Finding Metasploit’s Meterpreter Traces With Memory Forensics

Tuesday, April 03, 2018 (08:50:47)

by Oleg Skulkin & Igor Mikhaylov

Metasploit Framework is not only very popular among pentesters but is also quite often used by real adversaries. So why is memory forensics important here? Because Meterpreter, for example, an advanced, dynamically extensible Metasploit payload, resides entirely in memory and writes nothing to the victim's drive. In this article we will show you how to use the Volatility Framework to find Metasploit traces with memory forensics.

As we are analyzing a memory image, first of all we should gather information about the operating system to choose the right Volatility profile. If you ask us, the best practice here is to document the OS version during the memory imaging process, as Volatility does not always detect it correctly. Anyway, if you receive the memory image from a third party and the OS version is unknown, use the imageinfo plugin.
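The profile selection step above is where analysts most often go wrong, because imageinfo's "Suggested Profile(s)" line is a heuristic (KDBG-based) guess rather than a fact. The following Python is an added example, not code from the article or from the Volatility project: it parses Volatility 2 imageinfo output, reconciles the suggestions with the OS version documented at acquisition time (if any), and builds the next command line. The imageinfo output, the image path and the hypothetical documented profile are all constructed sample values.

```python
"""Choose a Volatility 2 profile from imageinfo output (added example, not the authors' code)."""
import re

# Constructed sample of `vol.py -f memory.raw imageinfo` output; every value is made up,
# but the layout ("key : value" lines, comma-separated suggested profiles) follows Volatility 2.
SAMPLE_IMAGEINFO = """Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/memory.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c3e0a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c3fd00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-03-20 10:15:42 UTC+0000
     Image local date and time : 2018-03-20 13:15:42 +0300
"""


def parse_imageinfo(text):
    """Turn the 'key : value' lines of imageinfo output into a dict.

    Splits on the first colon only, so timestamps (which contain colons) stay intact;
    the INFO log line and the banner line are skipped.
    """
    info = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("INFO") or ":" not in stripped:
            continue
        key, _, value = stripped.partition(":")
        info[key.strip()] = value.strip()
    return info


def suggested_profiles(info):
    """Return the suggested profiles in the order Volatility listed them."""
    raw = info.get("Suggested Profile(s)", "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def image_path(info):
    """Recover the image file path from the FileAddressSpace layer, if present."""
    match = re.search(r"FileAddressSpace \((.+)\)", info.get("AS Layer2", ""))
    return match.group(1) if match else None


def choose_profile(info, documented_profile=None):
    """Pick the profile to use and explain the choice.

    The profile recorded during acquisition wins when one exists, because imageinfo's
    suggestions are heuristic; a mismatch is reported so the analyst re-checks the notes.
    Returns a (profile, note) tuple.
    """
    profiles = suggested_profiles(info)
    if not profiles:
        return None, "imageinfo suggested no profile; verify the image or try kdbgscan"
    if documented_profile is None:
        return profiles[0], "no documented OS version; using the first heuristic suggestion"
    if documented_profile in profiles:
        return documented_profile, "documented OS version agrees with imageinfo"
    return documented_profile, (
        "documented profile %s not among suggestions %s; verify acquisition notes"
        % (documented_profile, ", ".join(profiles))
    )


def build_command(info, profile, plugin="pslist"):
    """Build the next Volatility 2 invocation (-f and --profile= are real vol.py options)."""
    path = image_path(info) or "<memory image>"
    return "vol.py -f %s --profile=%s %s" % (path, profile, plugin)


if __name__ == "__main__":
    info = parse_imageinfo(SAMPLE_IMAGEINFO)
    # "Win10x64_17134" is a hypothetical documented value, chosen to show the mismatch path.
    for documented in (None, "Win7SP0x64", "Win10x64_17134"):
        profile, note = choose_profile(info, documented)
        print("%-16s -> %s (%s)" % (documented, profile, note))
        print("   ", build_command(info, profile))
```

The mismatch branch is the interesting one: when the acquisition notes name a profile that imageinfo did not suggest, the script still prefers the documented value but says so, which is exactly the situation the authors' advice to record the OS version at imaging time is meant to catch.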
