Memory dump, best practices

General (Technical, Procedural, Software, Hardware etc.)

Last Post by Bunnysniper 10 years ago

2 Posts

2 Users

0 Reactions

555 Views

RSS

ottomatik

(@ottomatik)

Active Member

Joined: 10 years ago

Posts: 10

Topic starter 16/10/2015 9:48 am

Hi,
I'm beginner in forensics and i would like to have your advice on the following case.
Let's say an incident occurred inside the organization and we know what tool the disgruntled employee used to attack one of our servers. Let's say we acquired the RAM image and a bunch of other volatile data from the live system
My question is the following
Should we try to dump the process used to attack our network with a utility like procdump or should we instead work on the RAM image and try to extract the process dump from the RAM image?

Quote

Bunnysniper

(@bunnysniper)

Reputable Member

Joined: 13 years ago

Posts: 259

18/10/2015 1:19 am

Work on the complete memory dump. Volatility may become your new best friend in this case. You can analyze any malicious process and dump out the executables from it.

best regards,
Robin

ReplyQuote

Prefetch Question

Hello All, I have a question regarding Windows prefet...

By Forensic_Tester , 6 hours ago
Webinar: Collaborative Forensics: Overcoming Challenges In Multi-Jurisdictional Investigations

Discover expert strategies for cross-border investigati...

By Zoe , 7 days ago
🔍 Seeking Collaborators for AI-Enhanced Digital Forensics Project

Hey everyone! I'm working on an exciting project that c...

By etinoxa , 1 week ago

8 Forums
15.7 K Topics
92.3 K Posts
186 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed