Congratulations 🙂
You found a signature from an antivirus program or a dll containing detection patterns. The same happened to me ~15 years ago and I was so proud to find evidence for activities from multiple threat actors. And I was running around and raising an alert based on this false positive 🤪 🤪 🤪
@bunnysniper Thank you for sharing your experience! I have a question: how can I distinguish the detection patterns of a dll or antivirus program from real malicious activity of malware in RAM memory? Is that possible with FTK Imager, or should I use other tools to analyze it? (I used Volatility3 but I found nothing suspicious.)
Could you maybe recommend some technical material for understanding the interpretation of memory images through FTK Imager? I found a lot of material on how to get the images but very little on malware analysis using this tool.
Thanks for your help!
In #DFIR you have great tools to
1. gather evidence
2. analyse evidence
but only a handful that can do both.
FTK Imager is a great tool and (more or less) the industry standard to create online (OS is running) and offline (OS is not running) images. But it is not a tool for analysis! To analyse the hard drive content imaged by FTK Imager, you can use tools like Autopsy (free) or commercial tools like Magnet Axiom or X-Ways Forensics (and a lot more).
And yes, FTK Imager can create memory dumps. Other tools you can use to create mem dumps are winpmem, Magnet RAM Capturer and a few others. When it comes to memory analysis, Volatility 3 is the standard tool to use.
These analysis tools will show you something important: the path where a string like "Emotet" was found, and the file name. Then it is much clearer to you why this string was there.
The overall amount of suspicious or malicious strings within one line in a file found by using FTK Imager clearly shows that the file you found is something related to antivirus detection.
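As an added illustration of the point above (example code written for this thread, not a tool from FTK Imager or Volatility), here is a small Python triage that scans a dump for malware family names, reports the offset and surrounding context of each hit, and labels a line that packs many distinct family names together as "signature-like" rather than as an infection. The dump contents, the family list and the threshold are constructed assumptions for the demonstration.

```python
import re

# Constructed sample "memory dump": one line resembling an antivirus
# signature table (many family names packed together) and one line that
# looks like a real file path with a single family name. Not real data.
SAMPLE_DUMP = (
    b"Chrome\\User Data\\Default\\Cache\x00\x00"
    b"explorer.exe  C:\\Windows\\explorer.exe\n"
    b"Trojan.Emotet;Win32.TrickBot;Backdoor.Qakbot;Ransom.Ryuk;Trojan.Dridex\n"
    b"svchost.exe -k netsvcs\x00\x00"
    b"C:\\Users\\victim\\AppData\\Roaming\\Emotet\\emotet.exe\n"
)

# Assumed keyword list; a real triage would use the strings that raised the alert.
FAMILIES = ["emotet", "trickbot", "qakbot", "ryuk", "dridex"]


def find_family_hits(data: bytes):
    """Return a list of (offset, family) for every case-insensitive match."""
    pattern = re.compile("|".join(FAMILIES).encode(), re.IGNORECASE)
    return [(m.start(), m.group().decode().lower()) for m in pattern.finditer(data)]


def classify_lines(data: bytes, threshold: int = 3):
    """Split the dump on newlines and count distinct families per line.

    A line holding >= threshold distinct family names is labelled
    'signature-like' (typical of a detection database loaded in memory);
    a line with fewer hits is labelled 'single-hit' and deserves a closer
    look at the path and file name around it.
    """
    results = []
    offset = 0
    for line in data.split(b"\n"):
        hits = find_family_hits(line)
        distinct = sorted({family for _, family in hits})
        if hits:
            label = "signature-like" if len(distinct) >= threshold else "single-hit"
            results.append({
                "offset": offset,
                "families": distinct,
                "label": label,
                "context": line[:80],
            })
        offset += len(line) + 1  # account for the stripped newline
    return results


if __name__ == "__main__":
    for entry in classify_lines(SAMPLE_DUMP):
        print(f"{entry['offset']:#010x} {entry['label']:15} {entry['families']} {entry['context']!r}")
```

On the constructed dump the packed signature line is reported as "signature-like" and the path under AppData as "single-hit", which is the distinction the reply above describes: the context around the string tells you why it is there.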
@bunnysniper Thank you so much for sharing your knowledge, this clarifies the memory analysis topic for me.
👍 👍 👍