volatility – So Long, and Thanks for All the Fish

AutoTimeliner: automatically extract forensic timeline from memory dumps

Posted on November 19, 2018November 21, 2018 by Andrea Fortuna

Often, during an incident response, may be necessary to analyze a lot of evidences, like disk and memory dumps.

Malhunt: automated malware search in memory dumps

Posted on July 30, 2018July 23, 2018 by Andrea Fortuna

Recently i’ve published this post focused on hunting malware using volatility and Yara rules.

Digital forensics chronicles: image identification issues on large memory dump with Volatility

Posted on July 25, 2018July 19, 2018 by Andrea Fortuna

Spoiler: shame on DumpIT!

Finding malware on memory dumps using Volatility and Yara rules

Posted on July 16, 2018July 5, 2018 by Andrea Fortuna

Previously i’ve talked a lot about Volatility, and i’ve published also some articles about YARA. Today i’d like share a brief and simple workflow, useful for a first high-level analysis of memory dumps in order to search the presence of a generic malware.

Volatility tips: how to extract text typed in a notepad window from a Windows memory dump

Posted on March 2, 2018March 5, 2018 by Andrea Fortuna

In a comment on my article Volatility, my own cheatsheet (Part 3): Process Memory, Fabrizio asked me: […] da un dump di memoria su un sistema win7, ho rilevato che era in esecuzione notepad, è possibile visualizzarne il contenuto? ([…] from a memory dump on a win7 system, I found out that notepad was running,…

Older posts →