Hello
I'm trying to use memory dumps to investigate malware detections on some computers at the company I work for.
So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to find out how the file got onto the machine.
I have access to navigation logs, firewall logs and the antivirus console, but these don't help me with this part.
What else do I need besides the memory dump of the machine to determine this?
Thanks for your help.
Besides what is in memory, you need to check what traces remain in the OS (please read the Registry, assuming it is a Windows of some kind), in the various logs, and what is on disk.
As usual, a full timeline is what is advised.
jaclaz
If your budget allows, I recommend purchasing OSForensics from Passmark, which will allow you to forensically image the computer in question, perform a memory dump, and also perform timeline analysis of activities taking place around the time of infection.
Depending upon your budget, you could also use Open Source tools in combination with some commercial tools for capturing both RAM and Hard drive images and then analyze these images like you would with the OSForensic tool(s).
You will learn (like I did) how to use FTKimager within the Lynda training course "Learning Computer Forensics". This product is one of the oldest commercial tools (current version 4.2, or earlier, i.e. 3.2); all work within a Windows environment. I use a much earlier version, 2.5.3, loaded as a portable version that executes within Win7 from a thumb/flash drive, and you can save the image in the "dd" image format.
FTKimager also comes in a Command Line Interface format that will operate in Windows, Mac, & Linux and
You will come across the Open Source tools in many other tool sets/distributions such as
These same tool sets will also contain The Volatility Framework which is a completely open collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples. You will also notice that these tool sets usually contain either or both The Sleuth Kit and/or Autopsy forensic analysis tool-set.
Most of these tools have a customization capability with the use of plug-ins. Plug-ins provide the flexibility with these tools that have this built-in feature. Here are some links to the other mentioned tools
I have tried to present an Open Source choice to a commercial choice even though I presented FTKimager. You will find in CAINE and SIFT other tools capable of creating an image of the selected hard drive.
You really need to create this image with a Write-Blocker for a forensically sound image. But this is a different subject and you probably will find many Discussion Threads on this site about this topic, too.
Please review these tools and make your selection. I have presented some of the well known tools in this field for your edification.
You really need to create this image with a Write-Blocker for a forensically sound image. But this is a different subject and you probably will find many Discussion Threads on this site about this topic, too.
As a side note, as a threat hunter in a malware investigation, he probably doesn't need to follow forensic principles of creating a full image, or even a write-blocked image.
What I would be pushing is documentation. Document what you've done, and what you've found.
Yupp, write blockers are generally for law enforcement and dealing with court cases. It does not hurt to use one if you have one, unless it fails to detect the drive (not uncommon) and needs to be excluded.
I'm trying to use memory dumps to investigate malware detections on some computers at the company I work for.
So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to find out how the file got onto the machine.
Which OS and version?
With the AV detection, you should have a full path to the file, so that might give you some kind of indication as to where to start, in order to determine the initial infection vector (IIV).
From there, a mini-timeline created using selected files might be the most valuable and revealing way to approach determining the IIV.
I'm trying to use memory dumps to investigate malware detections on some computers at the company I work for.
So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to find out how the file got onto the machine. - d4n13l4
As a side note, as a threat hunter in a malware investigation, he probably doesn't need to follow forensic principles of creating a full image, or even a write-blocked image.
What I would be pushing is documentation. Document what you've done, and what you've found. - randomaccess
What randomaccess suggests is very appropriate, and what you use to document would pretty much depend upon how he wishes to document and which tools; it would make the task somewhat easier or much more time consuming. Since this is a Windows system, does anyone have any tools to suggest?
I would guess that this is more of a Blue Team type situation? But wouldn't you want, at some point, just in case, to have the collected evidence ready for possible court use, besides stopping this attack and making secure corrections and protections?
What have your policies and experiences been? To just stop and correct the attack and move on, or to potentially provide your experience and evidence to a prosecutor? This would be interesting to know, too.
Thank you all for your replies.
I've considered the registry checks, doing a timeline with the help of Volatility's mftparser and other plugins.
And yes, the AV detection gave me the path, or I was able to get it from the registry in some cases, but I was wondering if it's possible to know from which site specifically the user got the file. We have McAfee, so I can only see it came from the browser, but that is it.
The machines are mainly Win 7 and 10.
My ultimate goal is to find where the user got the malicious file, to find other users who might also have visited that site and might have another similar undetected malware.
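The mini-timeline approach keydet89 describes, and the question above about tying the AV detection path back to the site the file came from, can be worked through in a few dozen lines. The following is an added example, not code from any poster in this thread or from Volatility or McAfee: it merges file-creation events in mactime body format (the layout produced by tools such as Volatility's mftparser with body output), an AV detection line, proxy ("navigation") log lines in Squid's native format and firewall lines into one time-ordered list, then scores the proxy requests that landed in the minutes before the flagged file was created. The log lines, hostnames, IPs and the AV CSV layout are all constructed for the example; adapt the parsers to the real export formats you have. It also shows the follow-on step from the post above, listing every other client that talked to the same download host.

```python
from __future__ import annotations

import ntpath
import posixpath
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Iterable
from urllib.parse import urlparse

# MIME types a proxy typically reports for Windows executables (assumption, extend as needed).
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}


@dataclass(order=True)
class Event:
    """One timeline entry; ordering compares timestamps only."""
    when: datetime
    source: str = field(compare=False)
    detail: str = field(compare=False)
    meta: dict = field(default_factory=dict, compare=False)


def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _epoch(ts: str) -> datetime:
    return datetime.fromtimestamp(float(ts), tz=timezone.utc)


def parse_bodyfile(lines: Iterable[str]) -> list[Event]:
    """mactime body format: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime.
    One event per file, keyed on its creation (birth) time."""
    out = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 11:
            continue
        name, size, crtime = parts[1], parts[6], parts[10]
        path = name.split("] ", 1)[-1]  # drop a "[MFT FILE_NAME] " style prefix if present
        out.append(Event(_epoch(crtime), "mft", f"file created {path}", {"path": path, "size": int(size)}))
    return out


def parse_av(lines: Iterable[str]) -> list[Event]:
    """Constructed AV export: timestamp,host,signature,path."""
    out = []
    for line in lines:
        ts, host, sig, path = line.strip().split(",", 3)
        out.append(Event(_utc(ts), "av", f"{sig} detected in {path} on {host}", {"path": path, "host": host}))
    return out


def parse_proxy(lines: Iterable[str]) -> list[Event]:
    """Squid native log: time elapsed client code/status bytes method URL user hierarchy type."""
    out = []
    for line in lines:
        f = line.split()
        if len(f) < 10:
            continue
        ts, client, status, nbytes, method, url, ctype = f[0], f[2], f[3], f[4], f[5], f[6], f[9]
        out.append(Event(_epoch(ts), "proxy", f"{client} {method} {url} {status}",
                         {"client": client, "url": url, "bytes": int(nbytes), "type": ctype}))
    return out


def parse_firewall(lines: Iterable[str]) -> list[Event]:
    """Constructed firewall export: timestamp action proto src:port dst:port."""
    out = []
    for line in lines:
        ts, action, proto, src, dst = line.split()
        out.append(Event(_utc(ts), "fw", f"{action} {proto} {src} -> {dst}", {"src": src, "dst": dst}))
    return out


def build_timeline(*groups: list[Event]) -> list[Event]:
    return sorted(e for g in groups for e in g)


def find_download_candidates(timeline: list[Event], file_path: str,
                             window: timedelta = timedelta(minutes=5)) -> list[tuple[int, Event]]:
    """Score proxy requests seen in the window before the flagged file's creation time.
    The MFT path has no drive letter, so matching is on the file name, case-insensitively."""
    base = ntpath.basename(file_path).lower()
    created = next((e for e in timeline if e.source == "mft"
                    and ntpath.basename(e.meta["path"]).lower() == base), None)
    if created is None:
        return []
    scored = []
    for e in timeline:
        if e.source != "proxy" or not (created.when - window <= e.when <= created.when):
            continue
        score = 0
        if posixpath.basename(urlparse(e.meta["url"]).path).lower() == base:
            score += 3  # same file name in the URL
        if e.meta["type"] in EXEC_TYPES:
            score += 1  # executable content type
        if abs(e.meta["bytes"] - created.meta["size"]) <= 0.1 * created.meta["size"]:
            score += 1  # transfer size close to the file size on disk
        if score:
            scored.append((score, e))
    scored.sort(key=lambda t: (t[0], t[1].when), reverse=True)
    return scored


def clients_contacting(proxy_events: list[Event], url: str) -> set[str]:
    """Other clients that contacted the same host: candidates for the same undetected file."""
    host = urlparse(url).netloc.lower()
    return {e.meta["client"] for e in proxy_events if urlparse(e.meta["url"]).netloc.lower() == host}


# Constructed sample data (2019-03-12 around 10:05 UTC); not real logs.
MFT_BODY = [
    "0|[MFT FILE_NAME] Users\\bob\\Downloads\\invoice.exe|41|---a-----------|0|0|204800|1552385100|1552385100|1552385100|1552385100",
    "0|[MFT FILE_NAME] Users\\bob\\Downloads\\report.pdf|42|---a-----------|0|0|88000|1552384860|1552384860|1552384860|1552384860",
]
AV_LOG = ["2019-03-12T10:05:30Z,HOST01,Trojan.Generic.Demo,C:\\Users\\bob\\Downloads\\invoice.exe"]
PROXY_LOG = [
    "1552384855.201 320 10.0.0.5 TCP_MISS/200 88000 GET http://intranet.example.invalid/report.pdf - HIER_DIRECT/10.0.1.2 application/pdf",
    "1552385097.412 1540 10.0.0.5 TCP_MISS/200 204800 GET http://download.example.invalid/files/invoice.exe - HIER_DIRECT/203.0.113.10 application/x-msdownload",
    "1552385098.000 210 10.0.0.5 TCP_MISS/200 5120 GET http://cdn.example.invalid/track.js - HIER_DIRECT/203.0.113.11 application/javascript",
    "1552389000.100 900 10.0.0.9 TCP_MISS/200 204800 GET http://download.example.invalid/files/invoice.exe - HIER_DIRECT/203.0.113.10 application/x-msdownload",
]
FW_LOG = ["2019-03-12T10:04:56Z ALLOW TCP 10.0.0.5:51234 203.0.113.10:80"]

if __name__ == "__main__":
    tl = build_timeline(parse_bodyfile(MFT_BODY), parse_av(AV_LOG), parse_proxy(PROXY_LOG), parse_firewall(FW_LOG))
    for e in tl:
        print(e.when.isoformat(), e.source, e.detail)
    for score, e in find_download_candidates(tl, "C:\\Users\\bob\\Downloads\\invoice.exe"):
        print("candidate", score, e.meta["url"], "other clients:", clients_contacting(parse_proxy(PROXY_LOG), e.meta["url"]))
```

Keep the window small at first (a download usually completes seconds before the file's birth time) and widen it only if nothing scores; the file-name match is the strongest signal, but a renamed download will only be caught by the content-type and size heuristics, so treat a score of 1 or 2 as a lead to check by hand rather than an answer.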
Hi,
I'd also consider running a virtual machine from the forensic image and monitoring network activity coming from the potentially infected machine. There might be more calls to foreign IP addresses than were captured in the memory dump at the time it was done.
You can also do a packet analysis of what the machine is trying to send out as part of that process. This might give you clues of where to look next on the computer.
Steve
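One way to turn the captured traffic Steve mentions into something to look at next is to summarise outbound connections per destination and flag the ones that recur on a regular schedule, since a sample that phones home from a sandboxed VM tends to do so at a fixed interval. The following is an added example, not Steve's code or part of any tool named in this thread. It assumes the capture has already been reduced to one record per connection in a tab-separated layout (timestamp, source, destination, destination port, protocol, bytes sent, bytes received; a subset of the columns a Zeek conn.log provides), and the records, addresses and the "known good" list below are all constructed.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    orig_bytes: int  # bytes sent by the VM
    resp_bytes: int  # bytes sent back by the destination


def parse_conn_log(lines):
    """Tab-separated records: ts src dst dport proto orig_bytes resp_bytes (constructed layout)."""
    conns = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.rstrip("\n").split("\t")
        conns.append(Conn(float(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]), int(f[6])))
    return conns


def summarize_destinations(conns, known_good=frozenset()):
    """One row per (dst, port, proto), ignoring known-good hosts. 'jitter' is the coefficient of
    variation of the gaps between successive connections: near 0 means a fixed interval."""
    by_dst = defaultdict(list)
    for c in conns:
        if c.dst not in known_good:
            by_dst[(c.dst, c.dport, c.proto)].append(c)
    rows = []
    for (dst, dport, proto), cs in by_dst.items():
        cs.sort(key=lambda c: c.ts)
        gaps = [b.ts - a.ts for a, b in zip(cs, cs[1:])]
        jitter = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        rows.append({
            "dst": dst, "dport": dport, "proto": proto, "count": len(cs),
            "bytes_out": sum(c.orig_bytes for c in cs), "bytes_in": sum(c.resp_bytes for c in cs),
            "first": cs[0].ts, "last": cs[-1].ts, "jitter": jitter,
        })
    rows.sort(key=lambda r: (-r["count"], r["dst"]))
    return rows


def periodic_destinations(rows, max_jitter=0.2, min_count=4):
    """Destinations contacted repeatedly at a near-constant interval (thresholds are assumptions)."""
    return [r for r in rows
            if r["count"] >= min_count and r["jitter"] is not None and r["jitter"] <= max_jitter]


# Constructed sample capture from a VM at 10.0.0.5: a 60-second check-in to 203.0.113.10:443,
# a few intranet requests, and one update-server request.
CONN_LOG = [
    "1552386000\t10.0.0.5\t10.0.1.2\t80\ttcp\t420\t88000",
    "1552386010\t10.0.0.5\t203.0.113.10\t443\ttcp\t612\t310",
    "1552386069\t10.0.0.5\t203.0.113.10\t443\ttcp\t615\t302",
    "1552386130\t10.0.0.5\t203.0.113.10\t443\ttcp\t610\t318",
    "1552386190\t10.0.0.5\t203.0.113.10\t443\ttcp\t608\t305",
    "1552386250\t10.0.0.5\t203.0.113.10\t443\ttcp\t611\t300",
    "1552386310\t10.0.0.5\t203.0.113.10\t443\ttcp\t614\t299",
    "1552386390\t10.0.0.5\t10.0.1.2\t80\ttcp\t380\t12000",
    "1552386395\t10.0.0.5\t10.0.1.2\t80\ttcp\t390\t9000",
    "1552386500\t10.0.0.5\t198.51.100.7\t443\ttcp\t900\t450000",
]

if __name__ == "__main__":
    rows = summarize_destinations(parse_conn_log(CONN_LOG), known_good={"10.0.1.2"})
    for r in rows:
        print(r)
    print("periodic:", [(r["dst"], r["dport"]) for r in periodic_destinations(rows)])
```

The per-destination rows give you the addresses and ports to search for in the firewall and proxy logs of the other machines, and the periodic list narrows that to the ones worth checking first; a single large download from an update server will appear in the summary but not in the periodic list.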