07/07/14 Forensic analysis with Redline and Volatility
Caught in the Act
Article from ADMIN 21/2014
We show you how to dig deep to find hidden and covert processes, clandestine communications, and signs of misconduct on your network.
In a previous article , I described how to obtain a memory image from a Windows computer that would allow forensic analysis. I briefly discussed using F-Response TACTICAL  to get the memory image, and then Volatility  and Mandiant Redline  for further investigation. In this paper, I dive more deeply into Redline and Volatility.
To begin, I review a raw memory dump of a known malware variant (see the "Malware Image" box) with Mandiant Redline. After firing up Redline, I chose By Analyzing a Saved Memory File under Analyze Data and browsed to the location of the memory image. Next, I edited my script to include Strings for both Process Listing and Driver Enumeration. Finally, I chose a destination to store the output for future analysis and to analyze memory dumps.
Issue #21 will be shipped to subscribers and available on newsstands starting approximately:
UK/Europe: June 23
|Return to Home|