Memory Forensics Baselines

Baselining

  • Baselining involves comparing memory from a known good configuration with potentially compromised system memory

  • When a user reports a system issue, acquire the memory of the compromised system and compare it with memory of a golden image of your enterprise’s workstation

Plugins

processbl compares the running processes in 2 memory images
  • can be used to detect newly started processes
  • can be used to detect newly loaded DLLs

servicesbl compares the services in 2 memory images
  • can be used to detect modification of service configuration
  • can be used to detect newly installed services

driverbl compares the kernel drivers in 2 memory images
  • can be used to detect newly installed / loaded drivers

Steps

./vol.py -f ./infected.raw --profile Win10x64_15063 {plugin} -B clean.raw -U 2>/dev/null

  • -B to specify the baseline image
  • -U to display the processes and DLLs that cannot be found in the baseline image

  • Immediately you can see some processes that don’t look right, like svchost.exe without a parent of services.exe

  • Further analyze by using pslist and grep for those PIDs

  • Use malfind and see if those potentially malicious PIDs are detected by this plugin (might also contain false positives)

  • Dump those PIDs using procdump, use shasum to compute the hashes, and look for matches on VirusTotal.
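The baselining logic above, as an added example that is not the processbl plugin's code: it takes the text output of Volatility 2's pslist plugin for a golden image and for a suspect image, reports process names that exist only in the suspect image, and flags processes whose parent name was never observed for that process name in the baseline. That last check is the svchost.exe-without-services.exe pattern from the steps above, generalized to every process name. Both pslist outputs below are constructed sample data, not real captures, and the PIDs and offsets in them are made up.

```python
"""Baseline comparison of process lists from two memory images.

Added example, not the processbl plugin's code. Input is Volatility 2 pslist
text for a known-good image and a suspect image; output is what the suspect
image has that the baseline does not. The pslist text below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    pid: int
    ppid: int


# Constructed pslist-style output for the golden image (not a real capture).
BASELINE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xffffa10000001000 System                    4      0    120        0 ------      0 2023-01-01 08:00:00 UTC+0000
0xffffa10000002000 smss.exe                288      4      2       50 ------      0 2023-01-01 08:00:00 UTC+0000
0xffffa10000003000 csrss.exe               388    376     10      500      0      0 2023-01-01 08:00:01 UTC+0000
0xffffa10000004000 wininit.exe             460    376      1       80      0      0 2023-01-01 08:00:01 UTC+0000
0xffffa10000005000 services.exe            552    460      5      250      0      0 2023-01-01 08:00:02 UTC+0000
0xffffa10000006000 svchost.exe             700    552     12      400      0      0 2023-01-01 08:00:03 UTC+0000
0xffffa10000007000 svchost.exe             760    552      8      300      0      0 2023-01-01 08:00:03 UTC+0000
0xffffa10000008000 explorer.exe           1488   1420     40     1200      1      0 2023-01-01 08:00:10 UTC+0000
"""

# Constructed pslist-style output for the suspect image (not a real capture).
SUSPECT_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xffffa10000001000 System                    4      0    120        0 ------      0 2023-02-01 08:00:00 UTC+0000
0xffffa10000002000 smss.exe                288      4      2       50 ------      0 2023-02-01 08:00:00 UTC+0000
0xffffa10000003000 csrss.exe               388    376     10      500      0      0 2023-02-01 08:00:01 UTC+0000
0xffffa10000004000 wininit.exe             460    376      1       80      0      0 2023-02-01 08:00:01 UTC+0000
0xffffa10000005000 services.exe            552    460      5      250      0      0 2023-02-01 08:00:02 UTC+0000
0xffffa10000006000 svchost.exe             700    552     12      400      0      0 2023-02-01 08:00:03 UTC+0000
0xffffa10000008000 explorer.exe           1488   1420     40     1200      1      0 2023-02-01 08:00:10 UTC+0000
0xffffa10000009000 svchost.exe            3104   1488      3       90      1      0 2023-02-01 09:12:44 UTC+0000
0xffffa1000000a000 updater.exe            3220   3104      2       60      1      0 2023-02-01 09:12:45 UTC+0000
"""


def parse_pslist(text: str) -> list[Process]:
    """Parse Volatility 2 pslist text into Process records.

    Header, separator and blank lines are skipped. In each data row the
    second, third and fourth columns are the name, PID and PPID.
    """
    procs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        procs.append(Process(fields[1], int(fields[2]), int(fields[3])))
    return procs


def parent_name_map(procs: list[Process]) -> dict[str, set[str]]:
    """Map each process name to the set of parent names observed for it.

    A PPID with no live process in the image (an exited parent) is "<exited>".
    """
    by_pid = {p.pid: p.name for p in procs}
    parents: dict[str, set[str]] = defaultdict(set)
    for p in procs:
        parents[p.name].add(by_pid.get(p.ppid, "<exited>"))
    return parents


def baseline_diff(baseline: list[Process], suspect: list[Process]) -> dict:
    """Return what the suspect image has that the baseline does not.

    new_processes: names never seen in the baseline image.
    unexpected_parents: (name, pid, parent_name) where the baseline never
        showed that parent name for that process name.
    """
    base_parents = parent_name_map(baseline)
    susp_by_pid = {p.pid: p.name for p in suspect}
    new_processes = sorted({p.name for p in suspect} - set(base_parents))
    unexpected = []
    for p in suspect:
        parent = susp_by_pid.get(p.ppid, "<exited>")
        if p.name in base_parents and parent not in base_parents[p.name]:
            unexpected.append((p.name, p.pid, parent))
    return {"new_processes": new_processes, "unexpected_parents": unexpected}


def analyze(baseline_text: str = BASELINE_PSLIST, suspect_text: str = SUSPECT_PSLIST) -> dict:
    """Parse both pslist outputs and diff them."""
    return baseline_diff(parse_pslist(baseline_text), parse_pslist(suspect_text))


if __name__ == "__main__":
    result = analyze()
    print("Processes not in baseline:", result["new_processes"])
    for name, pid, parent in result["unexpected_parents"]:
        print(f"{name} (PID {pid}) has parent {parent}, never seen in baseline")
```

On the constructed data the script reports updater.exe as a process absent from the baseline and flags svchost.exe PID 3104 because its parent is explorer.exe rather than services.exe; those are the PIDs you would then carry into the pslist, malfind and procdump steps. Comparing by name only is deliberately coarse, which is why the hash lookup at the end of the steps is still needed to tell a legitimately new binary from a renamed one.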
