VolDiff: Malware Memory Footprint Analysis
VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images.
VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis.
VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution and hunt for malicious patterns.
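The before/after workflow described above, written out as an added example (this is not VolDiff's own code): each Volatility plugin is run against a clean baseline image and a post-infection image, the whitespace-separated output tables are parsed, and only rows that are new in the infected capture are reported. Invoking Volatility 2 through a `vol.py` on PATH, the profile name, the per-plugin column positions used as row keys, and the two pslist captures embedded at the bottom are all assumptions or constructed data, so the offline part runs without any memory image.

```python
"""Differential memory triage: run a Volatility 2 plugin against a clean
baseline image and a post-infection image, then report the rows that appear
only in the infected output. Added example, not VolDiff's own code.
Assumptions: vol.py is on PATH, the profile name is a placeholder, column
positions follow Volatility 2's whitespace-separated tables, and the sample
outputs at the bottom are constructed, not real captures."""
import subprocess
from typing import Dict, List, Optional, Sequence, Tuple

PLUGINS = ["pslist", "netscan", "malfind", "ldrmodules"]

# Columns that identify a row. Offsets, thread/handle counts and timestamps
# differ between two captures of the same clean machine, so keying on them
# would bury real changes in noise. Plugins not listed are compared whole-line.
KEY_COLUMNS: Dict[str, Sequence[int]] = {
    "pslist": (1, 2, 3),      # Name, PID, PPID
    "netscan": (1, 2, 3, 4),  # Proto, LocalAddr, ForeignAddr, State
}


def run_plugin(image: str, profile: str, plugin: str) -> str:
    """Run one plugin with vol.py and return its stdout (assumes the Volatility 2 CLI)."""
    cmd = ["vol.py", "-f", image, f"--profile={profile}", plugin]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_rows(output: str) -> List[List[str]]:
    """Tokenize plugin output, dropping the banner, header and separator lines."""
    rows: List[List[str]] = []
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("---", "Volatility Foundation")):
            continue
        rows.append(stripped.split())
    return rows[1:]  # the first surviving row is the column header


def row_key(row: Sequence[str], columns: Optional[Sequence[int]]) -> Tuple[str, ...]:
    """Project a row onto its identifying columns (whole row if none configured)."""
    if columns is None:
        return tuple(row)
    return tuple(row[i] for i in columns if i < len(row))


def diff_plugin_output(baseline: str, infected: str, plugin: str) -> List[List[str]]:
    """Return rows present in the infected output but absent from the baseline."""
    columns = KEY_COLUMNS.get(plugin)
    seen = {row_key(r, columns) for r in parse_rows(baseline)}
    return [r for r in parse_rows(infected) if row_key(r, columns) not in seen]


def diff_images(baseline_image: str, infected_image: str, profile: str,
                plugins: Sequence[str] = PLUGINS) -> Dict[str, List[List[str]]]:
    """Run every plugin against both images and collect the new rows per plugin."""
    return {
        p: diff_plugin_output(run_plugin(baseline_image, profile, p),
                              run_plugin(infected_image, profile, p), p)
        for p in plugins
    }


def format_report(report: Dict[str, List[List[str]]]) -> str:
    """Render the per-plugin differences as a plain-text report."""
    lines = []
    for plugin, rows in report.items():
        lines.append(f"== {plugin}: {len(rows)} new row(s) ==")
        lines.extend("  " + " ".join(r) for r in rows)
    return "\n".join(lines)


# Constructed pslist outputs (not real captures). In the infected capture the
# thread/handle counts changed (ignored by design) and a new svchost.exe
# appeared whose parent is explorer.exe rather than services.exe, which is
# the kind of lead a triage report should surface.
BASELINE_PSLIST = """Volatility Foundation Volatility Framework 2.4
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000c0f040 System                    4      0     85      464 ------      0 2015-01-01 10:00:00 UTC+0000
0xfffffa8001a2b060 explorer.exe           1324   1280     33      876      1      0 2015-01-01 10:01:12 UTC+0000
"""

INFECTED_PSLIST = """Volatility Foundation Volatility Framework 2.4
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000c0f040 System                    4      0     91      470 ------      0 2015-01-01 10:00:00 UTC+0000
0xfffffa8001a2b060 explorer.exe           1324   1280     35      902      1      0 2015-01-01 10:01:12 UTC+0000
0xfffffa8001c3d080 svchost.exe            2208   1324      5      120      1      1 2015-01-01 10:05:44 UTC+0000
"""


def demo() -> List[List[str]]:
    """Diff the constructed captures offline; returns the new pslist rows."""
    return diff_plugin_output(BASELINE_PSLIST, INFECTED_PSLIST, "pslist")


if __name__ == "__main__":
    print(format_report({"pslist": demo()}))
```

Against real images, `diff_images("clean.raw", "infected.raw", "Win7SP1x64")` runs the plugin list against both captures; the key-column table is where most of the tuning effort goes, since a key that is too loose hides real changes and one that is too strict reports every capture-to-capture fluctuation as a finding.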
Installation and use directions
This work was initially inspired by Andrew Case's (@attrc) talk on analyzing the sophisticated Careto malware sample with memory forensics. Kudos to @attrc and the whole Volatility development team for creating and maintaining the greatest memory forensics framework out there!