this post, focused on hunting malware using Volatility and YARA rules.
Digital forensics chronicles: image identification issues on large memory dump with Volatility
Spoiler: shame on DumpIt!
Finding malware on memory dumps using Volatility and Yara rules
Previously I have talked a lot about Volatility, and I have also published some articles about YARA. Today I would like to share a brief and simple workflow, useful for a first high-level analysis of memory dumps in order to search for the presence of generic malware.
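What the Volatility/YARA workflow actually produces is a list of pattern hits, each tied to an offset and to the process that owns that memory. The block below is an added example, not code from this blog or from Volatility: it is a minimal stand-in for `vol.py -f <dump> --profile=<profile> yarascan --yara-file=rules.yar`, run over a constructed 20 KiB "memory image" with a constructed process region table and three constructed signatures in place of real YARA rules, so that the hit-to-process mapping and the triage count per process are visible without a real dump.

```python
"""Minimal yarascan-style sweep over a memory image (added example).

Not Volatility's code: a small simulation of what yarascan reports, so the
relation between a pattern hit, its physical offset and the owning process
is visible.  The image, the region table and the rules are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed signatures standing in for YARA rules (rule name -> byte
# patterns).  With yarascan these would come from a .yar file.
RULES: Dict[str, List[bytes]] = {
    "mz_header_in_heap": [rb"MZ\x90\x00"],
    "suspicious_url": [rb"https?://[A-Za-z0-9./_-]+"],
    "mimikatz_string": [rb"sekurlsa::logonpasswords"],
}


@dataclass(frozen=True)
class Region:
    pid: int
    name: str
    start: int   # first offset of the region in the image
    end: int     # one past the last offset


# Constructed process map: which offsets belong to which process.
REGIONS: List[Region] = [
    Region(1234, "explorer.exe", 0x1000, 0x3000),
    Region(4321, "svchost.exe", 0x3000, 0x5000),
]


@dataclass(frozen=True)
class Hit:
    rule: str
    pid: int
    process: str
    offset: int
    data: bytes   # 16 bytes of context, as yarascan prints


def build_fake_image() -> bytes:
    """Constructed 20 KiB 'memory dump' with a few artefacts planted in it."""
    buf = bytearray(b"\x00" * 0x5000)

    def plant(off: int, data: bytes) -> None:
        buf[off:off + len(data)] = data

    plant(0x0200, b"MZ\x90\x00")                                 # outside any process region
    plant(0x1800, b"http://update.example.invalid/x.php\x00")  # inside explorer.exe
    plant(0x3100, b"MZ\x90\x00\x03\x00\x00\x00")                 # PE header in svchost heap
    plant(0x4000, b"sekurlsa::logonpasswords\x00")              # mimikatz command string
    return bytes(buf)


def owner_of(offset: int, regions: List[Region]) -> Optional[Region]:
    return next((r for r in regions if r.start <= offset < r.end), None)


def scan(image: bytes, rules: Dict[str, List[bytes]] = RULES,
         regions: List[Region] = REGIONS) -> List[Hit]:
    """Run every pattern over the image and attribute each hit to a process."""
    hits: List[Hit] = []
    for rule, patterns in rules.items():
        for pat in patterns:
            for m in re.finditer(pat, image):
                r = owner_of(m.start(), regions)
                pid, name = (r.pid, r.name) if r else (0, "(no owning process)")
                hits.append(Hit(rule, pid, name, m.start(),
                                image[m.start():m.start() + 16]))
    return sorted(hits, key=lambda h: h.offset)


def hits_per_process(hits: List[Hit]) -> Dict[Tuple[int, str], int]:
    """Triage view: how many rules fired inside each process."""
    counts: Dict[Tuple[int, str], int] = {}
    for h in hits:
        counts[(h.pid, h.process)] = counts.get((h.pid, h.process), 0) + 1
    return counts


def format_hit(h: Hit) -> str:
    """One line in the spirit of yarascan's output."""
    hexpart = " ".join(f"{b:02x}" for b in h.data)
    return f"Rule: {h.rule}  Owner: Process {h.process} Pid {h.pid}  0x{h.offset:08x}  {hexpart}"


if __name__ == "__main__":
    found = scan(build_fake_image())
    for hit in found:
        print(format_hit(hit))
    for (pid, name), n in hits_per_process(found).items():
        print(f"{name} (pid {pid}): {n} hit(s)")
```

The per-process count is the part worth keeping in a real triage: a single `MZ` header in a heap is noise, a process that collects several different rule hits is where `malfind` and `dlllist` should go next.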
Volatility tips: how to extract text typed in a notepad window from a Windows memory dump
In a comment on my article Volatility, my own cheatsheet (Part 3): Process Memory, Fabrizio asked me (translated from Italian): […] from a memory dump on a win7 system, I found out that notepad was running, is it possible to view its contents? …
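Notepad keeps the text of its edit control in memory as UTF-16LE, so after dumping the process with `vol.py -f <dump> --profile=<profile> memdump -p <pid> -D out/` the typed text shows up with `strings -e l` rather than with plain `strings`. The block below is an added example, not code from this blog: it performs that same wide-string extraction in Python over a constructed process-memory buffer, alongside a plain ASCII extraction, so the difference between the two is visible.

```python
"""Pull UTF-16LE ("wide") strings out of a process memory dump (added example).

Not the blog's code: the Python equivalent of `strings -e l -n 6 <memdump>`,
next to the plain `strings -n 6` pass, run over a constructed buffer that
stands in for a Notepad memdump.
"""
import re
from typing import List, Tuple

MIN_CHARS = 6   # same cut-off as `strings -n 6`

# Printable ASCII byte followed by a 0x00 high byte, repeated MIN_CHARS+ times.
# Like `strings -e l`, this only recovers the ASCII subset of the UTF-16 text;
# a 0x00 high byte is never printable, so a run cannot start mis-aligned.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_CHARS)
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_CHARS)


def build_fake_memdump() -> bytes:
    """Constructed buffer imitating a Notepad memdump: a narrow path string,
    some binary noise, the typed text as UTF-16LE, and a too-short wide string."""
    typed = "Meeting at 10:30, bring the password list".encode("utf-16-le")
    return (b"\x00" * 64
            + b"C:\\Windows\\System32\\notepad.exe\x00"   # narrow (ASCII) string
            + b"\xff\xfe\x01\x02" * 8                      # binary noise
            + typed + b"\x00\x00"                          # the edit-control text
            + b"\x00" * 32
            + "ok".encode("utf-16-le")                     # below MIN_CHARS, ignored
            + b"\x90\x90\x90" * 10)


def wide_strings(data: bytes) -> List[Tuple[int, str]]:
    """(offset, text) for every UTF-16LE run of at least MIN_CHARS characters."""
    return [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]


def ascii_strings(data: bytes) -> List[Tuple[int, str]]:
    """(offset, text) for every plain ASCII run: what `strings` alone would show."""
    return [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]


def find_text(data: bytes, needle: str) -> List[int]:
    """Offsets of wide strings containing `needle` (case-insensitive), i.e. the
    'grep for what the user might have typed' step."""
    return [off for off, s in wide_strings(data) if needle.lower() in s.lower()]


if __name__ == "__main__":
    dump = build_fake_memdump()
    print("narrow strings:", ascii_strings(dump))
    print("wide strings:  ", wide_strings(dump))
    print("offsets mentioning 'password':", [hex(o) for o in find_text(dump, "password")])
```

On a real memdump the wide-string pass returns far more than the typed text (window titles, paths, registry strings), so the keyword search or a comparison against the strings of a clean Notepad process is what isolates the user's input.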