In last years, the way that operating systems are developed, deployed, and maintained evolved quickly.
Similarly, the skillsets of memory analysts and their preferred work flows have changed to meet a world with increasingly large volumes of complex data.
In order to address these challenges, the Volatility development team has developed an entirely new version of the framework.
When you start analyzing a Linux memory dump using volatility, the first problem you may need to face is choosing the correct memory profile.
Continue…Memory analysis on Windows 10 is pretty different from previous Windows versions: a new feature, called Memory Compression, make it necessary a forensic tool able to read compressed memory pages.
Continue…The hibernation file (hiberfil.sys) is the file used by default by Microsoft Windows to save the machine’s state as part of the hibernation process.
Continue…A very brief post, just a reminder about a very useful volatility feature.
Continue…Previously i’ve talked a lot about Volatility, and i’ve published also some articles about YARA.
Today i’d like share a brief and simple workflow, useful for a first high-level analysis of memory dumps in order to search the presence of a generic malware.
Continue…In a comment on my article Volatility, my own cheatsheet (Part 3): Process Memory, Fabrizio asked me:
[…] da un dump di memoria su un sistema win7, ho rilevato che era in esecuzione notepad, รจ possibile visualizzarne il contenuto?
([…] from a memory dump on a win7 system, I found out that notepad was running, can I view its contents?)