You really need to create this image with a write-blocker for a forensically sound image. But this is a different subject, and you will probably find many discussion threads on this site about this topic, too.
As a side note, as a threat hunter in a malware investigation, he probably doesn't need to follow forensic principles of creating a full image, or even a write-blocked image.
What I would be pushing is documentation. Document what you've done, and what you've found.
He'd better, if he wishes to prosecute…
Thank you all for your replies.
I've considered the registry checks and doing a timeline with the help of Volatility's mftparser and other plugins.
And yes, AV detection gave me the path, or I was able to get it from the registry in some cases, but I was wondering if it's possible to know from which site specifically the user got the file. We have McAfee, so I can only see that it came from the browser, but that is it.
The machines are mainly Windows 7 and 10.
My ultimate goal is to find where the user got the malicious file, so I can find other users who might also have visited that site and might have other, similar, undetected malware.
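One artifact that answers the "which site did the user get the file from" question without browser history is the Zone.Identifier alternate data stream (the Mark of the Web) that browsers attach to downloaded files on NTFS. The script below is an added example for this thread, not code posted by any participant. It assumes the downloaded file still carries that stream; on Windows 10 with current browsers the stream usually contains ReferrerUrl and HostUrl lines, while Windows 7 era browsers often write only the ZoneId, so an absent or bare stream is a normal outcome the code has to handle. The sample stream contents and the example.test hostnames are constructed.

```python
"""Recover the download origin of a file from its Zone.Identifier stream.

Added example for this thread, not code from any participant. Assumes the
file still carries the Zone.Identifier alternate data stream ("Mark of the
Web") that browsers write when saving a file. On Windows 10 with current
browsers the stream usually holds ReferrerUrl and HostUrl; Windows 7 era
browsers often write only ZoneId, so those fields may be missing.
"""
import os
from typing import Dict, Optional
from urllib.parse import urlsplit

# Zone IDs as defined by URL Security Zones.
ZONE_NAMES = {
    "0": "Local machine",
    "1": "Local intranet",
    "2": "Trusted sites",
    "3": "Internet",
    "4": "Restricted sites",
}

# Constructed sample of the stream contents for a browser-saved file.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://landing.example.test/promo/invoice\r\n"
    "HostUrl=https://cdn.example.test/dl/Invoice_2019.pdf.exe\r\n"
)


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section into a dict.

    Keys are returned as written (ZoneId, ReferrerUrl, HostUrl, ...).
    Lines outside the section or without '=' are ignored.
    """
    result: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result


def origin_summary(fields: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Reduce the parsed fields to what a hunter pivots on: the hosts."""
    host_url = fields.get("HostUrl")
    referrer = fields.get("ReferrerUrl")
    return {
        "zone": ZONE_NAMES.get(fields.get("ZoneId", ""), "unknown"),
        "download_host": urlsplit(host_url).hostname if host_url else None,
        "referrer_host": urlsplit(referrer).hostname if referrer else None,
        "host_url": host_url,
        "referrer_url": referrer,
    }


def read_zone_identifier(path: str) -> Optional[Dict[str, str]]:
    """Read the stream from a file on an NTFS volume (Windows only).

    Returns None when the stream is absent (file not from a browser, MOTW
    stripped, or copied off NTFS), which is itself a useful finding.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def scan_directory(root: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Walk a directory (e.g. a user's Downloads folder) and collect origins.

    For the 'which other users visited that site' question, run this over
    each user profile and group the results by download_host.
    """
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            fields = read_zone_identifier(full)
            if fields:
                findings[full] = origin_summary(fields)
    return findings


if __name__ == "__main__":
    for key, value in origin_summary(parse_zone_identifier(SAMPLE_STREAM)).items():
        print(f"{key}: {value}")
```

Run `scan_directory(r"C:\Users\<user>\Downloads")` on the host in question (or on a mounted image, with the drive letter adjusted) and compare the `download_host` values with the web proxy or DNS logs to find other machines that contacted the same host; if the stream is missing entirely, fall back to the browser's own download history and the parent-process chain other replies mention.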
Well, if your detection was an AV, which is pretty amazing in and of itself, I would start with reviewing what happened at the time of detection and prior. It's almost always delivered via browser or internal email. Additionally, look for the parent processes that were involved prior, and it should lead you back to where the breakout occurred.
As it seems you may be a little late to the game, might as well try installing Redline from FireEye and gather everything. You can review web and network events to help narrow things down, in their timeline or with Time Crunch. Personally, the other methods provided are more comprehensive but it sounds like you need a quick remedy.
Thanks again for all the replies.
Just to clarify, I do not need this for any prosecution or similar; it's just malware investigations inside a company, and if I can find the origin and then look for similar patterns on other machines, even better. But it's more for personal knowledge, so I wanted another opinion from someone who knows more than me.