General Volatility question

packetsmacker
(@packetsmacker)
New Member

I am new to forensics. I have been looking at memory with volatility. I ran the apihook parameter on a clean machine. I see hooking module unknown on a few of the processes. The blog I read said that was most likely malware. I guess I am looking for information on how to interpret the results.

Topic starter Posted : 25/07/2016 11:43 pm
citizen
(@citizen)
Junior Member

Hi,

You may want to get your employer to invest in training around memory forensics and malware analysis. With that being said, take advantage of the wiki resources for Volatility and check out Rekall. Additionally, check out CounterTack (HBGary) Responder and Redline; they provide you a "confidence level" of sorts on whether the code is malicious. Finally, with respect to Volatility, see this:

https://github.com/volatilityfoundation/volatility/wiki/Command%20Reference#dlldump
(Another plug... get the "Art of Memory Forensics"... the guys really put a lot of effort into making a great resource available for professionals on this subject matter. Bonus: check out the "Malware Analyst's Cookbook". Get your employer to buy these as a stop gap until they send you to training.)

Once you have the DLL dumped, try using some of the online sandboxes and sheep-dips to get metadata or third-party results on what the DLL is. Also, do not overlook behavioral analysis as a way to understand the net impact of possible bad code.

Keep posting here as you progress and please share resources that you find useful for other people that may read this thread in the future.

Posted : 03/08/2016 4:59 pm
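As an added triage example (not from either poster, and not part of Volatility itself): the script below parses `apihooks` text output in the Volatility 2 layout, keeps only hooks whose "Hooking module" is `<unknown>`, and groups them by process and by hook address. The same unknown address hooking APIs in several processes points at one unnamed image to dump and inspect (the `dlldump`/sandbox step suggested above) before deciding whether it is malicious. The sample output is constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of Volatility 2 apihooks text output (not real data).
SAMPLE_APIHOOKS = """\
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1100 (explorer.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9af000)
Function: ntdll.dll!NtCreateFile at 0x7c90d682
Hook address: 0x1f7ec4
Hooking module: <unknown>
************************************************************************
Hook mode: Usermode
Hook type: Import Address Table (IAT)
Process: 1100 (explorer.exe)
Victim module: kernel32.dll (0x7c800000 - 0x7c8f6000)
Function: ntdll.dll!LdrLoadDll at 0x7c9163c3
Hook address: 0x7c9163c3
Hooking module: ntdll.dll
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 2040 (chrome.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9af000)
Function: ntdll.dll!NtOpenFile at 0x7c90d6d1
Hook address: 0x1f7ec4
Hooking module: <unknown>
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+): (.*)$", re.M)   # "Key: value" lines

def parse_apihooks(text):
    """Split apihooks text output (records separated by a line of '*') into dicts."""
    records = []
    for block in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        fields = dict(FIELD_RE.findall(block))
        if fields:
            records.append(fields)
    return records

def triage_unknown(records):
    """Group <unknown>-module hooks by process and by hook address; the same address
    hooking APIs in several processes points at one injected image to dump and inspect."""
    by_process, by_address = defaultdict(list), defaultdict(set)
    for r in records:
        if r.get("Hooking module") == "<unknown>":
            by_process[r["Process"]].append(r["Function"])
            by_address[r["Hook address"]].add(r["Process"])
    return dict(by_process), {a: sorted(p) for a, p in by_address.items()}
```

Run it against `vol.py -f image.raw --profile=... apihooks > hooks.txt` output read from disk; the `by_address` map tells you which process VADs to dump first.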